App-Embedded Defender
App-Embedded Defenders monitor your containers to ensure they execute as designed, protecting them from suspicious processes and outbound network connections.
See the article on Defender types to learn when to deploy App-Embedded Defenders.
App-Embedded Defender policies let you define:
- Process allow or deny lists. Enables verification of launched processes against policy.
- Outgoing connections allow or deny lists. Enables verification of domain name resolution against policy for outgoing network connections.
Besides runtime policy, you can also configure the WAAS application firewall to protect front-end containers.
App-Embedded Defender is the only supported option for securing containers at runtime when you’re using nested virtualization. Nested virtualization is also known as Docker-in-Docker.
Docker-in-Docker is a setup where you have a Docker container that itself has Docker installed, and from within the container you use Docker to pull images, build images, run containers, and so on.
To secure the containers inside a container, use App-Embedded Defender.

Securing containers
To secure a container, embed the App-Embedded Defender into it.
You can embed App-Embedded Defenders with the Console UI, twistcli, or Prisma Cloud API.
App-Embedded Defender has been tested on Azure Container Instances, Google Cloud Run, and Fargate on EKS.
The steps are:
- Define your policy in Prisma Cloud Console.
- Embed the App-Embedded Defender into the container.
- Start the service.
The embed process takes a Dockerfile as input, and returns a ZIP file with an augmented Dockerfile and App-Embedded Defender binaries.
Rebuild your container image with the new Dockerfile to complete the embedding process.
The embed process modifies the container’s entrypoint to run App-Embedded Defender, which in turn starts the original entrypoint program.
When embedding App-Embedded Defender, specify a unique identifier for your container image.
This gives you a way to uniquely identify the App-Embedded Defender in the environment.
When securing your apps with runtime rules, target rules to apps using the App ID.
(Because the App-Embedded Defender runs inside the container, it can’t reliably get information such as image and container names.)

Embed App-Embedded Defender
Embed App-Embedded Defender into a container image from Console’s UI.
Prerequisites:
- The container where you’re embedding App-Embedded Defender can reach Console over the network on port 8084.
- The host where you’re updating your container image with App-Embedded Defender can reach Console over the network on port 8083.
- You have the Dockerfile for your image.
- Open Console, and go to Manage > Defenders > Deploy.
- Select the DNS name or IP address that App-Embedded Defender uses to connect to Console.
- Select the App-Embedded Defender type.
- In Deployment Type, select Dockerfile.
- In Application ID, enter a unique identifier for the App-Embedded Defender.
- In Dockerfile, click Choose File, and upload the Dockerfile for your container image.
- Click Create Embedded ZIP. A file named app_embedded_embed_help.zip is created and downloaded to your system.
- Unpack app_embedded_embed_help.zip:
  $ mkdir tmp
  $ unzip app_embedded_embed_help.zip -d tmp/
- Build the modified Docker image:
  $ cd tmp/
  $ docker build .
- Tag and push the updated image to your repository.
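The Console-UI procedure above as a script, added here as an example and not Prisma Cloud's own tooling: it unpacks the ZIP, confirms that the augmented Dockerfile's ENTRYPOINT actually changed (the embed works by rewriting it so the Defender starts the original entrypoint), then builds, tags and pushes. It assumes the ZIP unpacks the augmented Dockerfile as tmp/Dockerfile, that nc is installed for the Console port probe, and uses a placeholder CONSOLE_HOST.

```shell
#!/bin/sh
# Added example, not Prisma Cloud tooling: wraps the Console-UI embed steps
# with two checks worth running before pushing the image.
# Assumptions: the ZIP unpacks the augmented Dockerfile as tmp/Dockerfile,
# nc is installed for the port probe, and CONSOLE_HOST is a placeholder.

CONSOLE_HOST="${CONSOLE_HOST:-console.example.invalid}"
ZIP_NAME="app_embedded_embed_help.zip"

# Print the effective ENTRYPOINT of a Dockerfile (Docker honours the last one).
dockerfile_entrypoint() {
    awk 'toupper($1) == "ENTRYPOINT" { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); ep = $0 }
         END { print ep }' "$1"
}

# Succeed only if the augmented Dockerfile ($2) has an ENTRYPOINT that differs
# from the original ($1): the Defender must now sit in front of the app.
entrypoint_rewritten() {
    orig=$(dockerfile_entrypoint "$1")
    new=$(dockerfile_entrypoint "$2")
    [ -n "$new" ] && [ "$orig" != "$new" ]
}

# Prerequisite probe: the build host needs Console on 8083, the container
# needs it on 8084. Run from each vantage point before embedding.
console_port_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Unpack, verify the entrypoint rewrite, then build, tag and push.
embed_and_build() {   # $1 = original Dockerfile, $2 = image tag to push
    mkdir -p tmp
    unzip -o "$ZIP_NAME" -d tmp/
    if ! entrypoint_rewritten "$1" tmp/Dockerfile; then
        echo "ENTRYPOINT unchanged in tmp/Dockerfile; inspect it before building" >&2
        return 1
    fi
    (cd tmp/ && docker build -t "$2" .)
    docker push "$2"
}

# Run the workflow only when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    console_port_reachable "$CONSOLE_HOST" 8083 || \
        echo "warning: Console port 8083 not reachable from this host" >&2
    embed_and_build "$1" "$2"
fi
```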
Embed App-Embedded Defender manually
Embed App-Embedded Defender into a container image manually.
Modify your Dockerfile with the supplied information, download the App-Embedded Defender binaries into the image’s build context, then rebuild the image.
Prerequisites: