RASP Defender for Pivotal PAS apps

RASP Defenders monitor your droplets to ensure they execute as designed, protecting them from suspicious processes and outbound network connections. Droplets are Cloud Foundry’s unit of execution. Use the procedure documented here to embed RASP Defender into Pivotal Application Service (PAS) buildpack apps. To embed RASP Defender into Docker images that will run in PAS, see the standard RASP embed flow.
RASP Defender policies let you define:
  • Process whitelists or blacklists. Enables verification of launched processes against policy.
  • Outgoing connections whitelists or blacklists. Enables verification of domain name resolution against policy for outgoing network connections.
Besides runtime policy, you can also configure the CNAF application firewall to protect front-end droplets.

Securing droplets

To secure a droplet, embed the RASP Defender into it. The steps are:
  1. Define your policy in Prisma Cloud Console.
  2. Embed the RASP Defender into the droplet.
  3. Start the service.
When embedding RASP Defender, give it a unique identifier. This is how you distinguish that RASP Defender from every other one in your environment.

Embed RASP Defender into droplets

Embed RASP Defender into a droplet from Console’s UI.
Prerequisites:
  • The location where the droplet will run can reach Console over the network on port 8084.
  • The host where you’re embedding RASP Defender can reach Console over the network on port 8083.
  • You have installed the Cloud Foundry Command Line Interface (cf CLI).
  1. Create a working directory.
  2. Download and extract the droplet into the working directory.
  3. Open Console, and go to Manage > Defenders > Deploy.
  4. In the first drop-down list, select the DNS name or IP address that RASP Defender will use to connect to Console.
  5. In the second drop-down list, select the RASP Defender type.
  6. In Deployment Type, select Manual. A set of instructions for embedding RASP Defender into your droplet is provided.
  7. Download the RASP Defender binaries into your working directory.
    $ curl -u <username> https://<CONSOLE>:8083/api/v1/images/twistlock_defender_rasp.tar.gz -O
  8. Extract the files from the tarball, update the library’s permissions, and delete the tarball.
    $ tar xzvf twistlock_defender_rasp.tar.gz
    $ chmod 644 libtw.so
    $ rm twistlock_defender_rasp.tar.gz
  9. Retrieve the keys RASP Defender needs to connect to Console. This will be the value set in the INSTALL_BUNDLE environment variable.
    $ curl -k \
      -u <CONSOLE_ADMIN_USER> https://<CONSOLE>:8083/api/v1/defenders/install-bundle
    The curl command returns a JSON object:
    {"bundle":"eyJj..."}
    The value for INSTALL_BUNDLE will be set to the value for bundle. For example:
    INSTALL_BUNDLE: eyJj...
  10. Open your app’s manifest.yml for editing.
    1. Add the following environment variables to your application. Replace the values for <DEFENDER-ID> and <INSTALL-BUNDLE>. <DEFENDER-ID> is a user-defined value that uniquely identifies the RASP Defender in your environment. <INSTALL-BUNDLE> is the value retrieved in the previous step. The value for <WEB-SOCKET-ADDRESS> should already be correctly set.
      applications:
      - name: <NAME>
        ...
        env:
          DEFENDER_TYPE: rasp
          RASP_DEFENDER_ID: <DEFENDER-ID>
          WS_ADDRESS: <WEB-SOCKET-ADDRESS>
          DATA_FOLDER: /tmp
          INSTALL_BUNDLE: <INSTALL-BUNDLE>
      Do not use quotation marks around environment variable values.
      The value for DATA_FOLDER must be /tmp.
    2. Override the app’s default start command to run the RASP Defender instead. Pass the original command to RASP Defender as an argument.
      applications:
      - name: <NAME>
        command: defender rasp <MY-PROGRAM> --<MY-PROG-ARG1> --<MY-PROG-ARG2> ...
  11. Push the droplet to Pivotal Web Services.
    1. Log into Pivotal Web Services.
      $ cf login -a https://api.run.pivotal.io
    2. Set the target organization and space.
      $ cf target -o <ORG> -s <SPACE>
    3. Push the droplet.
      $ cf push
      You can override the start command in your app’s manifest file by passing the -c argument to cf push. This gives you a way to force-run the app with the original buildpack command if something goes wrong.
      $ cf push -c null
      If you want RASP Defender to start in subsequent runs, re-run cf push with the full command again, because the previously used start command is reused unless you explicitly specify otherwise.
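The following POSIX shell script is an added example, not part of the Prisma Cloud documentation or product, that automates the manifest portion of steps 9 and 10 above: it pulls the bundle value out of the install-bundle JSON response, writes the env block and the wrapped start command into a manifest.yml, and checks the two constraints the page states (no quotation marks around env values, DATA_FOLDER exactly /tmp). The app name, Defender ID, bundle string, start command and the wss://console.example.com:8084 WebSocket address are constructed placeholders; the WebSocket URL format is an assumption, so keep whatever value Console's Deploy page shows you.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs): generate and validate the
# manifest.yml additions for embedding RASP Defender into a PAS droplet.
# Every sample value below is a constructed placeholder.

# Extract the "bundle" value from the install-bundle response
# ({"bundle":"eyJj..."}) without requiring jq.
extract_bundle() {
    printf '%s\n' "$1" |
        sed -n 's/.*"bundle"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print a manifest.yml fragment: the RASP Defender env vars, plus the start
# command wrapped so that "defender rasp" launches the original program.
# Args: app name, Defender ID, WebSocket address, install bundle, original command
write_manifest() {
    app="$1"; defender_id="$2"; ws="$3"; bundle="$4"; original_cmd="$5"
    # Values are deliberately emitted unquoted, as the page requires.
    cat <<EOF
applications:
- name: $app
  command: defender rasp $original_cmd
  env:
    DEFENDER_TYPE: rasp
    RASP_DEFENDER_ID: $defender_id
    WS_ADDRESS: $ws
    DATA_FOLDER: /tmp
    INSTALL_BUNDLE: $bundle
EOF
}

# Return 0 when the manifest obeys the page's constraints, 1 otherwise:
#  - DATA_FOLDER is exactly /tmp
#  - no value under env: starts with a single or double quotation mark
check_manifest() {
    file="$1"
    grep -q '^    DATA_FOLDER: /tmp$' "$file" || return 1
    if sed -n '/^  env:/,$p' "$file" | grep -q "^    [A-Z_]*: *[\"']"; then
        return 1
    fi
    return 0
}

# --- constructed sample run (placeholder values, not a real bundle) ---
SAMPLE_JSON='{"bundle":"eyJjb25zb2xlIjoiZXhhbXBsZSJ9"}'
BUNDLE=$(extract_bundle "$SAMPLE_JSON")
TMP_MANIFEST=$(mktemp)
write_manifest my-app pas-rasp-01 wss://console.example.com:8084 "$BUNDLE" \
    "./start.sh --port 8080" > "$TMP_MANIFEST"
cat "$TMP_MANIFEST"
check_manifest "$TMP_MANIFEST" && echo "manifest OK"
rm -f "$TMP_MANIFEST"
```

Because the generated fragment places the Defender env vars and the wrapped command in one place, you can diff it against your existing manifest before running cf push; the check_manifest function is the part worth keeping in a pre-push hook, since a quoted INSTALL_BUNDLE or a DATA_FOLDER other than /tmp is the kind of mistake that only surfaces when the droplet starts.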
