Doc support for vuln/compliance scan for Fargate (#112)

Author: MorShabiPAN

admin_guide/_topic_map_compute_edition.yml

@@ -296,6 +296,8 @@ Topics:
   File: serverless_functions
 - Name: VMware Tanzu blobstore scanning
   File: vmware_tanzu_blobstore
+- Name: Fargate scanning
+  File: scan_fargate_tasks
 ---
 Name: Compliance
 Dir: compliance
@@ -322,6 +324,8 @@ Topics:
   File: host_scanning
 - Name: VM image scanning
   File: vm_image_scanning
+- Name: Fargate scanning
+  File: scan_fargate_tasks
 - Name: Detect secrets
   File: detect_secrets
 - Name: Cloud discovery

admin_guide/_topic_map_prisma_cloud.yml

@@ -298,6 +298,8 @@ Topics:
   File: host_scanning
 - Name: VM image scanning
   File: vm_image_scanning
+- Name: Fargate scanning
+  File: scan_fargate_tasks
 - Name: Detect secrets
   File: detect_secrets
 - Name: Cloud discovery

admin_guide/compliance/images/fargate_collection_image.png

@@ -67,7 +67,7 @@ When you run these images, they perform their intended function, but also mine B
 This check is based on research from Prisma Cloud Labs.
 For more information, see https://dockercon.docker.com/watch/T2xVKBNbq255j56Hecd1XZ[Real World Security: Software Supply Chain].
 
-*428 -- Package binaries should not be altered*::
+*448 -- Package binaries should not be altered*::
 
 Checks the integrity of package binaries in an image.
 During an image scan, every binary's checksum is compared with its package info.

admin_guide/compliance/images/fargate_image_comp_scan_result.png

@@ -0,0 +1,151 @@
+== Fargate scanning
+
+AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts.
+Each container is defined as part of a task and several containers can be run as part of the same task. 
+
+Prisma Cloud can scan Fargate tasks for compliance issues.
+To see the scan report for your Fargate task images, go to *Monitor > Compliance > Images > Deployed* and filter the table with *Fargate:Select*.
+
+Prisma Cloud Compute labels all containers running within the same task as if they run on the same host.
+For containers that are running in Fargate, the Host column will contain the Fargate task identifier.
+
+
+[.task]
+=== Create compliance rules for Fargate tasks
+
+Create a compliance rule for Fargate tasks in scope.
+
+[.procedure]
+. Login to the Console.
+
+. Go to *Defend > Compliance > Containers and images > Deployed*.
+
+. Click *Add rule*.
+
+. Enter a rule name.
+
+. Click on *Scope* to select a relevant collection, or create a new collection for your Fatgate tasks:
+
+.. Click *Add collection*.
+
+.. Enter collection name.
+
+.. In the host you can type the name of the required Fargate task name or postfix wildcards.
++
+For example `fargate`, `fargate-vulnerability-compliance-task`.
+
+.. Click *Save*.
+
+.. Select the new Fargate task collection.
+
+.. Click *Select collection*.
+
+. Click *Save*.
++
+NOTE: The block action doesn't apply to Fargate tasks.
++
+image::fargate_collection_image.png[width=600]
+
+
+=== Compliance check details
+
+The following checks are supported for Fargate tasks:
+
+*424: Sensitive information provided in environment variables*::
+Checks if images contain sensitive information in their environment variables.
+
+*425: Private keys stored in image*::
+Searches for private keys stored in an image or serverless function.
+
+*426: Image contains binaries used for crypto mining*::
+Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images.
+
+*448: Package binaries should not be altered*::
+Checks the integrity of package binaries in an image. During an image scan, every binary’s checksum is compared with its package info.
+
+*Custom compliance*::
+Custom checks capability works only for tasks that allows users with *root* privileges. Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. learn more in xref:../custom_compliance_checks.adoc [Custom compliance checks]
+
+
+=== Deploy Fargate task
+
+Deploy the `fargate-vulnerability-compliance-task` Fargate task (described below), following the steps in xref:..priv-docs/admin_guide/install/install_defender/install_app_embedded_defender_fargate.adoc[Embed App-Embedded Defender into Fargate tasks].
+
+
+==== Example task definition
+
+You can use the following task definition to test Prisma Cloud's App-Embedded Defender.
+The task deploys a `ubuntu:18.04` container and runs the `/bin/sh -c 'cp /bin/sleep /tmp/xmrig` command that triggers the *Image contains binaries used for crypto mining* compliance check.
+
+[source,json]
+----
+{
+  "containerDefinitions": [
+     {
+        "command": [
+           "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
+        ],
+        "entryPoint": [
+           "sh",
+           "-c"
+        ],
+        "essential": true,
+        "image": "ubuntu:18.04",
+        "logConfiguration": {
+           "logDriver": "awslogs",
+           "options": {
+              "awslogs-group" : "/ecs/fargate-task-definition",
+              "awslogs-region": "us-east-1",
+              "awslogs-stream-prefix": "ecs"
+           }
+        },
+        "name": "Fargate-vul-comp-test",
+        "portMappings": [
+           {
+              "containerPort": 80,
+              "hostPort": 80,
+              "protocol": "tcp"
+           }
+        ]
+     }
+  ],
+  "cpu": "256",
+  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
+  "family": "fargate-vulnerability-compliance-task",
+  "memory": "512",
+  "networkMode": "awsvpc",
+  "requiresCompatibilities": [
+      "FARGATE"
+   ]
+}
+----
+
+[.task]
+=== View compliance scan results
+
+[.procedure]
+. Navigate to *Monitor > Compliance > Images > Deployed* and validate that the deployed image appears with an alerted compliance check.
+
+. To see all images that are related to Fargate tasks, filter the image table by adding the *Fargate:Select* filter.
++
+You can also filter the results by a specific task name or postfix wildcards.
+For example: `fargate-task` OR `fargate-task*`.
+Use the *Hosts:* filter to filter the table specifically by hosts.
++
+image::fargate_select_filter_comp.png[width=600]
+
+. Search for the `fargate-vulnerability-compliance-task` Fargate task.
+
+. Click on the image to view image details:
+
+.. The associated vulnerabilities will appear under the Vulnerabilities tab
+
+.. Under the Compliance tab, see the following compliance issue: *Image contains binaries used for crypto mining*
+
+.. See the related fargate tasks under the *Environment > Fargate Tasks* tab.
++
+NOTE: the Host column represents the number of hosts and Fargate tasks that this image is associated with.
++
+NOTE: Runtime, Layers, Processes info and Labels tabs are not supported for images scanning by Fargate defenders.
++
+image::fargate_image_comp_scan_result.png[width=600]

admin_guide/compliance/images/fargate_select_filter_comp.png

@@ -63,6 +63,8 @@ However, the page lets you force a re-scan and refresh the results.
 Also note that updated policies aren't automatically reflected in the view.
 If you change a rule in your Trusted Images policy, re-scan the images in your environment to update the view.
 
+NOTE: Trusted images are not supported for Fargate tasks.
+
 
 === Trust indicators in the Console UI
 

admin_guide/compliance/prisma_cloud_compliance_checks.adoc

@@ -1,8 +1,8 @@
-== App Embedded Defender for Fargate
+== App-Embedded Defender for Fargate
 
-App Embedded Defenders for Fargate monitor your tasks to ensure they execute as designed, protecting tasks from suspicious processes and outbound network connections.
+App-Embedded Defenders for Fargate monitor your tasks to ensure they execute as designed, protecting tasks from suspicious processes and outbound network connections.
 
-App Embedded Defender policies let you define:
+App-Embedded Defender policies let you define:
 
 * Process allow or deny lists.
 Enables verification of launched processes against policy.
@@ -15,16 +15,16 @@ Besides runtime policy, you can also configure the xref:../../waas/waas.adoc[WAA
 
 === Architecture
 
-When you embed the App Embedded Defender into your Fargate task, Prisma Cloud modifies the task definition.
+When you embed the App-Embedded Defender into your Fargate task, Prisma Cloud modifies the task definition.
 The updated task definition includes a Prisma Cloud sidecar container.
 The sidecar container handles all communication with Console, including retrieving policies and sending audits.
-It also hosts the App Embedded Defender binaries, which are shared with the task's other containers through a shared volume.
+It also hosts the App-Embedded Defender binaries, which are shared with the task's other containers through a shared volume.
 The embed process modifies each containerDefinition to:
 
-* Mount the Prisma Cloud sidecar container's shared volume to gain access to the App Embedded Defender binaries.
-* Start the original entrypoint command under the control of App Embedded Defender.
+* Mount the Prisma Cloud sidecar container's shared volume to gain access to the App-Embedded Defender binaries.
+* Start the original entrypoint command under the control of App-Embedded Defender.
 
-App Embedded Defenders do not communicate directly with Console.
+App-Embedded Defenders do not communicate directly with Console.
 All communication is proxied through the Prisma Cloud sidecar container.
 The following diagram illustrates the setup:
 
@@ -48,9 +48,9 @@ To secure a Fargate task, embed the Prisma Cloud Fargate Defender into it.
 The steps are:
 
 . Define your policy in Prisma Cloud Console.
-By default, there are no rules in the App Embedded runtime policy.
-App Embedded Defenders dynamically retrieve policies from Console as they are updated.
-You can embed the App Embedded Defender into a task with very simple initial policies, then refine them later as needed.
+By default, there are no rules in the App-Embedded runtime policy.
+App-Embedded Defenders dynamically retrieve policies from Console as they are updated.
+You can embed the App-Embedded Defender into a task with very simple initial policies, then refine them later as needed.
 
 . Embed the Fargate Defender into your task definition.
 
@@ -70,7 +70,7 @@ image::install_app_embedded_defender_fargate_cnaf_scope.png[width=500]
 
 
 [.task, #_emedding_fargate_defender]
-=== Embed App Embedded Defender into Fargate tasks
+=== Embed App-Embedded Defender into Fargate tasks
 
 Prisma Cloud cleanly separates the code developers produce from the Fargate containers we protect.
 Developers don't need to change their code to accomodate Prisma Cloud.
@@ -82,21 +82,25 @@ You can call the Prisma Cloud API to embed the Fargate Defender into your task d
 
 *Prerequisites:*
 
-* The task where you’re embedding the App Embedded Defender can reach Console’s port 8084 over the network.
-
-* You have the task definition.
+* The task where you’re embedding the App-Embedded Defender can reach Console’s port 8084 over the network.
+* You have a task definition.
+* You have already created an ECS cluster.
+* Cluster VPC and subnets.
+* Task role.
 
 IMPORTANT: Your task definition must include matching `entrypoint` and `cmd` parameters from the Dockerfile(s) of the image(s) in your task.
-Because Prisma Cloud does not see the actual images as part of the embedding flow, it depends on having these parameter present to reliably insert the App Embedded Defender into the task startup flow.
+Because Prisma Cloud does not see the actual images as part of the embedding flow, it depends on having these parameter present to reliably insert the App-Embedded Defender into the task startup flow.
 If your Dockerfile does not include an `entrypoint` parameter, a default one, such as `/bin/sh`, must be used in the task definition.
 However, because the `cmd` parameter is optional, if your Dockerfile does not include a `cmd` parameter, one is not required in the task definition.
 
 [.procedure]
 . Log into Prisma Cloud Console.
 
-. Go to *Manage > Defenders > Deploy*.
+. Go to *Manage > Defenders > Deploy > Defenders*
+
+. Select *Single defender*
 
-. In the first drop-down list, choose the name or IP address App Embedded Defender should use to connect to Console.
+. In the first drop-down list, choose the name or IP address App-Embedded Defender should use to connect to Console.
 +
 NOTE: A list of IP addresses and hostnames are pre-populated in the drop-down list.
 If none of the items are valid, select the *Names* tab and add a new subject alternative name (SAN) using *Add SAN* button.
@@ -105,9 +109,9 @@ After adding a SAN, your IP address or hostname will be available in the drop-do
 NOTE: Selecting an IP address in a evaluation setup is acceptable, but using a DNS name is more resilient.
 If you select Console's IP address, and Console's IP address changes, your Defenders will no longer be able to communicate with Console.
 
-. In the second drop-down list, choose the *Defender type* of *App Embedded*.
+. In the *Defender Type* drop-down list, choose *App-Embedded*.
 
-. Set the *Deployment type* to *Fargate Task*.
+. Set the *Deploy App-Embedded Defender* to *Fargate Task*.
 
 . Embed the Fargate Defender into your task definition.
 
@@ -117,8 +121,79 @@ If you select Console's IP address, and Console's IP address changes, your Defen
 
 .. Copy the updated task definition from the right-hand box.
 
-. In AWS, create a new task definition using the new Prisma Cloud protected task.
+
+[.task]
+==== Creating a task definition in AWS
+
+Create a new task definition in AWS with the output from the previous section.
 If you already have an existing task definition, create a new revision.
+
+This section is geared to creating a new task definition based on the sample task.
+
+[.procedure]
+. Log into the AWS Management Console.
+
+. Go to *Services > ECS*.
+
+. Click *Task Definitions*, then click *Create new Task Definition*.
+
+.. Select *Fargate*, then click *Next step*.
+
+.. Scroll to the bottom of the page, and click *Configure via JSON*.
+
+.. Delete the prepopulated JSON, then paste the JSON generated for task from the previous section.
+
+.. Click *Save*.
+
+. Validate task content.
+
+.. Task name should be as described in the JSON.
+
+.. Select the *Task Role*.
+
+.. The task should include the *TwistlockDefender* container.
+
+.. Click *Create*.
+
+.. Click *View task definition*.
+
+
+[.task]
+==== Testing the task
+
+[.procedure]
+. Log into the AWS Management Console.
+
+. Go to *Services > ECS*.
+
+. Click *Clusters*, then select one of your Fargate cluster.
+
+. Click the *Services* tab, then click *Create*.
+
+.. For *Launch type*, select *Fargate*.
+
+.. For *Task Definition*, select your pre-defined task.
+
+.. Enter a *Service name*.
+
+.. For *Number of tasks*, enter *1*.
+
+.. Click *Next step*.
+
+.. Select a *Cluster VPC* and *Subnets*, then click *Next step*.
+
+.. For *Service Auto Scaling*, select *Do not adjust the service’s desired count*, then click *Next step*.
+
+.. Review your settings, then click *Create Service*.
+
+. Validate the results.
+
+.. Click *View Service*.
+
+.. When Last status is Running, your Fargate task is running.
+
+.. The containers are running.
+
+. View the defender in the Prisma Cloud Console: Go to *Manage > Defenders > Manage > Defenders* and search the fargate task by adding the filters *Fargate* and *Status:Connected*.
 +
-After running your task, view audits in Prisma Cloud Console.
-Go to *Monitor > Events*, and select *App Embedded Audits*.
+image::connected_fargate_defenders.png[width=500]