1. Overview

Prisma Cloud lets you import custom security checklists and evaluate them against your container images. Custom checklists complement the predefined compliance checks already provided in the default Prisma Cloud installation.

Prisma Cloud can consume Extensible Configuration Checklist Description Format (XCCDF) benchmarks and checklists. XCCDF is an open standard maintained by the National Institute of Standards and Technology (NIST) for expressing security checklists so that an application's configuration can be assessed, and its compliance with security rules tested, automatically. Checklists are expressed in XML. For more information about XCCDF, see the specification.

For example, your organization might require that each container running a Payment Card Industry (PCI) workload embed a manifest file that describes the team responsible for the chain of custody of the credit card data. With Prisma Cloud and XCCDF, you can configure a rule to check for compliance to this requirement and take action (alert or block) when a container is missing this file. Your audit team can then use Console as the central point for monitoring and enforcing compliance to this setting.

To use XCCDF with Prisma Cloud, your environment must meet the following requirements:

  • Your XCCDF benchmark must be encapsulated in a SCAP datastream. Datastreams are defined in the SCAP v1.2 specification. For more information, see the technical specification. If your benchmark is not in datastream format, you can convert it. For more information, see Procedure: Converting XCCDF checklists to datastream format.

  • Your container images must be derived from an RPM-based distribution, such as CentOS, Fedora, or Red Hat Enterprise Linux (RHEL).

  • Your base image must have glibc version 2.17 or later. Distributions that ship with glibc 2.17 or later include CentOS 7, RHEL 7, and Fedora 20. You can run the following command in your container to get the version of glibc:

    $ ldd --version
    ldd (GNU libc) 2.17

2. Getting started

To get started with XCCDF, you first need an XCCDF datastream (an .xml file) to work from. The SCAP Security Guide (scap-security-guide) package ships ready-made datastreams that you can use as templates:

  1. Start a Fedora container.

  2. Run the following inside the container:

    $ dnf install scap-security-guide
  3. Take any .xml file under /usr/share/xml/scap/ssg/content/, specifically the -ds.xml ones, which are already in the datastream format that Prisma Cloud imports. Use these as a template going forward.

3. Importing an XCCDF Datastream

Set up XCCDF compliance checks.

  1. Open twistlock.cfg for editing.

  2. Enable SCAP by setting SCAP_ENABLED to true.

    SCAP_ENABLED=true
  3. Load the new configuration setting.

    If you have not installed Prisma Cloud yet, follow the regular installation procedure. Otherwise, follow the upgrade procedure for Console, which loads the new configuration without impacting the rest of Console’s data or state.

  4. If Prisma Cloud has already been installed, redeploy your Defenders.

    If you have deployed Defenders in a Kubernetes or OpenShift cluster, perform the following steps:

    1. SSH to the node where Defender runs registry scanning.

    2. Retrieve the openscap.tar.gz distribution from the Prisma Cloud API and extract it into Defender's working directory. The -k flag below disables TLS certificate verification; if your nodes trust Console's certificate (or you pass its CA with --cacert), omit -k so the archive cannot be substituted in transit.

      $ curl -k -u "<TWISTLOCK_CONSOLE_ADMIN>" \
        https://<twistlock_console>:8083/api/v1/util/openscap.tar.gz \
        -o openscap.tar.gz
      $ sudo tar -xvf openscap.tar.gz -C /var/lib/twistlock/utils/openscap
    3. Repeat the procedure on all nodes where Defender performs SCAP scanning.

  5. Open Console, and go to Manage > System > SCAP.

  6. Click the +DATASTREAM button, and select a datastream to upload.

    A benchmark, with its available profiles, is added to the table. Prisma Cloud assigns a vulnerability ID to each profile, which you use to set up your policies. Vulnerability IDs for benchmark profiles start at 4000.

4. Setting your policy

In order to process a checklist in a profile, set up a new policy.

  1. Open Console, then go to Defend > Compliance.

  2. Click the +COMPLIANCE RULE button to create a new rule.

    1. In Rule Name, enter an identifier for your rule.

    2. Select the profile you want to process, and then set an action (NONE, ALERT, or BLOCK) when a rule in your checklist fails.

      By default, XCCDF profiles are assigned vulnerability IDs that start at 4000.

    3. Click SAVE to activate your rule.

  3. Check the results of an image scan.

    1. Go to Monitor > Compliance > Images.

    2. Select an image from the table.

      Any rule that does not pass is listed in this tab. The severity of an issue is determined by the rule in the benchmark file.

5. Converting XCCDF checklists to datastream format

If your XCCDF checklist complies with version 1.2 of the SCAP specification but is not in datastream format, you must convert it to datastream format before importing it into Console.

To convert an xccdf, cpe, cpe-dictionary, or oval checklist to datastream format:

  1. Install the oscap utility. For more information, see the OpenSCAP documentation.

    $ yum install openscap-scanner
  2. Verify that oscap was installed successfully.

    $ oscap version
  3. Convert your checklist.

    Assuming your checklist is named myChecklist-{cpe-dictionary | cpe-oval | oval | xccdf}.xml, run the following command:

    $ oscap ds sds-compose myChecklist-xccdf.xml myChecklist-ds.xml
    The OVAL and CPE files that the XCCDF references by href must sit next to it, because sds-compose resolves those references relative to the XCCDF file and bundles the referenced documents into the datastream. Your checklist name should not contain any spaces or parentheses.

    The resulting output is a datastream that can be imported directly into Prisma Cloud. Before uploading it, you can validate it with oscap ds sds-validate and list its benchmark and profiles with oscap info.
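As an added example (not part of the Prisma Cloud documentation or product), the following Python script reads a SCAP 1.2 datastream the way the import step consumes it: it lists the benchmark's profiles (the entries Console assigns vulnerability IDs to) and rules, and it resolves every rule's OVAL check through the datastream's catalog to confirm that the referenced OVAL component and definition are actually bundled. It embeds a constructed, trimmed datastream that implements the PCI chain-of-custody rule from the overview; the path /etc/pci/custody-manifest.json and all identifiers are assumptions, and a real benchmark carries more required metadata than this sample shows.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "cat": "urn:oasis:names:tc:entity:xmlns:xml:catalog",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample datastream (not from the page): one profile, one rule whose
# OVAL check requires /etc/pci/custody-manifest.json to exist in the image.
# Ids and the path are assumptions; real benchmarks carry more metadata.
SAMPLE_DS = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
    id="scap_org.example_collection_pci" schematron-version="1.2">
  <ds:data-stream id="scap_org.example_datastream_pci" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.example_cref_xccdf" xlink:href="#scap_org.example_comp_xccdf">
        <cat:catalog><cat:uri name="pci-oval.xml" uri="#scap_org.example_cref_oval"/></cat:catalog>
      </ds:component-ref>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.example_cref_oval" xlink:href="#scap_org.example_comp_oval"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_org.example_comp_xccdf" timestamp="2020-01-01T00:00:00">
    <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_pci">
      <xccdf:status date="2020-01-01">draft</xccdf:status><xccdf:version>1</xccdf:version>
      <xccdf:Profile id="xccdf_org.example_profile_pci">
        <xccdf:title>PCI workload containers</xccdf:title>
        <xccdf:select idref="xccdf_org.example_rule_manifest-present" selected="true"/>
      </xccdf:Profile>
      <xccdf:Rule id="xccdf_org.example_rule_manifest-present" severity="high">
        <xccdf:title>Chain-of-custody manifest is present in the image</xccdf:title>
        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <xccdf:check-content-ref href="pci-oval.xml" name="oval:org.example:def:1"/>
        </xccdf:check>
      </xccdf:Rule>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_org.example_comp_oval" timestamp="2020-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <definitions>
        <definition class="compliance" id="oval:org.example:def:1" version="1">
          <metadata><title>custody manifest exists</title></metadata>
          <criteria><criterion test_ref="oval:org.example:tst:1"/></criteria>
        </definition>
      </definitions>
      <tests>
        <unix:file_test id="oval:org.example:tst:1" version="1" check="all"
            check_existence="at_least_one_exists" comment="manifest file exists">
          <unix:object object_ref="oval:org.example:obj:1"/>
        </unix:file_test>
      </tests>
      <objects>
        <unix:file_object id="oval:org.example:obj:1" version="1">
          <unix:filepath>/etc/pci/custody-manifest.json</unix:filepath>
        </unix:file_object>
      </objects>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""


def has_oval_definition(component, def_id):
    """True if the OVAL document inside this ds:component defines def_id."""
    return any(d.get("id") == def_id for d in component.iter(f"{{{NS['oval']}}}definition"))


def inspect_datastream(xml_text):
    """List profiles and rules of a SCAP 1.2 datastream and flag OVAL checks that do
    not resolve (no catalog entry, missing component, or missing definition id)."""
    root = ET.fromstring(xml_text)
    components = {c.get("id"): c for c in root.findall("ds:component", NS)}
    report = {"profiles": [], "rules": [], "dangling_refs": []}
    for stream in root.findall("ds:data-stream", NS):
        # component-ref id -> component id (xlink:href is "#<component id>")
        crefs = {c.get("id"): c.get(XLINK_HREF).lstrip("#") for c in stream.iter(f"{{{NS['ds']}}}component-ref")}
        for cref in stream.findall("ds:checklists/ds:component-ref", NS):
            benchmark = components[crefs[cref.get("id")]].find("xccdf:Benchmark", NS)
            # The catalog maps hrefs used inside the XCCDF onto component-refs.
            catalog = {u.get("name"): u.get("uri").lstrip("#") for u in cref.findall("cat:catalog/cat:uri", NS)}
            report["profiles"] += [p.get("id") for p in benchmark.findall("xccdf:Profile", NS)]
            for rule in benchmark.iter(f"{{{NS['xccdf']}}}Rule"):  # Rules may be nested in Groups
                report["rules"].append((rule.get("id"), rule.get("severity")))
                for check in rule.iter(f"{{{NS['xccdf']}}}check"):
                    if check.get("system") != NS["oval"]:
                        continue  # only OVAL checks are resolved here
                    for ref in check.findall("xccdf:check-content-ref", NS):
                        href, name = ref.get("href"), ref.get("name")
                        target = components.get(crefs.get(catalog.get(href, ""), ""))
                        if target is None or not has_oval_definition(target, name):
                            report["dangling_refs"].append((rule.get("id"), href, name))
    return report


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DS
    print(json.dumps(inspect_datastream(text), indent=2))
```

Run it as `python3 inspect_ds.py myChecklist-ds.xml` on the output of sds-compose before uploading. An unresolved check-content-ref is worth catching early: in XCCDF semantics a rule whose check content cannot be located evaluates to notchecked rather than fail, so a compliance rule set to BLOCK on that profile would never fire for it.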