Host scanning
Prisma Cloud scans all hosts for compliance issues, provided that a Defender is installed or the host is covered by an agentless scan.
The following categories of compliance issues are covered:
- Host configuration: Compliance issues in the host setup.
- Docker daemon configuration: Compliance issues that stem from misconfiguring your Docker daemons. The Docker daemon derives its configuration from various files, including /etc/sysconfig/docker or /etc/default/docker. A misconfigured daemon affects every container instance on the host.
- Docker daemon configuration files: Compliance issues that arise from failing to protect critical configuration files with the correct permissions.
- Docker security operations: Recommendations and reminders for extending your current security best practices to include containers.
- Compliance: For Linux hosts that have Defenders installed, you can also ensure adherence to specific application versions (see Enforce Application Control below). Agentless scanning on hosts does not support this functionality.
Prisma Cloud implements the host checks from:
- CIS Distribution Independent Linux v2.0.0
- CIS Amazon Linux 2 Benchmark v1.0.0 (for AL 2)
- CIS Amazon Linux Benchmark v2.1.0 (for AL 1)
Enforce Application Control
If you want to ensure that Linux hosts in your deployment run only the versions of an application that you have allowed, or cannot run versions of applications that you want to deny, use the Application Control checks. Application control checks generate alerts when a non-compliant version of an application is detected on a host.
The most common uses are:
- Enforce dedicated rules by application type. For example, control which versions of mysql may run on a database server.
- Specify applications that must never run on hosts (for example, detect any version of mongodb and deny it).
- Create a host profile from a host that runs the approved list of applications and apply the rule to all other hosts, so you are alerted whenever a version changes.
To enforce application control, the host must have a Defender installed. The Host Defender runs the application control checks periodically and matches the result against the application control list attached to a compliance policy rule, allowing or denying applications on the hosts in your environment.
The application control checks are evaluated only for the applications and versions you have specified as match criteria. An application that is not matched by any rule is not subject to compliance enforcement.
Application control is supported for services with an open TCP port. To see which applications on a host are eligible, go to Monitor > Compliance > Hosts, open the host, and in Host Details > Package Info check the App control column: it lists the applications running on the host and shows Yes for each one that is supported for application control.
- Add an application control list.
  - Select Defend > Compliance > Hosts > Application control.
  - Enter a Name and, optionally, a Description for the application control rule.
  - Assign a Severity to the rule. The severity of the alert helps you triage issues when a compliance violation occurs.
  - Pick one of the following options to add the applications. This rule defines the match criteria used to verify the list of applications running on Linux hosts with Defenders installed.
    - Option 1 - Add application. Enter the name of the application, then add the match criteria for the versions you want to allow (this is an allow list). Create distinct rules that are specific to an application, for example a database application or a web application that you want to monitor on the hosts in your inventory, so that an alert is triggered when a compliance violation occurs. You can use >, == or <=, or an expression such as >=2 AND <=5 to indicate a range between 2 and 5 (including 2 and 5). Alternatively, select Deny all versions if you want to ensure that no version of the application runs on hosts in your environment.
    - Option 2 - Import from host. If a specific host carries your standard image and the applications running on that host are the ones you want to monitor and verify compliance for, you do not have to create the rules manually. Import the list of applications, along with the versions running on that host, and the application control rules are created automatically. Select the Host from the list; make sure you choose a Linux host with a Defender installed.
- Attach the application control list to a Compliance rule.
  - Select Defend > Compliance > Hosts > Hosts.
  - Enter a Rule name.
  - Select the Scope, which is the set of hosts to which this rule applies.
  - Select the Compliance action.
  - Select Application control as the type of control.
  - Choose the app control rule you created earlier.
  - Select the action. Choose Alert or Block to enforce the criteria in the application control list and generate alerts. Do not select Ignore if you want alerts for compliance violations. Block does not stop the non-compliant application from running on the host; rather, it blocks new containers for the specified application and version from being deployed on that host. So when a rule is matched and the action is set to Block, any new container will be blocked from running on that host.
- View the scan results.
  - Select Monitor > Compliance > Hosts.
  - Select a host to view the alerts in the host details section.
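The following is an added example, not Prisma Cloud code: a small evaluator that models the application-control semantics described above, so you can see how an allow list, a "Deny all versions" rule and an imported host profile behave against a host inventory. The rule shape, the version comparison (dotted numeric tuples, missing components treated as 0, a trailing package suffix ignored) and the constructed sample data are assumptions of this example; the page does not specify how the product parses versions.

```python
# Added example, not Prisma Cloud code. Models the application-control rules
# described on this page. Assumptions not stated on the page: versions compare
# as dotted numeric tuples, missing components count as 0, clauses are joined
# only by AND, and a suffix such as "-1ubuntu" is ignored.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One clause of the match criteria, e.g. ">=2" or "==8.0.31".
CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.0.31' -> (8, 0, 31); a trailing suffix such as '-1ubuntu' is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Compare (5,) and (5, 1) as (5, 0) and (5, 1) so "<=5" excludes 5.1.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_allowed(version: str, criteria: str) -> bool:
    """True if version satisfies every clause, e.g. '>=2 AND <=5'."""
    v = parse_version(version)
    for clause in re.split(r"\s+AND\s+", criteria.strip(), flags=re.IGNORECASE):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad match clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        left, right = _pad(v, bound)
        if not OPS[op](left, right):
            return False
    return True


@dataclass
class AppControlRule:
    application: str
    criteria: Optional[str]  # None models the "Deny all versions" option
    severity: str = "high"


def rules_from_host(running_apps: Dict[str, str]) -> List[AppControlRule]:
    """Option 2, 'Import from host': pin every application on a reference host
    to the version seen there, so any version change becomes a violation."""
    return [AppControlRule(app, f"=={ver}") for app, ver in running_apps.items()]


def evaluate_host(rules: List[AppControlRule],
                  running_apps: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (application, version, severity, reason) for each violation.
    Applications not named by any rule are skipped: per the page, an
    unmatched application gets no compliance enforcement."""
    by_app = {r.application: r for r in rules}
    findings = []
    for app, version in running_apps.items():
        rule = by_app.get(app)
        if rule is None:
            continue
        if rule.criteria is None:
            findings.append((app, version, rule.severity, "all versions denied"))
        elif not version_allowed(version, rule.criteria):
            findings.append((app, version, rule.severity,
                             f"not in allowed range {rule.criteria!r}"))
    return findings


# Constructed sample data: two rules and one host inventory of services
# listening on a TCP port (names and versions are made up for the example).
RULES = [
    AppControlRule("mysql", ">=5.7 AND <8.1", severity="medium"),
    AppControlRule("mongodb", None, severity="critical"),
]
HOST = {"mysql": "8.0.31", "mongodb": "6.0.4", "nginx": "1.24.0"}

if __name__ == "__main__":
    for finding in evaluate_host(RULES, HOST):
        print(finding)
```

Running the block reports only mongodb: mysql 8.0.31 falls inside its allowed range and nginx has no rule, so it is ignored rather than flagged, which is the behaviour to keep in mind when you expect a rule to cover an application you never listed.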
Review host scan reports
You can filter the displayed hosts by searching for specific hosts or by choosing a collection. Collections support AWS tags: when creating a new collection, add the tags you want to use for filtering to the Labels field.
- Open Console, then go to Monitor > Compliance > Hosts > Running Hosts.
- Click a host in the list. A report of the compliance issues on the host is shown. All vulnerabilities identified in the latest host scan can be exported to a CSV file by clicking the CSV button in the top right of the table.