# Prisma Cloud Support for Docker DISA STIG

By [Paul Fox](https://www.paloaltonetworks.com/blog/author/paul-fox/?ts=markdown "Posts by Paul Fox"), Apr 28, 2021

The United States Department of Defense (DoD) was an early adopter of containerized technologies, and it continues its rapid adoption of microservices in all environments.
As part of that adoption and other overall cyber initiatives, the Defense Information Systems Agency (DISA), a DoD agency, collaborates with private industry to create Security Technical Implementation Guides (STIGs). These STIGs provide the DoD and other federal agencies with operational configuration guidance to harden computer systems and protect cyberinfrastructure that might otherwise be vulnerable to malicious computer attacks.

Recently, DISA collaborated with Docker, the container platform, to create the [Docker Enterprise 2.x Linux/UNIX STIG](https://www.docker.com/blog/docker-enterprise-first-disa-stig-container-platform/). The purpose of this STIG is to provide guidance for securing Docker and the supporting Linux and UNIX-based operating systems.

We're excited to announce that Prisma Cloud now supports the Docker DISA STIG compliance template, allowing users to monitor adherence to its specific policies.

## DISA STIG Compliance Template

The Prisma Cloud [Compliance Explorer](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/compliance_explorer.html) monitors and helps enforce industry standards, best practices and security compliance benchmarks across your organization's hosts, containers and serverless environments.

We have curated the checks within the Docker Enterprise 2.x Linux/UNIX STIG into a "DISA STIG" compliance template. When you create a new compliance policy and select the DISA STIG compliance template, you will automatically receive alerts based on the checks aligned with the STIG. You can then further modify your compliance policy to meet your organization's requirements.

![Setting alerts for DISA STIG framework policies in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-42.png)

We've added eight new compliance checks specifically for the DISA STIG template, in addition to 49 existing checks that already align with it. The remaining 43 STIG checks are not applicable. For example, STIG ID DKER-EE-002180: SAML integration must be enabled in Docker Enterprise.

The complete mapping of the STIG rules to the Prisma Cloud Compute compliance rules can be found [in our technical documentation](https://docs.twistlock.com/docs/government/government/government.html).

## How Compliance Checks Work

Prisma Cloud DISA STIG compliance checks can be applied to images, containers, and hosts. The template is available in the following compliance policies.

##### Images

Prisma Cloud will scan images as they are being built by developers. You can stop the development workflow of an image that does not comply with the DISA STIG. Following the example below, you can set Prisma Cloud to fail a Jenkins pipeline build of an image that does not define a USER instruction.

| **STIG ID** | **Rule Title** | **Compute Check #** | **STIG Severity** | **Compute Severity** |
|----------------|--------------------------------------------------------------------------------------------------------------|---------------------|-------------------|----------------------|
| DKER-EE-003200 | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. | 41 | CAT II | High |

**Step 1** Create a new policy in **Manage > Compliance > Containers and images > CI**, then apply the DISA STIG template and change rule #41 from **Alert** to **Fail**.

![Example of the DISA STIG rules, set to fail a build that violates the policy for rule 41.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-43.png)

**Step 2** Then, integrate vulnerability and compliance scanning into the [Jenkins environment](https://docs.twistlock.com/docs/compute_edition/continuous_integration/jenkins_plugin.html) and [pipeline](https://docs.twistlock.com/docs/compute_edition/continuous_integration/jenkins_pipeline_project.html).

The pipeline run will fail, and the developer will be notified as to why. It will appear in Jenkins:

![Failed Jenkins build that violates rule 41](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-44.png)

And within the Console's **Monitor > Compliance > Images > CI**:

![Alert for the failed Jenkins build in the Prisma Cloud Compute dashboard](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-45.png)

##### Containers

Next in the life of an application, Prisma Cloud will scan images and containers that are found on running nodes and stored in registries. Here is how to create an error alert for containers.

**Step 1** Create a new compliance rule in **Manage > Compliance > Containers and images > Deployed** and use the DISA STIG template to set the associated checks to alert.

**Step 2** Change rule 41 to **block**, which will halt a non-DISA STIG compliant image from launching as a container.

![Prisma Cloud rule set to block deploying images that violate rule 41](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-46.png)

If someone tries to run the image as a container, an error appears:

![Error message when attempting to deploy an image that violates a "block" rule](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-47.png)

**Step 3** You can view the event logs within **Monitor > Events > Docker audits**.

![Prisma Cloud Docker audit for the blocked Docker run](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-48.png)

##### Hosts

Prisma Cloud will also scan for host misconfigurations. Securing the hosts where containers run is paramount. One of the new compliance checks we added to Prisma Cloud is the ever "favorite" Federal Information Processing Standards (FIPS) enablement.

| **STIG ID** | **Rule Title** | **Compute Check #** | **STIG Severity** | **Compute Severity** |
|----------------|--------------------------------------------------------------------|---------------------|-------------------|----------------------|
| DKER-EE-001070 | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. | 701070 | CAT I | Medium |

**Step 1** Create a new compliance rule in **Manage > Compliance > Hosts** and use the DISA STIG template to set the associated checks to alert. Note the new check 701070, *FIPS mode must be enabled on all Docker Engine - Enterprise nodes*, which correlates to STIG ID: DKER-EE-001070.

![DISA STIG rule set with rule 701070 set to alert](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-49.png)

Remember, this STIG is for Docker Enterprise Edition, which is required to perform the FIPS enablement check.

![An example node that violates rule 701070](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-50.png)

## Conclusion

Palo Alto Networks has been -- and will continue to be -- a committed partner with our public sector customers. We know you operate highly regulated and controlled environments, and that new regulatory guidance is continually developed and published -- as is the case with the DISA Docker Enterprise 2.x Linux/UNIX STIG. The Prisma Cloud DISA STIG compliance template enables public sector customers to quickly assess and control their microservice environments based upon this guidance.

You can [download the Docker Enterprise 2.x Linux/UNIX STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V1R1_STIG.zip) directly from DISA's site for more information. Or if you are not yet a customer, you can [sign up for a personalized demo of Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud#specialist) to see the compliance functionality in action.
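
As an added example (not part of the original post and not Prisma Cloud's check logic), the script below approximates what rule 41 / DKER-EE-003200 from the Images section looks for, so a developer can catch a missing or root `USER` in the final build stage of a Dockerfile before the pipeline scan fails the build. The function names and sample Dockerfiles are hypothetical, and treating an explicit `USER root` or `USER 0` as a failure is an assumption of this example.

```python
ROOT_USERS = {"root", "0"}  # assumption: an explicit root USER fails like a missing one

def logical_lines(dockerfile):
    """Yield instructions with comments dropped and backslash continuations joined."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""

def final_stage_user(dockerfile):
    """Return the USER in effect at the end of the last build stage, or None."""
    named_stages = {}  # stage name -> USER in effect when that stage ended
    stage_name = user = None
    for instruction in logical_lines(dockerfile):
        keyword, *rest = instruction.split(None, 1)
        arg = rest[0].strip() if rest else ""
        if keyword.upper() == "FROM":
            if stage_name:
                named_stages[stage_name] = user
            tokens = [t for t in arg.split() if not t.startswith("--")]
            # FROM an earlier named stage inherits its USER; an external base
            # image starts with no USER that this file can vouch for.
            user = named_stages.get(tokens[0].lower()) if tokens else None
            has_alias = len(tokens) == 3 and tokens[1].upper() == "AS"
            stage_name = tokens[2].lower() if has_alias else None
        elif keyword.upper() == "USER" and arg:
            user = arg
    return user

def check_user_rule(dockerfile):
    """Return (status, detail) where status is PASS, WARN or FAIL."""
    user = final_stage_user(dockerfile)
    if user is None:
        return "FAIL", "final stage has no USER instruction"
    account = user.split(":", 1)[0]
    if account.startswith("$"):
        return "WARN", f"USER {user} is a build variable; inspect the built image"
    if account.lower() in ROOT_USERS:
        return "FAIL", f"final stage runs as {user}"
    return "PASS", f"final stage runs as {user}"

# Constructed sample Dockerfiles (not from the original post).
NO_USER = "FROM alpine:3.13\nRUN apk add --no-cache curl\n"
BUILDER_ONLY = """\
FROM golang:1.16 AS build
USER 1001
RUN go build -o /tmp/app ./...
FROM alpine:3.13
COPY --from=build /tmp/app /app
"""
INHERITED = """\
FROM alpine:3.13 AS base
RUN adduser -D -u 1001 app \\
    && mkdir /data
USER app:app
# the final stage reuses the earlier stage, so its USER still applies
FROM base
COPY app /app
"""
RESET_TO_ROOT = INHERITED + "USER 0\n"

if __name__ == "__main__":
    for name in ("NO_USER", "BUILDER_ONLY", "INHERITED", "RESET_TO_ROOT"):
        print(name, *check_user_rule(globals()[name]))
```

A Dockerfile-level check cannot see a `USER` inherited from an external base image, so the image scan in the pipeline remains the authoritative result.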