Scan results for 30.01.153

OpenSCAP and vulnerability scan report:
  • Prisma Cloud Compute release: 30.01 (30.01.153)
  • Base image: registry.access.redhat.com/ubi8/ubi-minimal:8.8
  • Benchmark URL: scap-security-guide-0.1.68/ssg-rhel8-ds.xml
  • Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8
  • Profile ID: xccdf_org.ssgproject.content_profile_stig
  • Compared to IronBank’s UBI8-minimal, Version 8.8, Build Date: 2023-05-03T15:02:09

twistlock/private:console_30_01_153

Findings for Prisma Cloud Compute Console.

OpenSCAP report

You can find the OpenSCAP report here.

| Rule_ID | Compute finding | IronBank finding | Justification |
| --- | --- | --- | --- |
| xccdf_org.ssgproject.content_rule_accounts_authorized_local_users | Fail | Pass | Local accounts include: twistlock = non-root account for service, mongod = mongoDB database & saslauth = authentication libraries. Application is a non-interactive container. There is no interactive console session with the container. |
| xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists | Fail | Pass | Non-interactive / non-root user twistlock does not have a home directory (/home/twistlock). |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |

Vulnerabilities full report

You can find the full vulnerabilities report here.

| CVE | Package | Version | Fix Status | Justification |
| --- | --- | --- | --- | --- |
| CVE-2022-1996 | go-restful | 2.9.5 | Fixed in 3.8.0 | The package is a transitive dependency that is being pulled with k8s.io/client-go and k8s.io/kube-openapi, and is not being used directly in the Compute Defender and Console. |
| CVE-2023-29402 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |
| CVE-2023-29404 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |
| CVE-2023-29405 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |

twistlock/private:defender_30_01_153

Findings for Prisma Cloud Compute Defender.

OpenSCAP report

You can find the OpenSCAP report here.

| Rule_ID | Compute finding | IronBank finding | Justification |
| --- | --- | --- | --- |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |
| xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile | Fail | Pass | Umask 027. Application is a non-interactive container. There is no interactive console session with the container. |

Vulnerabilities full report

You can find the full vulnerabilities report here.

| CVE | Package | Version | Fix Status | Justification |
| --- | --- | --- | --- | --- |
| CVE-2022-1996 | go-restful | 2.9.5 | Fixed in 3.8.0 | The package is a transitive dependency that is being pulled with k8s.io/client-go and k8s.io/kube-openapi, and is not being used directly in the Compute Defender and Console. |
| CVE-2023-29402 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |
| CVE-2023-29404 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |
| CVE-2023-29405 | go | 1.20.4 | Fixed in 1.20.5, 1.19.10 | To be patched in next update, Maxwell Update 2 |
