OpenSCAP and vulnerability scan report:

  • Prisma Cloud Compute release: 21.04 (21.04.412)

  • Base image: registry.access.redhat.com/ubi8/ubi-minimal:8.3-291

  • Benchmark URL: scap-security-guide-0.1.54/ssg-rhel8-ds.xml

  • Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-8

  • Profile ID: xccdf_org.ssgproject.content_profile_stig

  • Compared to IronBank’s UBI8-minimal, Version 8.3 - Conditionally Approved, Build Date: 2021-04-28T14:08:19.203Z

twistlock/private:console_21_04_412

Findings for Prisma Cloud Compute Console.

Note: There is a large discrepancy in the OpenSCAP findings for this release due to the late addition of the systemd-pam package. These "Protect Accounts by Configuring PAM" findings will be corrected in the next release update. There is no interactive console session with the container and these settings are not implemented.

OpenSCAP report

Rule_ID Compute finding IronBank finding Justification

xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy

Pass

Fail

/etc/pki/tls/openssl.cnf configured according to check

xccdf_org.ssgproject.content_rule_banner_etc_issue

Fail

Pass

Application is a non-interactive container. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_difok

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_disable_users_coredumps

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

Vulnerabilities report

CVE Package Version Fix Status Justification

CVE-2021-27218

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2021-27219

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2021-28153

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2020-12762

json-c

0.13.1-0.2.el8

affected

RedHat has not released patch

CVE-2020-8231

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8284

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8285

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8286

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2021-22876

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2021-23840

openssl

1.1.1g-15.el8_3

affected

RedHat has not released patch

CVE-2021-23841

openssl

1.1.1g-15.el8_3

affected

RedHat has not released patch

CVE-2019-25013

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2020-27618

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2021-3326

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2020-29361

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2020-29363

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2020-29362

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2019-20838

pcre

8.42-4.el8

affected

RedHat has not released patch

CVE-2020-14155

pcre

8.42-4.el8

affected

RedHat has not released patch

CVE-2020-8927

brotli

1.0.6-2.el8

affected

RedHat has not released patch

CVE-2021-20271

rpm

4.14.3-4.el8

affected

RedHat has not released patch

CVE-2021-20231

gnutls

3.6.14-8.el8_3

affected

RedHat has not released patch

CVE-2021-20232

gnutls

3.6.14-8.el8_3

affected

RedHat has not released patch

twistlock/private:defender_21_04_412

Findings for Prisma Cloud Compute Defender.

OpenSCAP report

Rule_ID Compute finding IronBank finding Justification

xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy

Pass

Fail

/etc/pki/tls/openssl.cnf configured according to check

xccdf_org.ssgproject.content_rule_banner_etc_issue

Fail

Pass

Application is a non-interactive container. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_difok

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

xccdf_org.ssgproject.content_rule_disable_users_coredumps

Fail

notapplicable

To be corrected in the next release update. There is no interactive console session with the container.

Vulnerabilities report

CVE Package Version Fix Status Justification

CVE-2021-27218

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2021-27219

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2021-28153

glib2

2.56.4-8.el8

affected

RedHat has not released patch

CVE-2020-12762

json-c

0.13.1-0.2.el8

affected

RedHat has not released patch

CVE-2020-8231

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8284

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8285

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2020-8286

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2021-22876

curl

7.61.1-14.el8_3.1

affected

RedHat has not released patch

CVE-2021-23840

openssl

1.1.1g-15.el8_3

affected

RedHat has not released patch

CVE-2021-23841

openssl

1.1.1g-15.el8_3

affected

RedHat has not released patch

CVE-2020-13776

systemd

239-41.el8_3.2

affected

RedHat has not released patch

CVE-2019-25013

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2020-27618

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2021-3326

glibc

2.28-127.el8_3.2

affected

RedHat has not released patch

CVE-2020-29361

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2020-29363

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2020-29362

p11-kit

0.23.14-5.el8_0

affected

RedHat has not released patch

CVE-2019-20838

pcre

8.42-4.el8

affected

RedHat has not released patch

CVE-2020-14155

pcre

8.42-4.el8

affected

RedHat has not released patch

CVE-2020-8927

brotli

1.0.6-2.el8

affected

RedHat has not released patch

CVE-2021-20271

rpm

4.14.3-4.el8

affected

RedHat has not released patch

CVE-2021-20231

gnutls

3.6.14-8.el8_3

affected

RedHat has not released patch

CVE-2021-20232

gnutls

3.6.14-8.el8_3

affected

RedHat has not released patch