The serverless runtime policy's whitelist for processes is not functioning as expected

Created On 08/05/24 08:13 AM - Last Modified 12/17/25 22:14 PM


Symptom


Explicitly Denied Process alert (Process monitoring) - "/usr/bin/uname launched by /var/lang/bin/python3.8 and is not allowed by the runtime rule. Full command: uname -p"


Environment


  • Prisma Cloud Compute Edition
  • Serverless runtime policy
  • Explicitly Denied Process alert


Cause


  • The current specification allows only parent processes to be added to the process whitelist in the Serverless runtime policy.
  • This means that child processes cannot be whitelisted.


Resolution


  1. Add both processes to the whitelist: “bash” (the process used by the function) and “uname”.
  2. With both entries in the whitelist, the audit events for this command no longer appear in the console.
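
As an added example (not part of this article or of Prisma Cloud), a small Python helper that parses Explicitly Denied Process alerts from a batch of audit lines and reports which process names are still missing from the whitelist. It assumes, which the article does not state, that whitelist entries are matched on the executable basename and that parent and child processes each need their own entry; the sample alert lines are constructed.

```python
import re
from collections import defaultdict

# Pattern for the alert text shown in the Symptom section of this article.
ALERT_RE = re.compile(
    r'^(?P<child>\S+) launched by (?P<parent>\S+) and is not allowed by the '
    r'runtime rule\. Full command: (?P<cmd>.*)$'
)

# Constructed sample audit lines; the first one is the article's own alert.
SAMPLE_ALERTS = [
    '/usr/bin/uname launched by /var/lang/bin/python3.8 and is not allowed '
    'by the runtime rule. Full command: uname -p',
    '/usr/bin/uname launched by /bin/bash and is not allowed by the runtime '
    'rule. Full command: uname -m',
    '/bin/cat launched by /bin/bash and is not allowed by the runtime rule. '
    'Full command: cat /proc/cpuinfo',
]


def parse_alert(text):
    """Return (child, parent, command) from an Explicitly Denied Process alert."""
    m = ALERT_RE.match(text.strip())
    if not m:
        raise ValueError(f'not an Explicitly Denied Process alert: {text!r}')
    return m['child'], m['parent'], m['cmd']


def basename(path):
    """Executable name without its directory, e.g. /usr/bin/uname -> uname."""
    return path.rsplit('/', 1)[-1]


def children_by_parent(alert_lines):
    """Group denied child process names under the parent that launched them."""
    groups = defaultdict(set)
    for line in alert_lines:
        child, parent, _cmd = parse_alert(line)
        groups[basename(parent)].add(basename(child))
    return dict(groups)


def required_whitelist(alert_lines, current_whitelist):
    """Sorted process names still missing from the whitelist for these alerts.

    Assumption (not from the article): every process, parent or child, must
    match a whitelist entry of its own; whitelisting the parent alone leaves
    the child denied, so its basename is reported here.
    """
    missing = set()
    for line in alert_lines:
        child, parent, _cmd = parse_alert(line)
        for name in (basename(parent), basename(child)):
            if name not in current_whitelist:
                missing.add(name)
    return sorted(missing)
```

Run `required_whitelist(SAMPLE_ALERTS, {'bash', 'python3.8'})` to see that the child processes `cat` and `uname` still need entries of their own.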

