FedRAMP
Prisma Cloud Compute configuration of features and functions to support an organization’s FedRAMP certification.
Document revisions

| Date | Comment |
|---|---|
| 20201012 | Released for an older version of Prisma Cloud Compute (19.03). Updates are coming shortly. |
Download
Findings can be downloaded as a CSV file from here.
Findings
Control | Twistlock Feature | Twistlock Sub-Feature | Console UI Location | Twistlock API | Values | NIST SP800-53 Control | ISO/IEC 27001 AND 15408 | Cybersecurity Framework Version 1.1 | NCCoE SP1800-19 | FedRAMP | Notes | Twistlock Docs |
---|---|---|---|---|---|---|---|---|---|---|---|---|
AC-2: Access Management |
Authentication |
Manage > Authentication |
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions |
https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Controls_Baseline.xlsx |
Twistlock leverages existing identity management systems for identity and access into the Twistlock Console and API. NIST SP800-53 moderate controls identity management functions are performed via existing organizational IDMgmt process. Twistlock should be configured for Active Directory, OpenLDAP, SAML and x.509 auth |
|||||||
SAML 2.0 Federation |
Manage > Authentication > SAML |
/api/v1/settings/saml |
Enabled | Disabled |
AC-2 - Account Management - Moderate |
AC-2 - Account Management - Moderate |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_saml_post |
||||||
Active Directory and OpenLDAP |
Manage > Authentication > LDAP |
/api/v1/settings/ldap |
Enabled | Disabled |
AC-2 - Account Management - Moderate |
AC-2 - Account Management - Moderate |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_ldap_post |
||||||
x.509 Smartcard authentication |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs |
AC-2 - Account Management - Moderate |
AC-2 - Account Management - Moderate |
DoD CAC card and PIV card Issuing CAs uploaded into the Twistlock Console |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post |
|||||
Enable certificate revocation checking |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
on|off |
AC-2 - Account Management - Moderate |
AC-2 - Account Management - Moderate |
CRL and OCSP supported. Only enable when Twistlock Console is able to reach CDP endpoints |
https://docs.twistlock.com/docs/latest/configure/custom_certs_console_access.html |
|||||
AC-3: Access Enforcement |
Twistlock can be configured not to contain any local user accounts |
|||||||||||
Authentication |
No local account with Twistlock database stored password |
Manage > Authentication > Users |
/api/v1/users |
Basic | SAML | LDAP |
AC-3 - Account Management - Moderate |
AC-3 - Account Management - Moderate |
Check for user accounts authType=basic |
|||||
Disable basic authentication to Console and API |
Manage > Authentication > Logon |
/api/v1/settings/logon |
on|off |
AC-3 - Account Management - Moderate |
AC-3 - Account Management - Moderate |
If using SAML federation access to the API will not work since HTTP redirection is not understood by scripts/programs that access the API. If using x.509 smartcard auth first call the /api/v1/authenticate-client API to obtain an access token |
||||||
SAML and LDAP group assignments to role within Twistlock |
Manage > Authentication > Groups |
/api/v1/groups |
AC-3 - Account Management - Moderate |
AC-3 - Account Management - Moderate |
ldapGroup = true samlGroup = true |
|||||||
AC-4: Information Flow Enforcement |
ID.AM-3: Organizational communication and data flows are mapped |
|||||||||||
Firewall (layer 3) |
Cloud Native Network Firewall - Containers |
Defend > Firewalls > Cloud Native Network Firewall |
api/v1/policies/firewall/network/container |
Disable | Alert | Prevent |
AC-4 Information Flow Enforcement - Moderate |
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) |
AC-4 Information Flow Enforcement - Moderate |
Twistlock Runtime modeling will learn container to container TCP traffic. These "whitelisted" communications can be added to within this configuration. |
https://docs.twistlock.com/docs/latest/firewalls/cnnf.html#overview |
|||
Firewall (layer 3) |
Cloud Native Network Firewall - Hosts |
Defend > Firewalls > CNNF for Host |
api/v1/policies/firewall/network/host |
Disable | Alert |
AC-4 Information Flow Enforcement - Moderate |
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) |
AC-4 Information Flow Enforcement - Moderate |
Twistlock Runtime modeling will learn host to host TCP traffic. These "whitelisted" communications can be added to within this configuration. Host CNNF supports Alerting |
https://docs.twistlock.com/docs/latest/firewalls/cnnf.html#overview |
|||
Twistlock Intelligence Stream |
Anonymously report threats and vulnerabilities to Twistlock |
Manage > System > Intelligence |
/api/v1/status/intelligence |
on|off |
Customer’s Twistlock Console automatically establishes a secure web socket session that authenticates with license access token to receive up-to-date vulnerability and threat information. Supports offline environments. |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
||||||
Istio Monitoring |
Monitor the configuration of an Istio mesh |
System > Manage > Defenders > Deploy Daemon Set |
Monitor Istio = On |
Twistlock will query the Istio mesh configuration for container to container communication |
||||||||
Firewall (layer 7) |
Cloud Native Application Firewall - Container |
Defend > Firewalls > Cloud Native App Firewall |
/api/v1/policies/firewall/app/container |
Disable | Alert | Prevent |
AC-4 Information Flow Enforcement - Moderate |
AC-4 Information Flow Enforcement - Moderate |
Twistlock Layer 7 Web Application Firewall (WAF) for containers using the Defender running as a container on the same node as the destination container. |
|||||
Firewall (layer 7) |
Cloud Native Application Firewall - RASP |
Defend > Firewalls > CNAF for RASP |
/api/v1/policies/firewall/app/rasp |
Disable | Alert | Prevent |
AC-4 Information Flow Enforcement - Moderate |
AC-4 Information Flow Enforcement - Moderate |
Twistlock Layer 7 Web Application Firewall (WAF) within containers using the RASP Defender |
|||||
Firewall (layer 7) |
Cloud Native Application Firewall - Host |
Defender > Firewalls > CNAF for Hosts |
/api/v1/policies/firewall/app/host |
Disable | Alert | Prevent |
AC-4 Information Flow Enforcement - Moderate |
AC-4 Information Flow Enforcement - Moderate |
Twistlock Layer 7 Web Application Firewall (WAF) for hosts using the Host Defenders (Docker based Defender and System Service Defender). |
|||||
| |
||||||||||||
AC - 5: Separation of Duties |
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
|||||||||||
Access Control |
User Roles |
Manage > Authentication > Users |
/api/v1/users |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
AC - 5 Separation of Duties - Moderate AC -6 Least Privileged - Moderate |
AC - 5 Separation of Duties - Moderate |
All Twistlock users are assigned a role |
https://docs.twistlock.com/docs/latest/access_control/user_roles.html |
||||
Access Control |
Assign Roles |
Manage > Authentication > Groups |
/api/v1/groups |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
AC - 5 Separation of Duties - Moderate |
AC - 5 Separation of Duties - Moderate |
Twistlock role mapping for Active Directory, OpenLDAP and SAML based groups can be applied |
https://docs.twistlock.com/docs/latest/access_control/assign_roles.html |
||||
Projects |
Tenant Project |
System > Projects |
/api/v1/settings/projects |
Tenant Project |
AC - 5 Separation of Duties - Moderate |
AC - 5 Separation of Duties - Moderate |
Centrally defined role-based access control, but have sub-groups own rules and configurations. Tiered instances of Twistlock. |
https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html |
||||
| |
||||||||||||
AC - 6: Least Privileged |
||||||||||||
Runtime Defense |
Host Policy |
Defend > Runtime > Host Policy : Activities |
/api/v1/policies/runtime/host |
Disable | Alert | Prevent |
AC -6 Least Privileged |
AC -6 Least Privileged |
Monitor host level activities: general user activities, docker commands, sshd and sudo |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
||||
Runtime Defense |
Container Policy |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Disable | Alert | Prevent |
AC -6 Least Privileged |
AC -6 Least Privileged |
Twistlock automatically models container runtime behaviors (process, file system, network and system calls) and creates a whitelist of behaviors for every image. Global policies can be applied to all containers or a subset of containers |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
||||
| |
||||||||||||
AC - 7: Unsuccessful Logon Attempts |
||||||||||||
Authentication |
No local account with Twistlock database stored password |
Manage > Authentication > Users |
/api/v1/users |
Basic | SAML | LDAP |
Recommend using Active Directory, OpenLDAP, SAML or x.509 based authentication methods to leverage existing IDMgmt authentication attempts throttling controls. |
|||||||
| |
||||||||||||
AC - 8: System Use Notification |
||||||||||||
Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that |
Future feature, GH Issue #10039 |
|||||||||||
| |
||||||||||||
AC - 12: Session Termination |
||||||||||||
Logout |
All Twistlock Console user interface screens has a user logout icon |
User icon in the top right corner has a "Log out" action |
||||||||||
| |
||||||||||||
AC - 14: Permitted Actions without Identification or Authentication |
||||||||||||
Authentication |
All Twistlock access requires authentication |
|||||||||||
| |
||||||||||||
AC - 17: Remote Access |
Twistlock can be deployed in a completely offline environment |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
||||||||||
Logging |
Console Logs |
Manage > View Logs > Console |
/api/v1/audits/mgmt |
AC-17 (1) Automated monitoring |
AC-17 (1) Automated monitoring |
Logging within Twistlock Console is automatic and cannot be disabled |
https://docs.twistlock.com/docs/latest/audit/audit_admin_activity.html |
|||||
Authentication |
Console Authentication |
Manage > Authentication > System Certificates : Advanced certificate configuration |
/api/v1/settings/certificates |
Console TLS certificate and keys upload |
AC-17 (2) Protection of confidentiality / Integrity using encryption |
PR.PT-4: Communications and control networks are protected |
AC-17 (2) Protection of confidentiality / Integrity using encryption |
Access to Twistlock Console and API is performed over the TLS protected port. 3rd party TLS certificate and keys and be used. |
https://docs.twistlock.com/docs/latest/configure/disable_http_access_console.html |
|||
| |
||||||||||||
AC - 20: Use of External Information Systems |
ID.AM-4: External information systems are catalogued |
|||||||||||
Access Control |
AC - 20 (1) - USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
AC - 20 (1) - USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
Twistlock can be deployed in a completely offline environment. Access to Twistlock Console and API is dependent upon the organizational policy. |
|||||||||
| |
||||||||||||
AC - 21: Information Sharing |
||||||||||||
Intelligence Stream |
Anonymously report threats and vulnerabilities to Twistlock |
Manage > System > Intelligence > Anonymously report threats and vulnerabilities to Twistlock |
/api/v1/settings/telemetry |
on | off |
AC - 21 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT |
AC - 21 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT |
Opt-in feature to anonymously report threat information to Twistlock |
|||||
| |
||||||||||||
AU - 1: Audit and Accountability Policy and Procedures |
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
|||||||||||
Compliance |
Compliance Policy Templates |
Defend > Compliance > Policy |
/api/v1/static/vulnerabilities |
300+ compliance checks available |
Using Twistlock Compliance Templates you can quickly enable the compliance rules that apply to an industry: GDPR, PIC, HIPAA & NIST SP 800-190 |
https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html |
||||||
| |
||||||||||||
AU - 3: Content of Audit Records |
||||||||||||
Logging |
Syslog and Stdout logging supports detail reporting for vulnerability and compliance finding and all runtime process activity |
Manage > System > Logging |
/api/v1/settings/logging |
Detailed output for vulnerabilities and compliance: on | off Detailed output of all runtime process activity: on | off |
AU - 3(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION |
AU - 3(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION |
Twistlock Syslog and Stdout logging can be configurated for verbose output |
https://docs.twistlock.com/docs/latest/audit/syslog_integration.html |
||||
| |
||||||||||||
AU - 4: Audit Storage Capacity |
||||||||||||
Logging |
Console and Defender logs can be downloaded |
Console: Manage > System > View logs > Console Defender: Manage > Defenders > Manage |
Console: /api/v1/logs/system/download Defender: /api/v1/logs/defender |
AU-4(1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE |
Twistlock logs can be downloaded. Twistlock is configured for log rotation. 100MB log rotation of 10 historical logs. |
https://docs.twistlock.com/docs/latest/audit/log_rotation.html#overview |
||||||
| |
||||||||||||
AU - 6: Audit Review, Analysis and Reporting |
||||||||||||
Alerts |
Alert Providers |
Manage > System > Alerts |
/api/v1/settings/alerts |
Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor |
AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION |
AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION |
Twistlock can disseminate alerts based upon the type of alert and the alert method of the event owner. |
https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html |
||||
| |
||||||||||||
AU - 7: Audit Reduction and Report Generation |
||||||||||||
Alerts |
Alert Labels |
Manage > System > Alerts > Alert Labels |
/api/v1/settings/custom-labels |
Docker and Kubernetes labels can be used to direct Alerts |
https://docs.twistlock.com/docs/latest/audit/annotate_audits.html |
|||||||
Logging |
Syslog and Stdout logging supports detail reporting for vulnerability and compliance finding and all runtime process activity |
Manage > System > Logging |
/api/v1/settings/logging |
Detailed output for vulnerabilities and compliance: on | off Detailed output of all runtime process activity: on | off |
AU-7(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING |
AU-7(1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING |
Twistlock Syslog and Stdout logging can be configurated for verbose output |
https://docs.twistlock.com/docs/latest/audit/syslog_integration.html |
||||
| |
||||||||||||
AU - 8: Time Stamps |
||||||||||||
Logging |
Console and Defender logs use GMT time zone |
Console: Manage > System > View logs > Console Defender: Manage > Defenders > Manage |
AU-8(1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE |
Twistlock clock is mapped to GMT automatically |
||||||||
| |
||||||||||||
AU - 9: Protection of Audit Information |
||||||||||||
Authentication |
User Role |
Manage > Authentication > Users |
User role of Auditor or higher allows access to view the Twistlock logs |
AU -9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS |
PR.PT-4: Communications and control networks are protected |
AU -9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS |
Twistlock Defender transfers event data to the Twistlock Console is over an encrypted channel (mutual TLS) |
|||||
| |
||||||||||||
AU - 11: Audit Record and Retention |
||||||||||||
Logging |
Console and Defender logs can be downloaded |
Console: Manage > System > View logs > Console Defender: Manage > Defenders > Manage |
Console: /api/v1/logs/system/download Defender: /api/v1/logs/defender |
AU-11(1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY |
AU-11(1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY |
Twistlock logs can be downloaded. Twistlock is configured for log rotation. 100MB log rotation of 10 historical logs. |
https://docs.twistlock.com/docs/latest/audit/log_rotation.html#overview |
|||||
| |
||||||||||||
AU - 12: Audit Generation |
||||||||||||
Logging |
Syslog and Stdout |
Manage > System > Logging |
/api/v1/settings/logging |
Enabled | Disabled |
AU-12(2) AUDIT GENERATION | STANDARDIZED FORMATS |
AU-12(2) AUDIT GENERATION | STANDARDIZED FORMATS |
RFC5424 compliant event message formatting |
https://docs.twistlock.com/docs/latest/audit/syslog_integration.html |
||||
| |
||||||||||||
CA - 2: Security Assessments |
Twistlock continuously monitors the environment for new and emerging threats |
|||||||||||
Vulnerabilities |
Only scan images with running containers |
Manage > System > Scan |
/api/v1/settings/scan |
On | Off |
CA-2Â SECURITY ASSESSMENTS |
ID.RA-1: Asset vulnerabilities are identified and documented |
CA-2Â SECURITY ASSESSMENTS |
Recommend setting to "Off." All images discovered local to the hosts will be scanned. |
https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html |
|||
Vulnerabilities |
Configure scan intervals |
Manage > System > Scan |
/api/v1/settings/scan |
1 - 24 hours |
CA-2Â SECURITY ASSESSMENTS |
ID.RA-1: Asset vulnerabilities are identified and documented |
CA-2Â SECURITY ASSESSMENTS |
Scheduled frequency of when Twistlock scans |
https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html |
|||
Intelligence Stream |
Enable automatic Twistlock Intelligence Stream Updates |
Manage > System Intelligence > Enable online updates of Intelligence Stream |
/api/v1/settings/intelligence |
On | Off |
CA-2Â SECURITY ASSESSMENTS |
CA-2Â SECURITY ASSESSMENTS |
Recommend setting to "On." Twistlock can be deployed in a completely offline environment |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
||||
Access Console |
Auditor User Role |
Manage > Authentication > Users |
/api/v1/users |
Auditor |
CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS |
CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS |
Twistlock Auditor role can be given to independent assessors |
https://docs.twistlock.com/docs/latest/access_control/user_roles.html |
||||
| |
||||||||||||
CA - 3: System Interconnections |
||||||||||||
Runtime |
Container Network |
Defend > Runtime > Container Policy > Network |
/api/v1/policies/runtime/container |
IP Connectivity: - Allowed listen ports, outbound ports and Outbound IP addresses - Denied listen port, outbound ports and Outbound IP addresses DNS: Allowed | Denied domains |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
Twistlock Runtime Container rules can control a containers ability to communicated to externally via TCP/IP |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
||||
Host Network |
Defend > Runtime > Host Policy > Network |
/api/v1/policies/runtime/host |
IP Connectivity: - Allowed listen ports, outbound ports and Outbound IP addresses - Denied listen port, outbound ports and Outbound IP addresses DNS: Allowed | Denied domains |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
Twistlock Runtime Host rules can control a hosts ability to communicated to externally via TCP/IP |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
|||||
Firewall |
Cloud Native Network Firewall: Container |
Defend > Firewall > Cloud Native Network Firewall |
/api/v1/policies/firewall/network/container |
Allow | Alert | Prevent Source: Image | IP Address Destination: Image | IP Address Ports: range of allowed TCP port |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
Rules can be defined between container and between containers and external networks where Twistlock is not running |
|||||
Cloud Native Network Firewall: Host |
Defend > Firewall > CNNF for Hosts |
/api/v1/policies/firewall/network/host |
Allow | Alert Source: Image | IP Address Destination: Image | IP Address Ports: range of allowed TCP port |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
Rules can be defined between apps or between apps and external networks where Twistlock is not running |
https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html |
|||||
Custom Feeds |
IP Reputation Lists |
Manage > System > Custom Feeds > IP Reputation Lists |
/api/v1/feeds/custom/ips |
IP Address in CIDR format |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-3(5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
List of suspicious or high risk IP endpoints. Supplement the Twistlock Intelligence Stream with your own list of banned IP addresses |
https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#banned-ip-addresses |
||||
| |
||||||||||||
CA - 5: Plan of Action and Milestones |
Twistlock API can be used to generate reports for POAMs |
https://github.com/twistlock/sample-code/tree/master/powershell |
||||||||||
API |
Vulnerability Reporting |
Monitor > Vulnerabilities > Vulnerability Explorer |
/api/v1/stats/vulnerabilities/impacted-resources |
CA-5(1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
ID.RA-4: Potential business impacts and likelihoods are identified |
CA -5 PLAN OF ACTION AND MILESTONES |
Query Twistlock API for a summary count of CVEs in the images, containers, hosts, and serverless functions your environment |
https://docs.twistlock.com/docs/latest/api/api_reference.html#stats_vulnerabilities_get |
||||
API |
Compliance Reporting |
Monitor > Compliance > Compliance Explorer |
/api/v1/stats/compliance |
CA-5(1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
Query Twistlock API for a summary count of compliance findings in the images, containers, hosts, and serverless functions your environment |
https://docs.twistlock.com/docs/latest/api/api_reference.html#stats_compliance_get |
||||||
Custom Feeds |
CVE Allow List |
Manage > System > Custom Feeds > CVE Allow List |
api/v1/feeds/custom/cve-allow-list |
Allow CVEs to existing for a specified period of time, after time expires the vulnerability will be alerted and rules can be based upon the CVE. System wide exception. |
https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list |
|||||||
Vulnerabilities |
Image Policy CVE Exception |
Defend > Vulnerabilities > Images : Policy > Advanced Settings |
/api/v1/policies/vulnerability/images |
Allow CVE exception within individual image vulnerability rules |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
|||||||
Vulnerabilities |
Host Policy CVE Exception |
Defend > Vulnerabilities > Policy |
/api/v1/policies/vulnerability/host |
Allow CVE exception within individual host vulnerability rules |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
|||||||
| |
||||||||||||
CA - 6: Security Authorization |
Twistlock API to generate authority to operate packages |
|||||||||||
API |
Compilation of vulnerability, compliance and runtime results for a microservice |
Various locations |
multiple API calls |
Use Twistlock API to generate Authority to Operate reports for the applications to be deployed |
https://github.com/twistlock/sample-code/blob/master/powershell/rmf_ato.ps1 |
|||||||
Compliance |
Trusted Images |
Defend > Compliance > Trusted Images |
/api/v1/trust |
SP800-190 4.2.3 |
Define image trust based upon the Docker Registry of the image, the Docker imageID and RootFS layers of a "base image." Compliance rule #423 Image is not Trusted can be applied to block the creation of a container from an image that is not trusted. The authorizing official can deem an image trusted or not trusted |
https://docs.twistlock.com/docs/latest/compliance/trusted_images.html |
||||||
| |
||||||||||||
CA - 7: Continuous Monitoring |
All Twistlock features are included in a single license. All out-of-the box rules are enabled to alert. |
|||||||||||
Firewall |
Cloud Native Network Firewall: Container |
Defend > Firewall > Cloud Native Network Firewall |
/api/v1/policies/firewall/network/container |
Allow | Alert | Prevent |
DE.CM-1: The network is monitored to detect potential cybersecurity events |
Set to "Alert" to continually monitor container to container traffic |
||||||
Cloud Native Network Firewall: Host |
Defend > Firewall > CNNF for Hosts |
/api/v1/policies/firewall/network/host |
Allow | Alert |
DE.CM-1: The network is monitored to detect potential cybersecurity events |
Set to "Alert" and create a policy for all App "" communicating to all Apps "" |
https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html |
||||||
Runtime |
Container: Default - alert on suspicious runtime behavior |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Default - alert on suspicious runtime behavior policy is enabled by default |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
|||||||
Host: Default - alert on suspicious runtime behavior |
Defend > Runtime > Host Policy |
/api/v1/policies/runtime/host |
Default - alert on suspicious runtime behavior policy is enabled by default |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
||||||||
Vulnerabilities |
Images: Default - alert all components |
Defend > Vulnerabilities > Images |
/api/v1/policies/vulnerability/images |
ID.RA-1: Asset vulnerabilities are identified and documented |
Default - alert all components is enabled by default |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
||||||
Hosts: Default - alert all components |
Defend > Vulnerabilities > Host |
/api/v1/policies/vulnerability/host |
ID.RA-1: Asset vulnerabilities are identified and documented |
Default - alert all components is enabled by default |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
|||||||
Configure scan intervals |
Manage > System > Scan |
/api/v1/settings/scan |
1 - 24 hours |
CA-7(1) CONTINUOUS MONITORING |
CA-7(1) CONTINUOUS MONITORING |
Scheduled frequency of when Twistlock scans |
https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html |
|||||
Compliance |
Container & Images: Default - alert on critical and high |
Defend > Compliance> Container and Images |
/api/v1/policies/compliance/container |
Default - alert on critical and high is enabled by default. This scans for all Critical and High compliance issue for container and images. Based upon the CIS Docker& Kubernetes Benchmarks and NIST 800-190 |
https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html |
|||||||
Container & Images: Default - alert on critical and high |
Defend > Compliance > Hosts |
/api/v1/policies/compliance/host |
Default - alert on critical and high is enabled by default. This scans for all Critical and High compliance issue for container and images. Based upon the CIS Docker, Kubernetes & Linux Benchmarks and NIST 800-190 |
https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html |
||||||||
Alerts |
Alert Providers |
Manage > System > Alerts |
/api/v1/settings/alerts |
Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor |
Twistlock can disseminate alerts based upon the type of alert and the alert method of the audit owner |
https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html |
||||||
Logging |
Syslog and Stdout |
Manage > System > Logging |
/api/v1/settings/logging |
Enabled | Disabled |
RFC5424 compliant event message formatting |
https://docs.twistlock.com/docs/latest/audit/syslog_integration.html |
||||||
Forensics |
Forensic data collection |
Manage > System > Forensics |
/api/v1/settings/forenic |
Enabled | Disabled |
CA-7(3) CONTINUOUS MONITORING | TREND ANALYSES |
DE.AE-2: Detected events are analyzed to understand attack targets and methods |
Collect detailed host and container forensics data.When enabled, Defenders store a local log of host and container operations onthe host, and selectively forwards it to Console on-demand |
https://docs.twistlock.com/docs/latest/runtime_defense/incident_explorer.html |
||||
| |
||||||||||||
CA - 9: Internal System Connections |
||||||||||||
Firewall |
Cloud Native Network Firewall: Container |
Defend > Firewall > Cloud Native Network Firewall |
/api/v1/policies/firewall/network/container |
Allow | Alert | Prevent |
Container to Container layer 3 firewalling is based upon images. When the images spawn as container the CNNF rules are applied when TCP connections are established from the source container to the destination container |
|||||||
Cloud Native Network Firewall: Host |
Defend > Firewall > CNNF for Hosts |
/api/v1/policies/firewall/network/host |
Allow | Alert |
Set to "Alert" and create a policy for all App "" communicating to all Apps "" |
https://docs.twistlock.com/docs/latest/firewalls/cnnf_hosts.html |
|||||||
Compliance |
Compliance Actions |
Defend > Compliance > Container and Images > Policy |
/api/v1/policies/compliance/container |
Ignore | Alert | Block |
CA-9(1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS |
Ability to block the deployment of an image as a container based up compliance status. |
https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html |
|||||
Vulnerabilities |
Severity Based Actions |
Defend > Vulnerabilities > Images > Policy |
/api/v1/policies/vulnerability/images |
Ignore | Alert | Block |
CA-9(1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS |
Ability to block the deployment of an image as a container based up vulnerability status. |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
|||||
| |
||||||||||||
CM - 2: Baseline Configuration |
||||||||||||
Backup & Restore |
System Backups |
Manage > System > Backup & Restore > System Backups |
/api/v1/recovery/backup |
daily | weekly monthly |
CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
Automatic process |
|||||
Manual Backups |
Manage > System > Backup & Restore > Manual Backups |
/api/v1/recovery/backup |
on demand backup |
CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
CM-2(3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
Manual backup via UI or API call |
https://docs.twistlock.com/docs/latest/configure/disaster_recovery.html#making-manual-backups |
|||||
Rule Filtering |
All vulnerability and compliance rules |
Defend |
CM-2(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
CM-2(7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
Twistlock vulnerability, compliance, runtime rules can be granularly applied to resources based upon their associated level of risk |
|||||||
| |
||||||||||||
CM - 3: Configuration Change Control |
||||||||||||
Projects |
Tenant Project |
System > Projects |
/api/v1/settings/projects |
Tenant Project |
CM-3(2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES |
Testing and evaluation environments can be monitored and controlled via a Twistlock Tenant Project configuration. |
https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html |
|||||
| |
||||||||||||
CM - 5: Access Restriction for Change |
||||||||||||
Access Control |
User Roles |
Manage > Authentication > Users |
/api/v1/users |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
All Twistlock users are assigned a role; each role carries a defined set of change permissions |
https://docs.twistlock.com/docs/latest/access_control/user_roles.html |
||||
Access Control |
Assign Roles |
Manage > Authentication > Groups |
/api/v1/groups |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
CM-5(1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
Twistlock role mapping can be applied to Active Directory, OpenLDAP and SAML groups; each role carries a defined set of change permissions |
https://docs.twistlock.com/docs/latest/access_control/assign_roles.html |
||||
| |
||||||||||||
CM - 6: Configuration Settings |
||||||||||||
Compliance |
Compliance Policy Templates |
Defend > Compliance > Policy |
/api/v1/policies/compliance/container |
300+ compliance checks available |
CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION |
CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION |
Using Twistlock Compliance Templates you can quickly enable the compliance rules that apply to a regime: GDPR, PCI, HIPAA and NIST SP 800-190. Ability to alert or block when a setting is deemed non-compliant |
https://docs.twistlock.com/docs/latest/compliance/manage_compliance.html |
||||
| |
||||||||||||
CM - 7: Least Functionality |
||||||||||||
Runtime |
Container Policy |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Disable | Alert | Prevent | Block |
CM-7(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION CM-7(4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE / BLACKLISTING |
CM-7(2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION |
Manual and automated whitelisting of process, file system, system call and networking behaviors. Twistlock Runtime Defense is the set of features that provide both predictive and threat-based active protection for running containers. For example, predictive protection includes capabilities like determining when a container runs a process not included in the origin image or creates an unexpected network socket. Threat-based protection includes capabilities like detecting when malware is added to a container or when a container connects to a botnet. |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
||||
| |
||||||||||||
CM - 8: Information System Component Inventory |
||||||||||||
Vulnerabilities |
Configure scan intervals |
Manage > System > Scan |
/api/v1/settings/scan |
1 - 24 hours |
CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
Scheduled frequency of when Twistlock scans to identify new images and containers |
https://docs.twistlock.com/docs/latest/configure/configure_scan_intervals.html |
||||
Vulnerabilities |
Image |
Monitor > Vulnerabilities |
CM-8(5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS |
CM-8(5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS |
Twistlock automatically associates duplicate images if discovered local to the host, within a Docker registry or discovered during a CI build process |
|||||||
Deployment |
Defenders |
Manage > Defenders |
/api/v1/defenders |
CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
Deploy Twistlock Defenders using orchestration tools (e.g. Kubernetes, OpenShift, SWARM, etc.) to ensure Defenders are deployed to new scaled up nodes within the environment |
https://docs.twistlock.com/docs/latest/install/install_defender.html |
|||||
| |
||||||||||||
CM - 10: Software Usage Restrictions |
||||||||||||
Vulnerabilities |
Images |
Monitor > Vulnerabilities > Image > Package Info |
/api/v1/containers/count |
CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE |
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
CM-10(1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE |
Twistlock image scan reports include the package information: type, name, path within the image, version, known CVEs and license. This information can be used to determine whether open source software is used within the environment. |
|||||
| |
||||||||||||
CM - 11: User-Installed Software |
||||||||||||
Runtime |
Container Policy |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Disable | Alert | Prevent | Block |
CM-11(1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS |
Twistlock can identify the software installation process from within a running container (e.g. apt-get, yum, etc). |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
|||||
Host Policy |
Defend > Runtime > Host Policy |
/api/v1/policies/runtime/host |
Disable | Alert | Prevent |
CM-11(1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS |
Anomalous app detection: Twistlock learns the normal set of apps running on your hosts and automatically identifies apps added abnormally. Monitors general activity, Docker commands, sshd and sudo commands. Service capabilities are Twistlock-curated units of process and file system actions that express the things services routinely need to do; they can be independently enabled or disabled on a per-service basis and provide fine-grained control over what a service can and cannot do. |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
||||||
| |
||||||||||||
CP - 2: Contingency Plan |
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
|||||||||||
Policy |
Resource Filter |
Defend > all policies |
Container | Host | Images | Labels |
CP-2(8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS |
CP-2(8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS |
All Twistlock rules have resource filters that let you target specific resources in your environment. You can identify the critical assets within your environment and apply specific policies to the assets. |
||||||
| |
||||||||||||
CP - 9: Information System Backup |
PR.IP-4: Backups of information are conducted, maintained, and tested |
|||||||||||
Backup & Restore |
System Backups |
Manage > System > Backup & Restore > System Backups |
/api/v1/recovery/backup |
daily | weekly | monthly |
CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
Automatic process, restoration can be performed from the Twistlock UI |
|||||
Manual Backups |
Manage > System > Backup & Restore > Manual Backups |
/api/v1/recovery/backup |
on demand backup |
CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
CP-9(1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
Manual backup and recovery via API call |
||||||
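Automating the on-demand backup above through the API, as an added Python example (not code from this page or from Prisma Cloud/Twistlock): it logs in to `POST /api/v1/authenticate`, which returns a bearer token, then calls the `POST /api/v1/recovery/backup` endpoint this row lists with `Authorization: Bearer`. The Console hostname, port 8083 and CA file are placeholders, and the request body (the backup name as a JSON string) is an assumption to confirm against the API reference for your Console version. The HTTP transport is injectable so the flow can be exercised without a live Console, and TLS verification is never disabled.

```python
import json
import ssl
import urllib.request


def _https_json(url, method, body=None, headers=None, cafile=None):
    """Default transport: one HTTPS request with JSON in and JSON out.
    TLS is verified against `cafile` (the Console's CA or its self-signed
    certificate); do not replace this with an unverified context."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class ConsoleClient:
    """Minimal Console API client: authenticate once, reuse the bearer token."""

    def __init__(self, base_url, transport=_https_json, cafile=None):
        self.base = base_url.rstrip("/")
        self.transport = transport  # swapped for a fake in tests
        self.cafile = cafile
        self.token = None

    def authenticate(self, username, password):
        # POST /api/v1/authenticate returns {"token": "..."} for a valid login.
        status, body = self.transport(
            self.base + "/api/v1/authenticate", "POST",
            {"username": username, "password": password}, None, self.cafile)
        if status != 200 or not body or "token" not in body:
            raise RuntimeError("authentication failed (HTTP %s)" % status)
        self.token = body["token"]
        return self.token

    def _auth_headers(self):
        if not self.token:
            raise RuntimeError("call authenticate() before using the API")
        return {"Authorization": "Bearer " + self.token}

    def create_backup(self, name):
        # POST /api/v1/recovery/backup is the endpoint listed on this page.
        # ASSUMPTION: the body is the backup name as a JSON string; confirm
        # against the API reference for the Console version in use.
        status, _ = self.transport(
            self.base + "/api/v1/recovery/backup", "POST",
            name, self._auth_headers(), self.cafile)
        if status not in (200, 201, 204):
            raise RuntimeError("backup request failed (HTTP %s)" % status)
        return status


if __name__ == "__main__":
    import getpass
    # Hypothetical Console address and CA bundle; replace with your own.
    client = ConsoleClient("https://console.example.com:8083", cafile="console-ca.pem")
    client.authenticate("admin", getpass.getpass("Console password: "))
    print("backup request returned HTTP", client.create_backup("pre-upgrade"))
```

Run it from a scheduled job with a dedicated service account whose role is limited to what backups need, and keep the password out of the command line (the script prompts for it; a secrets manager is the better source in automation).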
| |
||||||||||||
IA - 2: Identification and Authentication |
||||||||||||
Authentication |
SAML 2.0 Federation |
Manage > Authentication > SAML |
/api/v1/settings/saml |
Enabled | Disabled |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
Enforce Multi-factor authentication at SAML Identity Provider |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_saml_post |
||||
Active Directory and OpenLDAP |
Manage > Authentication > LDAP |
/api/v1/settings/ldap |
Enabled | Disabled |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
Enforce Multi-factor authentication at LDAP Identity Provider |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_ldap_post |
|||||
x.509 Smartcard authentication |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS & IA-2(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS & IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS & IA-2(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
Supports x.509 smartcard-based authentication; PIV and CAC cards are supported |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post |
|||||
Console and API Access |
TLS HSTS |
IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
Twistlock Console and API enforces HTTP Strict Transport Security |
https://docs.twistlock.com/docs/latest/download/releases.html#2-3-78 |
|||||||
| |
||||||||||||
IA - 5: Authenticator Management |
||||||||||||
Authentication |
Require strong passwords for local accounts |
Manage > Authentication > Logon |
/api/v1/settings/logon |
On | Off |
IA-5(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
IA-5(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
Passwords must be at least 8 characters long and contain at least one digit, one uppercase letter and one lowercase letter |
|||||
x.509 Smartcard authentication |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs |
IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
DoD CAC issuing CAs |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post |
|||||
Enable certificate revocation checking |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
on|off |
IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
IA-5(2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
CRL and OCSP are supported. Only enable when the Twistlock Console can reach the CRL distribution point (CDP) and OCSP endpoints of the issuing CAs; otherwise revocation checks fail and smartcard logins are rejected |
https://docs.twistlock.com/docs/latest/configure/custom_certs_console_access.html |
|||||
| |
||||||||||||
IA - 8: Identification and Authentication (non-organizational users) |
||||||||||||
x.509 Smartcard authentication |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs |
IA-8(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
IA-8(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
Multiple smartcard issuing CAs can be imported, allowing smartcards from different organizations to authenticate to the Twistlock Console and API |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post |
|||||
| |
||||||||||||
IR - 4: Incident Handling |
DE.AE-2: Detected events are analyzed to understand attack targets and methods |
|||||||||||
Runtime |
Container Policy |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Disable | Alert | Prevent | Block |
IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
Container runtime policy can take immediate action when an event is triggered. This will stop incidents while they are occurring. |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
||||
Host Policy |
Defend > Runtime > Host Policy |
/api/v1/policies/runtime/host |
Disable | Alert | Prevent |
IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
IR-4(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
Host runtime policy can take immediate action when an event is triggered. This will stop incidents while they are occurring. |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
|||||
IR - 5: Incident Monitoring |
||||||||||||
Runtime |
Incident Explorer |
Monitor > Runtime > Incident Explorer |
/api/v1/audits/incidents |
IR-5(1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS |
DE.AE-5: Incident alert thresholds are established |
IR-5 INCIDENT MONITORING |
Incident Explorer elevates raw audit data to actionable security intelligence, enabling a more rapid and effective response to incidents. Rather than having to manually sift through reams of audit data, Incident Explorer automatically correlates individual events generated by the firewall and runtime sensors to identify unfolding attacks. |
https://docs.twistlock.com/docs/latest/runtime_defense/incident_explorer.html |
||||
IR - 6: Incident Reporting |
DE.AE-5: Incident alert thresholds are established |
|||||||||||
Alerts |
Alert Profiles |
Manage > System > Alerts > Alert Labels |
/api/v1/settings/alerts |
Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor |
IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING |
IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING |
Twistlock Alert Profiles can send the various types of alerts (runtime, firewall, host, etc.) to the Incident Response stakeholder responsible for that type of incident. |
https://docs.twistlock.com/docs/latest/audit/annotate_audits.html |
||||
Logging |
Syslog and stdout logging support detailed reporting of vulnerability and compliance findings and of all runtime process activity |
Manage > System > Logging |
/api/v1/settings/logging |
Syslog: Enabled | Disabled Stdout: Enabled | Disabled Prometheus instrumentation: Enabled | Disabled |
IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING |
IR-6(1) INCIDENT REPORTING | AUTOMATED REPORTING |
Twistlock syslog, stdout and Prometheus instrumentation events can be captured by a security information and event management (SIEM) system |
https://docs.twistlock.com/docs/latest/audit/syslog_integration.html |
||||
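What the SIEM side of the syslog integration above looks like, as an added Python example (not code from this page or from Prisma Cloud/Twistlock): a parser for the `key="value"` (logfmt-style) message body, followed by triage logic that separates events Defender already prevented or blocked from high-severity events that were only alerted on and still need a human. The sample lines and their field names (type, severity, effect, container, image, msg) are constructed for the demo and are not the product's documented schema; adapt the field names to the records your Console actually emits.

```python
import re
from collections import Counter

# One key=value pair: the value is either double-quoted (backslash escapes
# allowed inside) or a bare run of non-space characters.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Constructed sample syslog lines (not captured from a real Defender). The
# syslog header carries no '=' so the parser skips it and reads the body.
SAMPLE_SYSLOG = [
    r'<14>Oct 12 10:01:02 node1 twistlock-defender: time="2020-10-12T10:01:02Z" type="processes" severity="high" effect="alert" hostname="node1" container="web-7c9d" image="shop/web:1.4" msg="Process \"nc\" not in image whitelist"',
    r'<14>Oct 12 10:01:09 node1 twistlock-defender: time="2020-10-12T10:01:09Z" type="network" severity="medium" effect="alert" hostname="node1" container="web-7c9d" image="shop/web:1.4" msg="Outbound connection to 203.0.113.7:4444 not in whitelist"',
    r'<14>Oct 12 10:02:41 node2 twistlock-defender: time="2020-10-12T10:02:41Z" type="filesystem" severity="high" effect="prevent" hostname="node2" container="api-5f1a" image="shop/api:2.0" msg="Write to /usr/bin blocked"',
    r'<14>Oct 12 10:03:15 node2 twistlock-defender: time="2020-10-12T10:03:15Z" type="processes" severity="critical" effect="block" hostname="node2" container="api-5f1a" image="shop/api:2.0" msg="Crypto miner xmrig detected, container stopped"',
    r'<14>Oct 12 10:05:00 node1 twistlock-defender: Defender connected to Console',
    r'<14>Oct 12 10:06:30 node3 twistlock-defender: time="2020-10-12T10:06:30Z" type="network" severity="critical" effect="alert" hostname="node3" msg="Host connected to known botnet C2 198.51.100.9"',
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_logfmt(line):
    """Parse every key=value pair in a line into a dict.
    Quoted values have their backslash escapes (\\" and \\\\) removed."""
    out = {}
    for key, quoted, bare in _PAIR.findall(line):
        out[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return out


def triage(lines, min_severity="high"):
    """Return (alerts, counts).

    alerts: events at or above min_severity whose effect was only "alert",
            i.e. Defender did not stop them and an analyst must look.
    counts: every audit record tallied by (type, effect) for a dashboard.
    Lines without a `type` field are not audit records and are skipped."""
    threshold = SEVERITY_RANK[min_severity]
    alerts, counts = [], Counter()
    for line in lines:
        ev = parse_logfmt(line)
        if "type" not in ev:
            continue
        effect = ev.get("effect", "n/a").lower()
        counts[(ev["type"], effect)] += 1
        sev = SEVERITY_RANK.get(ev.get("severity", "").lower(), 0)
        if sev >= threshold and effect == "alert":
            alerts.append(ev)
    return alerts, counts


if __name__ == "__main__":
    alerts, counts = triage(SAMPLE_SYSLOG)
    for (etype, effect), n in sorted(counts.items()):
        print("%-12s %-8s %d" % (etype, effect, n))
    for ev in alerts:
        asset = ev.get("container") or ev.get("hostname")
        print("NEEDS REVIEW:", ev["severity"], ev["type"], asset, "-", ev["msg"])
```

The split on `effect` matters for IR-6 reporting: a prevented or blocked event is evidence the control worked and belongs in the weekly summary, while an alert-only event at high or critical severity is an open incident and should page someone.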
IR - 8: Incident Response Plan |
RS.RP-1: Response plan is executed during or after an incident |
|||||||||||
Runtime |
Container Policy |
Defend > Runtime > Container Policy |
/api/v1/policies/runtime/container |
Disable | Alert | Prevent | Block |
Organization IR Plan can be expressed within a container runtime policy |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html |
||||||
Host Policy |
Defend > Runtime > Host Policy |
/api/v1/policies/runtime/host |
Disable | Alert | Prevent |
Organization IR Plan can be expressed within a host runtime policy |
https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense_hosts.html |
|||||||
MA - 4: Nonlocal Maintenance |
||||||||||||
Intelligence Stream |
Enable operators to upload support logs directly to Twistlock |
Manage > System > Intelligence |
/api/v1/settings/intelligence |
On | Off |
Used by Twistlock Support. Maintenance information can also be exchanged through other methods (e.g. screen share session, telephone, etc.) when uploads are not permitted |
|||||||
RA - 2: Security Categorization |
||||||||||||
Projects |
Tenant Project |
System > Projects |
/api/v1/settings/projects |
Tenant Project |
Twistlock Tenant Projects can be used to catalog instances of Twistlock based upon their security categorization level. |
https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html |
||||||
RA - 3: Risk Assessment |
||||||||||||
Custom Feeds |
CVE Allow List |
Manage > System > Custom Feeds > CVE Allow List |
/api/v1/feeds/custom/cve-allow-list |
Ability to control the reporting of vulnerabilities based upon risk assessment. Allows a CVE to remain for a specified period of time; after that period expires the vulnerability is alerted on again and rules can be based upon the CVE. System-wide exception. |
https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list |
|||||||
Vulnerabilities |
Image Policy CVE Exception |
Defend > Vulnerabilities > Images : Policy > Advanced Settings |
/api/v1/policies/vulnerability/images |
Allow CVE exception within individual image vulnerability rules |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
|||||||
RA - 5: Vulnerability Scanning |
||||||||||||
Intelligence Stream |
Enable automatic Twistlock Intelligence Stream Updates |
Manage > System > Intelligence > Enable online updates of Intelligence Stream |
/api/v1/settings/intelligence |
On | Off |
RA-5(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY |
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks |
RA-5(1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY |
Recommended setting: On. Twistlock can also be deployed in a completely offline environment, in which case the Intelligence Stream is updated manually (see link) |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
|||
Update frequency |
RA-5(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED |
RA-5(2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED |
Twistlock Intelligence Stream is updated at least once every 24 hours and will update when a vulnerability is posted by the upstream provider |
|||||||||
Vulnerability |
Defender architecture |
RA-5(5) VULNERABILITY SCANNING | PRIVILEGED ACCESS |
DE.CM-8: Vulnerability scans are performed |
RA-5(5) VULNERABILITY SCANNING | PRIVILEGED ACCESS |
Twistlock Defender performs vulnerability scanning and runs as a container. Defender uses cgroups to cap its resource usage at 512 MB of RAM and 900 CPU shares; typical load is ~1-2% CPU and 20-40 MB RAM |
https://docs.twistlock.com/docs/latest/technology_overviews/defender_architecture.html |
||||||
SA - 4: Acquisition Process |
||||||||||||
Documentation |
Twistlock Customer Documentation |
SA-4(1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
SA-4(1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
Access to Twistlock documentation requires authentication with the customer’s Twistlock License Access Token. Every page within the Twistlock Console has a "?" icon in the top right corner. This opens a new browser tab, authenticates to the documentation site and renders the documentation pertaining to the current Twistlock Console screen. |
||||||||
Documentation |
Twistlock Reference Architecture Guide |
SA-4(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS & SA-4(9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE |
SA-4(2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS & SA-4(9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE |
Twistlock Reference Architecture Guide is available upon request. |
||||||||
Authentication |
x.509 Smartcard authentication |
Manage > Authentication > System Certificates > Advanced Features > Console Authentication |
/api/v1/settings/trusted-certificates |
Advanced certificate configuration = show Field #2 Console Authentication = certificate(s) of smartcard issuing CAs |
SA-4(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
SA-4(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
PIV and CAC smartcard authentication is supported |
https://docs.twistlock.com/docs/latest/api/api_reference.html#settings_trusted_certificates_post |
||||
SA - 10: Developer Configuration Management |
||||||||||||
Release |
SHA-256 hash of Twistlock release tar file |
SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION |
SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION |
The Twistlock release site publishes the SHA-256 digest for every release. Compare it against the digest of the downloaded release tar before installing to validate the archive's integrity. |
https://docs.twistlock.com/docs/latest/download/releases.html |
|||||||
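The integrity check above, as an added Python example (not code from this page or from Prisma Cloud/Twistlock): it streams the downloaded tar through SHA-256 and compares the result with the digest copied from the release site. It accepts either a bare hex digest or a `sha256sum`-style line (`<hex>  <filename>`); that the published value is a 64-character hex string is an assumption, and the file hashed in the demo is a constructed stand-in, not a real release archive.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads so a large release tar never sits in memory


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published_hash(text):
    """Normalize a digest pasted from the release page.
    Accepts a bare hex digest or a 'sha256sum' line ('<hex>  <filename>').
    Raises ValueError for anything that is not a 64-char hex string, so a
    truncated copy/paste fails loudly instead of silently never matching."""
    fields = text.strip().split()
    token = fields[0] if fields else ""
    if len(token) != 64 or any(c not in "0123456789abcdefABCDEF" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return token.lower()


def verify_release(path, published):
    """True only when the file's digest equals the published digest.
    compare_digest is used out of habit: it keeps the comparison constant-time
    even though a local file check is not an attacker-timed operation."""
    expected = parse_published_hash(published)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo file standing in for twistlock_<version>.tar.gz.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar.gz") as tmp:
        tmp.write(b"not a real release archive\n")
    good = sha256_of_file(tmp.name)
    print("matches published digest:", verify_release(tmp.name, good))
    print("detects a tampered archive:", verify_release(tmp.name, "00" * 32))
    os.unlink(tmp.name)
```

Run `verify_release("/path/to/twistlock.tar.gz", "<digest from the release page>")` on the host that will unpack the archive, and treat a `False` as a stop: re-download over TLS from the release site rather than proceeding.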
SC - 2: Application Partitioning |
||||||||||||
Collections |
Assigned Collections |
Manage > Collections |
/api/v1/collections |
Multi-valued rule |
Defender Manager, Auditor, DevOps User, Access User and CI User roles can be assigned a collection, so that the UI and API render only data matching the configured collection filter. Can also be applied to groups. |
https://docs.twistlock.com/docs/latest/configure/collections.html |
||||||
Access Control |
User Roles |
Manage > Authentication > Users |
/api/v1/users |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
All Twistlock users are assigned a role |
https://docs.twistlock.com/docs/latest/access_control/user_roles.html |
||||||
Access Control |
Assign Roles |
Manage > Authentication > Groups |
/api/v1/groups |
Administrator | Operator | Defender Manager | Auditor | Dev Ops User | Access User | CI User |
Twistlock role mapping for Active Directory, OpenLDAP and SAML based groups can be applied |
https://docs.twistlock.com/docs/latest/access_control/assign_roles.html |
||||||
SI - 2: Flaw Remediation |
||||||||||||
Intelligence Stream |
Enable automatic Twistlock Intelligence Stream Updates |
Manage > System > Intelligence > Enable online updates of Intelligence Stream |
/api/v1/settings/intelligence |
On | Off |
SI-2(2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS |
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources |
SI-2(2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS |
Twistlock Intelligence Stream provides software publishers' vulnerability status and remediation version. |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
|||
Custom Feeds |
CVE Allow List |
Manage > System > Custom Feeds > CVE Allow List |
/api/v1/feeds/custom/cve-allow-list |
SI-2(3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
System-wide ability to assign a time to remediate a vulnerability |
https://docs.twistlock.com/docs/latest/configure/custom_feeds.html#cve-allow-list |
||||||
Vulnerabilities |
Image Policy CVE Exception |
Defend > Vulnerabilities > Images : Policy > Advanced Settings |
/api/v1/policies/vulnerability/images |
SI-2(3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
Ability to assign a time to remediate a vulnerability to an individual or group of images. |
https://docs.twistlock.com/docs/latest/vulnerability_management/vuln_management_rules.html |
||||||
SI - 3: Malicious Code Protection |
DE.CM-4: Malicious code is detected |
|||||||||||
Custom Feeds |
Malware |
Manage > System > Custom Feeds > Malware |
/api/v1/feeds/custom/malware |
Process / filename name | MD5 Hash |
SI-3(1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT |
SI-3(1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT |
List of known-bad process or file names and MD5 hashes. Supplements the malware signatures in the Twistlock Intelligence Stream with your own indicators; matches are raised by runtime defense on the hosts and containers where they are seen |
https://docs.twistlock.com/docs/latest/configure/custom_feeds.html |
||||
Intelligence Stream |
Enable automatic Twistlock Intelligence Stream Updates |
Manage > System > Intelligence > Enable online updates of Intelligence Stream |
/api/v1/settings/intelligence |
On | Off |
SI-3(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES |
SI-3(2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES |
Twistlock Intelligence Stream includes signatures of known malware (e.g. crypto-miners). Malware data is sourced from commercial providers, Twistlock Labs, and open source lists. |
https://docs.twistlock.com/docs/latest/tools/update_intel_stream_offline.html |
||||
SI - 5: Security Alerts, Advisories and Directives |
||||||||||||
Alerts |
Alert Providers |
Manage > System > Alerts |
/api/v1/settings/alerts |
Alert Providers: email, Jira, Slack, Google Cloud Security Command Center, GCP Pub/Sub, PagerDuty, Webhook, AWS Security Hub, IBM Security Advisor |
SI-5(1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES |
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES |
Twistlock can route alerts by alert type to the alert method configured for the owner of that audit type |
https://docs.twistlock.com/docs/latest/configure/alerts_email_jira_slack.html |