The Problem

This morning, a colleague was looking for situations where a Twistlock runtime model had a particular set of characteristics. Now, somebody might click through all the models in the Twistlock Console, inspecting each one to find one or more containers that met the requirements; however, a production deployment may have a large number of models. Even my tiny test lab currently has 35 models, so it would take some time to click through each one of them.

Nope, not that one…

I’m a professional geek, though, so I immediately set out scripting a way to get the answer instead of doing it manually. PowerShell is my preference for scripting and, thus, I quickly came up with a few lines to answer the question conclusively:

# We want to call the container API to get all
# of the runtime models
$request = "https://neilcar.lab.twistlock.com:8083/api/v1/profiles/container"
# We will need credentials to connect so we will ask the user
$cred = Get-Credential
# Get the JSON data back from Twistlock and turn it
# into a PowerShell object.
$containers = Invoke-RestMethod $request -Authentication Basic -Credential $cred
# Answer the question 
$containers.Where{$_.processes.static.Count -EQ 0 -AND $_.processes.behavioral.Count -EQ 1}.image

In four lines of code, I was able to provide an answer that would otherwise have taken several minutes of clicking through all of the models in my lab.

gcr.io/google_containers/kube-apiserver-amd64:v1.9.2
gcr.io/google_containers/kube-scheduler-amd64:v1.9.2

There are two container models that have no statically discovered processes and exactly one dynamically discovered one.

What’s Next?

Now that I have this rich data in PowerShell, I would naturally want to do more with it. For example, I might be interested in finding all the processes that are used across all the container models:

# Combine statically discovered and behaviorally
# discovered processes into a single array
$processes = $containers.processes.static + $containers.processes.behavioral
$processes

And we get…

path                                           ppath                                        md5
----                                           -----                                        ---
/usr/local/bin/defender                                                                     02a76f45336776df2bb9acf02f6bb49e
/usr/bin/mongo                                                                              e4de873bdbb810b45099f0708dd8383a
/bin/busybox                                                                                c9280d589045776a93718e4fc8ec46ae
/app/server                                                                                 5e284cf2577a1fe3696ec008acc280ae
/usr/sbin/logrotate                                                                         9cc23f5e0b53e1f23136b5d0f3b39423
/usr/bin/openssl                                                                            d53d4d0faab959cb9b2da789f747966e
/usr/bin/mongod                                                                             728c739d6d7ad13d5c9d28cea5e34185
/usr/local/bin/fsmon                           /usr/local/bin/defender                      ed0640e5a46f0db801e8e08d68f65e57
/bin/bash                                      /usr/bin/docker-containerd-shim              d6e7fc793c8d39ead52e4d04247667c2
/sbin/runsv                                    /sbin/runsvdir                               c80a4fa2f76401ae781599b26d2b8e54
/bin/bird6                                     /sbin/runsv                                  a44dbb510e5c775a4020375d6dc5c375
/bin/calico-felix                              /sbin/runsv                                  afac798ce1d012273305edc78033efde
/bin/confd                                     /sbin/runsv                                  00427c8e883a3f672bd220d7020c4d70

(I’ve edited out most of the processes because there are quite a few of them.)
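The flattened array above loses track of which model each process came from. The following is an added example (not from the original post) that assumes `$containers` already holds the result of the `Invoke-RestMethod` call above; it keeps the image and discovery method alongside each process, then looks for process paths that were learned with more than one md5 across models, which is a useful sanity check on the learned models.

```powershell
# Added example: assumes $containers is the object returned by the
# /api/v1/profiles/container call earlier in this post.
# Flatten every process while keeping its model (image) and discovery method.
$allProcesses = foreach ($model in $containers) {
    foreach ($kind in 'static', 'behavioral') {
        foreach ($p in $model.processes.$kind) {
            [pscustomobject]@{
                image  = $model.image
                source = $kind
                path   = $p.path
                ppath  = $p.ppath
                md5    = $p.md5
            }
        }
    }
}

# How many distinct models does each process path appear in?
$allProcesses |
    Group-Object path |
    ForEach-Object {
        [pscustomobject]@{
            path   = $_.Name
            models = ($_.Group.image | Sort-Object -Unique).Count
        }
    } |
    Sort-Object models -Descending |
    Format-Table -AutoSize

# Same path learned with different md5 values across models: the same binary
# name exists in more than one build, which is worth a closer look.
$allProcesses |
    Group-Object path |
    Where-Object { @($_.Group.md5 | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            path   = $_.Name
            hashes = ($_.Group.md5 | Sort-Object -Unique) -join ', '
            images = ($_.Group.image | Sort-Object -Unique) -join ', '
        }
    }
```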

Next Level

I might want to do more than just view and report on data that Twistlock Console has, though. For example, I might want to use the API to find all container models with a particular tag and then enable manual machine learning for those models as part of a test and release cycle. In the example below, I’m using Sock Shop, a microservices demo app:

# Get a list of all container profiles that are related
# to 'sock-shop'
$request = "https://neilcar.lab.twistlock.com:8083/api/v1/profiles/container?search=sock-shop"
# We will need credentials to connect so we will ask the user
$cred = Get-Credential
$sockshopcontainers = Invoke-RestMethod $request -Authentication Basic -Credential $cred
# Loop through all of the returned containers
foreach($container IN $sockshopcontainers)
{
    # $container._id is the ID we need to pass this API
    $request = "https://neilcar.lab.twistlock.com:8083/api/v1/profiles/container/" + $container._id + "/learn"
    # We want to enable manual learning for
    # each of these containers
    $body = @{
        "state" = "manualLearning"
    } | ConvertTo-Json
    Invoke-WebRequest $request -Authentication Basic -Credential $cred -Body $body -Method 'POST' 
}

After turning on manual learning for all of these models, I could generate load to ensure that my model was built the way that I wanted it. When I was finished, I could re-run the loop to set the state to ‘active’ so that the model would be applied to runtime protections.
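Since the same loop is run twice with different states, it is worth wrapping it in a function. This is an added example, not code from the original post: the function name `Set-TwistlockLearningState` is my own, the endpoint and the `manualLearning` and `active` states are those used above, and the function adds `-WhatIf` support and per-model error reporting so one failed call does not stop the rest.

```powershell
function Set-TwistlockLearningState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Console,       # e.g. https://neilcar.lab.twistlock.com:8083
        [Parameter(Mandatory)] [string] $Search,        # e.g. sock-shop
        [Parameter(Mandatory)] [ValidateSet('manualLearning', 'active')] [string] $State,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Same search endpoint as above; escape the search term for use in a URL
    $query  = [uri]::EscapeDataString($Search)
    $models = Invoke-RestMethod "$Console/api/v1/profiles/container?search=$query" `
        -Authentication Basic -Credential $Credential
    $body = @{ state = $State } | ConvertTo-Json

    foreach ($model in $models) {
        $uri = "$Console/api/v1/profiles/container/$($model._id)/learn"
        # With -WhatIf this only reports what would change and makes no API call
        if (-not $PSCmdlet.ShouldProcess($model.image, "set learning state to $State")) { continue }
        try {
            $resp = Invoke-WebRequest $uri -Authentication Basic -Credential $Credential `
                -Method Post -Body $body -ContentType 'application/json'
            [pscustomobject]@{ image = $model.image; state = $State; status = $resp.StatusCode }
        }
        catch {
            # Report the failure for this model and carry on with the remaining ones
            [pscustomobject]@{ image = $model.image; state = $State; status = "failed: $($_.Exception.Message)" }
        }
    }
}

# Usage: put the Sock Shop models into manual learning, generate load, then
# flip them back to active (shown here with -WhatIf as a dry run).
$cred = Get-Credential
Set-TwistlockLearningState -Console 'https://neilcar.lab.twistlock.com:8083' -Search 'sock-shop' -State manualLearning -Credential $cred
Set-TwistlockLearningState -Console 'https://neilcar.lab.twistlock.com:8083' -Search 'sock-shop' -State active -Credential $cred -WhatIf
```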

This is just a taste of what you can do quickly and easily by combining the Twistlock API with PowerShell.

1 I’m using PowerShell 6, which supports using Basic authentication with Invoke-RestMethod. If you’re using an earlier version of PS, you’ll have to manually create the Basic authentication header as described here.
