At Twistlock, we work with large enterprises to startups around the world to secure their containers. One of the most common issues for our customers is being able to measure and demonstrate compliance for their specific industry regulations as well as implement internal compliance policies. Compliance violations not only expose vulnerabilities, but can also carry considerable financial penalties. This is why we are committed to offering industry-leading compliance capabilities across the entire application lifecycle.
Over the past year, we released and updated Twistlock Compliance Explorer to provide our customers with a centralized dashboard of their environments’ compliance. Twistlock offers users the ability to scan images for configuration settings and compare the results against Compliance Rules. For example, is the image configured for the container to run in privileged mode? Is the image trusted? Is the /etc/passwd file’s permissions set according to policy?
Based upon the results, Twistlock can ignore the finding, alert on non-compliance, or block the image from build completion and deployment. Twistlock 2.3 features over 200+ compliance checks compiled from the Center for Internet Security Docker and Kubernetes Benchmarks and Twistlock Labs research.
Built-in compliance templates within Twistlock
Twistlock customers span many industries that have varying compliance requirements. Therefore, we have added built-in Compliance Rule templates for the following industries:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI)
- General Data Protection Regulation (GDPR)
- NIST SP 800-190, Application Security Guide
Our CTO John Morello was one of the authors of the NIST Special Publication, which I’ll reference in my following walkthrough.
How to easily apply a compliance template
The following steps will show you how easy it would be to implement a new compliance rule. For my example, I will show you how to apply the NIST Special Publication 800-190 compliance checks:
- Go to Defend > Compliance > Policy > Add new Compliance Rule
- Enter a rule name (e.g. US Government NIST SP 800-190) and select NIST SP 800-190 within the Compliance template drop down:
- After saving the rule, click on the “manage” icon for the newly created rule. You will notice that all checks that apply to the NIST SP 800-190 are set to “Alert.”
|Twistlock complaince check||NIST SP 800-190||NIST SP 800-53 Control|
|423 Image is not trusted||4.1.5 Use of untrusted images : Unauthorized changes tot he contents of imagescan easily be detected and the altered image replaced with a known good copy.||SI-7, Software, Firmware, And Infomration Integrity|
You can see the compliance check results via the event logs and the Monitor > Compliance > Images
For this example, Twistlock has the ability to block untrusted images from becoming containers within your runtime environment based upon a specified registry and/or the image’s docker image id.
Adding custom compliance checks
Customers who want to implement their own custom compliance checks for CentOS, Fedora or Red Hat images can leverage the Security Content Automation Protocol (SCAP v1.2) feature within Twistlock. The platform leverages the SCAP-validated Red Hat OpenSCAP scanner.
Users can create a SCAP Data Stream with XCCDF Benchmarks that perform OVAL Common Configuration Enumeration (CCE) checks. Here are some sample SCAP datastreams that you can try for yourself. In this example, I am using the SCAP check (“passwd_perm_high.xml”) for CCE-3566-7 – File permissions for /etc/passwd should be set correctly (644). To add a custom check within the US Government NIST SP 800-190 Compliance Rule created above:
- Go to Manage > System > SCAP >click Add Data Stream > select passwd_perm_high.xml
- Manage the US Government NIST SP 800-190 Compliance Rule and scroll down to name = passwd_perm_high (note: custom compliance checks will start at ID 4000). Set the failed result Action accordingly (ignore, alert or block)
- Trigger a Twistlock scan of the Registry. Go to Monitor > Vulnerabilities > Registry and click scan.
- Once the scan is complete, click on the image and select the Compliance tab. Failed compliance test results will appear here.
Image configuration compliance is a critical pillar for the overall security of your cloud-based services. We at Twistlock were honored to have participated in the formulation of NIST SP 800-190, CIS Docker and Kubernetes Benchmarks. But, we know compliance is not a set it and forget it discipline. Twistlock will continue to expand upon its compliance checking capabilities in future releases.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.