1. Overview

Twistlock for Pivotal Cloud Foundry (PCF) scans the droplets in your blobstores for vulnerabilities.

PCF is a Platform as a Service (PaaS) that runs applications on your infrastructure. The platform's own VMs are deployed, scaled, and monitored by BOSH, PCF's infrastructure lifecycle management tool; applications themselves are managed by the Cloud Controller and run in containers on Diego cells. PCF stores large binary files in blobstores, which are roughly equivalent to container registries. One type of file stored in the blobstore is the droplet.

Droplets are archives that contain ready-to-run applications and are roughly equivalent to container images. A droplet is the output of staging: the custom app code together with the language runtime and libraries that the buildpack supplied. Before running an app on your infrastructure, the Cloud Controller stages it by running a buildpack over the app source to produce a droplet, then stores the droplet in a blobstore. At run time the droplet is started on top of a stack (the operating system root filesystem, such as cflinuxfs3).

Twistlock is packaged as a tile. When the tile is installed, it deploys Defender as a PCF service on a dedicated VM on your infrastructure. Like all Defenders, the PCF Defender must be able to connect over the network to Twistlock Console.

The twistcli command line tool can also scan droplet files directly. You can integrate twistcli into your CI pipeline to pass or fail builds based on vulnerability thresholds.

2. Install the PCF Defender

The PCF Defender is delivered as a tile. Go to the PCF Ops Manager Installation Dashboard to install the tile.

Prerequisites

External blobstores that require a custom authentication flow, such as those offered by cloud providers, are not supported.

Procedure

  1. Download the latest Twistlock release to your local host.

  2. In the Ops Manager Installation Dashboard, click Import a Product.

  3. Select the tile from the Twistlock release directory. It can be found in TWISTLOCK-RELEASE/pivotal/twistlock-tile-VERSION.pivotal.

  4. Retrieve the install command from Twistlock Console. It will be used to configure the tile.

    1. Log into Twistlock Console.

    2. Go to Manage > Defenders > Deploy.

    3. Choose the DNS name or IP address the PCF Defender will use to connect to Console. If a suitable option is not available, go to Manage > Defenders > Names, and add a DNS name or IP address to the SAN table.

    4. Set the Defender type to PCF.

    5. Leave the Defender listener type set to None.

    6. Copy the install command and set it aside.

  5. Navigate to the PCF Ops Manager Installation Dashboard.

  6. Add the Twistlock tile to your staging area. Click the + button next to the version of the tile you want to install.

    [Screenshot: the Twistlock tile added to the staging area]

  7. Click the newly added Twistlock for PCF tile.

    [Screenshot: the Twistlock for PCF tile]

  8. Configure the tile.

    [Screenshot: configuring the Twistlock for PCF tile]

    1. In Assign AZs and Network Assignments, specify where Twistlock Defender should run, then click Save. Twistlock for PCF runs as a service. If you have a dedicated subnet for services, run it there.

      By default, Twistlock performs strict validation of your Cloud Controller's (CC) TLS certificate: it verifies the certificate's name, signer, and validity dates. If the CC presents a self-signed certificate, or one issued by a private CA, strict validation fails. The preferred fix is to keep strict validation enabled and add your CA's certificate to the trusted certificates on the VM where the Twistlock tile runs. Ops Manager can push trusted certificates to every BOSH-deployed VM; see https://docs.pivotal.io/pivotalcf/2-4/customizing/trusted-certificates.html for the procedure.

      The alternative is to enable Skip Cloud Controller TLS validation. The session is still encrypted, but the Defender no longer verifies who is on the other end, so anyone who can intercept traffic between the Defender VM and the CC can present their own certificate and read or alter the exchange. Skip strict validation only when you accept that risk, and only when one of the following applies:

      * The CC uses a self-signed certificate.
      * The CC's certificate is signed by a CA that isn't in the Defender VM's cert store.
      * The address you use to connect to the CC doesn't match the common name (CN) or a subject alternative name (SAN) in the CC's certificate.

      The first two cases are better solved by adding the CA certificate to the trust store; the third by connecting to the CC using a name or IP address that appears in its certificate.

    2. In Twistlock Component Configuration, enter the install command you copied from Twistlock Console, then click Save.

    3. In Credentials, enter your Twistlock Console credentials, then click Save. The account must have the Defender Manager role or higher.

  9. Install the Twistlock tile. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, select Twistlock for PCF, then click Apply Changes.

  10. After the changes are applied, validate that Twistlock Defender is running. Log into Twistlock Console, then go to Manage > Defenders > Manage. In the table of deployed Defenders, you should see a Defender of type PCF.

    [Screenshot: the PCF Defender listed under Manage > Defenders > Manage]
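Strict validation of the Cloud Controller's certificate, as described in the tile configuration (step 8), can fail for three distinct reasons, and the right fix differs for each. The Go program below is an added example written for this page; it is not Twistlock's or Pivotal's code. It generates a private CA and three stand-in CC certificates (every name and address in it is a placeholder invented for the example), runs them through the same checks a strict TLS client performs (signer, validity period, name) using Go's crypto/x509, and shows what enabling Skip Cloud Controller TLS validation amounts to: a certificate from anyone, issued for any name, is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reason summarises the outcome of validating the Cloud Controller's certificate.
type Reason string

const (
	Accepted      Reason = "accepted"
	UnknownSigner Reason = "signer not trusted (self-signed, or CA not in the trust store)"
	NameMismatch  Reason = "address does not match the certificate's CN/SAN"
	Expired       Reason = "certificate is outside its validity period"
)

// issue builds a certificate for cn with the given DNS SANs, signed by parent (self-signed
// when parent is nil). Constructed test data that stands in for the CC's real certificate.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// validateCC applies the three strict-validation checks (signer, validity dates, name).
// With skip set (the Skip Cloud Controller TLS validation option) every certificate is accepted.
func validateCC(cc *x509.Certificate, trusted *x509.CertPool, addr string, skip bool) Reason {
	if skip {
		return Accepted
	}
	_, err := cc.Verify(x509.VerifyOptions{Roots: trusted, DNSName: addr})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Accepted
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return UnknownSigner
	case errors.As(err, new(x509.HostnameError)):
		return NameMismatch
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	default:
		return Reason("rejected: " + err.Error())
	}
}

// Scenarios runs the cases the tile documentation lists; all names are placeholders.
func Scenarios() map[string]Reason {
	const api = "api.sys.example.com"
	inAYear := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey := issue("Example Corp Private CA", nil, true, nil, nil, inAYear)
	cc, _ := issue(api, []string{api}, false, ca, caKey, inAYear)
	selfSigned, _ := issue(api, []string{api}, false, nil, nil, inAYear)
	expired, _ := issue(api, []string{api}, false, ca, caKey, time.Now().Add(-time.Minute))
	untrusted := x509.NewCertPool() // the Defender VM before the CA certificate is added
	trusted := x509.NewCertPool()   // after Ops Manager pushes the CA certificate to the VM
	trusted.AddCert(ca)
	return map[string]Reason{
		"self-signed":               validateCC(selfSigned, untrusted, api, false),
		"private CA, not trusted":   validateCC(cc, untrusted, api, false),
		"private CA, trusted":       validateCC(cc, trusted, api, false),
		"trusted, name not in SAN":  validateCC(cc, trusted, "cc.internal.example", false),
		"trusted, expired":          validateCC(expired, trusted, api, false),
		"skip, attacker's own cert": validateCC(selfSigned, untrusted, "cc.attacker.example", true),
	}
}

func main() {
	for name, reason := range Scenarios() {
		fmt.Printf("%-26s %s\n", name, reason)
	}
}
```

Compare the "private CA, not trusted" and "private CA, trusted" results: the only difference is whether the CA certificate is in the trust store, which is exactly what pushing the CA through Ops Manager's trusted certificates achieves, and it keeps authentication of the CC intact. The "name not in SAN" case is fixed by connecting to an address the certificate actually carries, and the last case shows why the skip option should be a conscious exception rather than a default.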

3. Configure Twistlock to scan a blobstore

Twistlock can scan internal and external blobstores, including blobstores configured to use the Fog Ruby gem or the WebDAV protocol. External blobstores that require a cloud provider's custom authentication flow are not supported (see the prerequisites in section 2).

Procedure

  1. Log into Twistlock Console.

  2. Go to Defend > Vulnerabilities > PCF Blobstore.

  3. Click Add PCF Blobstore settings.

  4. Specify the Cloud Controller. Use an address the Defender VM can reach; if strict TLS validation is enabled (the default), the address must also match a name or IP address in the Cloud Controller's certificate.

  5. Specify the droplets to scan. To scan all droplets, enter a wildcard (*).

  6. Specify the maximum number of droplets to scan. To scan all droplets, enter 0.

  7. Click Add.

  8. Click Save.

4. Review scan reports

Scan reports show all vulnerabilities found in the droplets in blobstores. By default, droplets are rescanned every 24 hours.

Procedure

  1. Log into Twistlock Console.

  2. Go to Monitor > Vulnerabilities > PCF Blobstore to see a list of summary reports for each droplet.

  3. To drill into a specific scan report, click on a row in the table.