Image Analysis Sandbox

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

 

By Dele Adewumi, Cloud Security Engineer

 

Introduction 

 

The Prisma Cloud image analysis sandbox lets you dynamically analyze the runtime behavior of images before running them in your development and production environments. This article will walk you through the installation, execution, and analysis of the results of a sample image using the image analysis sandbox features of Prisma Cloud.

 

What is the Image Analysis Sandbox?

 

The image analysis sandbox collects and displays container behaviors by safely exercising the image in a sandbox machine. It exposes risks and identifies suspicious dependencies buried deep in your software supply chain that would otherwise be missed by static analysis for vulnerabilities and compliance issues. Running the analysis is supported for Linux images on Docker container runtime.

 

Getting Started

 

Task 1: Create A Linux Machine (EC2)

 

Ref doc:  Get started with Amazon EC2

 

  • Ensure theECc2 instance is able to connect to the Prisma cloud compute console.

 

Task 2: Access the Provisioned EC2 

 

SSH into the EC2 instance.

 

  • Install Docker
  • Update the packages on your instance:  sudo yum update -y
  • Install Docker: sudo yum install docker -y
  • Start the Docker Service: sudo service docker start
  • Add the ec2-user to the docker group so you can execute Docker commands without using sudo:  sudo usermod -a -G docker ec2-user
  • Enable docker service: sudo systemctl enable docker
  • Start docker service: sudo systemctl start docker
  • Check the docker service: sudo systemctl status docker
  • In the Prisma Cloud Compute Console, Manage → System →  Utilitiestwistcli toolLinux platform copy that curl command and paste in the ec2 instance 
  • Check to see if twistcli is installed ./twistcli
  • 2Pull a docker image
  • docker pull giansalex/monero-miner

$ sudo docker pull giansalex/monero-miner

Using default tag: latest

latest: Pulling from giansalex/monero-miner

72cfd02ff4d0: Pull complete 

7dcc381da90f: Pull complete

eb76ea64ce6c: Pull complete 

b20a51bc5e5c: Pull complete 

Digest: sha256:428ac65643d358291922beae7c32daa3f3f83deddbc49cba43865f4913968f39

Status: Downloaded newer image for giansalex/monero-miner:latest

docker.io/giansalex/monero-miner:latest

 

  • Run the sandbox command
  • Run: ./twistcli sandbox --address prisma cloud compute console address --user console username --password console password -- analysis-duration 1m image ID

Note: The default duration will be 1 minute. The duration can be adjusted according to your image. Example duration: analysis-duration 2m30s

  • Example sandbox command:
        RPrasadi_1-1730505447597.png

 

 

Terminal Output

$ sudo ./twistcli sandbox --address https://abc.twistlock.com:8083  --user usr  ffff 

Please provide Console credentials:

Enter Password for usr: 

Failed to retrieve package's author {Version:2.9.1-r1 Name:libtls-standalone BinaryPkgs:[] Path: Files:[] FileInfos:[{Md5: Sha1:31e3c927c02372ebdce71fbabe5177ca0268658c Sha256: Path:/usr/lib/libtls-standalone.so.1 Size:0} {Md5: Sha1:f2ed3cc1c0c1566c1731c863c14e361c68fd19fb Sha256: Path:/usr/lib/libtls-standalone.so.1.0.0 Size:0}] CVECount:0 License:ISC PkgFileModTime:1660035718 PkgDirModTime:0 PkgFileCrTime:0 FullPkgPath: LayerTime:0 Source:{Name: Version:} BinaryIdx:[] FunctionLayer: Dependencies:[] OSPackage:false OriginPackageName: GoPkg:false JarIdentifier: DefaultGem:false PURL: DiscoveredDate:0001-01-01 00:00:00 +0000 UTC SecurityRepoPkg:false Symbols:[] Author:}

Container stdout/stderr:

 * ABOUT        XMRig/6.18.0 gcc/10.2.1

 * LIBS         libuv/1.40.0 LibreSSL/3.1.5 hwloc/2.8.0

 * HUGE PAGES   supported

 * 1GB PAGES    disabled

 * CPU          Intel(R) Xeon(R) CPU @ 2.20GHz (1) 64-bit AES VM

                L2:0.2 MB L3:55.0 MB 1C/2T NUMA:1

 * MEMORY       1.6/3.8 GB (42%)

 * DONATE       3%

 * ASSEMBLY     auto:intel

 * POOL #1      pool.supportxmr.com:5555 coin Monero

 * COMMANDS     hashrate, pause, resume, results, connection

 * OPENCL       disabled

 * CUDA         disabled

[2024-10-24 19:34:18.800]  net      use pool pool.supportxmr.com:5555  104.243.33.118

[2024-10-24 19:34:18.801]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (7 tx)

[2024-10-24 19:34:18.801]  cpu      use argon2 implementation AVX2

[2024-10-24 19:34:18.811]  msr      msr kernel module is not available

[2024-10-24 19:34:18.812]  msr      FAILED TO APPLY MSR MOD, HASHRATE WILL BE LOW

[2024-10-24 19:34:18.813]  randomx  init dataset algo rx/0 (2 threads) seed 246aa101aaad87f1...

[2024-10-24 19:34:18.819]  randomx  allocated 2336 MB (2080+256) huge pages 0% 0/1168 +JIT (5 ms)

[2024-10-24 19:34:27.542]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (11 tx)

[2024-10-24 19:34:37.758]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (13 tx)

[2024-10-24 19:34:41.828]  randomx  dataset ready (23008 ms)

[2024-10-24 19:34:41.828]  cpu      use profile  rx  (1 thread) scratchpad 2048 KB

[2024-10-24 19:34:41.834]  cpu      READY threads 1/1 (1) huge pages 0% 0/1 memory 2048 KB (6 ms)

[2024-10-24 19:34:48.048]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (16 tx)

[2024-10-24 19:34:49.811]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (4 tx)

[2024-10-24 19:34:59.842]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (6 tx)

[2024-10-24 19:35:09.862]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (10 tx)

[2024-10-24 19:35:18.591]  signal   SIGTERM received, exiting

WildFire scanning has started, and might extend the duration of the analysis up to 15 minutes


Analysis results for giansalex/monero-miner:latest sha256:1b9aeb7af41ff6a2b12fe705340e317ebdd08178be1f534c33d96ef82228bce4

Duration: 1m0s


Suspicious Findings:

+----------------------+-------------------+----------+------------------------------+

|         TIME         |       TYPE        | SEVERITY |         DESCRIPTION          |

+----------------------+-------------------+----------+------------------------------+

| 2024-10-24T19:35:19Z | Crypto Miner      | critical | Detected a crypto miner      |

+----------------------+-------------------+----------+------------------------------+

| 2024-10-24T19:35:19Z | Wild Fire Malware | critical | Malware detected by WildFire |

+----------------------+-------------------+----------+------------------------------+


Sandbox analysis verdict: FAIL


Link to the results in Console: https://twistlock.pcs.lab.twistlock.com:8083/#!/monitor/runtime/image-analysis/results?scanId=671aa1760177d47cb1f79a39 

$ 

Figure 1: Terminal Output_PaloAltoNetworks

unnamed.png

Figure 2: Console Output_PaloAltoNetworks

 

Console output 


unnamed (1).png
Figure 3: Console Details Expanded_PaloAltoNetworks 

 

Analysis Summary

 

The analysis summary contains the following main parts:

 

  • Verdict - whether the image passed or failed the analysis.
  • The criteria for passing or failing the sandbox analysis is determined by the severity of the suspicious findings detected during the analysis. 
    • The analysis verdict is "Failed" when there is at least one finding with Critical or High severity. Otherwise, the verdict is "Passed".
  • Highest severity - the severity of the most critical suspicious finding.
  • Suspicious findings count - the number of suspicious findings detected.
  • Analysis metadata - analysis time, duration, and the container entry point.
  • Image details - the details of the analyzed image.
    • The image details also include an indication of an additional scan that may have been performed on the image. If the image was scanned for vulnerabilities and compliance as a part of the CI process, registry scanning, or as a deployed image, it will be displayed in the Additional scan field. 
    • You will also be able to click on its value to see the scan results. Only the furthest stage is reported in the following order: CI → Registry → Deployed.

Conclusion 


The image analysis sandbox lets you dynamically analyze the runtime behavior of images before running them in your development and production environments.


The analysis mechanism collects and displays container behaviors by safely exercising the image in a sandbox machine. It also exposes risks and identifies suspicious dependencies buried deep in your software supply chain that would otherwise be missed by static analysis for vulnerabilities and compliance issues.


Reference


 

About the Author

 

Dele Adewumi is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers, and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success. 

Rate this article:
  • 860 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-04-2024 08:50 AM
Updated by: