
sample-code's People

Contributors

aqsaxvv092, brianbuquoi, dependabot[bot], gregkeys, gunjan5, harisrini, iamabot, iansk, infosec812, jb4lsu, joshfalgout, jpadams, keylowe, linux2000in, matthewabq, mdusman123, mklambert, mweigel, mwilco03, pfox1969, runciblespoon, sgordon46, sullivan1337, timekillerj, tkishel, turbodog, velocity303, wfg, yuvalavra


sample-code's Issues

Azure DevOps plugin requires the setting of vulnerability and compliance thresholds

The Azure DevOps plugin requires that the vulnerability and compliance thresholds be set to "low," "medium," "high," or "critical." This prevents the plugin from running in a fully non-blocking mode, which is a legitimate invocation of twistcli. The thresholds should offer a "none" option that, if selected, causes the --vulnerability-threshold and --compliance-threshold flags to be omitted from the argument list to twistcli.

Support for specifying specific users for secrets injection.


FISERV is asking for this.
Comments from their mail:
The current Prisma documentation suggests that if the container is not running with root privs, then the secrets in the filesystem must be 'world readable', which seems less than ideal. I was wondering why the secret file could not be configured to be readable only by the userid the container is running under.

From: https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/secrets/inject_secrets.html
For secrets injected as files: they can be found in /run/secrets/<SECRET_NAME>, where the contents of the file contain the secret's value. By default, secrets can only be read by root users in the container space. If you run your containers as non-root users, configure the injection rule to make the secrets readable by all users. Prisma Cloud can set the access permissions of the injected secrets file to read-only for the 'others' class of users. For more information about access permissions and 'others', see the chmod man page.

Jenkins Plugin Sample code

Provide some sample code that a customer can add to the pipeline to compare the deployed Jenkins plugin version to the deployed Console version. This could also be built into the plugin as I know twistcli has a --version flag.

Breakout helm chart and serve from repo?

I saw this article about the Twistlock defender console being available as a helm chart, and I was interested in trying it out; I figure I could run the twistlock console on kubernetes via PKS (pivotal container service) and use it to run blobstore scans against PAS (pivotal application service).

However it seems the chart is put within this general-purpose repo and having to be installed from source rather than from a dedicated charts index is a bit disappointing. Having to manually download this repo and navigate to the chart doesn't operationalize very well in comparison to other helm deployments. To be honest I haven't tried using the chart yet. Considering that it's placed here it makes me wonder if it's a usable/supported deployment model for a Twistlock console. Don't mean to come off as ungrateful or entitled though I do hope you can see where I'm coming from

Thoughts/advice?
Thanks for your time!

on operator install in openshift I get InvalidImageName

consoleImageName: registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_163

but I changed the values in the CR that should have been replaced.

88s Warning OverrideValuesInUse twistlockconsole/twistlockconsole Chart value "consoleImageName" overridden to "registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_169" by operator's watches.yaml
68s Warning OverrideValuesInUse twistlockconsole/twistlockconsole Chart value "consoleImageName" overridden to "registry-auth.twistlock.com/tw_<REPLACE_TWISTLOCK_TOKEN>/twistlock/console:console_20_04_169" by operator's watches.yaml

Splunk app eating forensics even if not successfully polled

    except (requests.exceptions.RequestException, ValueError) as req_err:
        logger.warning("Failed getting forensics for incidentID {} from profileID {}. Error: {}. Continuing.".format(incident["_id"], incident["profileID"], req_err))
        continue

This continues which leads to another pop(0), erasing the incident with the error.

  • Add the incident back to the file for retry later
  • Add field for number of retry attempts
  • Log successful ingestions

Prisma Cloud GitHub Actions

Improvements to the GitHub actions we support today and how we can publish things on the GitHub Actions marketplace.

  • Create formal GitHub Action
  • Get it added to GitHub Marketplace

[Splunk App] Future of development

So I am told from the vendor meetings I have with Palo Alto that "A new Splunk integration is 'Coming Soon'"
Is it updates to this code base?

/siem/splunk/twistlock/bin/poll_forensics.py JSONDecodeError Error

Currently a race condition can occur if poll_incidents.py is run twice and appends to forensics_file.txt.
It will result in the JSONDecodeError stated above.
This can be resolved by testing to see if the file exists.
If it doesn't just write the file don't append to it.
The following code should resolve this issue.

UnboundLocalError: local variable 'conf_values' referenced before assignment

twistlock.conf contents are properly updated --
[default]
[pcc]
console_addr = https://twistlock-ctools.ews.int:8083
username = ewssvcsplunk

Screenshot of the setup page is also attached. But the integration fails due to this error:
10-27-2021 13:20:00.000 -0500 INFO ExecProcessor - setting reschedule_ms=300000, for command=/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py
10-27-2021 13:20:00.208 -0500 INFO ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Prisma Cloud Compute poll_incidents script started.
10-27-2021 13:20:00.388 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Failed getting configuration from Splunk: ResourceNotFound('https://127.0.0.1:8089/servicesNS/nobody/twistlock/configs/conf-twistlock/None')
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" Traceback (most recent call last):
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 229, in
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" main()
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/poll_incidents.py", line 194, in main
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" configs = generate_configs(session_key)
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/utils/splunk.py", line 59, in generate_configs
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" stanza = get_config_stanza(credential["realm"], session_key)
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" File "/opt/splunk/etc/apps/twistlock/bin/utils/splunk.py", line 43, in get_config_stanza
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" "console_addr": conf_values["console_addr"],
10-27-2021 13:20:00.390 -0500 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/twistlock/bin/poll_incidents.py" UnboundLocalError: local variable 'conf_values' referenced before assignment

Visual studio code plugin

Visual studio code plugin, that on the save of a Dockerfile the plugin would build the image, communicate with the Console and return results of vulnerabilities and compliance scan.

Similar to how IaC and checkov work today.

@sullivan1337

This should use ImageStream pass-thru instead...

https://github.com/twistlock/sample-code/blob/master/openshift/twistlock_openshift_deploy.sh#L74-L92

This should use ImageStream pass-thru instead:

oc create secret docker-registry twistlock-registry --docker-server=registry.twistlock.com --docker-user=twistlock --docker-password=${ACCESS_TOKEN} --docker-email=${CUSTOMER_EMAIL}
oc import-image twistlock/defender:defender_${TWISTLOCK_VERSION} --from=registry.twistlock.com/twistlock/defender:defender_${TWISTLOCK_VERSION} --confirm
oc import-image twistlock/console:console_${TWISTLOCK_VERSION} --from=registry.twistlock.com/twistlock/console:console_${TWISTLOCK_VERSION} --confirm

Splunk Suggestion / Re-architecture / Enhancement

Currently the Splunk config is set up in cron job style.
This is somewhat Rube Goldberg-ian and is ripe for simplification.
However in lack of a better solution I would submit this would be a plausible path forward.
By employing the webhook from twistlock it will send a post request to an endpoint.
In testing I have set up a flask (python) web server that, upon receiving a post request (in this case from the webhook), fires off poll_incidents and poll_forensics and follows the rest of the configuration flow.
It could be deployed as a container alongside current containers in twistlock.
Moreover, it could then have environment variables assigned, for example index, that could generate the files that come along with the app.

[Splunk App] poll_forensics.py is susceptible to unexpected exits

The app is 'fragile' while processing the elements of the forensic_events.txt file. The file is loaded into a variable which is iterated through to pull forensic data. This is fine unless the script is stopped unexpectedly.

The plan is to keep the forensic_events.txt file open to keep the list of unprocessed elements up-to-date. In the event of an unexpected exit, the script can pick up where it left off.

helm-operator seems to require cluster-admin in OpenShift

I tried to just create a role that had the permissions to manage SCCs, but that doesn't seem to provide the needed roles so I ended up giving the operator the Cluster-admin role. It'd be great if what permissions were needed were more clearly defined and in the CSV so I didn't need to add to them at all between Subscription and creating the TwistlockConsole resource.

oc create clusterrole twistlock-scc-admin \
     --verb=* \
     --resource=securitycontextconstraints.security.openshift.io
oc adm policy add-cluster-role-to-user \
     twistlock-scc-admin system:serviceaccount:operators:twistlock-console-helm-operator

Archived/Missing Incidents fail on request.

In code, when the incident has been archived/can't be found, the app errors out and makes the Splunk log roll.
Possible courses of action:

  • Disable the error & continue; do we care if incidents that are gone have no forensics? Additionally we can set the timeout for the request to a shorter duration to prevent a hanging request.
  • Resolve on why error presents, is it imperative to have this? May require backend work to resolve it.

This error presents in environments with re-building infrastructure primarily.
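The four Splunk app issues above (forensics erased on a failed poll, the JSONDecodeError from two pollers appending to the same file, the loss of state on an unexpected exit, and archived incidents that error out every run) share one root cause: the pending-incident file is appended to and popped from in place. The following is an added example, not code from the sample-code repository, of a crash-safe queue that addresses all four: a missing file is written rather than appended to, every rewrite is atomic (temp file + rename), entries are merged by `_id` so a duplicate poller run cannot double-append, and a failed fetch re-queues the incident with a retry counter until `MAX_ATTEMPTS`. The file name, the `MAX_ATTEMPTS` value, the `fetch` callback and the constructed incidents are assumptions; the real app would call the Console API inside `fetch`.

```python
"""Crash-safe pending-incident queue for a Splunk-style poller (added example)."""
import json
import os
import tempfile
from typing import Callable, Dict, List

MAX_ATTEMPTS = 3  # assumption: after this many failed polls an incident is dropped


def _atomic_write(path: str, items: List[dict]) -> None:
    """Write the whole queue to a temp file, then rename it over the real file.
    A concurrent reader (or a second poller run) never sees a half-written or
    doubly-appended file, which is what produces the JSONDecodeError."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".forensic_events-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(items, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def load_queue(path: str) -> List[dict]:
    """A missing or empty file is an empty queue: it gets written, never appended to."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        text = fh.read()
    return json.loads(text) if text.strip() else []


def enqueue(path: str, incidents: List[dict]) -> int:
    """Merge newly polled incidents into the queue, keyed on _id, so running the
    incident poller twice cannot duplicate entries. Returns the queue length."""
    queue = load_queue(path)
    known = {item["_id"] for item in queue}
    for inc in incidents:
        if inc["_id"] not in known:
            queue.append({"_id": inc["_id"], "profileID": inc["profileID"], "attempts": 0})
            known.add(inc["_id"])
    _atomic_write(path, queue)
    return len(queue)


def drain(path: str, fetch: Callable[[dict], dict]) -> Dict[str, List[str]]:
    """Fetch forensics for each pending incident. Success removes the item; a
    failure keeps it for the next run with attempts+1 until MAX_ATTEMPTS, so an
    archived incident that never answers is eventually dropped instead of being
    erased on the first error or retried forever. The file is rewritten after
    every incident, so an unexpected exit loses nothing already processed."""
    result: Dict[str, List[str]] = {"ingested": [], "retry": [], "dropped": []}
    pending = load_queue(path)
    deferred: List[dict] = []
    while pending:
        item = pending.pop(0)
        try:
            fetch(item)  # the real app would call the Console API here
        except (OSError, ValueError):  # requests.RequestException subclasses IOError/OSError
            item["attempts"] += 1
            if item["attempts"] < MAX_ATTEMPTS:
                deferred.append(item)
                result["retry"].append(item["_id"])
            else:
                result["dropped"].append(item["_id"])
        else:
            result["ingested"].append(item["_id"])
        _atomic_write(path, pending + deferred)
    return result


def demo() -> Dict[str, object]:
    """Run the flow against constructed incidents in a temp dir; inc-2 always fails."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "forensic_events.txt")
    polled = [{"_id": "inc-1", "profileID": "prof-a"}, {"_id": "inc-2", "profileID": "prof-b"}]

    def fake_fetch(item: dict) -> dict:
        if item["_id"] == "inc-2":
            raise ValueError("incident archived or not found")  # constructed failure
        return {"events": []}

    first_len = enqueue(path, polled)
    second_len = enqueue(path, polled)  # a duplicate poller run must not grow the queue
    runs = [drain(path, fake_fetch) for _ in range(MAX_ATTEMPTS)]
    return {"first_len": first_len, "second_len": second_len, "runs": runs, "left": load_queue(path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pairing this with a short request timeout inside `fetch`, as the archived-incidents issue suggests, keeps a single unreachable incident from stalling the whole run; the retry counter then decides when to stop asking for it.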

Operator projects using the removed APIs in k8s 1.22 require changes.

Problem Description

Kubernetes has been deprecating API(s), which will be removed and are no longer available in 1.22. Operator projects using these API versions will not work on Kubernetes 1.22 or any cluster vendor using this Kubernetes version (1.22), such as OpenShift 4.9+. The following are the APIs your project is most likely to be affected by:

  • apiextensions.k8s.io/v1beta1: (Used for CRDs and available since v1.16)
  • rbac.authorization.k8s.io/v1beta1: (Used for RBAC/rules and available since v1.8)
  • admissionregistration.k8s.io/v1beta1 (Used for Webhooks and available since v1.16)

Therefore, it looks like this project distributes solutions via the Red Hat Connect with the package name prisma-cloud-compute-console-operator.v2.0.1 and does not contain any version compatible with k8s 1.22/OCP 4.9. Following are some findings from checking the distributions published:

NOTE: The above findings are only about the manifests shipped inside of the distribution. It is not checking the codebase.

How to solve

It would be very nice to see new distributions of this project that are no longer using these APIs and so they can work on Kubernetes 1.22 and newer and published in the Red Hat Connect collection. OpenShift 4.9, for example, will not ship operators anymore that do still use v1beta1 extension APIs.

Due to the number of options available to build Operators, it is hard to provide direct guidance on updating your operator to support Kubernetes 1.22. Recent versions of the OperatorSDK greater than 1.0.0 and Kubebuilder greater than 3.0.0 scaffold your project with the latest versions of these APIs (all that is generated by tools only). See the guides to upgrade your projects with OperatorSDK Golang, Ansible, Helm or the Kubebuilder one. For APIs other than the ones mentioned above, you will have to check your code for usage of removed API versions and upgrade to newer APIs. The details of this depend on your codebase.

If this project only needs to migrate the API for CRDs and it was built with OperatorSDK versions lower than 1.0.0, then you may be able to solve it with an OperatorSDK version >= v0.18.x < 1.0.0:

$ operator-sdk generate crds --crd-version=v1
INFO[0000] Running CRD generator.
INFO[0000] CRD generation complete.

Alternatively, you can try to upgrade your manifests with controller-gen (version >= v0.4.1):

If this project does not use Webhooks:

$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role paths="./..."

If this project is using Webhooks:

  1. Add the markers sideEffects and admissionReviewVersions to your webhook (Example with sideEffects=None and admissionReviewVersions={v1,v1beta1}: memcached-operator/api/v1alpha1/memcached_webhook.go):

  2. Run the command:

$ controller-gen crd:trivialVersions=true,preserveUnknownFields=false rbac:roleName=manager-role webhook paths="./..."

For further info and tips see the blog.

Thank you for your attention.
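The issue above lists three v1beta1 API groups whose manifests stop applying on Kubernetes 1.22, but it does not show how to find them in a shipped bundle. The following is an added example, not part of the sample-code repository or the operator tooling the issue links to, of a dependency-free check that walks a multi-document YAML stream, reads only column-0 `apiVersion`/`kind` keys plus `metadata.name`, and reports every object still on one of the removed versions together with its replacement. The sample manifests embedded at the bottom are constructed for the example (one stale CRD, one already-migrated ClusterRole, one stale webhook configuration); the names in them are placeholders.

```python
"""Scan Kubernetes manifests for API versions removed in 1.22 (added example)."""
import re
from typing import List, Tuple

# The three API groups named in the issue, mapped to the v1 replacement.
REMOVED_IN_1_22 = {
    "apiextensions.k8s.io/v1beta1": "apiextensions.k8s.io/v1",
    "rbac.authorization.k8s.io/v1beta1": "rbac.authorization.k8s.io/v1",
    "admissionregistration.k8s.io/v1beta1": "admissionregistration.k8s.io/v1",
}

_TOP_KEY = re.compile(r"^([A-Za-z]+):\s*(.*)$")   # column-0 keys only, so nested fields are ignored
_META_NAME = re.compile(r"^\s+name:\s*(\S+)\s*$")

Finding = Tuple[str, str, str, str]  # kind, metadata.name, apiVersion found, replacement


def split_documents(text: str) -> List[str]:
    """Split a multi-document YAML stream on '---' lines, dropping empty documents."""
    docs = re.split(r"^---\s*$", text, flags=re.MULTILINE)
    return [d for d in docs if d.strip()]


def describe(doc: str) -> Tuple[str, str, str]:
    """Pull apiVersion, kind and metadata.name without a YAML library: only
    column-0 keys are read, and the name is the first indented 'name:' that
    appears under the top-level 'metadata:' block."""
    api_version = kind = name = ""
    in_metadata = False
    for line in doc.splitlines():
        top = _TOP_KEY.match(line)
        if top:
            key, value = top.group(1), top.group(2).strip()
            in_metadata = key == "metadata"
            if key == "apiVersion":
                api_version = value
            elif key == "kind":
                kind = value
            continue
        if in_metadata and not name:
            m = _META_NAME.match(line)
            if m:
                name = m.group(1)
    return api_version, kind, name


def find_removed_apis(manifest_text: str) -> List[Finding]:
    """Return one finding per object that still uses a removed apiVersion."""
    findings: List[Finding] = []
    for doc in split_documents(manifest_text):
        api_version, kind, name = describe(doc)
        if api_version in REMOVED_IN_1_22:
            findings.append((kind, name, api_version, REMOVED_IN_1_22[api_version]))
    return findings


# Constructed sample (placeholder names): one stale CRD, one migrated ClusterRole,
# one stale ValidatingWebhookConfiguration.
SAMPLE_MANIFESTS = """\
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: twistlockconsoles.charts.example.com
spec:
  group: charts.example.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: manager-role
rules: []
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: console-validating-webhook
webhooks:
- name: validate.charts.example.com
  sideEffects: None
"""


if __name__ == "__main__":
    for kind, name, old, new in find_removed_apis(SAMPLE_MANIFESTS):
        print(f"{kind}/{name}: {old} is removed in 1.22, migrate to {new}")
```

Run it over the rendered output of a bundle (for example, the manifests directory of the published package) before building a release; an empty result for the three groups above is the condition the issue asks for, and the `controller-gen` commands quoted in the issue are one way to regenerate any object it flags.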

Needs a license

Would love to use the helm chart but want to make sure I don't get in trouble for doing so. Could a license be added to the repo?
