End-of-Life (EoL)
Prisma Cloud Rules Guide - Docker
This article provides a list of all rules and their intended behavior in Prisma Cloud Console UI.
The purpose of this article is to help users better understand the intention of each rule in the Console and its corresponding effect on the host environment.
Running Docker commands through Defender
To access Docker daemon through Defender, you must explicitly specify Defender’s host and port.
For example:
$ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine
It is possible to make the management traffic between the Docker client and the Docker daemon flow through Defender by default via two environment variables.
These can be configured on a remote machine that accesses the Docker daemon on some host (such as a developer laptop), or on the host itself for users who do not have root privileges (which should be the majority of users).
$ export DOCKER_HOST=tcp://<defender host address>:9998
$ export DOCKER_TLS_VERIFY=1
Once set, default calls to Docker flow through Defender (e.g., docker ps, docker run alpine).
Throughout this guide, however, we have used the explicit -H form of the command rather than setting these environment variables.
About this reference environment
This guide is designed as a reference document for all access rule policies listed in the Prisma Cloud Console and their intended effect on the host environment.
These commands are run from a Docker client to a Prisma Cloud Defender using the access control feature.
Access control rules can be configured at
Defend > Access > Docker.
We have organized this document using the same structure as the Prisma Cloud product UI, which follows the structure in the Docker Remote API documentation.
Note that there may be minor differences in structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v1.24 and will be updated periodically with new releases.
For illustration, every rule is set to deny and the resulting effect on the host environment is recorded.
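The two passages above describe how a Docker client reaches the daemon through Defender and how this guide records the effect of each deny rule. The following script is an added example, not part of the original guide and not Prisma Cloud's own tooling: it replays Docker subcommands through Defender and parses the denial message quoted throughout this guide to report which rule blocked each call, so a policy change can be verified command by command. It assumes Defender listens on port 9998 with TLS, that the client certificates are found through the standard DOCKER_CERT_PATH variable, and the placeholder address 10.0.0.1 and container name ubuntu_bash used elsewhere in this guide; the DEFENDER_HOST, DEFENDER_PORT, DOCKER_BIN and RUN_AGAINST_DEFENDER variables are this example's own.

```shell
#!/bin/sh
# Added example for this guide (not Prisma Cloud's own tooling): replay Docker
# subcommands through Defender and record which access rule denied each one.
# Assumptions (not stated in the guide): Defender listens on $DEFENDER_HOST:9998
# with TLS, client certificates are in $DOCKER_CERT_PATH, and denials use the
# message format quoted throughout this guide:
#   [Prisma Cloud] The command <command> denied for user <user> by rule <rule name>

DEFENDER_HOST="${DEFENDER_HOST:-10.0.0.1}"   # assumed Defender address
DEFENDER_PORT="${DEFENDER_PORT:-9998}"       # Defender's Docker access port
DOCKER_BIN="${DOCKER_BIN:-docker}"           # override to point at a stub for dry runs

# parse_denial TEXT
# Prints "<command>|<user>|<rule>" for the first Prisma Cloud denial line found
# in TEXT and returns 0; prints nothing and returns 1 if there is no denial.
parse_denial() {
    printf '%s\n' "$1" \
      | sed -n 's/^\[Prisma Cloud\] The command \([^ ]*\) denied for user \([^ ]*\) by rule \(.*\)$/\1|\2|\3/p' \
      | head -n 1 \
      | grep .
}

# denied_by TEXT
# Prints only the rule name that produced the denial; returns 1 if none.
denied_by() {
    parsed=$(parse_denial "$1") || return 1
    printf '%s\n' "${parsed##*|}"
}

# run_rule NAME DOCKER_ARGS...
# Runs one docker subcommand through Defender and prints a one-line verdict.
run_rule() {
    name="$1"; shift
    status=0
    out=$("$DOCKER_BIN" -H "$DEFENDER_HOST:$DEFENDER_PORT" --tlsverify "$@" 2>&1) || status=$?
    if rule=$(denied_by "$out"); then
        printf '%-20s DENIED   by rule "%s"\n' "$name" "$rule"
    elif [ "$status" -eq 0 ]; then
        printf '%-20s ALLOWED\n' "$name"
    else
        # Non-zero exit without a Prisma Cloud denial: a Docker or transport error
        printf '%-20s ERROR    %s\n' "$name" "$(printf '%s' "$out" | head -n 1)"
    fi
}

# Replay the container rules covered by this section. Guarded so the script can
# be sourced or tested without a reachable Defender.
if [ "${RUN_AGAINST_DEFENDER:-0}" = "1" ]; then
    run_rule container_list    ps
    run_rule container_create  create alpine
    run_rule container_inspect inspect ubuntu_bash
    run_rule container_top     top ubuntu_bash
    run_rule container_logs    logs ubuntu_bash
    run_rule container_changes diff ubuntu_bash
    run_rule container_stats   stats --no-stream ubuntu_bash
    run_rule container_pause   pause ubuntu_bash
    run_rule container_unpause unpause ubuntu_bash
fi
```

Run it with RUN_AGAINST_DEFENDER=1 after exporting DOCKER_CERT_PATH; each line names the rule that fired, which is the value to compare against the rule configured under Defend > Access > Docker. Only the first denial line is parsed, so trailing Docker error text (as in the container_rename response later in this guide) does not leak into the rule name.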
Defend access rules
Navigate to
Defend > Access > Docker.
Containers
For more information about the Docker API for containers, see https://docs.docker.com/engine/api/v1.30/#tag/Container.
container_list - List containers
Affects the docker ps command on the host, which is used to list running containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify ps
Response:
[Prisma Cloud] The command container_list denied for user admin by rule Deny
container_create - Create a container
Affects the docker create command, which is used to create a new container.
Command:
docker -H 10.0.0.1:9998 --tlsverify create morello/docker-whale
Response:
[Prisma Cloud] The command container_create denied for user admin by rule Deny
container_inspect - Inspect a container
Affects the docker inspect command, which returns detailed information about a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify inspect ubuntu_bash2
Response:
[Prisma Cloud] The command container_inspect denied for user admin by rule inspect
container_top - List processes running inside a container
Affects the docker top command, which displays the processes running inside a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify top ubuntu_bash
Response:
[Prisma Cloud] The command container_top denied for user admin by rule Deny
container_logs - Get container logs
Affects the docker logs command, which returns the logs the container has produced up to the time of execution.
Command:
docker -H 10.0.0.1:9998 --tlsverify logs ubuntu_bash2
Response:
[Prisma Cloud] The command container_logs denied for user admin by rule logs
container_changes - Inspect changes on a container’s filesystem
Affects the docker diff command, which lists the files and directories changed on a container's filesystem (the containers/{id}/changes API endpoint). The example recorded here ran docker commit instead; as the response shows, that call is matched by the separate container_commit rule.
Command:
docker -H 10.0.0.1:9998 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3
Response:
[Prisma Cloud] The command container_commit denied for user admin by rule commit
container_export - Export a container
Affects the docker export command, which exports a container's filesystem as a tar archive.
Command:
docker -H 10.0.0.1:9998 --tlsverify export twistlock_console -o saved.tar
Response:
[Prisma Cloud] The command container_export denied for user admin by rule export
container_stats - Get container stats based on resource usage
Affects the docker stats command on the host, which returns a live stream of resource usage data for running containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify stats silly_stallman
Response:
[Prisma Cloud] The command container_stats denied for user admin by rule status
container_resize - Resize a container
Affects the TTY resize request that the Docker client sends for a container with an attached TTY, for example when the terminal window is resized during docker run -it or docker attach. The request sets the size of the TTY window through which the container's output is returned.
Command:
Response:
container_start - Start a container
Affects the docker start command, which is used to start one or more stopped containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify start ubuntu_bash
Response:
[Prisma Cloud] The command container_start denied for user admin by rule Deny all
container_stop - Stop a container
Affects the docker stop command, which is used to stop a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify stop ubuntu_bash
Response:
[Prisma Cloud] The command container_stop denied for user admin by rule Deny
container_restart - Restart a container
Affects the docker restart command on the host, which is used to restart a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify restart ubuntu_bash
Response:
[Prisma Cloud] The command container_restart denied for user admin by rule Deny
container_kill - Kill a container
Affects the docker kill command, which is used to kill a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify kill ubuntu_bash
Response:
[Prisma Cloud] The command container_kill denied for user admin by rule Deny
container_rename - Rename a container
Affects the docker rename command on the host, which is used to rename a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify rename ubuntu_bash ubuntu
Response:
[Prisma Cloud] The command container_rename denied for user admin by rule Deny
Error: failed to rename container named ubuntu_bash
container_pause - Pause a container
Affects the docker pause command on the host, which is used to pause all processes within one or more containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify pause focused_cori
Response:
[Prisma Cloud] The command container_pause denied for user admin by rule Deny
container_unpause - Unpause a container
Affects the docker unpause command on the host, which is used to resume all processes in a paused container.
Command:
docker -H 10.0.0.1:9998 --tlsverify unpause silly_stallman
Response:
[Prisma Cloud] The command container_unpause denied for user admin by rule unpause
container_attach - Attach to a container
Affects the docker attach command on the host where Defender is deployed, which attaches the local terminal to a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify attach mycontainer
Response:
[Prisma Cloud] The command container_attach denied for user admin by rule attach
persistent connection closed
container_attachws - Attach to a container (websocket)
Affects clients that attach to a container by its ID over the websocket variant of the attach endpoint (the Docker CLI's docker attach uses the non-websocket endpoint covered by container_attach). The endpoint implements the websocket protocol handshake according to RFC 6455.
Command:
docker -H 10.0.0.1:9998 --tlsverify attach mycontainer
Response: