Merge remote-tracking branch 'docs/master'

Author: ian

README.md

@@ -78,10 +78,11 @@ endif::prisma_cloud[]
 
 # Building the site locally
 
-The site uses a [RedHat fork of Asciidoctor](https://github.com/redhataccess/ascii_binder) in conjunction with our own package `ascii_binder_pan-0.0.00.1.gem`, located at the root of this repo.
+The site uses a Red Hat project called [AsciiBinder](https://github.com/redhataccess/ascii_binder) in conjunction with our own package `ascii_binder_pan-0.0.00.1.gem`, located at the root of this repo.
 
 As you create and edit content, we recommend making a local build to check the rendering.
 To do so, complete the following steps.
+Instructions are geared for macOS.
 
 1. Ensure that Ruby is installed.
 
@@ -124,6 +125,7 @@ To do so, complete the following steps.
 1. Navigate into the `_build` directory and use the following command to install our custom `ascii_binder` package. 
 
     ```bash
+    cd _build/
     sudo gem install -V ./ascii_binder_pan-0.0.00.1.gem
     ```
 

admin_guide/_topic_map_compute_edition.yml

@@ -106,7 +106,7 @@ Topics:
   - Name: Upgrade
     File: upgrade
   - Name: Upgrade process
-    File: upgrade_process
+    File: upgrade_process_self_hosted
   - Name: Onebox
     File: upgrade_onebox
   - Name: Kubernetes

admin_guide/_topic_map_prisma_cloud.yml

@@ -106,7 +106,7 @@ Topics:
   - Name: Upgrade
     File: upgrade
   - Name: Upgrade process
-    File: upgrade_process
+    File: upgrade_process_saas
   - Name: Kubernetes
     File: upgrade_kubernetes
   - Name: OpenShift

admin_guide/alerts/jira.adoc

@@ -79,6 +79,8 @@ Configure the channel.
 .. Select *Basic authentication*.
 
 .. Enter a username and password.
++
+NOTE: If you are using Jira Cloud, this will be an email address and API token respectively. You can generate your API token https://id.atlassian.com/manage-profile/security/api-tokens[here].
 
 .. Click *Save*.
 

admin_guide/api/automate_defender_install.adoc

@@ -42,13 +42,13 @@ xref:../install/defender_types.adoc[Single Container Defenders] are installed on
 [.procedure]
 . Validate that the node where you will install Defender can reach Console over the network.
 
-  $ curl -k https://<COMPUTE_CONSOLE>:8083/api/v1/_ping
+  $ curl -k https://<COMPUTE_CONSOLE>/api/v1/_ping
 
 . Retrieve an auth token from Console.
 
   $ curl -H "Content-Type: application/json" \
     -d '{"username":"<USERNAME>", "password":"<PASSWORD>"}' \
-    https://<COMPUTE_CONSOLE>:8083/api/v1/authenticate
+    https://<COMPUTE_CONSOLE>/api/v1/authenticate
 +
 Where:
 +
@@ -63,13 +63,14 @@ Use the token you just retrieved to get a list of deployed Defenders.
 
   $ curl \
     -H "authorization: Bearer <TOKEN>" \
-    https://<COMPUTE_CONSOLE>:8083/api/v1/defenders
+    https://<COMPUTE_CONSOLE>/api/v1/defenders
 
 . Download and run the Defender install script.
 
   $ curl \
-    -H "authorization: Bearer <TOKEN> \
-    https://<COMPUTE_CONSOLE>:8083/api/v1/scripts/defender.sh \
+    -H "authorization: Bearer <TOKEN>" \
+    -X POST \
+    https://<COMPUTE_CONSOLE>/api/v1/scripts/defender.sh \
     -o defender.sh && \
     chmod a+x defender.sh && \
     sudo ./defender.sh -c "<CONSOLE>" -d "none"
@@ -103,13 +104,14 @@ By default, it is 8084.
 
   $ curl -H "Content-Type: application/json" \
     -d '{"username":"<USERNAME>", "password":"<PASSWORD>"}' \
-    https://<COMPUTE_CONSOLE>:8083/api/v1/authenticate
+    https://<COMPUTE_CONSOLE>/api/v1/authenticate
 
 . Download and run the Defender install script with the `--install-host` option.
 
   $ curl \
-    -H "authorization: Bearer <TOKEN> \
-    https://<COMPUTE_CONSOLE>:8083/api/v1/scripts/defender.sh \
+    -H "authorization: Bearer <TOKEN>" \
+    -X POST \
+    https://<COMPUTE_CONSOLE>/api/v1/scripts/defender.sh \
     -o defender.sh && \
     chmod a+x defender.sh && \
     sudo ./defender.sh -c "<COMPUTE_CONSOLE>" -d "none" --install-host
@@ -154,14 +156,16 @@ The following call generates the same YAML file as the xref:../install/install_k
 +
   $ curl -k \
     -u <USER> \
-    'https://<COMPUTE_CONSOLE>:8083/api/v1/defenders/daemonset.yaml?consoleaddr=<COMPUTE_CONSOLE>&namespace=twistlock&orchestration=kubernetes&privileged=true' \
+    -X POST \
+    'https://<COMPUTE_CONSOLE>/api/v1/defenders/daemonset.yaml?consoleaddr=<COMPUTE_CONSOLE>&namespace=twistlock&orchestration=kubernetes&privileged=true' \
     > defender.yaml
 +
 The following command generates the same YAML file as the default _twistcli_ invocation for OpenShift:
 +
   $ curl -k \
     -u <USER> \
-    'https://<COMPUTE_CONSOLE>:8083/api/v1/defenders/daemonset.yaml?consoleaddr=<COMPUTE_CONSOLE>&namespace=twistlock&orchestration=openshift' \
+    -X POST \
+    'https://<COMPUTE_CONSOLE>/api/v1/defenders/daemonset.yaml?consoleaddr=<COMPUTE_CONSOLE>&namespace=twistlock&orchestration=openshift' \
     > defender.yaml
 
 . Create the DaemonSet.

admin_guide/compliance/cloud_discovery.adoc

@@ -71,6 +71,7 @@ Then configure Prisma Cloud to protect them with a single click.
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
+                "lambda:GetFunction",
                 "lambda:ListFunctions",
                 "ecr:DescribeRepositories",
                 "eks:DescribeCluster",

admin_guide/install/install_openshift_3_11.adoc

@@ -1,6 +1,5 @@
 == OpenShift
 
-Prisma Cloud supports the Docker version of OpenShift 3.11.
 
 ifdef::compute_edition[]
 Prisma Cloud Console is deployed as a ReplicationController, which ensures it's always running.
@@ -493,7 +492,6 @@ Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag.
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://twistlock-console.apps.ose.example.com \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --helm
 +
 *Outside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.*
@@ -502,7 +500,6 @@ Use the _--image-name_ flag to designate an image from the OpenShift internal re
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://twistlock-console.apps.ose.example.com \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
     --helm
 +
@@ -513,7 +510,6 @@ This flag specifies the endpoint for the Prisma Cloud Compute API and must inclu
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://172.30.41.62:8083 \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --helm
 +
 *Inside the OpenShift cluster + pull the Defender image from the OpenShift internal registry.*
@@ -522,7 +518,6 @@ Use the _--image-name_ flag to designate an image in the OpenShift internal regi
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://172.30.41.62:8083 \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
     --helm
 

admin_guide/install/install_openshift_4.adoc

@@ -1,6 +1,5 @@
 == OpenShift
 
-Prisma Cloud supports OpenShift v3.9 and later.
 
 ifdef::compute_edition[]
 Prisma Cloud Console is deployed as a ReplicationController, which ensures it's always running.
@@ -433,14 +432,16 @@ Example for export of a YAML file:
 
   $ <PLATFORM>/twistcli defender export openshift \
     --address <ADDRESS> \
-    --cluster-address <CLUSTER-ADDRESS>
+    --cluster-address <CLUSTER-ADDRESS> \
+    --cri
 
 Example for export of a Helm chart:
 
   $ <PLATFORM>/twistcli defender export openshift \
     --address <ADDRESS> \
     --cluster-address <CLUSTER-ADDRESS> \
-    --helm
+    --helm \
+    --cri
 
 The command connects to Console’s API, specified in _--address_, to generate the Defender DaemonSet YAML config file or helm chart.
 The location where you run twistcli (inside or outside the cluster) dictates which Console address should be supplied.
@@ -537,7 +538,6 @@ Designate Prisma Cloud's cloud registry by omitting the _--image-name_ flag. Def
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://twistlock-console.apps.ose.example.com \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --helm \
     --cri
 +
@@ -547,7 +547,6 @@ Use the _--image-name_ flag to designate an image from the OpenShift internal re
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://twistlock-console.apps.ose.example.com \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
     --helm \
     --cri
@@ -559,7 +558,6 @@ This flag specifies the endpoint for the Prisma Cloud Compute API and must inclu
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://172.30.41.62:8083 \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --helm \
     --cri
 +
@@ -569,7 +567,6 @@ Use the _--image-name_ flag to designate an image in the OpenShift internal regi
   $ <PLATFORM>/twistcli defender export openshift \
     --address https://172.30.41.62:8083 \
     --cluster-address 172.30.41.62 \
-    --selinux-enabled \
     --image-name 172.30.163.181:5000/twistlock/private:defender_<VERSION> \
     --helm \
     --cri

admin_guide/technology_overviews/defender_architecture.adoc

@@ -2,7 +2,6 @@
 
 Customers often ask how Prisma Cloud Defender really works under the covers. Prisma Cloud leverages Docker's ability to grant advanced kernel capabilities to enable Defender to protect your whole stack, while being completely containerized and utilizing a least privilege security design.
 
-
 === Defender design
 
 Because we’ve built Prisma Cloud expressly for cloud native stacks, the architecture of our agent (what we call Defender) is quite different.  Rather than having to install a kernel module, or modify the host OS at all, Defender instead runs as a Docker container and takes only those specific system privileges required for it to perform its job.  It does not run as --privileged and instead takes the specific system capabilities of net_admin, sys_admin, sys_ptrace, audit_control, mknod, and setfcap that it needs to run in the host namespace and interact with both it and other containers running on the system.  You can see this clearly by inspecting the Defender container:
@@ -36,7 +35,6 @@ Critically, though, Defender runs as a user mode process.  If Defender were to f
 
 In the event of a communications failure with Console, Defender continues running and enforcing the active policy that was last pushed by the management point. Events that would be pushed back to Console are cached locally until it is once again reachable.
 
-
 === Why not a kernel module?
 
 Given the broad range of security protection Prisma Cloud provides, not just for containers, but also for the hosts they run on, you might assume that we use a kernel module - with all the associated baggage that goes along with that.  However, that’s not actually how Prisma Cloud works.
@@ -45,6 +43,20 @@ Kernel modules are compiled software components that can be inserted into the ke
 
 Because kernel modules have unrestricted system access, a security flaw in them is a system wide exposure.  A single unchecked buffer or other error in such a low level component can lead to the complete compromise of an otherwise well designed and hardened system.  Further, kernel modules can introduce significant stability risks to a system.  Again, because of their wide access, a poorly performing kernel module that’s frequently called can drag down performance of the entire host, consume excessive resources, and lead to kernel panics.  For these reasons, many modern operating systems designed for cloud native apps, like Google Container-Optimized OS, explicitly prevent the usage of kernel modules.
 
+=== Defender-Console communication
+
+By default, Defender establishes a connection to Console on TCP port 8084, although the port number can be customized to meet the needs of your environment.
+All traffic between Defender and Console is TLS encrypted.
+
+Defender has no privileged access to Console or the underlying host where Console is installed.
+By design, Console and Defender don't trust each other and Defender mutual certificate-based authentication is required to connect.
+Pre-auth, connections are blocked
+Post-auth, Defender's capabilities are limited to getting policies from Console and sending event data to Console.
+
+If Defender were to be compromised, the risk would be local to the system where it is deployed, the privilege it has on the local system, and the possibility of it sending garbage data to Console.
+Console communication channels are separated, with no ability to jump channels.
+Defender has no ability to interact with Console beyond port 8084.
+Both Console's API and web interfaces, served on port 8083 (HTTPS), require authentication via different channels (such as user name and password, access key, etc.), none of which Defender holds.
 
 [#_blocking_rules]
 === Blocking rules
@@ -70,7 +82,6 @@ When starting a container in a Prisma Cloud-protected environment:
 The last step guarantees that Defender always fails open, which is important for the resiliency of your environment.
 Even if the Defender process terminates, becomes unresponsive, or cannot be restarted, a failed Defender will not hinder deployments or the normal operation of a node.
 
-
 === Firewalls
 
 Defender enforces WAF policies (WAAS) and monitors layer 4 traffic (CNNF).

admin_guide/upgrade/upgrade.adoc

@@ -3,10 +3,11 @@
 ifdef::compute_edition[]
 Console notifies you when new versions of Prisma Cloud are available.
 You can upgrade Prisma Cloud without losing any of your data or configurations.
-After upgrading Console, all your deployed Defenders will automatically upgrade themselves.
+After upgrading Console, all your deployed Defenders will automatically upgrade themselves if you have auto-upgrade turned ON.
+Learn more about the upgrade process here: xref:../upgrade_process.adoc
 endif::compute_edition[]
 
 ifdef::prisma_cloud[]
-Palo Alto Networks periodically upgrades your Prisma Cloud Console.
-After a Console upgrade, all your deployed Defenders will automatically upgrade themselves.
+Palo Alto Networks manages and maintains your Prisma Cloud Console.
+For email notifications about Prisma Cloud Compute's maintenance schedules and upgrade notifications, subscribe to the Prisma Cloud service on the https://status.paloaltonetworks.com/[Palo Alto Networks status page].
 endif::prisma_cloud[]