10-30-2024 04:09 PM - edited 11-04-2024 08:50 AM
The Prisma Cloud image analysis sandbox lets you dynamically analyze the runtime behavior of an image before you run it in your development and production environments. This article walks you through installing the tool, running an analysis on a sample image, and interpreting the results produced by the image analysis sandbox feature of Prisma Cloud.
The image analysis sandbox collects and displays container behaviors by safely exercising the image on a sandbox machine. It exposes risks and identifies suspicious dependencies buried deep in your software supply chain that static analysis for vulnerabilities and compliance issues would otherwise miss. The analysis is supported for Linux images on the Docker container runtime.
Ref doc: Get started with Amazon EC2
SSH into the EC2 instance.
$ sudo docker pull giansalex/monero-miner
Using default tag: latest
latest: Pulling from giansalex/monero-miner
72cfd02ff4d0: Pull complete
7dcc381da90f: Pull complete
eb76ea64ce6c: Pull complete
b20a51bc5e5c: Pull complete
Digest: sha256:428ac65643d358291922beae7c32daa3f3f83deddbc49cba43865f4913968f39
Status: Downloaded newer image for giansalex/monero-miner:latest
docker.io/giansalex/monero-miner:latest
Note: The default analysis duration is 1 minute. Adjust it to suit your image with the --analysis-duration flag, for example: --analysis-duration 2m30s
$ sudo ./twistcli sandbox --address https://abc.twistlock.com:8083 --user usr ffff
Please provide Console credentials:
Enter Password for usr:
Failed to retrieve package's author {Version:2.9.1-r1 Name:libtls-standalone BinaryPkgs:[] Path: Files:[] FileInfos:[{Md5: Sha1:31e3c927c02372ebdce71fbabe5177ca0268658c Sha256: Path:/usr/lib/libtls-standalone.so.1 Size:0} {Md5: Sha1:f2ed3cc1c0c1566c1731c863c14e361c68fd19fb Sha256: Path:/usr/lib/libtls-standalone.so.1.0.0 Size:0}] CVECount:0 License:ISC PkgFileModTime:1660035718 PkgDirModTime:0 PkgFileCrTime:0 FullPkgPath: LayerTime:0 Source:{Name: Version:} BinaryIdx:[] FunctionLayer: Dependencies:[] OSPackage:false OriginPackageName: GoPkg:false JarIdentifier: DefaultGem:false PURL: DiscoveredDate:0001-01-01 00:00:00 +0000 UTC SecurityRepoPkg:false Symbols:[] Author:}
Container stdout/stderr:
* ABOUT XMRig/6.18.0 gcc/10.2.1
* LIBS libuv/1.40.0 LibreSSL/3.1.5 hwloc/2.8.0
* HUGE PAGES supported
* 1GB PAGES disabled
* CPU Intel(R) Xeon(R) CPU @ 2.20GHz (1) 64-bit AES VM
L2:0.2 MB L3:55.0 MB 1C/2T NUMA:1
* MEMORY 1.6/3.8 GB (42%)
* DONATE 3%
* ASSEMBLY auto:intel
* POOL #1 pool.supportxmr.com:5555 coin Monero
* COMMANDS hashrate, pause, resume, results, connection
* OPENCL disabled
* CUDA disabled
[2024-10-24 19:34:18.800] net use pool pool.supportxmr.com:5555 104.243.33.118
[2024-10-24 19:34:18.801] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (7 tx)
[2024-10-24 19:34:18.801] cpu use argon2 implementation AVX2
[2024-10-24 19:34:18.811] msr msr kernel module is not available
[2024-10-24 19:34:18.812] msr FAILED TO APPLY MSR MOD, HASHRATE WILL BE LOW
[2024-10-24 19:34:18.813] randomx init dataset algo rx/0 (2 threads) seed 246aa101aaad87f1...
[2024-10-24 19:34:18.819] randomx allocated 2336 MB (2080+256) huge pages 0% 0/1168 +JIT (5 ms)
[2024-10-24 19:34:27.542] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (11 tx)
[2024-10-24 19:34:37.758] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (13 tx)
[2024-10-24 19:34:41.828] randomx dataset ready (23008 ms)
[2024-10-24 19:34:41.828] cpu use profile rx (1 thread) scratchpad 2048 KB
[2024-10-24 19:34:41.834] cpu READY threads 1/1 (1) huge pages 0% 0/1 memory 2048 KB (6 ms)
[2024-10-24 19:34:48.048] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (16 tx)
[2024-10-24 19:34:49.811] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (4 tx)
[2024-10-24 19:34:59.842] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (6 tx)
[2024-10-24 19:35:09.862] net new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (10 tx)
[2024-10-24 19:35:18.591] signal SIGTERM received, exiting
WildFire scanning has started, and might extend the duration of the analysis up to 15 minutes
Analysis results for giansalex/monero-miner:latest sha256:1b9aeb7af41ff6a2b12fe705340e317ebdd08178be1f534c33d96ef82228bce4
Duration: 1m0s
Suspicious Findings:
+----------------------+-------------------+----------+------------------------------+
| TIME | TYPE | SEVERITY | DESCRIPTION |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Crypto Miner | critical | Detected a crypto miner |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Wild Fire Malware | critical | Malware detected by WildFire |
+----------------------+-------------------+----------+------------------------------+
Sandbox analysis verdict: FAIL
Link to the results in Console: https://twistlock.pcs.lab.twistlock.com:8083/#!/monitor/runtime/image-analysis/results?scanId=671aa1760177d47cb1f79a39
$
Figure 1: Terminal output
Figure 2: Console output
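As an added example (not code from the article or from the twistcli tool itself), the POSIX sh script below turns the terminal output shown above into a CI gate: it parses the "Sandbox analysis verdict" line and counts critical rows in the Suspicious Findings table, and it fails closed when no verdict is present. The sandbox_gate wrapper assumes twistcli is in the working directory and uses the --address, --user and --analysis-duration flags shown in the article; the --password flag and the CONSOLE_* environment variables are assumptions. The sample output embedded in the script is constructed to mirror the article's transcript and contains no real scan data.

```shell
#!/bin/sh
# Added example: gate a pipeline step on the twistcli sandbox verdict.
# Output format follows the article's terminal transcript.

# Parse twistcli sandbox output read from stdin.
# Prints "<verdict> <critical-count>" on one line and returns:
#   0 = verdict PASS, 1 = verdict FAIL, 2 = no verdict line found
# (2 covers a crashed or truncated run and should also block the image).
parse_sandbox_output() {
    verdict=""
    critical=0
    while IFS= read -r line; do
        case "$line" in
            "Sandbox analysis verdict:"*)
                verdict=${line#Sandbox analysis verdict: }
                ;;
            "|"*"| critical |"*)
                # A data row of the Suspicious Findings table with severity "critical".
                critical=$((critical + 1))
                ;;
        esac
    done
    printf '%s %s\n' "${verdict:-UNKNOWN}" "$critical"
    case "$verdict" in
        PASS) return 0 ;;
        FAIL) return 1 ;;
        *)    return 2 ;;
    esac
}

# Run the sandbox analysis for one image and gate on the verdict.
# Assumptions: twistcli in the working directory; CONSOLE_ADDRESS, CONSOLE_USER
# and CONSOLE_PASSWORD exported by the pipeline; --password accepted by
# "twistcli sandbox" (the article shows an interactive password prompt instead).
# The raw output is kept in a log file next to the verdict for later review.
sandbox_gate() {
    image=$1
    duration=${2:-1m}   # article default is 1 minute
    logfile="sandbox-$(printf '%s' "$image" | tr '/:' '__').log"
    sudo ./twistcli sandbox \
        --address "$CONSOLE_ADDRESS" \
        --user "$CONSOLE_USER" \
        --password "$CONSOLE_PASSWORD" \
        --analysis-duration "$duration" \
        "$image" \
        | tee "$logfile" \
        | parse_sandbox_output
}

# Constructed sample output (same layout as the article's transcript; the digest
# is a placeholder, not a real image hash).
SAMPLE_OUTPUT='Analysis results for example/image:latest sha256:PLACEHOLDER_DIGEST
Duration: 1m0s
Suspicious Findings:
+----------------------+-------------------+----------+------------------------------+
| TIME                 | TYPE              | SEVERITY | DESCRIPTION                  |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Crypto Miner      | critical | Detected a crypto miner      |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Wild Fire Malware | critical | Malware detected by WildFire |
+----------------------+-------------------+----------+------------------------------+
Sandbox analysis verdict: FAIL'

# Offline demonstration against the constructed sample: prints "FAIL 2" and
# reports that the gate would block the image (exit status 1).
summary=$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_sandbox_output)
status=$?
if [ "$status" -eq 0 ]; then
    echo "gate: allow ($summary)"
else
    echo "gate: block ($summary, exit $status)"
fi
```

In a real pipeline, call sandbox_gate "$IMAGE" "2m30s" and let its non-zero exit status fail the job; because an absent verdict returns 2 rather than 0, a console outage or an interrupted scan cannot silently wave an image through.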
Console output
The analysis summary contains the following main parts:
Dele Adewumi is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers, and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.