
Methodology

For every release of Prisma Cloud Compute, we perform an SCAP scan of the Console and Defender images and post the results here. This process is based on the U.S. Air Force’s Platform One "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We then compare the scan results to IronBank’s latest approved UBI8-minimal scan findings; any discrepancies are addressed or justified, and the results are posted here.
The scanning process is as follows:
  1. Build a Red Hat Enterprise Linux server.
  2. Install the openscap-utils package.
  3. Pull the latest SCAP content from the Compliance as Code GitHub repository.
    Download the most current binary archive from the repository releases page, e.g. the scap-security-guide-<latest version>.tar.bz2 or scap-security-guide-<latest version>.zip file. The source archives require additional build steps before they can be used to scan an image.
    Once the archive has been downloaded, expand it to create the subdirectory scap-security-guide-<latest version>. For example, if the current version is 0.1.67, the files will be unpacked to scap-security-guide-0.1.67.
  4. Scan the Console and Defender images:
    oscap-podman <imageID> xccdf eval \
      --fetch-remote-resources \
      --profile xccdf_org.ssgproject.content_profile_stig \
      --report scan_report_name.html \
      scap-security-guide-<latest version>/ssg-rhel8-ds.xml
  5. Compare the findings against the daily IronBank UBI8-minimal image scan.
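Step 5 in practice, as an added example that is not part of the Prisma Cloud documentation or tooling: a small script that reads two XCCDF result files (the image scan and the UBI8-minimal baseline, as written by oscap's --results option) and separates failures inherited from the base image from failures unique to the Prisma image, which are the ones that must be fixed or justified. The XCCDF documents below are constructed inline and the rule ids are placeholders, not real SSG rule names.

```python
"""Compare an OpenSCAP XCCDF image scan against a UBI8-minimal baseline scan.
Added example; not Prisma Cloud's own tooling. Real inputs are the XML files
produced by `oscap ... --results`; here both documents are constructed inline."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}


def failing_rules(xccdf_xml: str) -> set[str]:
    """Return the idrefs of every <rule-result> whose <result> is 'fail'."""
    root = ET.fromstring(xccdf_xml)
    failed = set()
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        if res is not None and res.text == "fail":
            failed.add(rr.get("idref"))
    return failed


def compare_to_baseline(image_xml: str, baseline_xml: str) -> dict[str, set[str]]:
    """Split image failures into those also failing in the baseline (inherited
    from UBI8-minimal) and those unique to the image (fix or justify)."""
    image_fail = failing_rules(image_xml)
    base_fail = failing_rules(baseline_xml)
    return {"inherited": image_fail & base_fail, "new": image_fail - base_fail}


def _sample_result(results: dict[str, str]) -> str:
    """Build a minimal XCCDF Benchmark/TestResult document for testing."""
    rules = "".join(
        f'<rule-result idref="{rid}"><result>{r}</result></rule-result>'
        for rid, r in results.items())
    return (f'<Benchmark xmlns="{XCCDF_NS["x"]}"><TestResult id="xccdf_sample_result">'
            f"{rules}</TestResult></Benchmark>")


# Constructed sample scans; rule ids are placeholders, not real SSG rule names.
CONSOLE_SCAN = _sample_result({
    "xccdf_org.ssgproject.content_rule_sample_a": "fail",
    "xccdf_org.ssgproject.content_rule_sample_b": "fail",
    "xccdf_org.ssgproject.content_rule_sample_c": "pass",
})
UBI8_BASELINE = _sample_result({
    "xccdf_org.ssgproject.content_rule_sample_a": "fail",
    "xccdf_org.ssgproject.content_rule_sample_b": "pass",
    "xccdf_org.ssgproject.content_rule_sample_c": "notapplicable",
})

if __name__ == "__main__":
    report = compare_to_baseline(CONSOLE_SCAN, UBI8_BASELINE)
    for rid in sorted(report["new"]):
        print("NEW FAIL (fix or justify):", rid)
```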
