Manage compliance

Prisma Cloud can monitor and enforce compliance settings across your environment. Out of the box, Prisma Cloud supports hundreds of discrete checks that cover images, containers, hosts, clusters, and clouds.
Applications are typically built with numerous components. Many components have established best practices for securing them against attack. Not everyone has the bandwidth to painstakingly work through the details of every best practice to determine which ones are the most important. Prisma Cloud lets your security team centrally review all best practices, enable the ones that align with your organization’s security mandate, then evenly enforce them across your environment.
Prisma Cloud’s predefined checks are based on industry standards, such as the CIS benchmarks, as well as research and recommendations from Prisma Cloud Labs. Additionally, you can implement your own compliance checks with scripts or XCCDF.

Enforcement

Compliance rules are defined and applied in the same way as vulnerability rules. For checks that can be performed on static images, those checks are performed as images are scanned (either in the registry or on local hosts). Results are then returned the to Console and displayed in the compliance reports under
Monitor > Compliance
.
When compliance rules are configured with block actions, they are enforced when a container is created. If the instantiated container violates your policy, Prisma Cloud prevents the container from being created.
Note that compliance enforcement is only one part of a defense in depth approach. Because compliance enforcement is applied at creation time, it is possible that a user with appropriate access could later change the configuration of a container, making it non-compliant after deployment. In these cases, the runtime layers of the defense in depth model provide protection by detecting anomalous activity, such as unauthorized processes.
Assume that you want to block any container that runs as root. The flow for blocking such a container is:
  1. Prisma Cloud admin creates a new compliance rule that blocks containers from running as root.
  2. The admin optionally targets the rule to a specific resources, such as a set of hosts, images, or containers.
  3. Someone with rights to create containers attempts to deploy a container to the environment.
  4. Prisma Cloud compares the image being deployed to the compliance state that it detected when it scanned the image. For deploy-time parameters, the specific Docker client commands sent are also analyzed.
    1. If the comparison determines that the image is compliant with the policy, the 'docker run' command is allowed to proceed as normal, and the return message from Docker Engine is sent back to the user.
    2. If the comparison determines that the image is not compliant, the container_create command is blocked and Prisma Cloud returns an error message back to the user describing the violation.
  5. In both success and failure cases, all activities are centrally logged in Console and (optionally) syslog.

Creating compliance rules

This procedure shows you how to set up a container compliance rule. As an example, you configure Prisma Cloud to block any containers running as root.
  1. Open Console, then go to
    Defend > Compliance > Containers and Images
    .
  2. Click
    Add rule
    .
    1. Enter a rule name, such as
      my-rule
      .
    2. In the search field under
      Compliance actions
      , enter
      Container is running as root
      .
      As you type, the available checks are filtered to match your search query.
    3. For check 599 (Container is running as root), set the action to
      Block
      .
    4. Under
      Add resources
      , accept the default settings. The default filter applies your rule to all containers, images, hosts, and labels in your environment.
    5. Click
      Save
      .
      Your rule is now activated.
  3. Verify that your rule is being enforced.
    1. Connect to a host running Defender, then run the following command, which starts an Ubuntu container with a root user (uid 0).
      $ docker run -u 0 -ti library/ubuntu /bin/sh
      Defender should block the command with the following message:
      docker: Error response from daemon: oci runtime error: [Prisma Cloud] Container operation blocked by policy: my-rule, has 1 compliance issues.

Reporting full results

By default, Prisma Cloud reports only the compliance checks that fail. Sometimes you need both negative and affirmative results to prove compliance. You can configure Prisma Cloud to report checks that both pass and fail.
The contents of a full compliance report (both passed and failed checks) is the sum of all applied rules. If your compliance policy raises an alert for only two checks, your compliance report will show the results of two checks. To report on
all
compliance checks, set all compliance checks to either alert or block.
  1. Open Console, then go to
    Defend > Compliance > {Containers and Images | Hosts}
    .
  2. Click
    Add rule
    .
    1. Enter a rule name.
    2. Under
      Reported results
      , click
      Passed and Failed Checks
      .
    3. Click
      Save
      .
      Your rule is now activated.
  3. Verify that the compliance reports show both passed and failed checks.
    1. Go to
      Defend > Compliance
      , select any tab, then click on a resource in the table to open its scan report. You will see a list of checks that have both passed and failed.
      manage_compliance_pass_fail.png

Recommended For You