This document outlines deploying the wiz-cli docker image as an Azure Container Instance.
By reusing the wiz-cli docker image (and changing its entrypoint) you leverage the supported docker image.
This TechNote illustrates scanning IaC templates, but can be extended or modified for other use cases.
This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects.
There are two scanning options (Same Account, Hub and Target) and two credential options (SaaS, Compute).
Agentless Workload Scanning
This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Hub and Target model with Prisma Cloud SaaS credentials.
Onboarding Projects in Prisma Cloud > Settings > Cloud Accounts provides almost all of the necessary configuration, with only cross-project configuration required to support the Hub and Target model.
In this document, each GCP Project and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.
This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Same Account model, with Prisma Cloud Compute credentials.
In this document, the GCP Project, its Service Account, and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.
Set the following environment variable (locally, or in CloudShell) to define the name of the Project:
This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Hub and Target model, with Prisma Cloud Compute credentials.
In this document, each GCP Project, its Service Account, and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps.
Set the following environment variables (locally, or in CloudShell) to define the name of the Hub and Target Projects:
| #!/usr/bin/env ruby | |
| require 'uri' | |
| require 'net/http' | |
| # require 'openssl' | |
| #### METHODS | |
| def get_package(package) | |
| if (matched = package.match(%r{^(?<name>.+)-(?<version>[^-]+)-(?<release>[^-]+)\.(?<architecture>\w+)})) |
| #!/bin/bash | |
| [ "$PT_noop" = "true" ] && NOOP_FLAG="--noop" || unset NOOP_FLAG | |
| puppet_command="/opt/puppetlabs/bin/puppet agent --onetime --verbose --no-daemonize --no-splay --no-usecacheonfailure --no-use_cached_catalog $NOOP_FLAG" | |
| # Sometimes it takes more than one run ... | |
| # Retries until idempotent or error. | |
| # | |
| # Waits for up to five minutes for an in-progress puppet run to complete. |
| #!/usr/bin/env ruby | |
| # Change into the Support Script output directory, and execute this script. | |
| # Or, pass the directory as the parameter. | |
| require 'json' | |
| # Convert JAVA_ARGS string to a Hash. | |
| def java_args_to_hash(s) |
Verify the server setting in puppet.conf on the Agent is set to the Master (or the Load Balancer of the Master).
Note the datetime stamp of the files in puppet/ssl on the Agent
Review the Application and System logs.
Execute puppet agent -t as root on Linux or an Administrator on Windows.
Execute puppet cert list or puppetserver ca list on the Master
PuppetDB only stores one catalog and factset per node (but n number of reports), so deleting older catalog and fact queue files older than an hour (given runinterval=30) could allow PuppetDB to catch up on the queue, and would not have an impact on the data in PostgreSQL. To delete older catalogs and factsets (that would have been replaced by newer catalogs and factsets) from the PuppetDB queue:
find /opt/puppetlabs/server/data/puppetdb/stockpile/cmd/q -name "*_catalog_9_*.json.gz" -mmin +60 -delete
find /opt/puppetlabs/server/data/puppetdb/stockpile/cmd/q -name "*_facts_5_*.json.gz" -mmin +60 -delete