Prisma Installation and Custom Compliance Scanning Execution
Prisma consists of two components: a console and a defender. A defender will need to be deployed to the Mission Partner's environment. This document contains the information needed to install Prisma and run a scan in the Mission Partner's environment. For detailed information regarding Prisma implementation and its architecture, see the Prisma Cloud Compute getting-started guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/getting_started.html .
Please note that the primary operation of Prisma for the DISA DevSecOps team is through the Linux command line; examples are provided in that form.
Prisma Cloud ships with a command-line configuration and control tool called "twistcli". This tool is very helpful in configuring the application for use.
Detailed information can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli.html .
1.1 Prisma Cloud Twistcli Installation
To install the Prisma Cloud Twistcli utility, follow these steps:
- Download and install the twistcli utility from the System Downloads in Prisma Cloud. See example below:
- Test connectivity by running a scan:
twistcli images scan <REPO URL>/<IMAGE>:<TAG> --details --address https://<Prisma Cloud IP>
2. Deploy a Prisma Scanner
It may be necessary to install Prisma on its own cloud instance; if using AWS, this can be done on an Amazon Machine Image (AMI).
3. Execute a Prisma Custom Compliance Scan
Before a scan can commence, an appropriate "Containers and Images - Compliance Rule Bundle" must be created via the Prisma Cloud GUI.
- First, go to Defend > Compliance > Containers and Images tab > Deployed/CI and click on the "+ Add Rule" button.
- Second, in the new pop-up window, enter the following information. This will need to be done for both the Deployed and CI tabs.
- Rule Name - this is the displayed name for the entered ruleset. It typically follows this template: <TECHNOLOGY> <VERSION> STIG Bundle.
- Under Scope > Images - enter the technology name surrounded by "*". This allows Prisma to tag the custom compliance checks to the proper technologies.
- Under Compliance Actions - Filter the custom compliance checks by technology name and set the "Action" field to "Alert".
- Under Terminal Output - change from "Summary" to "Detailed".
- Under Reported Results - change from "Failed Checks Only" to "Passed and Failed Checks".
- Once complete, click the "Save" button. The STIG Bundle should now be listed under the "Compliance Rules" section. Be sure to do this for both Deployed and CI sections.
With the rulesets loaded and a STIG Bundle created, executing a compliance scan can be done through the console as well as via a command line prompt.
To use the twistcli scan, the image to be scanned must reside on the system where twistcli runs; otherwise, retrieve it first with a docker pull.
twistcli images scan [OPTIONS] [IMAGE]
More information can be found here: twistcli scan images
Scans can also be run from the console: once the rulesets are loaded, open the Compliance monitoring view and click Scan.
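The command-line path above (pull the image, scan it with twistcli against the console, read the report) wrapped as a script, as an added example that is not Palo Alto's or the DISA team's code. It assumes the console address and credentials are supplied through the environment variables PRISMA_CONSOLE, PRISMA_USER and PRISMA_PASSWORD, and that the --output-file report has a top-level "results" list whose entries carry a "compliances" list with "severity" and "title" fields; the embedded sample report is constructed to that assumed shape, so check it against a real report before relying on the field names.

```python
import json
import os
import shutil
import subprocess
from collections import Counter

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample in the assumed twistcli --output-file layout (not a real scan).
SAMPLE_REPORT = {
    "results": [{
        "name": "registry.example/app:1.0",
        "compliances": [
            {"id": 9001, "severity": "high", "title": "STIG: root login permitted"},
            {"id": 9002, "severity": "medium", "title": "STIG: world-writable file"},
            {"id": 9003, "severity": "high", "title": "STIG: audit rules missing"},
        ],
    }]
}

def build_scan_cmd(image, address, user, report_path):
    """Assemble the twistcli invocation with the options used in this guide."""
    return ["twistcli", "images", "scan", image,
            "--address", address,           # https://<Prisma Cloud IP>
            "--user", user,                 # password is appended at run time
            "--details",                    # per-check output, like "Detailed" terminal output
            "--output-file", report_path]   # machine-readable copy of the results

def summarize_compliance(report):
    """Count reported compliance findings by severity across all scanned images."""
    counts = Counter()
    for result in report.get("results", []):
        for check in result.get("compliances", []):
            counts[check.get("severity", "unknown").lower()] += 1
    return dict(counts)

def exceeds_threshold(summary, threshold):
    """True if any finding is at or above the given severity (pipeline gate)."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(summary.get(sev, 0) > 0 for sev in SEVERITY_ORDER[floor:])

def scan_image(image, report_path="scan.json"):
    """docker pull (twistcli needs the image locally), scan, return the summary."""
    if shutil.which("twistcli") is None:
        raise RuntimeError("twistcli not on PATH; install it from System Downloads")
    cmd = build_scan_cmd(image, os.environ["PRISMA_CONSOLE"], os.environ["PRISMA_USER"], report_path)
    subprocess.run(["docker", "pull", image], check=True)
    subprocess.run(cmd + ["--password", os.environ["PRISMA_PASSWORD"]], check=True)
    with open(report_path) as fh:
        return summarize_compliance(json.load(fh))
```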