DISA STIG compliance checks

Prisma Cloud supports the Docker Enterprise 2.x Linux/Unix STIG - Ver 2, Rel 1 and the Kubernetes STIG - Ver 1, Rel 2 compliance checks. Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) contain technical guidance to lock down systems that might otherwise be vulnerable to attack. These STIGs help ensure your environments are properly secured, based on Department of Defense guidance. Prisma Cloud will continue to incorportate DISA STIG guidance as existing STIGs are updated and new STIGs are published.
For an overview of the STIG, see here.
To download the STIGs, see here.

Checks

Prisma Cloud Compute has a compliance template "DISA STIG" for images, containers and hosts. This compliance template maps individual STIG rules to existing compliance checks within Compute. In some cases, we’ve implemented checks specficially to support the STIGs. When configuring your compliance policy, simply select the DISA STIG template to enable ("Alert") all relevant checks.

CAT I

CAT I is a category code for any vulnerability, which when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity. These risks are the most severe.
The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks. A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.
STIG ID
Prisma Cloud ID
Description
DKER-EE-001070
N/A
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
DKER-EE-002000
59
Docker Enterprise hosts network namespace must not be shared.
DKER-EE-002030
512
All Docker Enterprise containers root filesystem must be mounted as read only.
DKER-EE-002040
517
Docker Enterprise host devices must not be directly exposed to containers.
DKER-EE-002070
521
The Docker Enterprise default seccomp profile must not be disabled.
DKER-EE-002080
224
Docker Enterprise exec commands must not be used with privileged option.
DKER-EE-002110
525
All Docker Enterprise containers must be restricted from acquiring additional privileges.
DKER-EE-002120
530
The Docker Enterprise hosts user namespace must not be shared.
DKER-EE-002130
531
The Docker Enterprise socket must not be mounted inside any containers.
DKER-EE-002150
57
Docker Enterprise privileged ports must not be mapped within containers.
DKER-EE-005170
31
Docker Enterprise docker.service file ownership must be set to root:root.
DKER-EE-005190
33
Docker Enterprise docker.socket file ownership must be set to root:root.
DKER-EE-005210
35
Docker Enterprise /etc/docker directory ownership must be set to root:root.
DKER-EE-005230
37
Docker Enterprise registry certificate file ownership must be set to root:root.
DKER-EE-005250
39
Docker TLS certificate authority (CA) certificate file ownership must be set to root:root
DKER-EE-005270
311
Docker server certificate file ownership must be set to root:root
DKER-EE-005300
314
Docker server certificate key file permissions must be set to 400
DKER-EE-005310
315
Docker Enterprise socket file ownership must be set to root:docker.
DKER-EE-005320
316
Docker Enterprise socket file permissions must be set to 660 or more restrictive.
DKER-EE-005330
317
Docker Enterprise daemon.json file ownership must be set to root:root.
DKER-EE-005340
318
Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
DKER-EE-005350
319
Docker Enterprise /etc/default/docker file ownership must be set to root:root.
DKER-EE-005360
320
Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
CNTR-K8-000220
8134
The Kubernetes Controller Manager must create unique service accounts for each work payload.
CNTR-K8-000320
8117
The Kubernetes API server must have the insecure port flag disabled.
CNTR-K8-000330
8215
The Kubernetes Kubelet must have the read-only port flag disabled.
CNTR-K8-000340
8116
The Kubernetes API server must have the insecure bind address not set.
CNTR-K8-000360
8112
The Kubernetes API server must have anonymous authentication disabled.
CNTR-K8-000370
8212
The Kubernetes Kubelet must have anonymous authentication disabled.
CNTR-K8-000380
8213
The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-001160
597
Secrets in Kubernetes must not be stored as environment variables.