Prisma Cloud Rules Guide - Docker

This article provides a list of all rules and their intended behavior in Prisma Cloud Console UI. The purpose of this article is to help users better understand the intention of each rule in the Console and it’s corresponding effect on the host environment.

Running Docker commands through Defender

To access Docker daemon through Defender, you must explicitly specify Defender’s host and port. For example:
$ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine
It is possible to make the management traffic between the Docker client and the Docker daemon flow through Defender by default via two environment variables. Those can be configured on a remote machine that accesses Docker daemon on some host (such as dev laptop), or the host itself for users who do not have root privileges (which should be the majority of users).
$ export DOCKER_HOST=tcp://<defender host address>:9998
$ export DOCKER_TLS_VERIFY=1
Once set, default calls to Docker flow through Defender (e.g., docker ps, docker run alpine). Throughout this guide however, in this guide, we have followed the default command without setting environment variables.

About this reference environment

This guide is designed as a reference document for all access rule policies enlisted in Prisma Cloud Console and their intended affect on host environment. These commands are run from a Docker client to a Prisma Cloud Defender using the access control feature. Access control rules can be configured at
Defend > Access > Docker
.
We have organized this document using the same structure as the Prisma Cloud product UI, which follows the structure in the Docker Remote API documentation. Note that there may be minor differences in the structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v 1.24 and will be updated periodically with new releases.
For understanding purposes all rules are set to deny and their corresponding influence on host environment is recorded.

Defend access rules

Navigate to
Defend > Access > Docker
.

Containers

For more information about the Docker API for containers, see https://docs.docker.com/engine/api/v1.30/#tag/Container.

container_list - List containers

Affects docker ps command on host which is used to list all running containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify ps
Response:
[Prisma Cloud] The command container_list denied for user admin by rule Deny

container_create - Create a container

Affects docker create command used to create a new container.
Command:
docker -H 10.0.0.1:9998 --tlsverify create morello/docker-whale
Response:
[Prisma Cloud] The command container_create denied for user admin by rule Deny

container_inspect - Inspect a container

Affects docker inspect command used for returning information about the container.
Command:
docker -H 10.0.0.1 --tlsverify inspect ubuntu_bash2
Response:
[Prisma Cloud] The command container_inspect denied for user admin by rule inspect

container_top - List processes running inside a container

Affects docker top command used to display the running processes of a container
Command:
docker -H 10.0.0.1:9998 --tlsverify top ubuntu_bash
Response:
[Prisma Cloud] The command container_top denied for user admin by rule Deny

container_logs - Get container logs

Affects docker logs command used for returning logs from the container present at the time of execution.
Command:
docker -H 10.0.0.1 --tlsverify logs ubuntu_bash2
Response:
[Prisma Cloud] The command container_logs denied for user admin by rule logs

container_changes - Inspect changes on a container’s filesystem

Affect docker commit command and restricts any changes to the container.
Command:
docker -H 10.0.0.1 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3
Response:
[Prisma Cloud] The command container_commit denied for user admin by rule commit

container_export - Export a container

Affects docker export command that exports a container’s filesystem as a tar archive
Command:
docker -H 10.0.0.1:9998 --tlsverify export twistlock_console -o saved.tar
Response:
[Prisma Cloud] The command container_export denied for user admin by rule export

container_stats - Get container stats based on resource usage

Affects docker stats command on host which returns live data stream for running containers.
Command:
docker -H 10.0.0.1 --tlsverify stats silly_stallman
Response:
[Prisma Cloud] The command container_stats denied for user admin by rule status

container_resize - Resize a container

Affects docker logs command used for returning logs from the container present at the time of execution. This related to the size of the window of how output is returned from the container. It is called TTY.
Command:
Response:

container_start - Start a container

Affects docker start command used to start one or more stopped containers
Command:
docker -H 10.0.0.1:9998 --tlsverify start ubuntu_bash
Response:
[Prisma Cloud] The command container_start denied for user admin by rule Deny all

container_stop - Stop a container

Affects docker stop command used to stop running container
Command:
docker -H 10.0.0.1:9998 --tlsverify stop ubuntu_bash
Response:
[Prisma Cloud] The command container_stop denied for user admin by rule Deny

container_restart - Restart a container

Affects docker restart command on host, used to restart a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify restart ubuntu_bash
Response:
[Prisma Cloud] The command container_restart denied for user admin by rule Deny

container_kill - Kill a container

Affects docker kill command used to kill a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify kill ubuntu_bash
Response:
[Prisma Cloud] The command container_kill denied for user admin by rule Deny

container_rename - Rename a container

Affects docker rename command on host that is used to rename a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify rename ubuntu_bash unbuntu
Response:
[Prisma Cloud] The command container_rename denied for user admin by rule Deny Error: failed to rename container named ubuntu_bash

container_pause - Pause a container

Affects docker pause command on host which is used to pause all processes within one or more containers.
Command:
docker -H 10.0.0.1 --tlsverify pause focused_cori
Response:
[Prisma Cloud] The command container_pause denied for user admin by rule Deny

container_unpause - Unpause a container

Affects docker unpause command on host which is used to un-suspend all processes in a container.
Command:
docker -H 10.0.0.1 --tlsverify unpause silly_stallman