1. Overview

App Embedded Defenders monitor your containers to ensure they execute as designed, protecting them from suspicious processes and outbound network connections. See the article on Defender types to learn when to deploy App Embedded Defenders.

App Embedded Defender policies let you define:

  • Process allow or deny lists. Enables verification of launched processes against policy.

  • Outgoing connections allow or deny lists. Enables verification of domain name resolution against policy for outgoing network connections.

Besides runtime policy, you can also configure the WAAS application firewall to protect front-end containers.

App Embedded Defender is the only supported option for securing containers at runtime when you’re using nested virtualization Nested virtualization is also known as Docker-in-Docker. Docker-in-Docker is a setup where you have a Docker container that itself has Docker installed, and from within the container you use Docker to pull images, build images, run containers, and so on. To secure the containers inside a container, use App Embedded Defender.

2. Securing containers

To secure a container, embed the App Embedded Defender into it. You can embed App Embedded Defenders with the Console UI, twistcli, or Prisma Cloud API. App Embedded Defender has been tested on Azure Container Instances, DC/OS (unified container runtime) , PCF PAS, and Google Serverless containers

The steps are:

  1. Define your policy in Prisma Cloud Console.

  2. Embed the App Embedded Defender into the container.

  3. Start the service.

The embed process takes a Dockerfile as input, and returns a ZIP file with an augmented Dockerfile and App Embedded Defender binaries. Rebuild your container image with the new Dockerfile to complete the embedding process. The embed process modifies the container’s entrypoint to run App Embedded Defender, which in turn starts the original entrypoint program.

When embedding App Embedded Defender, specify a unique identifier for your container image. This gives you a way to uniquely identify the App Embedded Defender in the environment.

When securing your apps with runtime rules, target rules to apps using the App ID. (Because the App Embedded Defender runs inside the container, it can’t reliably get information such as image and container names.)

install app embedded defender scope app id

3. Embed App Embedded Defender

Embed App Embedded Defender into a container image from Console’s UI.

Prerequisites:

  • The container where you’re embedding App Embedded Defender can reach Console’s port 8084 over the network.

  • You have the Dockerfile for your image.

  1. Open Console, and go to Manage > Defenders > Deploy.

  2. In the first drop-down list, select the DNS name or IP address that App Embedded Defender uses to connect to Console.

  3. In the second drop-down list, select the App Embedded Defender type.

  4. In Deployment Type, select Dockerfile.

  5. In Application ID, enter a unique identifier for the App Embedded Defender.

  6. In Dockerfile, click Choose File, and upload the Dockerfile for your container image.

  7. Click Create Embedded ZIP.

    A file named app_embedded_embed_help.zip is created and downloaded to your system.

  8. Unpack app_embedded_embed_help.zip.

    $ mkdir tmp
    $ unzip app_embedded_embed_help.zip -d tmp/
  9. Build the modified Docker image.

    $ cd tmp/
    $ docker build .
  10. Tag and push the updated image to your repository.

4. Embed App Embedded Defender manually

Embed App Embedded Defender into a container image manually. Modify your Dockerfile with the supplied information, download the App Embedded Defender binaries into the image’s build context, then rebuild the image.

Prerequisites:

  • The container where you’re embedding App Embedded Defender can reach Console over the network on port 8084.

  • The host where you’re updating your container image with App Embedded Defender can reach Console over the network on port 8083.

  • You have the Dockerfile for your image.

  1. Open Console, and go to Manage > Defenders > Deploy.

  2. In the first drop-down list, select the DNS name or IP address that App Embedded Defender uses to connect to Console.

  3. In the second drop-down list, select the App Embedded Defender type.

  4. In Deployment Type, select Manual. A set of instructions for embedding App Embedded Defender into your images is provided.

    1. Download the App Embedded Defender binaries into the directory that holds your image’s build context.

      $ curl -u <username> https://<CONSOLE>:8083/api/v1/images/twistl<CONSOLE>
    2. Retrieve the keys App Embedded Defender needs to connect to Console. This value will be set as the value for the INSTALL_BUNDLE environment variable in your Dockerfile.

      $ curl -k \
      -u <CONSOLE_ADMIN_USER>
      https://<CONSOLE>:8083/api/v1/defenders/install-bundle

      The curl command returns a JSON object:

      {"bundle":"eyJj..."}

      Set INSTALL_BUNDLE to the value for bundle. For example:

      ENV INSTALL_BUNDLE="eyJj..."
    3. Open your Dockerfile for editing.

    4. In the Dockerfile, add the App Embedded Defender to the image.

      ADD twistlock_defender_app_embedded.tar.gz /twistlock/
    5. In the Dockerfile, add the specified environment variables. Replace the values for <DEFENDER_APP_ID>, <CONSOLE>, and <INSTALL_BUNDLE>.

      ENV DEFENDER_TYPE="appEmbedded"
      ENV DEFENDER_APP_ID="my-app"
      ENV WS_ADDRESS="wss://<CONSOLE>:8084"
      ENV DATA_FOLDER="/twistlock/"
      ENV INSTALL_BUNDLE=""
    6. Modify the run or entrypoint command such that the command that starts your app is an argument to App Embedded Defender. For example, to start the hello program under the control of App Embedded Defender, specify the following entrypoint.

      ENTRYPOINT ["/twistlock/defender", "app-embedded", "hello"]
  5. Rebuild your image.

    $ docker build .
  6. Tag and push the updated image to your repository.

5. Embed App Embedded Defender with twistcli

Prisma Cloud supports automation for embedding App Embedded Defender into container images with either twistcli or the API. This section shows you how to use twistcli. To learn how to use the API, see the API docs.

Prerequisites:

  • The container where you’re embedding App Embedded Defender can reach Console’s port 8084 over the network.

  • You have the Dockerfile for your image.

  1. Download twistcli.

    1. Log into Console, and go to Manage > System > Downloads.

    2. Download the twistcli binary for your platform.

  2. Generate the artifacts for an updated container with twistcli. A file named app_embedded_embed_help.zip is created.

    $ ./twistcli app-embedded embed \
      --user <USER>
      --address "https://<CONSOLE>:8083" \
      --console-host <CONSOLE> \
      --app-id "<DEFENDER-ID>"  \
      --data-folder "<DATA-FOLDER>"  \
      Dockerfile
    <USER>

    Name of a Prisma Cloud user with a minimum role of Defender Manager.

    <CONSOLE>

    DNS name or IP address for Console.

    <APP-ID>

    Unique identifier for the App Embedded Defender. For example, my-app.

    <DATA-FOLDER>

    Readable and writable directory in the container’s filesystem. For example, /twistlock/.

  3. Unpack app_embedded_embed_help.zip.

    $ mkdir tmp
    $ unzip app_embedded_embed_help.zip -d tmp/
  4. Build the updated image.

    $ cd tmp/
    $ docker build .
  5. Tag and push the updated image to your repository.