Please visit the new sample code repository: https://github.com/PaloAltoNetworks/prisma-cloud-compute-sample-code
All existing content will remain in this repository as-is. Please use the new repository going forward.
Sample code for Prisma Cloud Compute (formerly Twistlock)
Home Page: https://www.paloaltonetworks.com/prisma/cloud
License: MIT License
Investigate using logging:
https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsLog
Provide some sample code that a customer can add to the pipeline to compare the deployed Jenkins plugin version to the deployed Console version. This could also be built into the plugin as I know twistcli has a --version flag.
Splunk App to include alerts from all console and console list
https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/setuppage
Currently, the user must manually edit config.json to add credentials and the Console URL. Create a setup page so the user is able to configure it in the Splunk web UI upon app installation.
Installed Twistlock on Rancher and used the suggested port (8083) in the documentation provided, but it did not work. Used port 8081 to hit the admin portal and it came up.
I saw this article about the Twistlock defender console being available as a helm chart, and I was interested in trying it out; I figure I could run the twistlock console on kubernetes via PKS (pivotal container service) and use it to run blobstore scans against PAS (pivotal application service).
However, it seems the chart is put within this general-purpose repo and has to be installed from source rather than from a dedicated charts index, which is a bit disappointing. Having to manually download this repo and navigate to the chart doesn't operationalize very well in comparison to other helm deployments. To be honest I haven't tried using the chart yet. Considering that it's placed here, it makes me wonder if it's a usable/supported deployment model for a Twistlock console. Don't mean to come off as ungrateful or entitled, though I do hope you can see where I'm coming from.
Thoughts/advice?
Thanks for your time!
Data can be ingested today with syslog.
Bamboo plugin vs twistcli?
https://github.com/twistlock/sample-code/tree/master/CI/Bamboo
twistlock.conf contents are properly updated --
[default]
[pcc]
console_addr = https://twistlock-ctools.ews.int:8083
username = ewssvcsplunk
Screenshot of the setup page is also attached. But the integration fails due to this error:
10-27-2021 13:20:00.000 -0500 INFO ExecProcessor - setting reschedule_ms=300000, for command=/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py
10-27-2021 13:20:00.208 -0500 INFO ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Prisma Cloud Compute poll_incidents script started.
10-27-2021 13:20:00.388 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Failed getting configuration from Splunk: ResourceNotFound('https://127.0.0.1:8089/servicesNS/nobody/twistlock/configs/conf-twistlock/None')
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Traceback (most recent call last):
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 229, in
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" main()
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 194, in main
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" configs = generate_configs(session_key)
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/utils/splunk.py", line 59, in generate_configs
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" stanza = get_config_stanza(credential["realm"], session_key)
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/utils/splunk.py", line 43, in get_config_stanza
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" "console_addr": conf_values["console_addr"],
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" UnboundLocalError: local variable 'conf_values' referenced before assignment
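The traceback above ends in a request for .../conf-twistlock/None: the realm passed to the stanza lookup was None, the resulting ResourceNotFound was logged, and execution continued until conf_values was read while still unassigned. The following is an added example, not the app's own utils/splunk.py, of a lookup that fails with an actionable message at the first step instead. The Splunk REST call is abstracted as a fetch_conf callable and the conf data is a constructed dictionary mirroring the twistlock.conf quoted above; both are assumptions so that the example runs offline.

```python
"""Defensive twistlock.conf stanza lookup for the Splunk poller.

Added example, not the sample app's code. The Splunk REST call is abstracted as
a fetch_conf(stanza) callable (assumption) so the lookup logic runs offline.
"""


class ConfigError(Exception):
    """Raised with an actionable message instead of letting a later
    UnboundLocalError surface after a failed stanza lookup."""


def get_config_stanza(realm, fetch_conf):
    """Return the Console settings for the stanza named by a credential's realm.

    realm      -- realm stored with the password entry, e.g. "pcc"; the traceback
                  above shows it arriving as None (.../conf-twistlock/None)
    fetch_conf -- callable(stanza_name) -> dict of key/values, raising when the
                  stanza does not exist (stands in for the Splunk SDK call)
    """
    # A realm of None (or "None" once it has been formatted into a URL) can never match a stanza.
    if realm is None or str(realm) in ("", "None"):
        raise ConfigError(
            "credential has no realm; it must name a twistlock.conf stanza such as [pcc]"
        )
    try:
        conf_values = fetch_conf(realm)
    except Exception as exc:
        # Fail here with context rather than logging and continuing, which is what
        # leaves conf_values unassigned in the traceback above.
        raise ConfigError(f"twistlock.conf has no [{realm}] stanza: {exc}") from exc
    missing = [key for key in ("console_addr", "username") if not conf_values.get(key)]
    if missing:
        raise ConfigError(f"[{realm}] is missing required keys: {', '.join(missing)}")
    return {
        "console_addr": conf_values["console_addr"].rstrip("/"),
        "username": conf_values["username"],
    }


# Constructed sample of a parsed twistlock.conf, mirroring the one quoted above.
SAMPLE_CONF = {
    "default": {},
    "pcc": {
        "console_addr": "https://twistlock-ctools.ews.int:8083",
        "username": "ewssvcsplunk",
    },
}


def sample_fetch(stanza):
    """Stand-in for the REST lookup: KeyError plays the role of ResourceNotFound."""
    return SAMPLE_CONF[stanza]


def describe_lookup(realm):
    """Run get_config_stanza and report either the settings or the error message."""
    try:
        return ("ok", get_config_stanza(realm, sample_fetch))
    except ConfigError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for realm in ("pcc", None, "default", "missing"):
        print(realm, describe_lookup(realm))
```

The point is the ordering: validate the realm before building a URL from it, and let a missing stanza abort the run with the stanza name in the message, so the operator sees "no [pcc] stanza" rather than a Python NameError three frames later.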
Prisma Compute Cortex XSOAR Playbooks
In the code, when the incident has been archived or can't be found, the app errors out and makes the Splunk log roll.
Possible courses of action:
This error presents primarily in environments with re-building infrastructure.
I tried to just create a role that had the permissions to manage SCCs, but that doesn't seem to provide the needed roles, so I ended up giving the operator the cluster-admin role. It'd be great if the permissions needed were more clearly defined and in the CSV so I didn't need to add to them at all between Subscription and creating the TwistlockConsole resource.
oc create clusterrole twistlock-scc-admin \
--verb=* \
--resource=securitycontextconstraints.security.openshift.io
oc adm policy add-cluster-role-to-user \
twistlock-scc-admin system:serviceaccount:operators:twistlock-console-helm-operator
Kubernetes has been deprecating APIs which are removed and no longer available in 1.22. Operator projects using these API versions will not work on Kubernetes 1.22 or on any cluster vendor using this Kubernetes version (1.22), such as OpenShift 4.9+. The following are the APIs most likely to affect your project:
Therefore, it looks like this project distributes solutions via Red Hat Connect with the package name prisma-cloud-compute-console-operator.v2.0.1 and does not contain any version compatible with k8s 1.22/OCP 4.9. Here are some findings from checking the published distributions:
NOTE: The above findings are only about the manifests shipped inside of the distribution. It is not checking the codebase.
It would be very nice to see new distributions of this project that are no longer using these APIs and so they can work on Kubernetes 1.22 and newer and published in the Red Hat Connect collection. OpenShift 4.9, for example, will not ship operators anymore that do still use v1beta1 extension APIs.
Due to the number of options available to build Operators, it is hard to provide direct guidance on updating your operator to support Kubernetes 1.22. Recent versions of the OperatorSDK greater than 1.0.0 and Kubebuilder greater than 3.0.0 scaffold your project with the latest versions of these APIs (all that is generated by tools only). See the guides to upgrade your projects with OperatorSDK Golang, Ansible, Helm or the Kubebuilder one. For APIs other than the ones mentioned above, you will have to check your code for usage of removed API versions and upgrade to newer APIs. The details of this depend on your codebase.
If this project only needs to migrate the API for CRDs and it was built with OperatorSDK versions lower than 1.0.0, then you may be able to solve it with an OperatorSDK version >= v0.18.x < 1.0.0:
$ operator-sdk generate crds --crd-version=v1
INFO[0000] Running CRD generator.
INFO[0000] CRD generation complete.
Alternatively, you can try to upgrade your manifests with controller-gen (version >= v0.4.1) :
$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role paths="./..."
Add the markers sideEffects and admissionReviewVersions to your webhook (Example with sideEffects=None and admissionReviewVersions={v1,v1beta1}: memcached-operator/api/v1alpha1/memcached_webhook.go):
Run the command:
$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role webhook paths="./..."
For further info and tips see the blog.
Thank you for your attention.
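The comment above checks only the manifests shipped inside the distribution. The following is an added example, not part of the operator or of the Red Hat tooling mentioned, that does the same check locally before publishing a bundle: it walks a multi-document YAML string and flags every document whose apiVersion was removed in Kubernetes 1.22, naming the GA group/version to migrate to. It uses a minimal line scanner for the top-level apiVersion, kind and metadata.name so no YAML library is needed; oddly laid-out manifests should be re-checked with a real parser. The sample bundle and the resource names in it are constructed.

```python
"""Scan Kubernetes/OpenShift manifests for API versions removed in Kubernetes 1.22.

Added example, not part of the operator or of the Red Hat tooling. The sample
bundle below is constructed.
"""
import re

# Removed apiVersion -> the GA group/version that replaces it (Kubernetes 1.22).
REMOVED_IN_1_22 = {
    "admissionregistration.k8s.io/v1beta1": "admissionregistration.k8s.io/v1",
    "apiextensions.k8s.io/v1beta1": "apiextensions.k8s.io/v1",
    "apiregistration.k8s.io/v1beta1": "apiregistration.k8s.io/v1",
    "authentication.k8s.io/v1beta1": "authentication.k8s.io/v1",
    "authorization.k8s.io/v1beta1": "authorization.k8s.io/v1",
    "certificates.k8s.io/v1beta1": "certificates.k8s.io/v1",
    "coordination.k8s.io/v1beta1": "coordination.k8s.io/v1",
    "extensions/v1beta1": "networking.k8s.io/v1",
    "networking.k8s.io/v1beta1": "networking.k8s.io/v1",
    "rbac.authorization.k8s.io/v1beta1": "rbac.authorization.k8s.io/v1",
    "scheduling.k8s.io/v1beta1": "scheduling.k8s.io/v1",
    "storage.k8s.io/v1beta1": "storage.k8s.io/v1",
}

_DOC_SEPARATOR = re.compile(r"^---[ \t]*$", re.MULTILINE)
_TOP_LEVEL = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^'\"\s#]+)")
_NESTED_NAME = re.compile(r"^[ \t]+name:[ \t]*['\"]?([^'\"\s#]+)")


def iter_documents(text):
    """Yield {'apiVersion', 'kind', 'name'} for each document in a multi-doc YAML string."""
    for raw in _DOC_SEPARATOR.split(text):
        doc = {}
        lines = raw.splitlines()
        for idx, line in enumerate(lines):
            match = _TOP_LEVEL.match(line)
            if match:
                doc[match.group(1)] = match.group(2)
            elif line.startswith("metadata:"):
                # Take name: at the first indentation level under metadata, so a
                # deeper labels.name does not win; stop at the next top-level key.
                indent = None
                for sub in lines[idx + 1:]:
                    if sub and not sub[0].isspace():
                        break
                    if not sub.strip():
                        continue
                    if indent is None:
                        indent = len(sub) - len(sub.lstrip())
                    if len(sub) - len(sub.lstrip()) != indent:
                        continue
                    name = _NESTED_NAME.match(sub)
                    if name:
                        doc["name"] = name.group(1)
                        break
        if "apiVersion" in doc and "kind" in doc:
            yield doc


def find_removed_apis(text):
    """Return one finding per document whose apiVersion is gone in 1.22."""
    findings = []
    for doc in iter_documents(text):
        replacement = REMOVED_IN_1_22.get(doc["apiVersion"])
        if replacement:
            findings.append({
                "name": doc.get("name", "<unnamed>"),
                "kind": doc["kind"],
                "apiVersion": doc["apiVersion"],
                "migrate_to": replacement,
            })
    return findings


# Constructed bundle: a v1beta1 CRD (flagged), an apps/v1 Deployment (fine), a v1beta1 Ingress (flagged).
SAMPLE_BUNDLE = """\
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    name: ignored-label
  name: consoles.example.invalid
spec:
  group: example.invalid
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: console
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: console
"""

if __name__ == "__main__":
    for finding in find_removed_apis(SAMPLE_BUNDLE):
        print(f"{finding['kind']}/{finding['name']}: {finding['apiVersion']} -> {finding['migrate_to']}")
```

Run it over the unpacked bundle's manifests directory (concatenate the files, or call find_removed_apis per file) as a gate in the release pipeline; a non-empty result means the bundle will not install on OpenShift 4.9+. The scanner only looks at apiVersion, so a CRD that is already apiextensions.k8s.io/v1 but still lacks a structural schema will pass here and must be caught by the controller-gen step in the comment above.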
Relevant API endpoint: https://dev.splunk.com/enterprise/docs/reference/sbreleaseapiref/#appAPPIDnew_release
Would love to use the helm chart but want to make sure I don't get in trouble for doing so. Could a license be added to the repo?
FISERV is asking for this.
Comments from their mail:
The current Prisma documentation suggests that if the container is not running with root privs, then the secrets in the filesystem must we ‘world readable’ which seems less than idea. I was wondering why the secret file could not be configured to be readable only by the userid the container is running under.
From: https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/secrets/inject_secrets.html
For secrets injected as files: they can be found in
/run/secrets/<SECRET_NAME>
, where the contents of the file contain the secret’s value. By default, secrets can only be read by root users in the container space. If you run your containers as non-root users, configure the injection rule to make the secrets readable by all users. Prisma Cloud can set the access permissions of the injected secrets file to read-only for the 'others' class of users. For more information about access permissions and 'others', see the chmod man page.
The Azure DevOps plugin requires that the vulnerability and compliance thresholds be set to "low," "medium," "high," or "critical." This prevents the plugin from running in a fully non-blocking mode, which is a legitimate invocation of twistcli. The thresholds should offer a "none" option that, if selected, causes the --vulnerability-threshold and --compliance-threshold flags to be omitted from the argument list to twistcli.
Currently a race condition can occur if poll_incidents.py is run twice and appends to forensics_file.txt.
It will result in the JSONDecodeError stated above.
This can be resolved by testing to see if the file exists.
If it doesn't just write the file don't append to it.
The following code should resolve this issue.
Include additional use cases for OPA
https://github.com/twistlock/sample-code/tree/master/opa-rego-policies
@gunjan5 Hi! I'm a former Twistlock/PANW person who wrote a CircleCI orb (it seems 😆) in the past, and a user has contributed a PR that I can't merge. Not sure if you can help. Cheers!
https://github.com/add-twistlock/twistcli-scan-image-orb/pull/5
consoleImageName: registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_163
but I changed the values in the CR that should have been replaced.
88s Warning OverrideValuesInUse twistlockconsole/twistlockconsole Chart value "consoleImageName" overridden to "registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_169" by operator's watches.yaml
68s Warning OverrideValuesInUse twistlockconsole/twistlockconsole Chart value "consoleImageName" overridden to "registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_169" by operator's watches.yaml
To extend the current Terraform provider to include Compute capabilities: https://registry.terraform.io/providers/PaloAltoNetworks/prismacloud/latest/docs
/api/v1/current/projects would allow for non-admin users to use project auto-discovery.
Today this breaks down if the specified users don't have access to Central Console.
Visual studio code plugin, that on the save of a Dockerfile the plugin would build the image, communicate with the Console and return results of vulnerabilities and compliance scan.
Similar to how IaC and checkov work today.
The app is 'fragile' while processing the elements of the forensic_events.txt file. The file is loaded into a variable which is iterated through to pull forensic data. This is fine unless the script is stopped unexpectedly.
The plan is to keep the forensic_events.txt file open to keep the list of unprocessed elements up-to-date. In the event of an unexpected exit, the script can pick up where it left off.
So I am told from the vendor meetings I have with Palo Alto that "A new Splunk integration is 'Coming Soon'"
Is it updates to this code base?
Add vulnerability and compliance data inputs
Looking for example twistcli code with https://buildkite.com/
https://github.com/twistlock/sample-code/blob/master/openshift/twistlock_openshift_deploy.sh#L74-L92
This should use ImageStream pass-thru instead:
oc create secret docker-registry twistlock-registry --docker-server=registry.twistlock.com --docker-user=twistlock --docker-password=${ACCESS_TOKEN} --docker-email=${CUSTOMER_EMAIL}
oc import-image twistlock/defender:defender_${TWISTLOCK_VERSION} --from=registry.twistlock.com/twistlock/defender:defender_${TWISTLOCK_VERSION} --confirm
oc import-image twistlock/console:console_${TWISTLOCK_VERSION} --from=registry.twistlock.com/twistlock/console:console_${TWISTLOCK_VERSION} --confirm
Currently the Splunk config is set up in cron job style.
This is somewhat Rube Goldberg-ian and is ripe for simplification.
However, for lack of a better solution, I would submit this as a plausible path forward.
By employing the webhook from Twistlock, it will send a POST request to an endpoint.
In testing I have set up a Flask (Python) web server that, upon receiving a POST request (in this case from the webhook), fires off poll_incidents and poll_forensics and follows the rest of the configuration flow.
It could be deployed as a container alongside the current Twistlock containers.
Moreover, it could then have environment variables assigned, for example index, that could generate the files that come along with the app.
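An endpoint that starts the pollers on any POST is also an endpoint anyone who can reach it can use to make the app hammer the Console, so the receiver needs to authenticate the webhook and serialise runs. The following is an added example, not the sample app's code and not the Flask server described above; it uses the standard library's http.server instead. Assumptions: the Console alert profile's webhook is configured to add an Authorization: Bearer <token> header, the trigger callable runs the existing poll scripts, the path /prisma/webhook is arbitrary, and the request body is used only as a trigger and is never passed to the pollers.

```python
"""Authenticated webhook receiver that triggers the Splunk pollers.

Added example, not the sample app's code. Assumes the Console's webhook adds an
'Authorization: Bearer <token>' header (configured on the alert profile).
"""
import hmac
import http.server
import threading
import urllib.error
import urllib.request

WEBHOOK_PATH = "/prisma/webhook"   # assumed path for the alert profile's webhook URL


def make_handler(expected_token, on_trigger):
    running = threading.Lock()      # one poll at a time: a burst of alerts must not start parallel runs
    expected = expected_token.encode()

    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the demo quiet; log for real in production
            pass

        def do_POST(self):
            length = int(self.headers.get("Content-Length") or 0)
            self.rfile.read(min(length, 1 << 16))   # drain, but never interpret, the body
            auth = self.headers.get("Authorization", "")
            presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            # Constant-time comparison so the token cannot be recovered byte by byte.
            if not hmac.compare_digest(presented.encode(), expected):
                return self._reply(401)
            if self.path != WEBHOOK_PATH:
                return self._reply(404)
            if running.acquire(blocking=False):
                try:
                    on_trigger()
                finally:
                    running.release()
            return self._reply(202)   # an in-flight run already covers this alert

        def _reply(self, status):
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()

    return Handler


def serve(expected_token, on_trigger, host="127.0.0.1", port=0):
    """Start the receiver in a background thread; port=0 picks a free port."""
    server = http.server.ThreadingHTTPServer((host, port), make_handler(expected_token, on_trigger))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(url, token=None):
    """Client side of the exchange: what the Console's webhook delivery looks like."""
    req = urllib.request.Request(url, data=b'{"type":"incident"}', method="POST",
                                 headers={"Content-Type": "application/json"})
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Constructed exchange: missing, wrong and correct tokens, then a wrong path."""
    triggered = []
    token = "constructed-demo-token"
    server = serve(token, lambda: triggered.append(1))
    base = f"http://127.0.0.1:{server.server_address[1]}"
    statuses = [post(base + WEBHOOK_PATH), post(base + WEBHOOK_PATH, "wrong"),
                post(base + WEBHOOK_PATH, token), post(base + "/other", token)]
    server.shutdown()
    server.server_close()
    return statuses, len(triggered)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the trigger should hand the work to a background worker rather than run the pollers inside the request (the Console's webhook delivery will otherwise time out), the listener belongs behind TLS, and the token should come from the same secret store as the Console credentials.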
Improvements to the GitHub actions we support today and how we can publish things on the GitHub Actions marketplace.
sample-code/siem/splunk/twistlock/bin/poll_forensics.py, lines 53 to 55 in 639d813: this continues, which leads to another pop(0), erasing the incident with the error.
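Three of the reports above concern the same pending-incident file: two concurrent runs appending to it and producing a JSONDecodeError, an unexpected exit losing the in-memory list, and an error on one element causing a pop(0) that erases the incident carrying the error. The following is an added example, not poll_forensics.py or poll_incidents.py from the app, of a queue file that handles all three: an exclusive advisory lock makes a second run fail fast instead of racing, every write goes to a temp file and is renamed into place so a crash never leaves a half-written file, and an entry is removed only after its forensics were fetched successfully, with "incident not found" treated as permanent and everything else as a transient error that stops the run for the next schedule to resume. The file name, the record layout and the IncidentNotFound distinction are assumptions; the scenario in demo() is constructed. fcntl.flock makes this POSIX-only.

```python
"""Crash-safe, single-runner queue for the forensics poller's pending-incident file.

Added example, not the sample app's code. Record layout and file name are assumptions.
"""
import fcntl
import json
import os
import tempfile
from contextlib import contextmanager


class QueueBusy(Exception):
    """Another poller run already holds the queue lock."""


class IncidentNotFound(Exception):
    """The Console no longer has this incident (archived/deleted): a permanent failure."""


@contextmanager
def exclusive_lock(path):
    """Advisory lock beside the queue file; a second run fails fast instead of racing."""
    lock = open(path + ".lock", "w")
    try:
        fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        lock.close()
        raise QueueBusy(f"{path} is being processed by another run")
    try:
        yield
    finally:
        fcntl.flock(lock, fcntl.LOCK_UN)
        lock.close()


def load_queue(path):
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        text = fh.read()
    return json.loads(text) if text.strip() else []


def save_queue(path, items):
    """Write to a temp file and rename so a crash never leaves a half-written JSON."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".queue-")
    with os.fdopen(fd, "w") as fh:
        json.dump(items, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def enqueue(path, incident_ids):
    """Merge new IDs instead of appending raw JSON: no duplicates, always one JSON array."""
    with exclusive_lock(path):
        items = load_queue(path)
        seen = {item["id"] for item in items}
        for incident_id in incident_ids:
            if incident_id not in seen:
                items.append({"id": incident_id, "attempts": 0})
                seen.add(incident_id)
        save_queue(path, items)
        return len(items)


def drain(path, fetch_forensics, max_attempts=3):
    """Process the head of the queue, checkpointing after every element.
    Returns (fetched results, entries given up on)."""
    with exclusive_lock(path):
        items = load_queue(path)
        done, dropped = [], []
        while items:
            head = items[0]
            try:
                done.append(fetch_forensics(head["id"]))
            except IncidentNotFound:
                dropped.append(items.pop(0))        # permanent: record it and move on
                save_queue(path, items)
                continue
            except Exception:
                head["attempts"] += 1               # transient: keep the entry
                if head["attempts"] >= max_attempts:
                    dropped.append(items.pop(0))
                save_queue(path, items)
                break                               # stop here; the next run resumes
            items.pop(0)                            # remove only after success
            save_queue(path, items)
        return done, dropped


def demo():
    """Constructed scenario: four incidents; one is archived, one fails once, then a second run."""
    path = os.path.join(tempfile.mkdtemp(), "forensic_events.json")
    calls = {"inc-3": 0}

    def fetch(incident_id):
        if incident_id == "inc-2":
            raise IncidentNotFound(incident_id)
        if incident_id == "inc-3":
            calls["inc-3"] += 1
            if calls["inc-3"] == 1:
                raise ConnectionError("console unreachable")
        return {"incident": incident_id, "events": 1}

    enqueue(path, ["inc-1", "inc-2", "inc-3", "inc-4"])
    enqueue(path, ["inc-4"])                        # duplicate merge is a no-op
    with exclusive_lock(path):                      # a concurrent run is refused, not raced
        try:
            enqueue(path, ["inc-9"])
            refused = False
        except QueueBusy:
            refused = True
    first = drain(path, fetch)                      # stops at inc-3's transient error
    second = drain(path, fetch)                     # resumes from inc-3
    return first, second, load_queue(path), refused


if __name__ == "__main__":
    print(demo())
```

The transient-versus-permanent split is what keeps a rebuilding environment from wedging the poller: an incident the Console has archived is logged and dropped on the spot, while a Console that is briefly unreachable leaves the queue exactly as it was for the next scheduled run.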
Hey,
For marketplace the information would need to be updated. The link to source is not working. Also it would be great to link to license from marketplace right hand menu under resources, such as in Replace Tokens
GITOps Terraform support for Prisma Cloud Compute Policies