This article lists all rules in the Twistlock Console UI and their intended behavior. Its purpose is to help users understand the intention of each rule in the Console and its corresponding effect on the host environment.
To access Docker daemon through Defender, you must explicitly specify Defender’s host and port. For example:
$ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine
Management traffic between the Docker client and the Docker daemon can be routed through Defender by default by setting two environment variables. They can be set on a remote machine that accesses the Docker daemon on some host (such as a developer laptop), or on the host itself for users who do not have root privileges (which should be the majority of users).
$ export DOCKER_HOST=tcp://<defender host address>:9998
$ export DOCKER_TLS_VERIFY=1
Once set, docker commands flow through Defender by default (e.g., docker ps, docker run alpine). With DOCKER_TLS_VERIFY=1 the client also needs the CA certificate, client certificate and key, either in ~/.docker or in the directory that DOCKER_CERT_PATH points to. Keep in mind that Defender can only enforce access rules on traffic that actually reaches it: anyone who can talk to the Docker socket directly (root, or a member of the docker group) bypasses these rules, so direct socket access must be restricted accordingly. Throughout this guide, however, the commands are shown with the -H and --tlsverify flags given explicitly rather than through environment variables.
This guide is a reference for all access rule policies listed in Twistlock Console and their intended effect on the host environment. These commands are run from a Docker client to a Twistlock Defender using the access control feature. Access control rules can be configured at Defend > Access > Docker.
We have organized this document using the same structure as the Twistlock product UI in 1.7 and beyond, which follows the structure of the Docker Remote API documentation. Note that there may be minor differences in the structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v1.24 and will be updated periodically with new releases.
For clarity, every rule was set to deny and its resulting effect on the host environment was recorded.
Navigate to Defend > Access > Docker Rule.
For more information about the Docker API for containers, see https://docs.docker.com/engine/api/v1.30/#tag/Container.
Affects docker ps command on host which is used to list all running containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify ps
Response:
[Twistlock] The command container_list denied for user admin by rule Deny
Affects docker create command used to create a new container.
Command:
docker -H 10.0.0.1:9998 --tlsverify create morello/docker-whale
Response:
[Twistlock] The command container_create denied for user admin by rule Deny
Affects docker inspect command used for returning information about the container.
Command:
docker -H 10.0.0.1:9998 --tlsverify inspect ubuntu_bash2
Response:
[Twistlock] The command container_inspect denied for user admin by rule inspect
Affects docker top command used to display the running processes of a container
Command:
docker -H 10.0.0.1:9998 --tlsverify top ubuntu_bash
Response:
[Twistlock] The command container_top denied for user admin by rule Deny
Affects docker logs command used for returning logs from the container present at the time of execution.
Command:
docker -H 10.0.0.1:9998 --tlsverify logs ubuntu_bash2
Response:
[Twistlock] The command container_logs denied for user admin by rule logs
Affects the docker commit command, which creates a new image from a container's changes (it does not block changes inside the running container itself).
Command:
docker -H 10.0.0.1:9998 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3
Response:
[Twistlock] The command container_commit denied for user admin by rule commit
Affects docker export command that exports a container’s filesystem as a tar archive
Command:
docker -H 10.0.0.1:9998 --tlsverify export twistlock_console -o saved.tar
Response:
[Twistlock] The command container_export denied for user admin by rule export
Affects docker stats command on host which returns live data stream for running containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify stats silly_stallman
Response:
[Twistlock] The command container_stats denied for user admin by rule status
Affects the container resize API (POST /containers/{id}/resize), which resizes the TTY of a container, i.e. the window size used for the container's terminal output. There is no direct docker CLI command for it: the CLI issues this call automatically when the terminal size changes during an interactive session started with -t (docker run, attach or exec), so no command or response was recorded.
Command:
No direct docker CLI command; issued by the CLI on terminal resize during an interactive (-t) session.
Affects docker start command used to start one or more stopped containers
Command:
docker -H 10.0.0.1:9998 --tlsverify start ubuntu_bash
Response:
[Twistlock] The command container_start denied for user admin by rule Deny all
Affects docker stop command used to stop running container
Command:
docker -H 10.0.0.1:9998 --tlsverify stop ubuntu_bash
Response:
[Twistlock] The command container_stop denied for user admin by rule Deny
Affects docker restart command on host, used to restart a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify restart ubuntu_bash
Response:
[Twistlock] The command container_restart denied for user admin by rule Deny
Affects docker kill command used to kill a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify kill ubuntu_bash
Response:
[Twistlock] The command container_kill denied for user admin by rule Deny
Affects docker rename command on host that is used to rename a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify rename ubuntu_bash unbuntu
Response:
[Twistlock] The command container_rename denied for user admin by rule Deny
Error: failed to rename container named ubuntu_bash
Affects docker pause command on host which is used to pause all processes within one or more containers.
Command:
docker -H 10.0.0.1:9998 --tlsverify pause focused_cori
Response:
[Twistlock] The command container_pause denied for user admin by rule Deny
Affects docker unpause command on host which is used to un-suspend all processes in a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify unpause silly_stallman
Response:
[Twistlock] The command container_unpause denied for user admin by rule unpause
Affects the docker attach command on the host where Defender is deployed.
Command:
docker -H 10.0.0.1:9998 --tlsverify attach mycontainer
Response:
[Twistlock] The command container_attach denied for user admin by rule attach
persistent connection closed
Covers the websocket variant of attach (GET /containers/{id}/attach/ws), which performs the websocket protocol handshake defined in RFC 6455. The docker CLI itself uses the plain attach endpoint, so the same docker attach test is shown here; this rule matters for clients that attach to a container over a websocket.
Command:
docker -H 10.0.0.1:9998 --tlsverify attach mycontainer
Response:
[Twistlock] The command container_attach denied for user admin by rule attach
persistent connection closed
Affects docker wait command used to block until a container stops, then print its exit code.
Command:
docker -H 10.0.0.1:9998 --tlsverify wait ubuntu_bash
Response:
[Twistlock] The command container_wait denied for user admin by rule Deny
Affects docker rm command used for deleting a container.
Command:
docker -H 10.0.0.1:9998 --tlsverify rm <container>
Response:
[Twistlock] The command container_delete denied for user admin by rule delete
Affects the docker cp command when copying out of a container: gets a tar archive of a resource in the filesystem of the container (GET /containers/{id}/archive).
Command:
docker -H 10.0.0.1:9998 --tlsverify cp <container>:<path> - > latest.tar
Response:
[Twistlock] The command container_copy denied for user admin by rule delete
Affects the docker cp command when copying into a container: uploads a tar archive to be extracted at a path in the filesystem of the container (PUT /containers/{id}/archive).
Command:
docker -H 10.0.0.1:9998 --tlsverify cp - <container>:<path> < latest.tar
For more information about the Docker API for images, see https://docs.docker.com/engine/api/v1.30/#tag/Image.
Affects docker images command used to list all images
Command:
docker -H 10.0.0.1:9998 --tlsverify images
Response:
[Twistlock] The command image_list denied for user admin by rule Deny
Affects docker build command that is used to build an image from a Dockerfile.
Command:
docker -H 172.18.0.1:9998 --tlsverify build -t aqsa/testimage:v2 .
Response:
[Twistlock] The command image_build denied for user admin by rule Default - deny all
Affects docker pull command which is used to pull an image
Command:
docker -H 10.0.0.1:9998 --tlsverify pull ubuntu:latest
Response:
[Twistlock] The command image_create denied for user admin by rule Deny
Affects the docker inspect command when used on an image, which returns detailed information about the image.
Command:
docker -H 10.0.0.1:9998 --tlsverify inspect 28e7d49f8e6d
Response:
[Twistlock] The command image_inspect denied for user admin by rule images
Affects docker history <image> command.
Command:
docker -H 172.18.0.1:9998 --tlsverify history twistlock
Response:
[Twistlock] The command image_history denied for user admin by rule Default - deny all
Affects the docker push command, which pushes an image to a repository.
Command:
docker -H 10.0.0.1:9998 --tlsverify push ubuntu:latest
Response:
[Twistlock] The command image_push denied for user admin by rule Deny
Affects docker tag command used to tag an image in the repository
Command:
docker -H 10.0.0.1:9998 --tlsverify tag ubuntu:latest aqsa:tag
Response:
[Twistlock] The command image_tag denied for user admin by rule Deny
Validates credentials for a registry and gets an identity token, if available, for accessing the registry without a password. Affects docker login on the host. Note that the Docker CLI queries the /info endpoint before authenticating, to determine the default registry address, so under a deny-all policy the recorded denial is against docker_info rather than against the auth call itself.
Command:
docker -H 172.18.0.1:9998 --tlsverify login
Response:
[Twistlock] The command docker_info denied for user admin by rule Default - deny all
Affects docker info command used to display system-wide information
Command:
docker -H 10.0.0.1:9998 --tlsverify info
Response:
[Twistlock] The command docker_info denied for user admin by rule Deny
Affects docker version command on host which is used to find docker version.
Command:
docker -H 10.0.0.1:9998 --tlsverify version
Response:
[Twistlock] The command docker_version denied for user admin by rule version
The goal of this API is to ping the Docker server and make sure it is up and running.
Command:
It is intended to be called by an external monitoring system and has no direct docker CLI command. Note that newer Docker CLI releases also call this endpoint at startup for API version negotiation, so denying it can interfere with ordinary CLI use through Defender.
Affects docker commit command used for committing container’s file changes etc into a new image.
Command:
docker -H 10.0.0.1:9998 --tlsverify commit --change "ENV DEBUG true" cc2d57988b aqsa/testimage:version3
Response:
[Twistlock] The command container_commit denied for user admin by rule commit
Affects docker events command on host which is used to return real time events from the server.
Command:
docker -H 10.0.0.1:9998 --tlsverify events
Response:
[Twistlock] The command docker_events denied for user admin by rule events
Affects docker save command to save images to a tar archive
Command:
docker -H 172.17.0.1:9998 --tlsverify save $(docker images -q) -o /home/aqsa/mydockersimages.tar
Response:
[Twistlock] The command images_archive denied for user admin by rule Default - deny all
Affects docker load command to load an image from a tar archive or STDIN
Command:
docker -H 172.17.0.1:9998 --tlsverify load -i /home/aqsa/twistlock_1_6_81.tar.gz
Response:
[Twistlock] The command images_load denied for user admin by rule Default - deny all
Affects the exec-create API (POST /containers/{id}/exec), which docker exec uses to set up a command to run inside an already running container; it does not create a new container.
Command:
docker -H 10.0.0.1:9998 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks
Response:
[Twistlock] The command container_exec_start denied for user admin by rule exec
Affects docker exec command used for running a command in a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks
Response:
[Twistlock] The command container_exec_start denied for user admin by rule exec
Affects docker exec command used for running a command in a running container.
Command:
docker -H 10.0.0.1:9998 --tlsverify exec -d ubuntu_bash2 touch /tmp/execWorks
Response:
[Twistlock] The command container_exec_start denied for user admin by rule exec
For more information about the Docker API for volumes, see https://docs.docker.com/engine/api/v1.30/#tag/Volume.
Affects docker volume ls command to list all volumes
Command:
docker -H 10.0.0.1:9998 --tlsverify volume ls
Response:
[Twistlock] The command volume_list denied for user admin by rule Deny
Affects docker volume create command to create a volume
Command:
docker -H 10.0.0.1:9998 --tlsverify volume create
Response:
[Twistlock] The command volume_create denied for user admin by rule Deny
For information about the Docker API for networks, see https://docs.docker.com/engine/api/v1.30/#tag/Network.
Affects docker network ls to list networks
Command:
docker -H 172.17.0.1:9998 --tlsverify network ls
Response:
[Twistlock] The command network_list denied for user admin by rule Default - deny all
Affects docker network inspect to display detailed information on one or more networks
Command:
docker -H 172.17.0.1:9998 --tlsverify network inspect 82b1c
Response:
[Twistlock] The command network_inspect denied for user admin by rule Default - deny all
Affects docker network create to create a network
Command:
docker -H 172.17.0.1:9998 --tlsverify network create new-network
Response:
[Twistlock] The command network_create denied for user admin by rule Default - deny all
Affects docker network connect to connect a container to a network
Command:
docker -H 172.17.0.1:9998 --tlsverify network connect new-network container1
Response:
[Twistlock] The command network_connect denied for user admin by rule Default - deny all
Affects docker network disconnect to disconnect a container from a network
Command:
docker -H 172.17.0.1:9998 --tlsverify network disconnect new-network container1
Response:
[Twistlock] The command network_disconnect denied for user admin by rule Default - deny all
For more information about the Docker API for Swarm nodes, see https://docs.docker.com/engine/api/v1.30/#tag/Node.
Affects docker node ls command to list nodes in the swarm
Command:
docker -H 172.17.0.1:9998 --tlsverify node ls
Response:
[Twistlock] The command node_list denied for user admin by rule Default - deny all
Affects docker node inspect command to inspect a node in the swarm
Command:
docker -H 172.17.0.1:9998 --tlsverify node inspect swarm-manager
Response:
[Twistlock] The command node_inspect denied for user admin by rule Default - deny all
Swarm
For more information about the Docker API for Swarm, see https://docs.docker.com/engine/api/v1.30/#tag/Swarm.
Affects the docker swarm init command, which initializes a swarm.
Command:
docker -H 172.17.0.1:9998 --tlsverify swarm init
Response:
[Twistlock] The command swarm_init denied for user admin by rule Default - deny all
Affects the docker swarm join command, which joins a swarm as a manager node or worker node.
Command:
docker -H 172.17.0.1:9998 --tlsverify swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377
Response:
[Twistlock] The command swarm_join denied for user admin by rule Default - deny all
For more information about the Docker API for Swarm services, see https://docs.docker.com/engine/api/v1.30/#tag/Service.
Affects the docker service ls command, which lists services in the swarm.
Command:
docker -H 172.17.0.1:9998 --tlsverify service ls
Response:
[Twistlock] The command service_list denied for user admin by rule Default - deny all
Affects the docker service create command, which creates a new service.
Command:
docker -H 172.17.0.1:9998 --tlsverify service create --name redis redis:3.0.6
Response:
[Twistlock] The command service_create denied for user admin by rule Default - deny all
Affects docker service rm command to remove a service from the swarm.
Command:
docker -H 172.17.0.1:9998 --tlsverify service rm redis
Response:
[Twistlock] The command service_remove denied for user admin by rule Default - deny all
For more information about the Docker API for tasks, see https://docs.docker.com/engine/api/v1.30/#tag/Task.
Secret rules were added in Twistlock 2.0, in accordance with Docker Engine API v1.26.
For more information about the Docker API for secrets, see https://docs.docker.com/engine/api/v1.30/#tag/Secret.
Affects docker secret ls command used to list secrets.
Command:
docker -H 10.0.0.1:9998 --tlsverify secret ls
Response:
[Twistlock] The command secret_ls denied for user admin by rule Default - deny all
Affects docker secret create command used to create secrets.
Command:
docker -H 10.0.0.1:9998 --tlsverify secret create my-secret ./aqsa.json
Response:
[Twistlock] The command secret_create denied for user admin by rule Default - deny all
Affects docker secret inspect command used to inspect secrets.
Command:
docker -H 10.0.0.1:9998 --tlsverify secret inspect <id>
Response:
[Twistlock] The command secret_inspect denied for user admin by rule Default - deny all
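After running the test commands above against a deny-all policy, a practitioner wants to confirm that every call was actually blocked rather than eyeballing each response. The following script is an added example, not part of the Twistlock documentation or product: it parses the "[Twistlock] The command <action> denied for user <user> by rule <rule>" message that Defender returns and compares it with the action name each docker subcommand is expected to trigger (the mapping is taken from the responses recorded on this page). The captured outputs in SAMPLE_OUTPUTS are constructed for the example, including one call that the daemon answered directly (a policy gap) and one denied under a different action than expected.

```python
"""Audit captured docker-through-Defender outputs against an expected deny-all policy.

Added example for this page; SAMPLE_OUTPUTS and the audit logic are assumptions
for illustration, the denial message format and action names come from the
responses recorded above.
"""
import re

# Shape of the message Defender returns when a Docker access rule blocks an API call.
DENIAL_RE = re.compile(
    r"\[Twistlock\] The command (?P<action>[a-z_]+) denied for user (?P<user>\S+) by rule (?P<rule>.+)"
)

# docker subcommand -> Twistlock action name, as recorded in the responses on this page.
EXPECTED_ACTIONS = {
    "ps": "container_list",
    "create": "container_create",
    "stop": "container_stop",
    "rm": "container_delete",
    "exec": "container_exec_start",
    "pull": "image_create",
    "build": "image_build",
    "info": "docker_info",
    "push": "image_push",
    "volume create": "volume_create",
}


def parse_denial(output):
    """Return {'action', 'user', 'rule'} from the first denial line in the output, else None.

    The CLI may print its own error lines after the denial (see the rename and
    attach responses above), so every line is scanned and the rest is ignored.
    """
    for line in output.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            return {"action": m.group("action"), "user": m.group("user"),
                    "rule": m.group("rule").strip()}
    return None


def audit_policy(captured, expected=EXPECTED_ACTIONS, user="admin"):
    """Map each expected subcommand to a verdict.

    'denied'           the expected action was blocked for the expected user
    'denied:<action>'  blocked, but under a different action name than expected
    'ALLOWED'          no denial message: the call reached the daemon (policy gap)
    'untested'         no output was captured for this subcommand
    """
    report = {}
    for sub, action in expected.items():
        out = captured.get(sub)
        if out is None:
            report[sub] = "untested"
            continue
        d = parse_denial(out)
        if d is None:
            report[sub] = "ALLOWED"
        elif d["action"] == action and d["user"] == user:
            report[sub] = "denied"
        else:
            report[sub] = "denied:%s" % d["action"]
    return report


def policy_gaps(report):
    """Subcommands that reached the daemon, or were never exercised, under a deny-all policy."""
    return sorted(sub for sub, verdict in report.items() if verdict in ("ALLOWED", "untested"))


# Constructed sample outputs (not captured from a real Defender) standing in for the test run.
SAMPLE_OUTPUTS = {
    "ps": "[Twistlock] The command container_list denied for user admin by rule Deny\n",
    "create": "[Twistlock] The command container_create denied for user admin by rule Deny\n",
    "stop": "[Twistlock] The command container_stop denied for user admin by rule Deny\n",
    # Denial followed by the CLI's own error line, as in the rename response above.
    "rm": "[Twistlock] The command container_delete denied for user admin by rule delete\n"
          "Error: failed to remove container\n",
    "exec": "[Twistlock] The command container_exec_start denied for user admin by rule exec\n",
    "pull": "[Twistlock] The command image_create denied for user admin by rule Deny\n",
    # Denied, but under a different action than the one expected for docker build.
    "build": "[Twistlock] The command image_create denied for user admin by rule Deny\n",
    # The daemon answered instead of Defender: this call was not blocked.
    "info": "Containers: 3\n Running: 1\nImages: 12\n",
}

if __name__ == "__main__":
    report = audit_policy(SAMPLE_OUTPUTS)
    for sub, verdict in sorted(report.items()):
        print("%-16s %s" % (sub, verdict))
    print("policy gaps:", policy_gaps(report))
```

Any subcommand that shows up as ALLOWED or untested is a hole in the policy test, and a denial under an unexpected action name usually means the CLI hit a different endpoint first (as docker login does with /info above), which is worth knowing before relying on a rule for a particular subcommand.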