This technical deep dive highlights key capabilities released as part of Twistlock 2.5. To learn more about what’s included with Twistlock 2.5, check out our full release blog post.

Have you ever authored SCAP content? I did over my vacation recently. I call SCAP a “vacation-ruiner,” and I now have immense respect/sympathy for the SCAP authors of the DISA STIGs and USGCB. Twistlock has supported custom compliance checks using SCAP since v1 and still does today, but asking customers to write their own SCAP compliance check was a tall order. Until now!

With the release of Twistlock 2.5, we have added new functionality to our compliance scanning capabilities that allow users to more quickly and easily build custom compliance checks.

Custom compliance checks: UNIX bash and Windows shell scripts

With our latest release, you can skip the SCAP learning curve and use UNIX bash and Windows shell scripts. in addition to the 250+ out-of-the-box checks already included from the CIS Docker and Kubernetes Benchmarks and Twistlock Labs Research, Twistlock now offers the following:

  • The ability for users to author their own UNIX bash script to check images for specific compliance requirements
  • Additional ability to use Windows shell scripts for Windows image compliance scanning
  • Identification and reporting of both passing and failing compliance checks
  • Additional Linux host OS checks based upon CIS Distribution Independent Linux Benchmark

A custom check in action: UNIX

In a previous compliance blog, I demonstrated the authoring of SCAP content to check for the umask of an image’s /etc/passwd file. With the new custom compliance feature, I can write the same check with in a UNIX bash script.

---- begin script block ----
#!/bin/sh
filename=/etc/passwd
mask=644
perm=$(stat -c "%a" "$filename")
if [ $perm -eq $mask ]
 then
  echo ": $filename permission is $perm"
  exit 0
 else
  echo ": incorrect file permission on $filename: $perm"
  exit 1
fi

---- end script block ----

To use this feature in Twistlock, you would navigate to Defend > Compliance > Custom and select Add check.

Next, enter the check’s name and description, before setting the severity level and pasting in the script above. You can see what this step looks like in the following screenshot for my custom check called Passwd umask.

Then within Defend > Compliance > Policy, you would modify an existing rule or add a new one. Note the custom compliance checks will start at ID 9000.

Then, set the Action to Alert or Block and select #5 Reported results = Passed and Failed Checks. My example is below:

Twistlock will use the script to inspect the image. The exit code of the script will tell Twistlock if the check passed (exit 0) or failed (exit 1). For images that fail their compliance check, Twistlock will capture the standard out of the script and present it within the image’s compliance scan results. In this example I modified the base Alpine image’s /etc/passwd umask to 777. Note the script’s echo “: incorrect file permission on $filename: $perm” is provided in the scan results in the screenshot below.

Our goal with Twistlock 2.5 was to make this process a lot easier than writing the same check in SCAP.

Additionally, you’ll notice the compliance scan results, in the screenshot below, state that this image also fails the CIS Docker Community Edition Benchmark V1.1.0 check 4.1: Ensure a user for the container has been created. In the compliance results, we include the CIS check’s description — making an auditor’s life easier.

A custom check in action: Windows

But what about Windows? In this example below, I show an example Windows shell script used to check for the existence of c:\users\usera directory.

```
IF NOT EXIST C:\Users\UserA echo “test permission failure” && exit 1
```

The process for adding the check takes place in the same window as my UNIX script earlier in this blog. I’ll give the new check a name, in this case Windows Check, and then include an appropriate Description and Severity level before pasting in my script. This is shown in the screenshot below:

Twistlock then includes this compliance check as part of the image scan results just like my UNIX bash script. My image fails the custom check and includes a brief summary of the issue:

Conclusion

Compliance across the application lifecycle is a cornerstone capability of the Twistlock Platform. Twistlock 2.5 makes it easier for you to write your own custom compliance checks for UNIX and Windows-based images.

If you’re interested in learning more about compliance capabilities within Twistlock, check out my recent blog Container Compliance: HIPAA, PCI, NIST & GDPR = Oh My!

← Back to All Posts Next Post →