1. Overview

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Prisma Cloud supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Prisma Cloud lets you implement your own custom image checks with simple scripts.

A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.

If you want to use a specific shell, or if your default shell is in a non-standard location, use the shebang interpreter directive at the top of your compliance check to specify the path to the executable. For example, the following directive specifies that the Linux Bourne-again (bash) shell should parse and interpret the compliance check.

#!/bin/bash

Defender runs the compliance checks inside a container instantiated from the image being scanned. Due to risks associated with running arbitrary code, all compliance checks are executed in a restricted sandboxed environment.

Every compliance check in the system has a unique ID. Custom image checks are automatically assigned an ID, starting with the number 9000. As new custom checks are added, they are automatically assigned the next available ID (9001, 9002, and so on).

If a new rule with custom compliance checks is added, or an existing rule is updated with a new custom compliance check, Prisma Cloud drops the cached scan results for registries, and rescans registry images. In a scaled-out environment with large registries, repeated changes to custom compliance checks could have a negative impact on Prisma Cloud’s performance.

2. Creating a new custom image check

The flow for writing and operationalizing a custom image check is:

  • Write a custom image check.

  • Create a new compliance rule that includes your custom image check, and specifies what action to take when the check fails (ignore, alert, block).

  1. Open Console

  2. Write a new custom check.

    1. Go to Defend > Compliance > Custom.

    2. Click Add check.

    3. Enter a name and description.

    4. Specify the severity of the compliance issue.

    5. Enter a script.

    6. Click Save.

  3. Update the compliance policy to run your check.

    1. Go to Defend > Compliance > Containers and Images.

    2. Click Add rule.

    3. Enter a rule name.

    4. Under Compliance actions, narrow the compliance checks displayed. On the All types drop-down list, select Custom > Image.

      You should see a list of custom checks you’ve implemented, starting with ID 9000.

    5. Select an action for your custom check (Ignore, Alert, or Block).

    6. Click Save.

  4. Validate your setup by reviewing the compliance reports under Monitor > Compliance.

3. Example scripts

The following example scripts show how to run some basic checks, such as checking file permissions. Use them as starting point for your own scripts. Any special utilities or programs required by your script must be installed in the image being evaluated.

3.1. File permissions (Linux)

The following script checks the permissions for the /bin/busybox file. Assuming busybox is installed in your image, this check should pass.

if [ $(stat -c %a /bin/busybox) -eq 755 ]; then
     echo 'test permission failure' && exit 1;
fi

3.2. File exists (Linux)

The following script checks if /tmp/foo.txt exists in the container file system. If it doesn’t exist, the check fails.

if [ ! -f /tmp/foo.txt ]; then
    echo "File not found!"
    exit 1
fi

3.3. User exists (Linux)

The following script checks if the user John exists. If the user exists, the check passes. Otherwise, it fails.

if grep -Fxq "John" /etc/passwd
then
    echo yes
else
    echo "user not found!"
    exit 1
fi

3.4. File exists (Windows)

The following script checks if C:\Users exists. If it does, the check passes.

IF EXIST C:\Users Echo test permission failure && exit 1

3.5. File does not exist (Windows)

This check is the inverse of the previous check. The script checks if C:\Users doesn’t exist. If it doesn’t exist, the check passes.

IF NOT EXIST C:\Users Echo test permission failure && exit 1