The CIS Benchmarks provide consensus-oriented best practices for securely configuring systems. Prisma Cloud provides checks that validate the recommendations in the following CIS Benchmarks:
We have graded each check using a system of four possible scores: critical, high, medium, and low. This scoring system lets you create compliance rules that take action depending on the severity of the violation. If you want to be reasonably certain that your environment is secure, you should address all critical and high checks. By default, all critical and high checks are set to alert, and all medium and low checks are set to ignore. We expect customers to review, but probably never fix, medium and low checks.
There are just a handful of checks graded as critical. Critical is reserved for things where your container environment is exposed to the Internet, and can result in a direct attack by somebody on the outside. They should be addressed immediately.
Prisma Cloud has not implemented CIS checks marked as Not Scored. These checks are are hard to define in a strict way. Other checks are might not implemented because the logic is resource-heavy, results depend on user input, or files cannot be parsed reliably.
The compliance rule dialog provides some useful information. Compliance rules for containers can be created under Defend > Compliance > Containers and Images, while compliance rules for hosts can be created under Defend > Compliance > Hosts.
Benchmark versions — To see which version of the CIS benchmark is supported in the product, click on the All types drop-down list.
Grades — To see Prisma Cloud’s grade for a check, see the corresponding Severity column.
Built-in policy library — To enable the checks for the PCI DSS, HIPAA, NIST SP 800-190, and GDPR standards, select the appropriate template.
Prisma Cloud didn’t implement the following recommendations from the CIS Distribution Independent Linux benchmark: