In this post, we will learn how to create custom compliance checks in the Prisma cloud compute edition. You can write your own compliance checks to assess, measure and enforce security baselines using custom image checks. If you will follow this tutorial step by step, you will be able to create custom compliance checks in your environment.
Table of Contents
Prisma cloud custom compliance overview
Prisma cloud allows you to implement your own custom image checks with simple scripts. These custom compliance checks are also supported on Linux containers, Linux hosts and Windows containers.
Prisma cloud custom image check consists of a single script and if script exit code determines the result of the check. For example, if a script exits with code 0 means pass and if exits with code 1 mean fails.
Scripts are executed in the default shell. The most common default shell for Linux is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.
Pre-requisite to run custom compliance checks
- Windows Server 2016 or Windows server 2019 to run custom compliance checks. Prisma cloud is not supported on Windows 10 or HyperV.
- Docker for Windows (1.12.2-cs2-ws-beta) or higher
How to enable custom compliance checks in Prisma for hosts
Custom compliance checks for hosts are disabled by default. If you enable this feature, and then later disable it, the disabled state is effective immediately. You don’t need to redeploy Defenders when you switch to the disabled state. You only need to redeploy Defenders when switching to the enabled state.
Follow these steps to enable or validate custom compliance checks for hosts
Step1- Navigate to advance defender settings.
Go to Manage > Defenders > Advanced settings.
Step2 - Enable compliance check
Switch "Custom compliance checks for hosts" to enable. The slider switch will turn blue as shown in the image.
Step3 - Deploy defenders to your environment
Now you need to deploy the Defenders for your environment. In case it's already deployed, redeploy it.
How to create a new custom compliance check in Prisma cloud
Follow these simple steps to create a custom check in your environment.
Caution** Prisma cloud drops the cached scan results for registries and rescan registry images, if any new custom check is added or modified. In large environments frequent changes to custom compliance check could impact negatively on Prisma cloud performance.
Step4 - Open Prisma cloud console
Open the Prisma cloud console, if it's closed or not open already.
Step5 - Write a new custom check
- Go to Defend > Compliance > Custom
- Click Add check
- Enter a name and description
- Specify the severity of the compliance issue
- Enter a script
- Click Save.
Step6 - Update the compliance policy to run your check
- Go to Defend > Compliance > Containers and Images for containers or Defend > Compliance > Hosts for hosts
- Click Add rule
- Then Enter a rule name
- Under the compliance actions, narrow the compliance checks displayed
- For containers, on the All types drop-down list, select Custom > Image
- For hosts, on the All types drop-down list, select Custom > Custom
- You should see a list of custom checks you’ve implemented, starting with ID 9000
- Select action for your custom check (Ignore, Alert, or Block)
- Click Save.
Step7 - Validate your setup
- Review the compliance reports under Monitor > Compliance.
Sample Scripts -
The following example scripts show how to run some basic checks, such as checking file permissions. Use them as starting point for your own scripts. Any special utilities or programs required by your script must be installed in the image being evaluated.
To check File permissions (Linux)
The following script checks the permissions for the /bin/busybox file. Assuming busybox is installed in your image, this check should pass.
if [ $(stat -c %a /bin/busybox) -eq 755 ]; then echo 'test permission failure' && exit 1; fi
To check File exists or not
The following script checks if /tmp/test.txt exists in the container file system. If it doesn’t exist, the check fails.
if [ ! -f /tmp/test.txt ]; then echo "File not found!" exit 1 fi
To check User existence
The following script checks if the user Dev exists. If the user exists, the check passes. Otherwise, it fails.
if grep -Fxq "Dev" /etc/passwd then echo yes else echo "user not found!" exit 1 fi
To check file exists in Windows
The following script checks if C:\Users exists. If it does, the check passes.
IF EXIST C:\Users Echo test permission failure && exit 1 File does not exist (Windows)
To check file doesn't exist in Windows
This check is the inverse of the previous check. The script checks if C:\Users doesn’t exist. If it doesn’t exist, the check passes.
IF NOT EXIST C:\Users Echo test permission failure && exit 1
I hope now you know the steps to create custom compliance checks in Prisma cloud. To summarize quickly, Check for pre-requisite, enable custom compliance checks for hosts and create a new custom check and validate it after running it. That's all you need to do.
Let me know, in case you face any issues via comments. Till then, Happy Learning!!