Why does the Prisma Cloud Defender have access to the HostPID and Host Network Namespace?
Symptom
Prisma Cloud Defender is being reported for the following compliance findings:
- 5515 - Do not share the host's process namespace
- 5059 - Do not share the host's network namespace
Environment
- Prisma Cloud Compute (Any Version)
- Prisma Cloud Defender (Any Version)
Cause
The Prisma Cloud Defender utilizes hostPID and hostNetwork to provide host protection capabilities (in addition to container protection), i.e., to monitor processes, file system access, and network activity on the host. hostPID is specifically used to access the host's process ID space, which allows Defender to access data for processes outside its own pod/cgroup. With otherwise default configurations in the DaemonSet.yaml, disabling hostPID causes the Defenders to disconnect from the Console entirely.
hostNetwork is also a minimum requirement in order to give the Defender full visibility and blocking capabilities for a host/node's network stack. Changing hostNetwork to false in the DaemonSet.yaml leaves the Defender unable to identify the host name, so it uses the Defender pod name instead. For example, within Manage > Defenders > Defenders: Deployed, you would, by default, be able to observe your Defenders by their respective node/hostname. With hostNetwork: false, the pod name is displayed instead.
These settings can be observed within the spec.hostPID and spec.hostNetwork sections of the DaemonSet.yaml downloaded from the Console prior to deployment:
hostPID: true
hostNetwork: true
Resolution
The Defender's permissions are carefully selected in order to avoid blind spots for potential attack vectors, and to use the least privilege required to execute its duties within the environment. hostNetwork and hostPID are essential to offer the functionality required to help maintain an effective security posture.
- Enable the Compliance Rule "Default - ignore Twistlock components" and order it first
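The following added example (not Prisma Cloud code) models the two host-namespace compliance checks listed under Symptom and shows why the ignore rule must be ordered first: rules are evaluated top-down and the first matching rule decides. The selector used to recognise "Twistlock components" (the twistlock namespace or an app label) and the second rule's name are assumptions.

```python
# Added example, not Prisma Cloud code: models checks 5515/5059 and ordered rule matching.
# The selector for "Twistlock components" (namespace / app label) is an assumption.

FINDINGS = {  # pod-spec field -> (compliance ID, title) as listed under Symptom
    "hostPID": (5515, "Do not share the host's process namespace"),
    "hostNetwork": (5059, "Do not share the host's network namespace"),
}


def pod_spec(manifest):
    """Pod spec of a bare Pod, or of the template inside a DaemonSet/Deployment."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def host_namespace_findings(manifest):
    """Compliance IDs that fire for this manifest (an explicit `true` only)."""
    ps = pod_spec(manifest)
    return sorted(fid for field, (fid, _) in FINDINGS.items() if ps.get(field) is True)


def is_twistlock_component(manifest):
    """Assumed selector for the 'Default - ignore Twistlock components' rule."""
    meta = manifest.get("metadata", {})
    return (meta.get("namespace") == "twistlock"
            or meta.get("labels", {}).get("app") == "twistlock-defender")


def evaluate(manifest, rules):
    """First matching rule wins; returns (rule name, action, findings reported)."""
    for name, selector, action in rules:
        if selector(manifest):
            found = host_namespace_findings(manifest) if action == "alert" else []
            return name, action, found
    return None, "alert", host_namespace_findings(manifest)


# Constructed manifests: a Defender-like DaemonSet and an unrelated application Pod.
DEFENDER_DS = {"kind": "DaemonSet",
               "metadata": {"name": "twistlock-defender-ds", "namespace": "twistlock"},
               "spec": {"template": {"spec": {"hostPID": True, "hostNetwork": True}}}}
APP_POD = {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
           "spec": {"hostPID": True}}

RULES = [  # ignore rule ordered first, as the Resolution advises
    ("Default - ignore Twistlock components", is_twistlock_component, "ignore"),
    ("Alert on host namespace sharing (hypothetical)", lambda m: True, "alert"),
]

if __name__ == "__main__":
    print(evaluate(DEFENDER_DS, RULES))        # Defender ignored, no findings
    print(evaluate(APP_POD, RULES))            # app Pod alerted on 5515
    print(evaluate(DEFENDER_DS, RULES[::-1]))  # ignore rule last: Defender is flagged
```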
Additional Information
The following documentation outlines the Defender architecture, as well as other useful information regarding Defender's implementation of a least privilege security design at a high level: