Prisma Cloud Labs compliance checks
Table of Contents
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Prisma Cloud Container Images
- Kubernetes
- Deploy the Prisma Cloud Console on Amazon ECS
- Console on Fargate
- Onebox
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Container Service (ACS) with Kubernetes
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- IBM Kubernetes Service (IKS)
- OpenShift v4
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire Settings
- Log Scrubbing
- Clustered-DB
- Permissions by feature
-
- Logging into Prisma Cloud
- Integrating with an IdP
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Prisma Cloud Labs compliance checks
Prisma Cloud Labs compliance checks are designed by our research team and fill gaps not offered by other benchmarks.
Like all compliance checks, Prisma Cloud’s supplementary checks monitor and enforce a baseline configuration across your environment.
Prisma Cloud Labs compliance checks can be enabled or disabled in custom rules.
New rules can be created under
Defend > Compliance > Policy
.Container checks
- --596 — Potentially dangerous NET_RAW capability enabledChecks if a running container has the NET_RAW capability enabled. This capability grants an application the ability to craft raw packets. In the hands of an attacker, NET_RAW can enable a wide variety of networking exploits, such as ARP-spoofing and hijacking a cluster’s DNS traffic.
- --597 — Secrets in clear text environment variables (container and serverless function check)Checks if a running container (instantiated from an image) or serverless function contains sensitive information in its environment variables. These env vars can be easily exposed with docker inspect, and thus compromise privacy.
- --598 — Container app is running with weak settingsWeak settings incidents indicate that a well-known service is running with a non-optimal configuration. This covers settings for common applications, specifically: Mongo, Postgres, Wordpress, Redis, Kibana, Elastic Search, RabbitMQ, Tomcat, Haproxy, KubeProxy, Httpd, Nginx, MySql, and registries. These check for things such as the use of default passwords, requiring SSL, etc. The output for a failed compliance check will contain a "Cause" field that gives specifics on the exact settings detected that caused a failure.
- --599 — Container is running as root (container check)Checks if the user value in the container configuration is root. If the user value is 0, root, or "" (empty string), the container is running as a root user, and the policy’s configured effect (ignore, alert, or block) is actuated.
Container image checks
- --422 — Image contains malware (image check)Checks if any binary file in the image matches the MD5 checksum for known malicious software in the database. For this check, we use the database composed of our Intelligence Stream (IS) and WildFire. We check the CI images for malware by WildFire detection and check deployed images by MD5 detection. You can populate MD5 by adding them to theManage > System > Custom feeds > Malware signatures, these signatures added by you will also be checked for any malicious software. Whether the user updates the MD5 on the custom-feed page or not, we will always check the images with the Intelligence Stream and Wildfire.
- --423 — Image is not trusted (image check)Checks if unauthorized (untrusted) images are pulled or loaded into your environment.Prisma Cloud provides a mechanism to specify specific registries, repositories, and images that are considered trusted. Enable this check to prevent unauthorized containers from running in your critical environment. For more information, see Trusted images.
- --424 — Sensitive information provided in environment variables (image and serverless function check)Checks if images or serverless functions contain sensitive information in their environment variables. Container images define environment variables with the Dockerfile ENV instruction. These environment variables can be easily exposed with docker inspect. These checks use pattern-matching with various terms related to secrets, and no extra analysis is done on these environment variables. These checks can detect private keys, Amazon access keys (for example AKIAIOSFODNN7EXAMPLE), and key-values secrets with known keys (for example "token=fdfsfgsdfkjbsdkf").
- --425 — Private keys stored in image (image and serverless function check)Opens the file with an image or serverless function, and uses a regex pattern to search only for private keys. A policy effect (ignore, alert, block) is applied on deployment if any private key is found.
- --426 — Image contains binaries used for crypto mining (image check)Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images. When you run these images, they perform their intended function, but also mine Bitcoin for the attacker. This check is based on research from Prisma Cloud Labs. For more information, see Real World Security: Software Supply Chain. The improved search logic detects binaries with known crypto miners. The following examples from Docker Hub include crypto miners that we identify:
The output message does not include remediation details, only that the binary is identified as a crypto miner.
- --448 — Package binaries should not be alteredChecks the integrity of package binaries in an image. During an image scan, every binary’s checksum is compared with its package info. If there’s a mismatch, a compliance issue is raised.Besides scan-time, this compliance issue can also be raised at run-time if a modified binary is spawned.
Prisma Cloud Labs Istio compliance checks
Istio compliance checks help enforce a secure Istio configuration.
They address risks such as misconfigured TLS settings and universally scoped service roles.
The goals of the compliance rules are to:
- Ensure mutual TLS is configured correctly (enabled over HTTPS).
- Ensure RBAC policy is configured with service level access control (service x can only talk with service y).
- Ensure RBAC policy is not too permissive.
Istio checks
427 — Configure TLS per service using Destination Rule traffic policy
450 — Enable mesh-wide mutual TLS authentication using Peer Authentication Policy
451 — Avoid using permissive authorization policies without rules as it can compromise the target services
452 — Enable Istio access control on all workloads in the mesh using Authorization Policies
In Istio versions 1.6 and later, Mesh Policy is deprecated and replaced with Peer Authentication Policy.
Linux host checks
449 — Ensure no pending OS security updates
On each host scan, Prisma Cloud checks for available package updates marked as security updates.
If such updates are found, they’re listed under the security updates tab in
Monitor > Runtime > Host observations > <HOST>
Supported for Ubuntu and Debian hosts only.