1. Overview

This article provides a list of all rules and their intended behavior in the Prisma Cloud Console UI. Its purpose is to help users better understand the intention of each rule in the Console and its corresponding effect on the host environment.

2. Running Docker commands through Defender

To access the Docker daemon through Defender, you must explicitly specify Defender's host and port. For example:

$ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine

It is possible to make the management traffic between the Docker client and the Docker daemon flow through Defender by default via two environment variables. These can be configured on a remote machine that accesses the Docker daemon on some host (such as a dev laptop), or on the host itself for users who do not have root privileges (which should be the majority of users).

$ export DOCKER_HOST=tcp://<defender host address>:9998
$ export DOCKER_TLS_VERIFY=1

Once set, default calls to Docker flow through Defender (e.g., docker ps, docker run alpine). Throughout this guide, however, we use the explicit -H form without setting these environment variables.

3. About this reference environment

This guide is designed as a reference document for all access rule policies listed in the Prisma Cloud Console and their intended effect on the host environment. The commands shown were run from a Docker client against a Prisma Cloud Defender using the access control feature. Access control rules can be configured at Defend > Access > Docker.

We have organized this document using the same structure as the Prisma Cloud product UI, which follows the structure of the Docker Remote API documentation. Note that there may be minor differences in structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v1.24 and will be updated periodically with new releases.

To illustrate the effect of each rule, every rule was set to Deny and the resulting behavior on the host environment was recorded.
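The following script is an added example, not part of the Prisma Cloud documentation, that ties the two preceding sections together: it sends a few of the Docker subcommands catalogued below through Defender using the explicit -H form, classifies each response as allowed or denied, and parses the "[Prisma Cloud] The command ... denied for user ... by rule ..." message into fields suitable for an audit log, so that a Deny policy can be verified after it is configured. The Defender address 10.0.0.1:9998 (taken from the page), the DOCKER_BIN override and the verification table are assumptions; a real run needs the docker client and a reachable Defender.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's own code): verify that Docker access
# rules deny as expected and turn Defender's denial messages into records.
# Assumptions: DEFENDER_ADDR is the Defender host:port; DOCKER_BIN names the
# docker client (a test or dry run can point it at a stub function).
DEFENDER_ADDR="${DEFENDER_ADDR:-10.0.0.1:9998}"
DOCKER_BIN="${DOCKER_BIN:-docker}"

# Parse the first Defender denial line in a response. The message format is
#   [Prisma Cloud] The command <rule_id> denied for user <user> by rule <rule name>
# and is emitted as "rule_id|user|rule name". Rule names may contain spaces
# ("Default - deny all"), so everything after "by rule " is kept.
# Prints nothing when the response contains no denial line.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
        's/^\[Prisma Cloud\] The command \([^ ]*\) denied for user \([^ ]*\) by rule \(.*\)$/\1|\2|\3/p' \
        | head -n 1
}

# Classify a full response: DENIED if Defender blocked the API call,
# ALLOWED if the daemon answered the request itself.
classify_response() {
    if printf '%s\n' "$1" | grep -q '^\[Prisma Cloud\] The command .* denied for user '; then
        echo DENIED
    else
        echo ALLOWED
    fi
}

# Run one Docker subcommand through Defender and emit an audit record:
#   <expected>|<observed>|<rule_id>|<user>|<rule name>
# stderr is merged into stdout because Defender's message arrives on the
# error stream, and "|| true" keeps a denial (non-zero exit) from aborting
# a script running under "set -e".
check_rule() {
    expected="$1"; shift
    out=$("$DOCKER_BIN" -H "$DEFENDER_ADDR" --tlsverify "$@" 2>&1) || true
    observed=$(classify_response "$out")
    fields=$(parse_denial "$out")
    printf '%s|%s|%s\n' "$expected" "$observed" "${fields:-none|none|none}"
}

# Walk a small verification table (constructed here; extend it with the
# other subcommands from this reference). Under a Deny policy every row is
# expected to come back DENIED. Prints one record per row and returns the
# number of rows whose observed result differs from the expectation.
verify_deny_policy() {
    mismatches=0
    while IFS='|' read -r expected args; do
        [ -z "$expected" ] && continue
        # shellcheck disable=SC2086  # args is intentionally word-split
        record=$(check_rule "$expected" $args)
        observed=$(printf '%s' "$record" | cut -d'|' -f2)
        [ "$observed" = "$expected" ] || mismatches=$((mismatches + 1))
        printf '%s\n' "$record"
    done <<EOF
DENIED|ps
DENIED|create alpine
DENIED|images
DENIED|volume ls
EOF
    return "$mismatches"
}

# Usage: source this file, then run "verify_deny_policy" against a Defender
# whose Docker access policy is set to Deny; a non-zero return value means
# at least one rule did not deny as expected.
```

The parser anchors on the exact prefix Defender uses, so lines the Docker client adds after the denial (for example the "Error: failed to rename container" line shown under container_rename) are ignored rather than mis-parsed, and a response with no Defender line at all is reported as ALLOWED, which is the case a policy audit most wants to catch.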

4. Defend access rules

Navigate to Defend > Access > Docker.

4.1. Containers

For more information about the Docker API for containers, see https://docs.docker.com/engine/api/v1.30/#tag/Container.

4.1.1. container_list - List containers

Affects the docker ps command on the host, which lists all running containers.

Command:

docker -H 10.0.0.1:9998 --tlsverify ps

Response:

[Prisma Cloud] The command container_list denied for user admin by rule Deny

4.1.2. container_create - Create a container

Affects the docker create command, which creates a new container.

Command:

docker -H 10.0.0.1:9998 --tlsverify create morello/docker-whale

Response:

[Prisma Cloud] The command container_create denied for user admin by rule Deny

4.1.3. container_inspect - Inspect a container

Affects the docker inspect command, which returns information about the container.

Command:

docker -H 10.0.0.1 --tlsverify inspect ubuntu_bash2

Response:

[Prisma Cloud] The command container_inspect denied for user admin by rule inspect

4.1.4. container_top - List processes running inside a container

Affects the docker top command, which displays the running processes of a container.

Command:

docker -H 10.0.0.1:9998 --tlsverify top ubuntu_bash

Response:

[Prisma Cloud] The command container_top denied for user admin by rule Deny

4.1.5. container_logs - Get container logs

Affects the docker logs command, which returns the logs a container has produced up to the time of execution.

Command:

docker -H 10.0.0.1 --tlsverify logs ubuntu_bash2

Response:

[Prisma Cloud] The command container_logs denied for user admin by rule logs

4.1.6. container_changes - Inspect changes on a container’s filesystem

Affects the docker commit command and restricts any changes to the container.

Command:

docker -H 10.0.0.1 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3

Response:

[Prisma Cloud] The command container_commit denied for user admin by rule commit

4.1.7. container_export - Export a container

Affects the docker export command, which exports a container's filesystem as a tar archive.

Command:

docker -H 10.0.0.1:9998 --tlsverify export twistlock_console -o saved.tar

Response:

[Prisma Cloud] The command container_export denied for user admin by rule export

4.1.8. container_stats - Get container stats based on resource usage

Affects the docker stats command on the host, which returns a live data stream for running containers.

Command:

docker -H 10.0.0.1 --tlsverify stats silly_stallman

Response:

[Prisma Cloud] The command container_stats denied for user admin by rule status

4.1.9. container_resize - Resize a container

Affects the docker logs command, which returns logs from the container at the time of execution. This rule relates to the size of the window through which output is returned from the container, known as the TTY.

Command:

Response:

4.1.10. container_start - Start a container

Affects the docker start command, which starts one or more stopped containers.

Command:

docker -H 10.0.0.1:9998 --tlsverify start ubuntu_bash

Response:

[Prisma Cloud] The command container_start denied for user admin by rule Deny all

4.1.11. container_stop - Stop a container

Affects the docker stop command, which stops a running container.

Command:

docker -H 10.0.0.1:9998 --tlsverify stop ubuntu_bash

Response:

[Prisma Cloud] The command container_stop denied for user admin by rule Deny

4.1.12. container_restart - Restart a container

Affects the docker restart command on the host, which restarts a container.

Command:

docker -H 10.0.0.1:9998 --tlsverify restart ubuntu_bash

Response:

[Prisma Cloud] The command container_restart denied for user admin by rule Deny

4.1.13. container_kill - Kill a container

Affects the docker kill command, which kills a running container.

Command:

docker -H 10.0.0.1:9998 --tlsverify kill ubuntu_bash

Response:

[Prisma Cloud] The command container_kill denied for user admin by rule Deny

4.1.14. container_rename - Rename a container

Affects the docker rename command on the host, which renames a container.

Command:

docker -H 10.0.0.1:9998 --tlsverify rename ubuntu_bash unbuntu

Response:

[Prisma Cloud] The command container_rename denied for user admin by rule Deny
Error: failed to rename container named ubuntu_bash

4.1.15. container_pause - Pause a container

Affects the docker pause command on the host, which pauses all processes within one or more containers.

Command:

docker -H 10.0.0.1 --tlsverify pause focused_cori

Response:

[Prisma Cloud] The command container_pause denied for user admin by rule Deny

4.1.16. container_unpause - Unpause a container

Affects the docker unpause command on the host, which resumes all processes in a container.

Command:

docker -H 10.0.0.1 --tlsverify unpause silly_stallman

Response:

[Prisma Cloud] The command container_unpause denied for user admin by rule unpause

4.1.17. container_attach - Attach to a container

Affects the docker attach command on the host where Defender is deployed.

Command:

docker -H 10.0.0.1 --tlsverify attach mycontainer

Response:

[Prisma Cloud] The command container_attach denied for user admin by rule attach persistent connection closed

4.1.18. container_attachws - Attach to a container (websocket)

Affects the docker attach command on the host where Defender is deployed. Attaches to the container ID via WebSocket, implementing the WebSocket protocol handshake according to RFC 6455.

Command:

docker -H 10.0.0.1 --tlsverify attach mycontainer

Response:

[Prisma Cloud] The command container_attach denied for user admin by rule attach persistent connection closed

4.1.19. container_wait - Wait a container

Affects the docker wait command, which blocks until a container stops and then prints its exit code.

Command:

docker -H 10.0.0.1:9998 --tlsverify wait ubuntu_bash

Response:

[Prisma Cloud] The command container_wait denied for user admin by rule Deny

4.1.20. container_delete - Remove a container

Affects the docker rm command, which deletes a container.

Command:

docker -H 10.0.0.1:9998 --tlsverify rm <container>

Response:

[Prisma Cloud] The command container_delete denied for user admin by rule delete

4.1.21. container_archive - Gets an archive of filesystem resource in a container

Gets a tar archive of a resource in the filesystem of a container. Affects the docker cp command.

Command:

docker -H 10.0.0.1:9998 --tlsverify cp <container> > latest.tar

Response:

[Prisma Cloud] The command container_copy denied for user admin by rule delete

4.1.22. container_extract - Extract an archive of files or folders to a directory in a container

Affects the docker export command. Uploads a tar archive to be extracted to a path in the filesystem of a container.

Command:

docker -H 10.0.0.1:9998 --tlsverify cp <container> > latest.tar

Response:

[Prisma Cloud] The command container_exec_start denied for user admin by rule exec

4.2. Images

For more information about the Docker API for images, see https://docs.docker.com/engine/api/v1.30/#tag/Image.

4.2.1. image_list - List images

Affects the docker images command, which lists all images.

Command:

docker -H 10.0.0.1:9998 --tlsverify images

Response:

[Prisma Cloud] The command image_list denied for user admin by rule Deny

4.2.2. image_build - Build image from a Dockerfile

Affects the docker build command, which builds an image from a Dockerfile.

Command:

docker -H 172.18.0.1:9998 --tlsverify build -t aqsa/testimage:v2 .

Response:

[Prisma Cloud] The command image_build denied for user admin by rule Default - deny all

4.2.3. image_create - Create an image

Affects the docker pull command, which pulls an image.

Command:

docker -H 10.0.0.1:9998 --tlsverify pull ubuntu:latest

Response:

[Prisma Cloud] The command image_create denied for user admin by rule Deny

4.2.4. image_inspect - Inspect an image

Affects the docker inspect command, which returns information about the container.

Command:

docker -H 10.0.0.1:9998 --tlsverify inspect 28e7d49f8e6d

Response:

[Prisma Cloud] The command image_inspect denied for user admin by rule images

4.2.5. image_history - Get the history of an image

Affects the docker history <image> command.

Command:

docker -H 172.18.0.1:9998 --tlsverify history twistlock

Response:

[Prisma Cloud] The command image_history denied for user admin by rule Default - deny all

4.2.6. image_push - Push an image on the registry

Affects the docker push command, which pushes an image to a repository.

Command:

docker -H 10.0.0.1:9998 --tlsverify push ubuntu:latest

Response:

[Prisma Cloud] The command image_push denied for user admin by rule Deny

4.2.7. image_tag - Tag an image into a repository

Affects the docker tag command, which tags an image in the repository.

Command:

docker -H 10.0.0.1:9998 --tlsverify tag ubuntu:latest aqsa:tag

Response:

[Prisma Cloud] The command image_tag denied for user admin by rule Deny

4.2.8. image_delete - Remove an image

Affects the docker rmi command, which deletes an image.

Command:

docker -H 10.0.0.1:9998 --tlsverify rmi aqsa/testimage:version3

Response:

[Prisma Cloud] The command image_delete denied for user admin by rule Deny

4.2.9. images_search - Search images

Affects the docker search command, which lists the available images matching the search term.

Command:

docker -H 10.0.0.1:9998 --tlsverify search twistlock

Response:

[Prisma Cloud] The command images_search denied for user admin by rule deny

4.3. MISC

Miscellaneous other Docker commands.

4.3.1. docker_check_auth - Check auth configuration

Validates credentials for a registry and gets an identity token, if available, for accessing the registry without a password. Affects docker login on the host.

Command:

docker -H 172.18.0.1:9998 --tlsverify login

Response:

[Prisma Cloud] The command docker_info denied for user admin by rule Default - deny all

4.3.2. docker_info - Display system-wide information

Affects the docker info command, which displays system-wide information.

Command:

docker -H 10.0.0.1:9998 --tlsverify info

Response:

[Prisma Cloud] The command docker_info denied for user admin by rule Deny

4.3.3. docker_version - Show the docker version information

Affects the docker version command on the host, which shows the Docker version.

Command:

docker -H 10.0.0.1 --tlsverify version

Response:

[Prisma Cloud] The command docker_version denied for user admin by rule version

4.3.4. docker_ping - Ping the docker server

This API pings the Docker server to confirm that it is up and running.

Command:

It is intended to be called by an external monitoring system and has no direct Docker CLI command.

4.3.5. container_commit - Create a new image from a container’s changes

Affects the docker commit command, which commits a container's filesystem changes into a new image.

Command:

docker -H 10.0.0.1 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3

Response:

[Prisma Cloud] The command container_commit denied for user admin by rule commit

4.3.6. docker_events - Monitor docker’s events

Affects the docker events command on the host, which returns real-time events from the server.

Command:

docker -H 10.0.0.1 --tlsverify events

Response:

[Prisma Cloud] The command docker_events denied for user admin by rule events

4.3.7. images_archive - Get a tarball containing all images

Affects the docker save command, which saves images to a tar archive.

Command:

docker -H 172.17.0.1:9998 --tlsverify save $(docker images -q) -o home/aqsa/mydockersimages.tar

Response:

[Prisma Cloud] The command images_archive denied for user admin by rule Default - deny all

4.3.8. images_load - Load a tarball with a set of images and tags into docker

Affects the docker load command, which loads an image from a tar archive or STDIN.

Command:

docker -H 172.17.0.1:9998 --tlsverify load -i /home/aqsa/twistlock_1_6_81.tar.gz

Response:

[Prisma Cloud] The command images_load denied for user admin by rule Default - deny all

4.3.9. container_exec_create - Exec Create

Affects the docker exec command used to create any new container.

Command:

docker -H 10.0.0.1 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks

Response:

[Prisma Cloud] The command container_exec_start denied for user admin by rule exec

4.3.10. container_exec_start - Exec Start

Affects the docker exec command, which runs a command in a running container.

Command:

docker -H 10.0.0.1 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks

Response:

[Prisma Cloud] The command container_exec_start denied for user admin by rule exec

4.3.11. container_exec_inspect - Exec Inspect

Affects the docker exec command, which runs a command in a running container.

Command:

docker -H 10.0.0.1 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks

Response:

[Prisma Cloud] The command container_exec_start denied for user admin by rule exec

4.3.12. container_archive_head

Command:

docker -H 10.0.0.1 --tlsverify unpause silly_stallman

Response:

[Prisma Cloud] The command container_unpause denied for user admin by rule unpause

4.3.13. container_copyfiles

Affects the docker cp command, which copies files between containers and the local filesystem on the host.

Command:

docker -H 10.0.0.1 --tlsverify cp file mycontainer:~

Response:

[Prisma Cloud] The command container_copyfiles denied for user admin by rule unpause

4.4. Volumes

For more information about the Docker API for volumes, see https://docs.docker.com/engine/api/v1.30/#tag/Volume.

4.4.1. volume_list - List volumes

Affects the docker volume ls command, which lists all volumes.

Command:

docker -H 10.0.0.1:9998 --tlsverify volume ls

Response:

[Prisma Cloud] The command volume_list denied for user admin by rule Deny

4.4.2. volume_create - Create a volume

Affects the docker volume create command, which creates a volume.

Command:

docker -H 10.0.0.1:9998 --tlsverify volume create

Response:

[Prisma Cloud] The command volume_create denied for user admin by rule Deny

4.4.3. volume_inspect - Inspect a volume

Affects the docker volume inspect command, which displays detailed information on one or more volumes.

Command:

docker -H 10.0.0.1:9998 --tlsverify volume inspect f1c7

Response:

[Prisma Cloud] The command volume_inspect denied for user admin by rule Deny

4.4.4. volume_remove - Remove a volume

Affects the docker volume rm command, which removes one or more volumes.

Command:

docker -H 10.0.0.1:9998 --tlsverify volume rm f671

Response:

[Prisma Cloud] The command volume_remove denied for user admin by rule Deny

4.5. Networks

For information about the Docker API for networks, see https://docs.docker.com/engine/api/v1.30/#tag/Network.

4.5.1. network_list - list networks

Affects the docker network ls command, which lists networks.

Command:

docker -H 172.17.0.1:9998 --tlsverify network ls

Response:

[Prisma Cloud] The command network_list denied for user admin by rule Default - deny all

4.5.2. network_inspect - Inspect network

Affects the docker network inspect command, which displays detailed information on one or more networks.

Command:

docker -H 172.17.0.1:9998 --tlsverify network inspect 82b1c

Response:

[Prisma Cloud] The command network_inspect denied for user admin by rule Default - deny all

4.5.3. network_create - Create a network

Affects the docker network create command, which creates a network.

Command:

docker -H 172.17.0.1:9998 --tlsverify network create new-network

Response:

[Prisma Cloud] The command network_create denied for user admin by rule Default - deny all

4.5.4. network_connect - Connect a container to a network

Affects the docker network connect command, which connects a container to a network.

Command:

docker -H 172.17.0.1:9998 --tlsverify network connect new-network container1

Response:

[Prisma Cloud] The command network_connect denied for user admin by rule Default - deny all

4.5.5. network_disconnect - Disconnect a container from a network

Affects the docker network disconnect command, which disconnects a container from a network.

Command:

docker -H 172.17.0.1:9998 --tlsverify network disconnect new-network container1

Response:

[Prisma Cloud] The command network_disconnect denied for user admin by rule Default - deny all

4.5.6. network_remove - Remove a network

Affects the docker network rm command, which removes one or more networks.

Command:

docker -H 172.17.0.1:9998 --tlsverify network rm new-network

Response:

[Prisma Cloud] The command network_remove denied for user admin by rule Default - deny all

4.6. Swarm nodes

For more information about the Docker API for Swarm nodes, see https://docs.docker.com/engine/api/v1.30/#tag/Node.

4.6.1. node_list - List nodes

Affects the docker node ls command, which lists the nodes in the swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify node ls

Response:

[Prisma Cloud] The command node_list denied for user admin by rule Default - deny all

4.6.2. node_inspect - Inspect a node

Affects the docker node inspect command, which inspects a node in the swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify node inspect swarm-manager

Response:

[Prisma Cloud] The command node_inspect denied for user admin by rule Default - deny all

Swarm

For more information about the Docker API for Swarm, see https://docs.docker.com/engine/api/v1.30/#tag/Swarm.

4.6.3. swarm_init - Initialize a new swarm

Affects the docker swarm init command, which initializes a swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify swarm init

Response:

[Prisma Cloud] The command swarm_init denied for user admin by rule Default - deny all

4.6.4. swarm_join - Join an existing swarm

Affects the docker swarm join command, which joins a swarm as a manager node or worker node.

Command:

docker -H 172.17.0.1:9998 --tlsverify swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377

Response:

[Prisma Cloud] The command swarm_join denied for user admin by rule Default - deny all

4.6.5. swarm_leave - Leave a swarm

Affects the docker swarm leave command, which removes the current node from the swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify swarm leave

Response:

[Prisma Cloud] The command swarm_leave denied for user admin by rule Default - deny all

4.6.6. swarm_update - update a swarm

Affects the docker swarm update command, which updates the attributes of a swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify swarm update --cert-expiry 70h

Response:

[Prisma Cloud] The command swarm_update denied for user admin by rule Default - deny all

4.7. Swarm services

For more information about the Docker API for Swarm services, see https://docs.docker.com/engine/api/v1.30/#tag/Service.

4.7.1. service_list - List services

Affects the docker service ls command, which lists the services in the swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify service ls

Response:

[Prisma Cloud] The command service_list denied for user admin by rule Default - deny all

4.7.2. service_create - Create a service

Affects the docker service create command, which creates a new service.

Command:

docker -H 172.17.0.1:9998 --tlsverify service create --name redis redis:3.0.6

Response:

[Prisma Cloud] The command service_create denied for user admin by rule Default - deny all

4.7.3. service_remove - Remove a service

Affects the docker service rm command, which removes a service from the swarm.

Command:

docker -H 172.17.0.1:9998 --tlsverify service rm redis

Response:

[Prisma Cloud] The command service_remove denied for user admin by rule Default - deny all

4.7.4. service_inspect - Inspect one or more services

Affects the docker service inspect command, which inspects a service.

Command:

docker -H 172.17.0.1:9998 --tlsverify service inspect redis

Response:

[Prisma Cloud] The command service_inspect denied for user admin by rule Default - deny all

4.7.5. service_update - Update a service

Affects the docker service update command, which updates the attributes of a service.

Command:

docker -H 172.17.0.1:9998 --tlsverify service update --limit-cpu 2 redis

Response:

[Prisma Cloud] The command service_inspect denied for user admin by rule Default - deny all

4.8. Tasks

For more information about the Docker API for tasks, see https://docs.docker.com/engine/api/v1.30/#tag/Task.

4.8.1. task_list - List tasks

Affects the docker service commands on the host where Defender is deployed. Relevant only for Swarm.

Command:

docker -H 10.0.0.1:9998 --tlsverify service ls

Response:

[Prisma Cloud] The command service_list denied for user admin by rule Default - deny all

4.8.2. task_inspect - Inspect a task

Affects the docker service inspect command.

Command:

docker -H 10.0.0.1 --tlsverify inspect redis

Response:

[Prisma Cloud] The command service_inspect denied for user admin by rule Default - deny all

4.9. Secrets

Secrets are added in Prisma Cloud 2.0 in accordance with Docker Engine API v1.26.

For more information about the Docker API for secrets, see https://docs.docker.com/engine/api/v1.30/#tag/Secret.

4.9.1. secret_list - List secrets

Affects the docker secret ls command, which lists secrets.

Command:

docker -H 10.0.0.1:9998 --tlsverify secret ls

Response:

[Prisma Cloud] The command secret_ls denied for user admin by rule Default - deny all

4.9.2. secret_create - Create secrets

Affects the docker secret create command, which creates secrets.

Command:

docker -H 10.0.0.1:9998 --tlsverify secret create my-secret ./aqsa.json

Response:

[Prisma Cloud] The command secret_create denied for user admin by rule Default - deny all

4.9.3. secret_inspect - Inspect secrets

Affects the docker secret inspect command, which inspects secrets.

Command:

docker -H 10.0.0.1:9998 --tlsverify secret inspect <id>

Response:

[Prisma Cloud] The command secret_inspect denied for user admin by rule Default - deny all

4.9.4. secret_remove - Delete secrets

Affects the docker secret rm command, which removes one or more secrets.

Command:

docker -H 10.0.0.1:9998 --tlsverify secret rm aqsa.json

Response:

[Prisma Cloud] The command secret_rm denied for user admin by rule Default - deny all

4.9.5. secret_update - Update a secret

Affects the POST /secrets/{id}/update API call, used to remove one or more secrets.

Command:

Response: