
Image Sandbox Analysis


 

By Dele Adewumi, Cloud Security Engineer

 

Introduction 

 

The Prisma Cloud image analysis sandbox lets you dynamically analyze the runtime behavior of images before running them in your development and production environments. This article will walk you through the installation, execution, and analysis of the results of a sample image using the image analysis sandbox features of Prisma Cloud.

 

What is the Image Analysis Sandbox?

 

The image analysis sandbox collects and displays container behaviors by safely exercising the image in a sandbox machine. It exposes risks and identifies suspicious dependencies buried deep in your software supply chain that would otherwise be missed by static analysis for vulnerabilities and compliance issues. Running the analysis is supported for Linux images on Docker container runtime.

 

Getting Started

 

Task 1: Create A Linux Machine (EC2)

 

Ref doc:  Get started with Amazon EC2

 

  • Ensure the EC2 instance can connect to the Prisma Cloud Compute Console.

 

Task 2: Access the Provisioned EC2 

 

SSH into the EC2 instance.

 

  • Install Docker:
    • Update the packages on your instance: sudo yum update -y
    • Install Docker: sudo yum install docker -y
    • Start the Docker service: sudo service docker start
    • Add the ec2-user to the docker group so you can execute Docker commands without using sudo: sudo usermod -a -G docker ec2-user
    • Enable the Docker service: sudo systemctl enable docker
    • Start the Docker service: sudo systemctl start docker
    • Check the Docker service: sudo systemctl status docker
  • In the Prisma Cloud Compute Console, go to Manage → System → Utilities, locate the twistcli tool for the Linux platform, copy its curl command, and paste it into the EC2 instance.
  • Check that twistcli is installed: ./twistcli
  • Pull a Docker image: docker pull giansalex/monero-miner

$ sudo docker pull giansalex/monero-miner

Using default tag: latest

latest: Pulling from giansalex/monero-miner

72cfd02ff4d0: Pull complete 

7dcc381da90f: Pull complete

eb76ea64ce6c: Pull complete 

b20a51bc5e5c: Pull complete 

Digest: sha256:428ac65643d358291922beae7c32daa3f3f83deddbc49cba43865f4913968f39

Status: Downloaded newer image for giansalex/monero-miner:latest

docker.io/giansalex/monero-miner:latest

 

  • Run the sandbox command:
  • Run: ./twistcli sandbox --address <Prisma Cloud Compute Console address> --user <Console username> --password <Console password> --analysis-duration 1m <image ID>

Note: The default duration is 1 minute. The duration can be adjusted according to your image. Example duration: --analysis-duration 2m30s


Terminal Output

$ sudo ./twistcli sandbox --address https://abc.twistlock.com:8083 --user usr  ffff 

Please provide Console credentials:

Enter Password for usr: 

Failed to retrieve package's author {Version:2.9.1-r1 Name:libtls-standalone BinaryPkgs:[] Path: Files:[] FileInfos:[{Md5: Sha1:31e3c927c02372ebdce71fbabe5177ca0268658c Sha256: Path:/usr/lib/libtls-standalone.so.1 Size:0} {Md5: Sha1:f2ed3cc1c0c1566c1731c863c14e361c68fd19fb Sha256: Path:/usr/lib/libtls-standalone.so.1.0.0 Size:0}] CVECount:0 License:ISC PkgFileModTime:1660035718 PkgDirModTime:0 PkgFileCrTime:0 FullPkgPath: LayerTime:0 Source:{Name: Version:} BinaryIdx:[] FunctionLayer: Dependencies:[] OSPackage:false OriginPackageName: GoPkg:false JarIdentifier: DefaultGem:false PURL: DiscoveredDate:0001-01-01 00:00:00 +0000 UTC SecurityRepoPkg:false Symbols:[] Author:}

Container stdout/stderr:

 * ABOUT        XMRig/6.18.0 gcc/10.2.1

 * LIBS         libuv/1.40.0 LibreSSL/3.1.5 hwloc/2.8.0

 * HUGE PAGES   supported

 * 1GB PAGES    disabled

 * CPU          Intel(R) Xeon(R) CPU @ 2.20GHz (1) 64-bit AES VM

                L2:0.2 MB L3:55.0 MB 1C/2T NUMA:1

 * MEMORY       1.6/3.8 GB (42%)

 * DONATE       3%

 * ASSEMBLY     auto:intel

 * POOL #1      pool.supportxmr.com:5555 coin Monero

 * COMMANDS     hashrate, pause, resume, results, connection

 * OPENCL       disabled

 * CUDA         disabled

[2024-10-24 19:34:18.800]  net      use pool pool.supportxmr.com:5555  104.243.33.118

[2024-10-24 19:34:18.801]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (7 tx)

[2024-10-24 19:34:18.801]  cpu      use argon2 implementation AVX2

[2024-10-24 19:34:18.811]  msr      msr kernel module is not available

[2024-10-24 19:34:18.812]  msr      FAILED TO APPLY MSR MOD, HASHRATE WILL BE LOW

[2024-10-24 19:34:18.813]  randomx  init dataset algo rx/0 (2 threads) seed 246aa101aaad87f1...

[2024-10-24 19:34:18.819]  randomx  allocated 2336 MB (2080+256) huge pages 0% 0/1168 +JIT (5 ms)

[2024-10-24 19:34:27.542]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (11 tx)

[2024-10-24 19:34:37.758]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (13 tx)

[2024-10-24 19:34:41.828]  randomx  dataset ready (23008 ms)

[2024-10-24 19:34:41.828]  cpu      use profile  rx  (1 thread) scratchpad 2048 KB

[2024-10-24 19:34:41.834]  cpu      READY threads 1/1 (1) huge pages 0% 0/1 memory 2048 KB (6 ms)

[2024-10-24 19:34:48.048]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266274 (16 tx)

[2024-10-24 19:34:49.811]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (4 tx)

[2024-10-24 19:34:59.842]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (6 tx)

[2024-10-24 19:35:09.862]  net      new job from pool.supportxmr.com:5555 diff 100001 algo rx/0 height 3266275 (10 tx)

[2024-10-24 19:35:18.591]  signal   SIGTERM received, exiting

WildFire scanning has started, and might extend the duration of the analysis up to 15 minutes


Analysis results for giansalex/monero-miner:latest sha256:1b9aeb7af41ff6a2b12fe705340e317ebdd08178be1f534c33d96ef82228bce4

Duration: 1m0s


Suspicious Findings:

+----------------------+-------------------+----------+------------------------------+
|         TIME         |       TYPE        | SEVERITY |         DESCRIPTION          |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Crypto Miner      | critical | Detected a crypto miner      |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Wild Fire Malware | critical | Malware detected by WildFire |
+----------------------+-------------------+----------+------------------------------+


Sandbox analysis verdict: FAIL


Link to the results in Console: https://twistlock.pcs.lab.twistlock.com:8083/#!/monitor/runtime/image-analysis/results?scanId=671aa1760177d47cb1f79a39 

$ 

Figure 1: Terminal Output_PaloAltoNetworks


Figure 2: Console Output_PaloAltoNetworks

 

Console output 


Figure 3: Console Details Expanded_PaloAltoNetworks 

 

Analysis Summary

 

The analysis summary contains the following main parts:

 

  • Verdict - whether the image passed or failed the analysis.
  • The criteria for passing or failing the sandbox analysis are determined by the severity of the suspicious findings detected during the analysis.
    • The analysis verdict is "Failed" when there is at least one finding with Critical or High severity. Otherwise, the verdict is "Passed".
  • Highest severity - the severity of the most critical suspicious finding.
  • Suspicious findings count - the number of suspicious findings detected.
  • Analysis metadata - analysis time, duration, and the container entry point.
  • Image details - the details of the analyzed image.
    • The image details also include an indication of an additional scan that may have been performed on the image. If the image was scanned for vulnerabilities and compliance as a part of the CI process, registry scanning, or as a deployed image, it will be displayed in the Additional scan field. 
    • You will also be able to click on its value to see the scan results. Only the furthest stage is reported in the following order: CI → Registry → Deployed.
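
The pass/fail rule above, applied to the findings table that twistcli sandbox prints, as an added example that is not part of the original article or of Prisma Cloud tooling. The function name sandbox_summary, its exit-status convention and the ordering of severities below High are assumptions; the sample input is the findings table and verdict line from the terminal output shown earlier.

```shell
#!/bin/sh
# Added example (not Prisma Cloud code): gate on saved `twistcli sandbox` output.
# Prints: verdict=<PASS|FAIL> highest=<severity|none> count=<n> reported=<tool verdict|none>
# Returns 0 = pass, 1 = fail, 2 = verdict line missing or disagreeing with the table.
sandbox_summary() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function rank(s) {   # ordering below "high" is an assumption
            if (s == "critical") return 4
            if (s == "high") return 3
            if (s == "medium") return 2
            if (s == "low") return 1
            return 0         # unrecognized label: counted, never fails the image
        }
        BEGIN { best = -1; highest = "none"; reported = "none" }
        /^Suspicious Findings:/ { in_table = 1; next }
        /^Sandbox analysis verdict:/ {
            in_table = 0; reported = trim(substr($0, index($0, ":") + 1)); next
        }
        in_table && NF >= 5 {
            sev = tolower(trim($4))
            if (sev == "severity") next      # header row
            count++
            if (rank(sev) > best) { best = rank(sev); highest = sev }
        }
        END {
            failed = (best >= 3)             # page rule: any Critical or High finding
            printf "verdict=%s highest=%s count=%d reported=%s\n",
                (failed ? "FAIL" : "PASS"), highest, count, reported
            if (reported == "none" || (toupper(reported) ~ /^FAIL/) != failed) exit 2
            exit failed
        }'
}
# Sample input: findings table and verdict line from the terminal output above.
sample_output() {
    cat <<'EOF'
Suspicious Findings:
+----------------------+-------------------+----------+------------------------------+
|         TIME         |       TYPE        | SEVERITY |         DESCRIPTION          |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Crypto Miner      | critical | Detected a crypto miner      |
+----------------------+-------------------+----------+------------------------------+
| 2024-10-24T19:35:19Z | Wild Fire Malware | critical | Malware detected by WildFire |
+----------------------+-------------------+----------+------------------------------+
Sandbox analysis verdict: FAIL
EOF
}

sample_output | sandbox_summary || echo "gate status: $?"
```

Status 2 is worth treating as a hard stop in a pipeline: it means the saved output was truncated before the verdict line or the table and the verdict line do not agree.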

Conclusion 


The image analysis sandbox lets you dynamically analyze the runtime behavior of images before running them in your development and production environments.


The analysis mechanism collects and displays container behaviors by safely exercising the image in a sandbox machine. It also exposes risks and identifies suspicious dependencies buried deep in your software supply chain that would otherwise be missed by static analysis for vulnerabilities and compliance issues.


 

About the Author

 

Dele Adewumi is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers, and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success. 

Last Updated: 10-30-2024 04:09 PM