App Embedded Defender for Pivotal PAS apps

App Embedded Defenders monitor your droplets to ensure they execute as designed, protecting them from suspicious processes and outbound network connections. Droplets are Cloud Foundry’s unit of execution. Use the procedure documented here to embed App Embedded Defender into Pivotal Application Service (PAS) buildpack apps. To embed App Embedded Defender into Docker images that will run in PAS, see the standard App Embedded embed flow.
App Embedded Defender policies let you define:
  • Process allow or deny lists. Enables verification of launched processes against policy.
  • Outgoing connections allow or deny lists. Enables verification of domain name resolution against policy for outgoing network connections.
Besides runtime policy, you can also configure the CNAF application firewall to protect front-end droplets.

Securing droplets

To secure a droplet, embed the App Embedded Defender into it. The steps are:
  1. Define your policy in Prisma Cloud Console.
  2. Embed the App Embedded Defender into the droplet.
  3. Start the service.
When embedding App Embedded Defender, specify a unique identifier for it. This gives you a way to uniquely identify the App Embedded Defender in the environment.

Embed App Embedded Defender into droplets

Embed App Embedded Defender into a droplet from Console’s UI.
Prerequisites:
  • The location where the droplet will run can reach Console over the network on port 8084.
  • The host where you’re embedding App Embedded Defender can reach Console over the network on port 8083.
  • You have installed the Cloud Foundry Command Line Interface (cf CLI).
  1. Create a working directory.
  2. Download and extract the droplet into the working directory.
  3. Open Console, and go to Manage > Defenders > Deploy.
  4. In the first drop-down list, select the DNS name or IP address that App Embedded Defender will use to connect to Console.
  5. In the second drop-down list, select the App Embedded Defender type.
  6. In Deployment Type, select Manual. A set of instructions for embedding App Embedded Defender into your droplet is provided.
  7. Download the App Embedded Defender binaries into your working directory.
    $ curl -u <username> https://<CONSOLE>:8083/api/v1/images/twistlock_defender_app_embedded.tar.gz -O
  8. Extract the files from the tarball, update the library’s permissions, and delete the tarball.
    $ tar xzvf twistlock_defender_app_embedded.tar.gz
    $ chmod 644 libtw.so
    $ rm twistlock_defender_app_embedded.tar.gz
  9. Retrieve the keys App Embedded Defender needs to connect to Console. This will be the value set in the INSTALL_BUNDLE environment variable.
    $ curl -k \
        -u <CONSOLE_ADMIN_USER> https://<CONSOLE>:8083/api/v1/defenders/install-bundle
    The curl command returns a JSON object:
    {"bundle":"eyJj..."}
    The value for INSTALL_BUNDLE will be set to the value for bundle. For example:
    INSTALL_BUNDLE: eyJj...
  10. Open your app’s manifest.yml for editing.
    1. Add the following environment variables to your application. Replace the values for <DEFENDER-ID> and <INSTALL-BUNDLE>. <DEFENDER-ID> is a user-defined value that uniquely identifies the App Embedded Defender in your environment. <INSTALL-BUNDLE> is the value retrieved in the previous step. The value for <WEB-SOCKET-ADDRESS> should already be correctly set.
      applications:
      - name: <NAME>
        ...
        env:
          DEFENDER_TYPE: appEmbedded
          DEFENDER_ID: <DEFENDER-ID>
          WS_ADDRESS: <WEB-SOCKET-ADDRESS>
          DATA_FOLDER: /tmp
          INSTALL_BUNDLE: <INSTALL-BUNDLE>
      Do not use quotation marks around environment variable values.
      The value for DATA_FOLDER must be /tmp.
    2. Override the app’s default start command to run the App Embedded Defender instead. Pass the original command to App Embedded Defender as an argument.
      applications:
      - name: <NAME>
        command: defender app-embedded <MY-PROGRAM> --<MY-PROG-ARG1> --<MY-PROG-ARG2> ...
  11. Push the droplet to Pivotal Web Services.
    1. Log into Pivotal Web Services.
      $ cf login -a https://api.run.pivotal.io
    2. Set the target organization and space.
      $ cf target -o <ORG> -s <SPACE>
    3. Push the droplet.
      $ cf push
      You can override the start command in your app’s manifest file by passing the -c argument to cf push. This gives you a way to force-run the app with the original buildpack command if something goes wrong.
      $ cf push -c null
      If you want App Embedded Defender to start in subsequent runs, re-run cf push with the full command again, because the previously used start command is reused unless you explicitly specify otherwise.
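The manifest edits in step 10 have rules that cf push will not enforce for you (no quotation marks around env values, DATA_FOLDER exactly /tmp, the start command wrapped by defender app-embedded). The following preflight check is an added example written for this page, not Prisma Cloud or Cloud Foundry tooling; it reads a manifest.yml with a small line-based reader (so it needs no YAML library and can still see quotes) and reports every rule the steps above state. The sample manifest is constructed and deliberately breaks two of the rules.

```python
# Constructed sample manifest (not from the docs page) that breaks two of the
# rules stated above: a quoted env value and a DATA_FOLDER other than /tmp.
SAMPLE_MANIFEST = """\
applications:
- name: my-app
  command: defender app-embedded ./start.sh --port 8080
  env:
    DEFENDER_TYPE: appEmbedded
    DEFENDER_ID: "my-app-defender-1"
    WS_ADDRESS: wss://console.example:8084
    DATA_FOLDER: /home/vcap
    INSTALL_BUNDLE: eyJj...
"""
REQUIRED = ("DEFENDER_TYPE", "DEFENDER_ID", "WS_ADDRESS", "DATA_FOLDER", "INSTALL_BUNDLE")

def parse_manifest(text):
    """Read the start command and the raw (unparsed) values under the first env: key."""
    command, env, env_indent = None, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # dedented: left the env: block
        if stripped.startswith("command:"):
            command = stripped.split(":", 1)[1].strip()
        elif stripped == "env:":
            env_indent = indent
        elif env_indent is not None and ":" in stripped:
            key, value = stripped.split(":", 1)
            env[key.strip()] = value.strip()  # quotes are kept so they can be flagged
    return command, env

def check_manifest(text):
    """Return the rule violations found; an empty list means the manifest is ready for cf push."""
    command, env = parse_manifest(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    problems += [f"{k} must not be quoted" for k, v in env.items() if v[:1] in ('"', "'")]
    if env.get("DEFENDER_TYPE", "") not in ("", "appEmbedded"):
        problems.append("DEFENDER_TYPE must be appEmbedded")
    if env.get("DATA_FOLDER", "") not in ("", "/tmp"):
        problems.append("DATA_FOLDER must be /tmp")
    if not (command or "").startswith("defender app-embedded "):
        problems.append("command must start with 'defender app-embedded '")
    return problems

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST):
        print("manifest problem:", problem)
```

Run it against your real manifest.yml (for example `check_manifest(open("manifest.yml").read())`) before cf push; an empty result means the env block and start command match the steps above.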
