STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide

V-253543

CAT I (High)

The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.

Rule ID

SV-253543r961473_rule

STIG

Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000366, CCI-001764, CCI-002605

Discussion

Prisma Cloud Compute's vulnerabilities defense is the set of features that provides both predictive and threat-based active protection for running containers. Consistent application of Prisma Cloud Compute vulnerabilities policies ensures the continual application of policies and the associated effects. Prisma Cloud Compute's configurations must be monitored for configuration drift and addressed according to organizational policy. Satisfies: SRG-APP-000384-CTR-000915, SRG-APP-000384-CTR-000915, SRG-APP-000456-CTR-001125, SRG-APP-000516-CTR-001335

Check Content

To verify that vulnerabilities policies are enabled, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities. 

Select the "Code repositories" tab.
For the "Repositories" and "CI" tab:
- If "Default - alert all components" does not exist, this is a finding. 
- Click the three dots in the "Actions" column for rule "Default - alert all components". 
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row. 
- If "Default - alert all components" is not scoped to "All", this is a finding. 

Select the "Images" tab.
For the "CI" and "Deployed" tab:
- If "Default - alert all components" does not exist, this is a finding. 
- Click the three dots in the "Actions" column for rule "Default - alert all components". 
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row. 
- If "Default - alert all components" is not scoped to "All", this is a finding.

Select the "Hosts" tab.
For the "Running hosts" and "VM images" tab:
- If the "Default - alert all components" does not exist, this is a finding. 
- Click the three dots in the "Actions" column for rule "Default - alert all components". 
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding. 

Select the "Functions" tab.
For the "Functions" and "CI" tab:
- If the "Default - alert all components" does not exist, this is a finding. 
- Click the three dots in the "Actions" column for rule "Default - alert all components".
- If the policy is disabled, this is a finding.
- Click the "Default - alert all components" policy row.
- If "Default - alert all components" is not scoped to "All", this is a finding.

Fix Text

To enable vulnerabilities policies, navigate to Prisma Cloud Compute Console's Defend >> Vulnerabilities. Click tab to be edited.

To add rule:
- Click "Add rule". 
- Enter rule name.
  Scope = All
- Accept the defaults and click "Save".

Click the rule three-dot menu. Set to "Enable".

Click the rule row:
- Change the policy scope to "All".
- Click "Save".