Pivotal Cloud Foundry blobstore scanning
Prisma Cloud for Pivotal Cloud Foundry (PCF) scans the droplets in your blobstores for vulnerabilities.
PCF is a Platform as a Service (PaaS) that runs applications on your infrastructure. Applications in PCF are deployed, scaled, and monitored by BOSH, which is PCF’s infrastructure lifecycle management tool. PCF stores large binary files in blobstores. Blobstores are roughly equivalent to registries. One type of file stored in the blobstore is the droplet.
Droplets are archives that contain ready-to-run applications. They are roughly equivalent to container images. Droplets contain the OS stack, a buildpack (which contains the languages, libraries, and services used by the app), and custom app code. Before running an app on your infrastructure, the Cloud Controller stages it for delivery by combining the OS stack, buildpack, and source code into a droplet, then storing the droplet in a blobstore.
Prisma Cloud is packaged as a tile. When the tile is installed, it runs Defender as a PCF service in a dedicated VM on your infrastructure. Like all Defenders, the PCF Defender must be able to connect over the network to Prisma Cloud Console.
The twistcli command line tool also lets you scan droplet files directly. You can integrate twistcli into your CI pipeline to pass or fail builds based on vulnerability thresholds.
Install the PCF Defender
The PCF Defender is delivered as a tile. Go to the PCF Ops Manager Installation Dashboard to install the tile.
External blobstores that require a custom authentication flow, such as those offered by cloud providers, are not supported.
- In Prisma Cloud Console, go to Manage > System > Downloads, and download the PCF tile.
- In the Ops Manager Installation Dashboard, click Import a Product, and select the tile you downloaded.
- Retrieve the install command from Prisma Cloud Console. It’s used to configure the tile.
- Go to Manage > Defenders > Deploy.
- Choose the DNS name or IP address the PCF Defender will use to connect to Console. If a suitable option is not available, go to Manage > Defenders > Names, and add a DNS name or IP address to the SAN table.
- Set the Defender type to PCF.
- Leave the Defender listener type set to None.
- Copy the install command and set it aside.
- Go to the PCF Ops Manager Installation Dashboard.
- Add the Prisma Cloud tile to your staging area. Click the + button next to the version of the tile you want to install.
- Click the newly added Prisma Cloud for PCF tile.
- Configure the tile.
- In Assign AZs and Network Assignments, specify where Prisma Cloud Defender should run, then click Save.
  Prisma Cloud for PCF runs as a service. If you have a dedicated subnet for services, run it there.
  By default, Prisma Cloud performs strict validation of your Cloud Controller’s (CC) TLS certificate. If you’re using self-signed certificates, this check will fail. To add your custom certificates to the trusted cert list, add the custom CA’s certificate on the VM where the Prisma Cloud tile runs. For details on how to do this, refer to Pivotal’s trusted certificates article.
  To skip strict validation of the CC’s TLS certificate, enable Skip Cloud Controller TLS validation. Strict validation verifies the name, signer, and validity date of the CC’s certificate. Even with strict validation disabled, the session is still encrypted; only those identity checks are skipped. Skip strict validation when:
  - You’re using self-signed certificates.
  - You’re using certificates signed by a CA that isn’t in your cert store.
  - There’s a mismatch between the address you’re using to connect to the CC and the common name (CN) or subject alternative name (SAN) in the CC’s certificate.
- In Prisma Cloud Component Configuration, enter the install command you copied from Prisma Cloud Console, then click Save.
- In Credentials, select your preferred authentication method: Basic Authentication or Certificate-based Authentication.
  For Basic Authentication, enter your Prisma Cloud Console credentials, then click Save.
  For Certificate-based Authentication, paste the certificate and private key used for authentication in PEM format, then click Save.
  Notes:
  - For Certificate-based Authentication, the root CA used to sign the certificate used for authentication must be entered under Manage > Authentication > System Certificates > Advanced Certificate Configuration.
- Install the Prisma Cloud tile. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, select Prisma Cloud for PCF, then click Apply Changes.
- After the changes are applied, validate that Prisma Cloud Defender is running. Log into Prisma Cloud Console, then navigate to Manage > Defenders > Manage. In the table of deployed Defenders, you should see a Defender of type PCF.
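Before enabling Skip Cloud Controller TLS validation, it helps to know which of the three conditions listed above actually applies, because each has a different fix (add the CA to the VM's trust store, connect by the name in the certificate, or renew the certificate). The following added example, which is not Prisma Cloud or Pivotal code, reproduces the three checks the page attributes to strict validation (name, signer, validity date) over a certificate description shaped like Python's `ssl.SSLSocket.getpeercert()` output. The certificate dictionaries, the `trusted_issuers` set standing in for the VM's trust store, and the fixed "now" timestamp are all constructed for the example; it does not verify signatures, so it is a diagnostic aid, not a replacement for a TLS library.

```python
"""Diagnose why strict TLS validation of a Cloud Controller certificate would fail.

Added example (not Prisma Cloud or Pivotal code). It operates on the dict shape
returned by ssl.SSLSocket.getpeercert(), so it runs offline on a constructed
certificate description. It reproduces only the three checks named on the page:
name, signer (issuer present in the trust store) and validity date.
"""
import ipaddress
import ssl
import time


def _flatten_name(rdns):
    """Turn getpeercert()'s ((('commonName', 'x'),), ...) shape into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def _dns_match(pattern, host):
    """RFC 6125-style match: a single '*' is allowed only as the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert, address):
    """Does `address` (DNS name or IP literal) match the cert's SAN or CN?"""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in sans if k == "DNS"]
    ip_sans = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP literal: only an IP Address SAN entry counts.
        return any(ipaddress.ip_address(v) == ip for v in ip_sans)
    if dns_sans:
        # When DNS SAN entries exist, the CN is ignored (RFC 6125 behaviour).
        return any(_dns_match(p, address) for p in dns_sans)
    cn = _flatten_name(cert.get("subject", ())).get("commonName")
    return cn is not None and _dns_match(cn, address)


def diagnose(cert, address, trusted_issuers, now=None):
    """Return the reasons strict validation would reject `cert` for `address`.

    `trusted_issuers` is a set of issuer commonName values standing in for the
    CA certificates in the Defender VM's trust store (constructed stand-in).
    An empty result means all three checks pass and skipping validation is
    unnecessary.
    """
    now = time.time() if now is None else now
    reasons = []
    subject = _flatten_name(cert.get("subject", ()))
    issuer = _flatten_name(cert.get("issuer", ()))
    if not name_matches(cert, address):
        reasons.append("name mismatch: %s not in CN/SAN" % address)
    if issuer.get("commonName") not in trusted_issuers:
        # A self-signed cert is its own issuer; it passes only if that cert
        # itself has been added to the trust store, as the page recommends.
        if subject == issuer:
            reasons.append("self-signed certificate not in trust store")
        else:
            reasons.append("issuer %r not in trust store" % issuer.get("commonName"))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("certificate expired")
    return reasons


# Constructed sample, shaped like getpeercert() output; not a real certificate.
SELF_SIGNED_CC = {
    "subject": ((("commonName", "api.sys.pcf.example.internal"),),),
    "issuer": ((("commonName", "api.sys.pcf.example.internal"),),),
    "subjectAltName": (
        ("DNS", "api.sys.pcf.example.internal"),
        ("DNS", "*.sys.pcf.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}
# Same certificate, but issued by a (constructed) internal CA.
CA_SIGNED_CC = dict(SELF_SIGNED_CC, issuer=((("commonName", "Example Corp Internal CA"),),))
# Fixed clock so the example is deterministic.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert, trust in [
        ("self-signed, empty trust store", SELF_SIGNED_CC, set()),
        ("CA-signed, CA trusted", CA_SIGNED_CC, {"Example Corp Internal CA"}),
        ("CA-signed, connecting by wrong IP", CA_SIGNED_CC, {"Example Corp Internal CA"}),
    ]:
        addr = "10.0.0.7" if "wrong IP" in label else "api.sys.pcf.example.internal"
        print(label, "->", diagnose(cert, addr, trust, NOW) or "strict validation would pass")
```

Run it against the output of `getpeercert()` from a real connection (or the constructed samples above) and fix the reported condition where you can; enable Skip Cloud Controller TLS validation only when none of the fixes is available, since the identity checks it removes are exactly the ones listed.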
Configure Prisma Cloud to scan a blobstore
Prisma Cloud can scan internal and external blobstores, and blobstores configured to use the Fog Ruby gem or WebDAV protocol.
- Log into Prisma Cloud Console.
- Go to Defend > Vulnerabilities > PCF Blobstore.
- Click Add PCF Blobstore settings.
- Specify the cloud controller.
- Specify the droplets to scan. To scan all droplets, enter a wildcard (*).
- Specify the maximum number of droplets to scan. To scan all droplets, enter 0.
Review scan reports
Scan reports show all vulnerabilities found in the droplets in blobstores. By default, droplets are rescanned every 24 hours.
- Log into Prisma Cloud Console.
- Go to Monitor > Vulnerabilities > PCF Blobstore to see a list of summary reports for each droplet.
- To drill into a specific scan report, click on a row in the table.