1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Compliance
    6. Enforce compliance checks

    Enforce compliance checks

    Prisma Cloud can monitor and enforce compliance settings across your environment. Out of the box, Prisma Cloud supports hundreds of discrete checks that cover images, containers, hosts, clusters, and clouds.
    Prisma Cloud provides predefined checks that are based on industry standards, such as the CIS benchmarks, as well as research and recommendations from Prisma Cloud Labs. Your security teams can review these best practices and enable the ones that align with your organization’s security mandate and consistently enforce them across your environment. Additionally, you can implement your own compliance checks with scripts.

    Enforcement

    Compliance rules are defined and applied in the same way as vulnerability rules. When there is no matching rule for compliance checks on specific resorces, Prisma Cloud generates alerts on all violations that are found. For checks that can be performed on static images, those checks are performed as images are scanned (either in the registry or on local hosts). Results are then displayed in the compliance reports under
    Monitor > Compliance
     on the Console.
    When compliance rules are configured with block actions, they are enforced when a container is created. If the instantiated container violates your policy, Prisma Cloud prevents the container from being created.
    Note that compliance enforcement is only one part of a defense in depth approach. Because compliance enforcement is applied at creation time, it is possible that a user with appropriate access could later change the configuration of a container, making it non-compliant after deployment. In these cases, the runtime layers of the defense-in-depth model provide protection by detecting anomalous activity, such as unauthorized processes.
    Assume that you want to block any container that runs as root. The flow for blocking such a container is:
    1. Prisma Cloud admin creates a new compliance rule that blocks containers from running as root.
    2. The admin optionally targets the rule to a specific resources, such as a set of hosts, images, or containers.
    3. Someone with rights to create containers attempts to deploy a container to the environment.
    4. Prisma Cloud compares the image being deployed to the compliance state that it detected when it scanned the image. For deploy-time parameters, the specific Docker client commands sent are also analyzed.
      1. If the comparison determines that the image is compliant with the policy, the 'docker run' command is allowed to proceed as normal, and the return message from Docker Engine is sent back to the user.
      2. If the comparison determines that the image is not compliant, the container_create command is blocked and Prisma Cloud returns an error message back to the user describing the violation.
    5. In both success and failure cases, all activities are centrally logged in Console and (optionally) syslog.

    Supported runtimes

    The supported runtimes for compliance are:
    • Docker
    • CRIO
    • Containerd

    Surveying Prisma Cloud compliance checks

    As you configure your compliance policy, you might want more details for the built-in checks. Teams that address compliance issues might also need more information about why checks fail, so that they can resolve the underlying issues.
    As you explore the built-in checks, consider the following points.

    CIS

    Most built-in checks are based on the CIS benchmarks. For full details about what a check does, and why, refer to the CIS benchmark documentation. Prisma Cloud check IDs map to CIS benchmark IDs. For example, Prisma Cloud check ID 51 maps to CIS Docker Benchmark 5.1

    Check IDs

    When creating compliance rules, there’s a drop-down menu that lets you filter checks by type. Each type has a heading, which indicates the origin of the checks. Checks from the CIS benchmarks are clearly labeled.

    CRI checks

    All CRI checks are direct analogs of the Docker CIS checks, but repurposed for CRI environments.

    Twistlock Labs checks

    For all other checks, including those from Twistlock Labs, we provide documentation.

    Creating compliance rules

    This procedure shows you how to set up a container compliance rule to block any containers running as root.
    1. Open Console, then go to
      Defend > Compliance > Containers and Images
      .
    2. Click
      Add rule
      .
      1. Enter a rule name, such as
        my-rule
        .
      2. In the search field under
        Compliance actions
        , enter
        Container is running as root
        .
        As you type, the available checks are filtered to match your search query.
      3. For check 599 (Container is running as root), set the action to
        Block
        .
        The "Block" effect for the unsupported compliance policies is disabled in the UI and set to "Ignore" and "Alert" only.
      4. In
        Scope
        , accept the default collection,
        All
        . The default collection applies the rule to all containers in your environment.
      5. Click
        Save
        .
        Your rule is now activated.
    3. Verify that your rule is being enforced.
      1. Connect to a host running Defender, then run the following command, which starts an Ubuntu container with a root user (uid 0).
        $ docker run -u 0 -ti library/ubuntu /bin/sh
        Defender should block the command with the following message:
        docker: Error response from daemon: oci runtime error: [Prisma Cloud] Container operation blocked by policy: my-rule, has 1 compliance issues.

    Reporting full results

    By default, Prisma Cloud reports only the compliance checks that fail. Sometimes you need both negative and affirmative results to prove compliance. You can configure Prisma Cloud to report checks that both pass and fail.
    The contents of a full compliance report (both passed and failed checks) is the sum of all applied rules. If your compliance policy raises an alert for only two checks, your compliance report will show the results of two checks. To report on all compliance checks, set all compliance checks to either alert or block.
    1. Open Console, then go to
      Defend > Compliance > {Containers and Images | Hosts}
      .
    2. Click
      Add rule
      .
      1. Enter a rule name.
      2. Under
        Reported results
        , click
        Passed and Failed Checks
        .
      3. Click
        Save
        .
        Your rule is now activated.
    3. Verify that the compliance reports show both passed and failed checks.
      1. Go to
        Defend > Compliance
        , select any tab, then click on a resource in the table to open its scan report. You will see a list of checks that have both passed and failed.
    <