Twistlock Labs compliance checks are designed by our research team and fill gaps not offered by other benchmarks. Like all compliance checks, Twistlock’s supplementary checks monitor and enforce a baseline configuration across your environment.
Twistlock Labs compliance checks can be enabled or disabled in custom rules. New rules can be created under Defend > Compliance > Policy.
Checks if a running container (instantiated from an image) or serverless function contains sensitive information in its environment variables. These env vars can be easily exposed with docker inspect, and thus compromise privacy.
Weak settings incidents indicate that a well-known service is running with a non-optimal configuration. This covers settings for common applications, specifically: Mongo, Postgres, Wordpress, Redis, Kibana, Elasitc Search, RabbitMQ, Tomcat, Haproxy, KubeProxy, Httpd, Nginx, MySql, and registries. These check for things such as the use of default passwords, requiring SSL, etc. The output for a failed compliance check will contain a "Cause" field that gives specifics on the exact settings detected that caused a failure.
Checks if the user value in the container configuration is root. If the user value is 0, root, or "" (empty string), the container is running as a root user, and the policy’s configured effect (ignore, alert, or block) is actuated.
For running containers, Twistlock checks that the creation time of each layer in image:tag is the same as its corresponding image:tag in the registry.
For any image pulled from a password protected registry/repo, the registry must be configured in Twistlock. To add a registry, go to Defend > Vulnerabilities > Registry.
If an image does not belong to any user configured registry, and the image origin is Docker Hub, the image is compared against image:tag in Docker Hub.
Each layer in the image is assessed separately. If a layer cannot be found in the registry, it is skipped, and the next layer is assessed.
Checks if any binary in the image matches the md5 checksum for known malicous software.
Checks if unauthorized (untrusted) images are pulled or loaded into your environment.
Twistlock provides a mechanism to specify specific registries, repositories, and images that are considered trusted. Enable this check to prevent unauthorized containers from running in your critical environment. For more information, see Trusted images.
Checks if images or serverless functions contain sensitive information in their environment variables. Container images define environment variables with the Dockerfile ENV instruction. These environment variables can be easily exposed with docker inspect.
Searches for private keys stored in an image or serverless function. If found, the policy effect (ignore, alert, block) is applied on deployment.
Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images. When you run these images, they perform their intended function, but also mine Bitcoin for the attacker. This check is based on research from Twistlock Labs. For more information, see Real World Security: Software Supply Chain.
The Istio family of compliance checks lets you enforce a secure Istio configuration and address risks such as misconfigured TLS settings and universally scoped service roles. The goals of the compliance rules are to:
Ensure mutual TLS is configured correctly (enabled and over HTTPs).
Ensure RBAC policy is configured with service level access control (service x can only talk with service y).
Ensure RBAC policy is not too permissive.
More detailed information about each check will be published here shortly.
427 — Configure TLS per service using Destination Rule traffic policy
Ensures mutual TLS is globally enabled.
429 — Enable Istio authorization by creating RbacConfig named default
430 — Remove any additional RbacConfig and ensure there is only one RbacConfig named default
Extracts RbacConfig resource and make sure it is not set to OFF.
Ensures RBAC rules not too permissive. Verify there are no wildcards in the service roles.
Ensures service roles are at the service level and not the namespace level, which grants access to all services in the namespace.