← Back to Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide

V-253530

CAT II (Medium)

Prisma Cloud Compute must be configured to send events to the hosts' syslog.

Rule ID

SV-253530r960918_rule

STIG

Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000154, CCI-000366, CCI-001851, CCI-001876, CCI-002702

Discussion

Event log collection is critical in ensuring the security of a containerized environment due to the ephemeral nature of the workloads. In an environment that is continually in flux, audit logs must be properly collected and secured. Prisma Cloud Compute can be configured to send audit events to the host node's syslog in RFC5424-compliant format. Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000181-CTR-000485, SRG-APP-000358-CTR-000805, SRG-APP-000474-CTR-001180, SRG-APP-000516-CTR-000790

Check Content

Navigate to Prisma Cloud Compute Console's >> Manage >> Alerts >> Logging tab. 

If the Syslog setting is "disabled", this is a finding.

Select the "Manage" tab.

If no Alert Providers are configured, this is a finding.

Fix Text

Navigate to Prisma Cloud Compute Console's >> Manage >> Alerts >> Logging tab. 

Set Syslog to "enabled".

Select the "Manage" tab.

Click "Add profile".

Complete the form based on the organization. At a minimum, the following Alert triggers must be selected:
- Host vulnerabilities.
- Image vulnerabilities.

Click "Save".