1. Overview

The CIS Benchmarks provide consensus-oriented best practices for securely configuring systems. Prisma Cloud provides checks that validate the recommendations in the following CIS Benchmarks:

We have graded each check using a system of four possible scores: critical, high, medium, and low. This scoring system lets you create compliance rules that take action depending on the severity of the violation. If you want to be reasonably certain that your environment is secure, you should address all critical and high checks. By default, all critical and high checks are set to alert, and all medium and low checks are set to ignore. We expect customers to review, but probably never fix, medium and low checks.

Only a handful of checks are graded critical. Critical is reserved for findings where your container environment is exposed to the Internet and could be attacked directly from outside. Address them immediately.

Prisma Cloud has not implemented CIS checks marked as Not Scored, because these checks are hard to define in a strict way. Other checks might not be implemented because the logic is resource-heavy, the result depends on user input, or the relevant files cannot be parsed reliably.

2. Additional details about Prisma Cloud’s implementation of the CIS benchmarks

The compliance rule dialog provides some useful information. Compliance rules for containers can be created under Defend > Compliance > Containers and Images, while compliance rules for hosts can be created under Defend > Compliance > Hosts.

Benchmark versions — To see which version of the CIS benchmark is supported in the product, click on the All types drop-down list.

(Screenshot: CIS benchmark versions)

Grades — To see Prisma Cloud’s grade for a check, see the corresponding Severity column.

(Screenshot: CIS benchmark grades)

Built-in policy library — To enable the checks for the PCI DSS, HIPAA, NIST SP 800-190, and GDPR standards, select the appropriate template.

(Screenshot: CIS benchmark templates)

Prisma Cloud didn’t implement the following recommendations from the CIS Distribution Independent Linux benchmark:

  • 1.7.2 - Ensure GDM login banner is configured — By default, most server distributions ship without a window manager. A manual assessment is required.

  • 2.2.1.2 - Ensure ntp (Network Time Protocol) is configured — CIS did not score this recommendation. A manual assessment is required.

  • 2.2.1.3 - Ensure chrony is configured — CIS did not score this recommendation. A manual assessment is required.

  • 5.3.1 - Ensure password creation requirements are configured — This recommendation cannot be implemented generically because password requirements vary from organization to organization. A manual assessment is required.
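For the two time-synchronization recommendations above (2.2.1.2 and 2.2.1.3), the manual assessment can be partly scripted. The following POSIX shell helper is an added example, not Prisma Cloud's code, and covers only one part of the CIS audit: that the chrony or ntp configuration names at least one remote time source. The config paths are common defaults (an assumption), and the sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's): partial manual assessment for CIS
# Distribution Independent Linux 2.2.1.2 (ntp) and 2.2.1.3 (chrony).
# It checks only that an uncommented "server" or "pool" directive names a
# remote time source; the rest of the CIS audit (daemon user, restrict
# lines) still needs a manual review.

# time_source_configured FILE
# Returns 0 when FILE has an active server/pool directive, 1 otherwise
# (a missing or unreadable file also counts as "not configured").
time_source_configured() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]' "$conf"
}

# assess_time_sync: walks the usual chrony/ntp config locations (assumed
# defaults) and reports PASS if any of them defines a time source.
# CONF_LIST overrides the list of files, which the demo below uses.
assess_time_sync() {
    for f in ${CONF_LIST:-/etc/chrony.conf /etc/chrony/chrony.conf /etc/ntp.conf}; do
        if time_source_configured "$f"; then
            echo "PASS: $f defines a remote time source"
            return 0
        fi
    done
    echo "FAIL: no chrony/ntp config defines a remote time source; review manually"
    return 1
}

# --- constructed sample configurations for an offline demonstration ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/chrony.good.conf" <<'EOF'
# constructed sample: one active pool line, one commented-out server line
pool time.example.net iburst
#server ntp.example.net iburst
driftfile /var/lib/chrony/drift
EOF
cat > "$demo_dir/chrony.bad.conf" <<'EOF'
# constructed sample: every time source is commented out
#pool time.example.net iburst
driftfile /var/lib/chrony/drift
EOF

CONF_LIST="$demo_dir/chrony.good.conf" assess_time_sync
CONF_LIST="$demo_dir/chrony.bad.conf" assess_time_sync || true
```

Run it as root on a host to assess the real default paths; the demo lines at the bottom only exercise the constructed files.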