1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Technology overviews
    6. Prisma Cloud Rules Guide - Docker

    Prisma Cloud Rules Guide - Docker

    This article provides a list of all rules and their intended behavior in Prisma Cloud Console UI. The purpose of this article is to help users better understand the intention of each rule in the Console and it’s corresponding effect on the host environment.

    Running Docker commands through Defender

    To access Docker daemon through Defender, you must explicitly specify Defender’s host and port. For example:
    $ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine
    It is possible to make the management traffic between the Docker client and the Docker daemon flow through Defender by default via two environment variables. Those can be configured on a remote machine that accesses Docker daemon on some host (such as dev laptop), or the host itself for users who do not have root privileges (which should be the majority of users).
    $ export DOCKER_HOST=tcp://<defender host address>:9998
    $ export DOCKER_TLS_VERIFY=1
    Once set, default calls to Docker flow through Defender (e.g., docker ps, docker run alpine). Throughout this guide however, in this guide, we have followed the default command without setting environment variables.

    About this reference environment

    This guide is designed as a reference document for all access rule policies enlisted in Prisma Cloud Console and their intended affect on host environment. These commands are run from a Docker client to a Prisma Cloud Defender using the access control feature. Access control rules can be configured at
    Defend > Access > Docker
    .
    We have organized this document using the same structure as the Prisma Cloud product UI, which follows the structure in the Docker Remote API documentation. Note that there may be minor differences in the structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v 1.24 and will be updated periodically with new releases.
    For understanding purposes all rules are set to deny and their corresponding influence on host environment is recorded.

    Defend access rules

    Navigate to
    Defend > Access > Docker
    .

    Containers

    For more information about the Docker API for containers, see https://docs.docker.com/engine/api/v1.30/#tag/Container.

    container_list - List containers

    Affects docker ps command on host which is used to list all running containers.
    Command:
    docker -H 10.0.0.1:9998 --tlsverify ps
    Response:
    [Prisma Cloud] The command container_list denied for user admin by rule Deny

    container_create - Create a container

    Affects docker create command used to create a new container.
    Command:
    docker -H 10.0.0.1:9998 --tlsverify create morello/docker-whale
    Response:
    [Prisma Cloud] The command container_create denied for user admin by rule Deny

    container_inspect - Inspect a container

    Affects docker inspect command used for returning information about the container.
    Command:
    docker -H 10.0.0.1 --tlsverify  inspect ubuntu_bash2
    Response:
    [Prisma Cloud] The command container_inspect denied for user admin by rule inspect

    container_top - List processes running inside a container

    Affects docker top command used to display the running processes of a container
    Command:
    docker -H 10.0.0.1:9998 --tlsverify top ubuntu_bash
    Response:
    [Prisma Cloud] The command container_top denied for user admin by rule Deny

    container_logs - Get container logs

    Affects docker logs command used for returning logs from the container present at the time of execution.
    Command:
    docker -H 10.0.0.1 --tlsverify logs ubuntu_bash2
    Response:
    [Prisma Cloud] The command container_logs denied for user admin by rule logs

    container_changes - Inspect changes on a container’s filesystem

    Affect docker commit command and restricts any changes to the container.
    Command:
    docker -H 10.0.0.1 --tlsverify  commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3
    Response:
    [Prisma Cloud] The command container_commit denied for user admin by rule commit

    container_export - Export a container

    Affects docker export command that exports a container’s filesystem as a tar archive
    Command:
    docker -H 10.0.0.1:9998 --tlsverify  export  twistlock_console -o saved.tar
    Response:
    [Prisma Cloud] The command container_export denied for user admin by rule export

    container_stats - Get container stats based on resource usage

    Affects docker stats command on host which returns live data stream for running containers.
    Command:
    docker -H 10.0.0.1 --tlsverify stats  silly_stallman
    Response:
    [Prisma Cloud] The command container_stats denied for user admin by rule status

    container_resize - Resize a container

    Affects docker logs command used for returning logs from the container present at the time of execution. This related to the size of the window of how output is returned from the container. It is called TTY.
    Command:
    Response:

    container_start - Start a container

    Affects docker start command used to start one or more stopped containers
    Command:
    docker -H 10.0.0.1:9998 --tlsverify start ubuntu_bash
    Response:
    [Prisma Cloud] The command container_start denied for user admin by rule Deny all