RASP Defender

RASP Defenders monitor your containers to ensure they execute as designed, protecting them from suspicious processes and outbound network connections. See the article on Defender types to learn when to deploy RASP Defenders.
RASP Defender policies let you define:
  • Process whitelists or blacklists. Enables verification of launched processes against policy.
  • Outgoing connections whitelists or blacklists. Enables verification of domain name resolution against policy for outgoing network connections.
Besides runtime policy, you can also configure the CNAF application firewall to protect front-end containers.
RASP Defender is the only supported option for securing containers at runtime when you’re using nested virtualization. Nested virtualization is also known as Docker-in-Docker. Docker-in-Docker is a setup where you have a Docker container that itself has Docker installed, and from within the container you use Docker to pull images, build images, run containers, and so on. To secure the containers inside a container, use RASP Defender.

Securing containers

To secure a container, embed the RASP Defender into it. The steps are:
  1. Define your policy in Prisma Cloud Console.
  2. Embed the RASP Defender into the container.
  3. Start the service.
You can embed RASP Defenders with the Console UI, twistcli, or the Prisma Cloud API. RASP Defender has been tested on Azure Container Instances, DC/OS (unified container runtime), PCF PAS, and Google Serverless containers.
The embed process takes a Dockerfile as input, and returns a ZIP file with an augmented Dockerfile and RASP Defender binaries. Rebuild your container image with the new Dockerfile to complete the embedding process. The embed process modifies the container’s entrypoint to run RASP Defender, which in turn starts the original entrypoint program.
When embedding RASP Defender, specify a unique identifier for your container image. This gives you a way to uniquely identify the RASP Defender in the environment.

Embed RASP Defender

Embed RASP Defender into a container image from Console’s UI.
Prerequisites:
  • The container where you’re embedding RASP Defender can reach Console’s port 8084 over the network.
  • You have the Dockerfile for your image.
  1. Open Console, and go to Manage > Defenders > Deploy.
  2. In the first drop-down list, select the DNS name or IP address that RASP Defender uses to connect to Console.
  3. In the second drop-down list, select the RASP Defender type.
  4. In Deployment Type, select Dockerfile.
  5. In Application ID, enter a unique identifier for the RASP Defender.
  6. In Dockerfile, click Choose File, and upload the Dockerfile for your container image.
  7. Click Create Embedded ZIP.
    A file named rasp_embed.zip is created and downloaded to your system.
  8. Unpack rasp_embed.zip.
    $ mkdir tmp
    $ unzip rasp_embed.zip -d tmp/
  9. Build the modified Docker image.
    $ cd tmp/
    $ docker build .
  10. Tag and push the updated image to your repository.

Embed RASP Defender manually

Embed RASP Defender into a container image manually. Modify your Dockerfile with the supplied information, download the RASP Defender binaries into the image’s build context, then rebuild the image.
Prerequisites:
  • The container where you’re embedding RASP Defender can reach Console over the network on port 8084.
  • The host where you’re updating your container image with RASP Defender can reach Console over the network on port 8083.
  • You have the Dockerfile for your image.
  1. Open Console, and go to Manage > Defenders > Deploy.
  2. In the first drop-down list, select the DNS name or IP address that RASP Defender uses to connect to Console.
  3. In the second drop-down list, select the RASP Defender type.
  4. In Deployment Type, select Manual. A set of instructions for embedding RASP Defender into your images is provided.
    1. Download the RASP Defender binaries into the directory that holds your image’s build context.
      $ curl -u <username> https://<CONSOLE>:8083/api/v1/images/twistl<CONSOLE>
    2. Retrieve the keys RASP Defender needs to connect to Console. This value will be set as the value for the INSTALL_BUNDLE environment variable in your Dockerfile.
      $ curl -k \
        -u <CONSOLE_ADMIN_USER> \
        https://<CONSOLE>:8083/api/v1/defenders/install-bundle
      The curl command returns a JSON object:
      {"bundle":"eyJj..."}
      Set INSTALL_BUNDLE to the value for bundle. For example:
      ENV INSTALL_BUNDLE="eyJj..."
    3. Open your Dockerfile for editing.
    4. In the Dockerfile, add the RASP Defender to the image.
      ADD twistlock_defender_rasp.tar.gz /twistlock/
    5. In the Dockerfile, add the specified environment variables. Replace the values for <RASP_DEFENDER_ID>, <CONSOLE>, and <INSTALL_BUNDLE>.
      ENV DEFENDER_TYPE="rasp"
      ENV RASP_DEFENDER_ID="my-app"
      ENV WS_ADDRESS="wss://<CONSOLE>:8084"
      ENV DATA_FOLDER="/twistlock/"
      ENV INSTALL_BUNDLE=""
    6. Modify the run or entrypoint command such that the command that starts your app is an argument to RASP Defender. For example, to start the hello program under the control of RASP Defender, specify the following entrypoint.
      ENTRYPOINT ["/twistlock/defender", "rasp", "hello"]
  5. Rebuild your image.
    $ docker build .
  6. Tag and push the updated image to your repository.
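The manual procedure above, automated as an added example (this is not Prisma Cloud's own tooling; twistcli rasp embed generates an equivalent Dockerfile). The helper names extract_bundle, fetch_install_bundle and embed_rasp are hypothetical, and the script assumes the original Dockerfile has a single exec-form ENTRYPOINT on one line.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: automate the manual embed
# steps above (fetch the install bundle, add the Defender binaries and
# environment variables, wrap the entrypoint). twistcli "rasp embed" produces
# an equivalent Dockerfile; this shows what that rewrite has to do.
# Assumption: the original Dockerfile has one exec-form ENTRYPOINT on a
# single line, e.g. ENTRYPOINT ["hello", "--port", "8080"].

# Pull the bundle string out of {"bundle":"..."} on stdin (no jq needed).
extract_bundle() { sed -n 's/.*"bundle":"\([^"]*\)".*/\1/p'; }

# Step 2 above: fetch the install bundle from Console (needs network access
# to Console on port 8083; prompts for the password like the curl in the doc).
fetch_install_bundle() {  # fetch_install_bundle <console_admin_user> <console>
  curl -k -u "$1" "https://$2:8083/api/v1/defenders/install-bundle" | extract_bundle
}

# Steps 4-6 above: write <out> from <in> with the Defender block inserted
# before the ENTRYPOINT and the original command passed as arguments to
# "/twistlock/defender rasp". Hypothetical helper name.
embed_rasp() {  # embed_rasp <in> <out> <console> <app_id> <install_bundle>
  awk -v console="$3" -v app_id="$4" -v bundle="$5" '
    function defender_block() {
      print "ADD twistlock_defender_rasp.tar.gz /twistlock/"
      print "ENV DEFENDER_TYPE=\"rasp\""
      print "ENV RASP_DEFENDER_ID=\"" app_id "\""
      print "ENV WS_ADDRESS=\"wss://" console ":8084\""
      print "ENV DATA_FOLDER=\"/twistlock/\""
      print "ENV INSTALL_BUNDLE=\"" bundle "\""
      done_block = 1
    }
    /^ENTRYPOINT[ \t]+\[/ && !seen {
      seen = 1
      if (!done_block) defender_block()
      sub(/^ENTRYPOINT[ \t]+\[/, "")   # keep the rest of the JSON array
      print "ENTRYPOINT [\"/twistlock/defender\", \"rasp\", " $0
      next
    }
    { print }
    END { if (!done_block) defender_block() }   # no ENTRYPOINT: block appended
  ' "$1" > "$2"
}
```

Run embed_rasp Dockerfile Dockerfile.rasp <CONSOLE> my-app "$(fetch_install_bundle <CONSOLE_ADMIN_USER> <CONSOLE>)" with twistlock_defender_rasp.tar.gz already in the build context, then docker build -f Dockerfile.rasp . as in step 5.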

Embed RASP Defender with twistcli

Prisma Cloud supports automation for embedding RASP Defender into container images with either twistcli or the API. This section shows you how to use twistcli. To learn how to use the API, see the API docs.
Prerequisites:
  • The container where you’re embedding RASP Defender can reach Console’s port 8084 over the network.
  • You have the Dockerfile for your image.
  1. Download twistcli.
    1. Log into Console, and go to
      Manage > System > Downloads
      .
    2. Download the twistcli binary for your platform.
  2. Generate the artifacts for an updated container with twistcli. A file named rasp_embed.zip is created.
    $ ./twistcli rasp embed \
      --user <USER> \
      --address "https://<CONSOLE>:8083" \
      --console-host <CONSOLE> \
      --app-id "<APP-ID>" \
      --data-folder "<DATA-FOLDER>" \
      Dockerfile
    • <USER> -- Name of a Prisma Cloud user with a minimum role of Defender Manager.
    • <CONSOLE> -- DNS name or IP address for Console.
    • <APP-ID> -- Unique identifier for the RASP Defender. For example, my-app.
    • <DATA-FOLDER> -- Readable and writable directory in the container’s filesystem. For example, /twistlock/.
  3. Unpack rasp_embed.zip.
    $ mkdir tmp
    $ unzip rasp_embed.zip -d tmp/
  4. Build the updated image.
    $ cd tmp/
    $ docker build .
  5. Tag and push the updated image to your repository.
