Prisma Cloud Compute Console must run as nonroot user (uid 2674).

Overview

Finding ID: V-253536
Version: CNTR-PC-000530
Rule ID: SV-253536r1051115_rule
IA Controls: CCI-000764
Severity: medium
Description
Containers not requiring root-level permissions must run as a unique user account. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to execute must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.
STIG: Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
Date: 2024-12-06

Related Frameworks

4 paths across 3 frameworks
NIST 800-53 · 1 mapping
IA-2
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 · 2 mappings
3.5.1
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.2
1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI · 1 mapping
CCI-000764
1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-253536r1051115_chk)

Locate the node on which the Prisma Cloud Compute Console container is running and determine the owner of the "/app/server" process. Execute:

    ps -aux | grep "/app/server"

If the "/app/server" process is owned by root, this is a finding.

Fix Text (F-56939r840445_fix)

In the root directory of the extracted release tar file, set the following line in twistlock.cfg:

    RUN_CONSOLE_AS_ROOT=false

For Kubernetes deployments, perform these additional steps.

When generating the twistlock_console.yaml deployment file, supply the --run-as-user flag:

    Linux/twistcli console export kubernetes --service-type ClusterIP --run-as-user 2674

Modify the resulting twistlock_console.yaml file so that the Deployment pod specification's securityContext includes fsGroup: 2674:

    securityContext:
      fsGroup: 2674

Add runAsGroup: 2674 to the container specification's securityContext, next to the runAsUser value that twistcli emitted, so that it reads:

    securityContext:
      runAsUser: 2674
      runAsGroup: 2674
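The following script is an added example, not part of the STIG and not Palo Alto Networks' own tooling. It automates the check text above (the owner of the "/app/server" process) and additionally verifies that a rendered twistlock_console.yaml carries the runAsUser, runAsGroup and fsGroup values the fix text prescribes, so the same script covers both the check and the post-fix validation. The uid/gid 2674 is the value from this rule; the ps listings and manifests embedded below are constructed samples for the example, and the RUN_LIVE switch and the file name check_console_uid.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the STIG or from Palo Alto Networks).
# Automates the check text against a `ps` listing and inspects a rendered
# twistlock_console.yaml for the runAsUser/runAsGroup/fsGroup values the
# fix text prescribes. The id 2674 comes from the rule; the sample ps
# output and manifests below are constructed for this example.

EXPECTED_ID=2674

# check_ps_listing: read `ps -aux` output on stdin, find the /app/server
# process (ignoring the grep that found it) and fail if root owns it.
# ps prints a username when the uid resolves on the node, so "root" is the
# usual value; the numeric "0" is accepted too for nodes without a passwd map.
check_ps_listing() {
    owner=$(grep '/app/server' | grep -v 'grep' | awk '{print $1}' | head -n 1)
    if [ -z "$owner" ]; then
        echo "no /app/server process found on this node"
        return 2
    fi
    if [ "$owner" = "root" ] || [ "$owner" = "0" ]; then
        echo "FINDING: /app/server is owned by root"
        return 1
    fi
    echo "OK: /app/server is owned by $owner"
    return 0
}

# check_manifest: given a Deployment manifest as a string, require that
# runAsUser, runAsGroup and fsGroup are all set to EXPECTED_ID. A key that
# is missing or carries a different value is reported as a finding.
check_manifest() {
    manifest=$1
    for key in runAsUser runAsGroup fsGroup; do
        val=$(printf '%s\n' "$manifest" |
              sed -n "s/^[[:space:]]*$key:[[:space:]]*\([0-9][0-9]*\).*/\1/p" |
              head -n 1)
        if [ "$val" != "$EXPECTED_ID" ]; then
            echo "FINDING: $key is '${val:-unset}', expected $EXPECTED_ID"
            return 1
        fi
    done
    echo "OK: runAsUser, runAsGroup and fsGroup are all $EXPECTED_ID"
    return 0
}

# --- constructed samples (not captured from a real node) ---
PS_ROOT='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  2.0 812345 54321 ?        Ssl  09:00   0:07 /app/server
root       917  0.0  0.0   6412  2240 pts/0    S+   09:05   0:00 grep /app/server'

PS_NONROOT='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
2674         1  0.1  2.0 812345 54321 ?        Ssl  09:00   0:07 /app/server'

MANIFEST_OK='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        fsGroup: 2674
      containers:
      - name: twistlock-console
        securityContext:
          runAsUser: 2674
          runAsGroup: 2674'

# What twistcli emits before the manual edits in the fix text: runAsUser only.
MANIFEST_INCOMPLETE='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: twistlock-console
        securityContext:
          runAsUser: 2674'

# Run against the live node with: RUN_LIVE=1 sh check_console_uid.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then
    ps -aux | check_ps_listing
    if [ -f twistlock_console.yaml ]; then
        check_manifest "$(cat twistlock_console.yaml)"
    fi
fi
```

Without RUN_LIVE the script only defines the functions and samples, so it can be sourced from a larger audit harness. The manifest check deliberately treats a missing key as a finding rather than silently passing: a twistcli export that received --run-as-user but was never edited for fsGroup and runAsGroup still lets the console start, but not in the configuration the fix text requires.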