1. Overview

The Prisma Cloud Compute API can be used to automate all aspects of the product. In this article, we discuss using it to automate management of compliance policies.

For example, you may want to create different compliances for different parts of your environment, but base them all from a common baseline. Alternatively, you may have a central security or internal audit team that needs to be able to assess compliance across multiple environments. In both cases, the API helps 'fan out' management of compliance policies.

2. Creating and editing policies

Prisma Cloud uses a single API (a single object) to update all compliance policies at once. This makes it easy to keep a strict order between the policies. The process of adding, editing, or removing a policy is the same:

  1. Get all policies (returns JSON).

  2. Modify the JSON output according to your needs.

  3. Update policies by pushing the new JSON payload.

The following policy uses the container compliance configuration as an example. This API call is used under Defend > Compliance > Containers and Images.

  1. Get all policies

    $ curl -k -u user:password https://$CONSOLE:$PORT/api/v1/policies/compliance/container
  2. Modify the JSON output, explanatory comments provided after //

    {
      "modified": "2020-07-24T02:02:19.224Z", // see 1
      "owner": "jfalgout", // see 2
      "name": "my policy", // see 3
      "previousName": "", // see 4
      "disabled": false, // see 5
      "effect": "alert, block", //see 4
      "resources": { // see 6
        "hosts": ["*"],
        "images": ["nginx:latest"],
        "labels": ["*"],
        "containers": ["*"],
        "namespaces": ["*"],
        "accountIDs": ["*"]
      },
      "action": ["*"], // see 4
      "condition": {
        "readonly": false, // see 4
        "device": "", // see 4
        "vulnerabilities": [ // see 7
          {
            "id": 4000, // see 8
            "block": false, // see 9
            "minSeverity": 1 // see 4
          }, [...]
        ]
      },
      "group": ["*"], // see 4
      "verbose": true, // see 10
      "allCompliance": true, // see 4
      "alertThreshold": { "disabled": false,"value": 0}, // see 4
      "blockThreshold": { "enabled": false,"value": 0}, // see 4
      "graceDays": 0 // see 4
    } [...]

    Where:

    1 — Last Modified Date.

    2 — User who created the rule.

    3 — Name of the rule.

    4 — Obsolete.

    5 — Set to false to enable the policy.

    6 — Resources targeted by this policy.

    7 — Compliance rules are called vulnerabilities as well.

    8 — Compliance rule ID.

    9 — Blocking on this compliance rule enabled or disabled.

    10 — Blocking message verbosity.

    If any policy is modified or deleted here, this will replace the existing policies in Console when uploaded. For any policy to remain unchanged / undeleted, please keep it as is in the file.
  3. Update policies, where policy_upload.txt contains the JSON payload.

    $ curl -k -u user:password -X PUT -H "Content-Type:application/json" https://$CONSOLE:$PORT/api/v1/policies/compliance/container --data-binary "@policy_upload.txt"

3. Getting compliance results

Compliance results can also be retrieved via the API.

For example, to get the compliance status of containers:

$ curl -k -u user:password https://$CONSOLE:$PORT/api/v1/containers

To filter results, use the id parameter:

$ curl -k -u user:password https://$CONSOLE:$PORT/api/v1/containers?id=4cba*

Or, use the name parameter (offset and limit must also be included):

$ curl -k -u user:password https://$CONSOLE:$PORT/api/v1/containers?offset=0&limit=10&search=distracted_yona"

Use the "scan_time" property of the scan result to determine if the scan is completed. The scan request returns the time the scan started. Repeat the request until the scan time of the result is greater than the one you received from scan request. We recommend checking every 10 seconds; few scans should take more than 20-30 seconds to complete.

$ curl -k -u user:password https://$CONSOLE:$PORT/api/v1/containers/scan