Prisma Cloud Compute: Why am I still seeing container runtime events for a path that I have allowed in the runtime policy?

Created On 07/10/24 18:26 PM - Last Modified 01/13/26 22:03 PM


Question


Why am I still seeing container runtime events for a path that I have allowed in the runtime policy?



Environment


  • Prisma Cloud Enterprise (SaaS) 
  • Prisma Cloud Compute (Self host)


Answer


  • Prisma Cloud does not support wildcard characters (asterisks) in file paths for File System Monitoring.
    • For example, to monitor all files within the /etc/ directory, enter "/etc/" rather than "/etc/*".

  • Similarly, for custom filesystem rules, use the "startswith" keyword instead of wildcard characters:
    • file.path startswith "/etc/"

  • For file integrity paths under Host Runtime Policies, wildcard characters are also not allowed.
    • Check the "recursive" box if you would like to include subpaths.
    • Note that the recursive box applies only to "write" operations; it does not apply to read or attribute change operations.
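
The Python helper below checks a list of path entries for asterisks before they are entered in a policy and proposes the directory form and the "startswith" expression described above. It is an added example, not Palo Alto Networks code: the function name `lint_path`, the sample paths, and the treatment of "startswith" as a plain string-prefix match are assumptions, and no Prisma Cloud API or export format is used.

```python
# Added example, not Palo Alto Networks code. Input is a plain list of path
# strings; no Prisma Cloud API or export format is used or assumed.

def lint_path(entry):
    """Classify one path entry; return (status, directory_form, custom_rule_expr)."""
    entry = entry.strip()
    if not entry.startswith("/"):
        return ("error: not an absolute path", None, None)
    star = entry.find("*")
    if star == -1:
        return ("ok", entry, None)  # no wildcard, usable as written

    literal = entry[:star]                          # text before the first asterisk
    directory = literal[: literal.rfind("/") + 1]   # enclosing directory, trailing slash kept
    rest = entry[star:].strip("*/")                 # anything meaningful after the asterisk
    # Assumption: "startswith" is a plain string-prefix comparison on file.path.
    expr = 'file.path startswith "%s"' % literal

    if directory == "/":
        return ("review: prefix would cover the whole filesystem", directory, expr)
    if rest:
        # e.g. /var/*/log or /etc/*.conf: a prefix cannot express the suffix
        return ("review: prefix is broader than the wildcard intended", directory, expr)
    if literal != directory:
        # e.g. /etc/ssh*: exact as a startswith rule, broader as a directory
        return ("review: directory form is broader than the wildcard intended", directory, expr)
    return ("rewrite", directory, expr)


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real policy.
    for p in ["/etc/*", "/etc/", "/var/*/log", "/etc/ssh*", "/*", "etc/*"]:
        status, directory, expr = lint_path(p)
        print("%-12s %-62s %-8s %s" % (p, status, directory, expr))
```

Entries reported as "review" cannot be expressed exactly by a directory prefix, so the resulting allow or monitor scope should be confirmed by hand before the policy is saved.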



 


Additional Information


https://docs.prismacloud.io/en/compute-edition/34/admin-guide/runtime-defense/runtime-defense-hosts#global-settings

  • As per the above documentation, the "full path of binary" must be used.

https://docs.prismacloud.io/en/compute-edition/34/admin-guide/runtime-defense/custom-runtime-rules#:~:text=startswith%20%7C%20contains

  • As per the above documentation, the "startswith" keyword can be used in custom rules.

