7 Steps – How to create custom compliance checks in Prisma Cloud (Compute Edition)

In this post, we will learn how to create custom compliance checks in Prisma Cloud Compute Edition. You can write your own compliance checks to assess, measure and enforce security baselines using custom image checks. If you follow this tutorial step by step, you will be able to create custom compliance checks in your environment.

Prisma cloud custom compliance overview

Prisma Cloud allows you to implement your own custom image checks with simple scripts. Custom compliance checks are supported on Linux containers, Linux hosts and Windows containers.

A Prisma Cloud custom image check consists of a single script, and the script's exit code determines the result of the check: an exit code of 0 means the check passes, and an exit code of 1 means it fails. Only the script's final exit status counts, so end every failing branch with an explicit exit 1; a command that fails in the middle of the script does not by itself fail the check.

Scripts are executed in the image's default shell. On Linux that is most often bash, but not always (minimal images such as Alpine ship busybox ash, for example), so stick to POSIX sh syntax unless you know which shell the image provides. For Windows container images, the default shell is cmd.exe.

Pre-requisite to run custom compliance checks

Custom compliance checks are supported on Linux containers, Linux hosts and Windows containers. For Windows containers you need:

  • Windows Server 2016 or Windows Server 2019 to run custom compliance checks. Prisma Cloud is not supported on Windows 10 or Hyper-V.
  • Docker for Windows (1.12.2-cs2-ws-beta) or higher

How to enable custom compliance checks in Prisma for hosts

Custom compliance checks for hosts are disabled by default. If you enable this feature and later disable it, the disabled state takes effect immediately; you do not need to redeploy Defenders when switching to the disabled state. You only need to redeploy Defenders when switching to the enabled state.

Follow these steps to enable or validate custom compliance checks for hosts.

Step 1 – Navigate to Advanced Defender settings

Go to Manage > Defenders > Advanced settings.

Step 2 – Enable custom compliance checks

Switch “Custom compliance checks for hosts” to enabled. The slider turns blue once the setting is on.

(Screenshot: Enable custom compliance checks for hosts)

Step 3 – Deploy Defenders to your environment

Now deploy the Defenders to your environment. If they are already deployed, redeploy them so that the enabled state takes effect.

(Screenshot: Deploy Defenders to the environment)

How to create a new custom compliance check in Prisma Cloud

Follow these steps to create a custom check in your environment.

Caution: Prisma Cloud drops the cached scan results for registries and rescans registry images whenever a custom check is added or modified. In large environments, frequent changes to custom compliance checks can negatively affect Prisma Cloud performance, so batch your edits rather than saving after every small change.

Step 4 – Open the Prisma Cloud Console

Open the Prisma Cloud Console if it is not already open.

Step 5 – Write a new custom check

  • Go to Defend > Compliance > Custom
  • Click Add check
  • Enter a name and description
  • Specify the severity of the compliance issue
  • Enter the script
  • Click Save.

(Screenshot: Write a new custom check)

Step 6 – Update the compliance policy to run your check

  • Go to Defend > Compliance > Containers and Images for containers, or Defend > Compliance > Hosts for hosts
  • Click Add rule
  • Enter a rule name
  • Under Compliance actions, narrow the list of compliance checks displayed:
  • For containers, in the All types drop-down list, select Custom > Image
  • For hosts, in the All types drop-down list, select Custom > Custom
  • You should now see the list of custom checks you have implemented; their IDs start at 9000
  • Select the action for your custom check (Ignore, Alert, or Block)
  • Click Save.

Step 7 – Validate your setup

  • Review the compliance reports under Monitor > Compliance. Custom checks are listed with IDs from 9000 onward, so filter on that ID range to confirm that your check ran and produced the expected result.

(Screenshot: Validate the compliance setup)

Sample scripts –

The following example scripts show how to run some basic checks, such as checking file permissions. Use them as a starting point for your own scripts. Any special utilities or programs required by your script must be installed in the image being evaluated; stat, grep and find are present in most base images, but a distroless or scratch image may lack even a shell, in which case the script cannot run at all.

To check file permissions (Linux)

The following script checks the permissions of /bin/busybox and fails the check unless the file exists with mode 755 (rwxr-xr-x). Assuming busybox is installed in your image with its usual permissions, this check passes. A missing file is treated as a failure rather than a pass.

# Fail unless /bin/busybox exists and has mode 755
if [ ! -f /bin/busybox ] || [ "$(stat -c %a /bin/busybox)" -ne 755 ]; then
     echo 'test permission failure' && exit 1
fi

To check whether a file exists (Linux)

The following script checks if /tmp/test.txt exists in the container file system. If it doesn't exist, the check fails.

if [ ! -f /tmp/test.txt ]; then
    echo "File not found!"
    exit 1
fi

To check user existence (Linux)

The following script checks if the user Dev exists by looking for an /etc/passwd entry whose name field is Dev. If the user exists, the check passes. Otherwise, it fails. The pattern is anchored on "Dev:" because every passwd line begins with the user name followed by a colon; a fixed-string whole-line match (grep -Fx "Dev") would never match a real entry.

# Match the name field only: each /etc/passwd line starts with "name:"
if grep -q '^Dev:' /etc/passwd
then
    echo yes
else
    echo "user not found!"
    exit 1
fi

To check that a file exists (Windows)

The following script checks whether C:\Users exists. If it does, the check passes; if it does not, the script exits with 1 and the check fails.

IF NOT EXIST C:\Users Echo C:\Users not found && exit 1

To check that a file doesn't exist (Windows)

This check is the inverse of the previous one. The script fails the check if C:\Users exists and passes if it does not.

IF EXIST C:\Users Echo C:\Users should not exist && exit 1

Summary

I hope you now know the steps to create custom compliance checks in Prisma Cloud. To summarize quickly: check the prerequisites, enable custom compliance checks for hosts, create a new custom check, and validate it after it has run. That's all you need to do.

Let me know in the comments if you face any issues. Till then, Happy Learning!!

Dev

I'm Dev, your friendly neighbourhood Tech Savvy. I spend my days with gadgets, servers, and the occasional laugh-inducing software mishap. Think of me as your tech-savvy, glitch-prone buddy. If you've got questions, feedback, or just need someone to blame when your Wi-Fi goes haywire, I'm your guy!