Twistcli sandbox run third-party assessment tool.
In the Lagrange release (v22.12+) the twistcli image analysis sandbox capability allows for the execution of third-party assessment tools.
You can supply a third-party binary/script that is executed after the twistcli sandbox image analysis is completed.
The output of the third-party tool can be captured within a volume mount for further analysis.
Twistcli sandbox analysis occurs within a temporary container of the image under examination.
No modifications are made to the image under analysis.
In this example we use the OpenSCAP utility to run the ComplianceAsCode v0.1.65 RHEL 8 STIG profile against a Red Hat Universal Base Image 8 (UBI 8) image.
- On the host on which the twistcli sandbox analysis will run, create the directory /opt/sandbox.
- Download the latest ComplianceAsCode release, extract ssg-rhel8-ds.xml and copy it to the /opt/sandbox directory.
- Copy the following bash script to /opt/sandbox/openscap_analysis.sh:

```bash
#!/bin/bash
# Install tools and OpenSCAP
yum update -y -q
yum install -y -q openscap-scanner
# Run OpenSCAP scan
# Note: HTML and XML OSCAP output files are written to the host mounted directory
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --report /opt/sandbox/openscap_sandbox_stig.html \
  --results /opt/sandbox/openscap_sandbox_stig.xml \
  /opt/sandbox/ssg-rhel8-ds.xml
```

- Set the executable flag on openscap_analysis.sh:

```bash
$ chmod +x /opt/sandbox/openscap_analysis.sh
```

- Execute the twistcli sandbox analysis of the ubi:8.7-1037 image with the following command:

```bash
linux/twistcli sandbox \
  --address https://127.0.0.1:8083 \
  --volume /opt/sandbox:/opt/sandbox \
  --third-party-delay 5s \
  --third-party-cmd /opt/sandbox/openscap_analysis.sh \
  --third-party-output /opt/sandbox/oscap-results.txt \
  registry.access.redhat.com/ubi8/ubi:8.7-1037
```

Where:
- --volume /opt/sandbox:/opt/sandbox - mounts the host's /opt/sandbox directory into the running container at /opt/sandbox. The files needed to execute the OpenSCAP scan are read from this directory and the output of the script is written to it.
- --third-party-delay 5s - the delay between completion of the sandbox analysis and execution of the third-party script.
- --third-party-cmd /opt/sandbox/openscap_analysis.sh - the third-party script or binary that is executed inside the temporary container once the analysis completes.
- --third-party-output /opt/sandbox/oscap-results.txt - path to which the script's stdout is written.
The following output files are written to the host's /opt/sandbox directory:
- openscap_sandbox_stig.html - OSCAP report output.
- openscap_sandbox_stig.xml - OSCAP results output.
- oscap-results.txt - stdout captured during the execution of openscap_analysis.sh.
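The results file is what you will usually act on after the sandbox run, for example to fail a pipeline when the image has high-severity STIG findings. The following Python script is an added example, not part of the original page or of twistcli; it parses the XCCDF results document that `oscap xccdf eval --results` writes (the TestResult element with one rule-result per rule) and summarizes it. The embedded XML is a constructed minimal sample with placeholder rule ids, not output from a real scan, and the `gate()` policy (block on any "high" failure) is an assumption you would tune to your own baseline.

```python
"""Summarize an OpenSCAP XCCDF results file produced by a twistcli sandbox third-party run."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: the shape oscap writes with --results, but with placeholder
# rule ids (xccdf_example_rule_*), not real RHEL 8 STIG rule identifiers.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
    <rule-result idref="xccdf_example_rule_a" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_b" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_c" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_d" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_e" severity="low"><result>notchecked</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">40.000000</score>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return (profile_id, [(rule_id, severity, result), ...]) from an XCCDF 1.2 results document."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = test_result.find("x:profile", XCCDF_NS)
    profile_id = profile.get("idref") if profile is not None else None
    rows = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return profile_id, rows


def result_counts(rows):
    """Count rules per outcome (pass, fail, notapplicable, notchecked, ...)."""
    return dict(Counter(res for _, _, res in rows))


def failing_rules(rows):
    """Failed rules ordered high -> medium -> low, then by rule id."""
    fails = [(rid, sev) for rid, sev, res in rows if res == "fail"]
    return sorted(fails, key=lambda t: (SEVERITY_ORDER.get(t[1], 99), t[0]))


def gate(rows, block_on=("high",)):
    """Assumed CI policy: True (image acceptable) only if no rule at a blocking severity failed."""
    return not any(sev in block_on for _, sev in failing_rules(rows))


def report(xml_text):
    """Human-readable summary; returns the lines so callers can log or print them."""
    profile_id, rows = parse_results(xml_text)
    lines = [f"profile: {profile_id}", f"counts: {result_counts(rows)}"]
    for rid, sev in failing_rules(rows):
        lines.append(f"FAIL [{sev}] {rid}")
    lines.append("gate: " + ("PASS" if gate(rows) else "BLOCK"))
    return lines


if __name__ == "__main__":
    # Usage: python summarize_oscap.py /opt/sandbox/openscap_sandbox_stig.xml
    # With no argument the constructed sample above is summarized.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print("\n".join(report(text)))
```

Run it on the host against /opt/sandbox/openscap_sandbox_stig.xml after the sandbox run finishes; the rule-result elements are read from the results document rather than from oscap-results.txt because stdout is not a stable interface, while the XCCDF result vocabulary (pass, fail, notapplicable, notchecked, error) is.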