云安全系列

收集与云安全相关的文章和工具

索引

• 文章

• 蓝队

  • 工具
    • IAC扫描
    • IAC用例
    • 基线扫描
    • 合规
    • 供应链安全
    • 流量测防护
    • 开源防护软件
    • 公司

• 红队

  • 工具

• 交流讨论

内容

文章

• 【云攻防系列】从攻击者视角聊聊K8S集群安全（上）
• K8s提权之RBAC权限滥用
• 云原生之Kubernetes安全
• 浅谈云安全之K8S
• K8S Runtime入侵检测之Falco
• 浅谈云安全之K8S
• RunC TOCTOU逃逸CVE-2021-30465分析
• docker 利用特权模式逃逸并拿下主机
• 【技术分享】利用Dirty Cow实现docker逃逸（附演示视频）
• 2022云原生安全发展24个洞见
• Docker逃逸初探
• K8s污点容忍度横向主节点
• 记录一次平平无奇的云上攻防过程
• 浅谈Service Mesh体系中的Envoy
• Envoy原理介绍及线上问题踩坑
• 从零开始的Kubernetes攻防
• 自动化挖掘gRPC网络接口漏洞
• envoy代理下使用wasm开发WAF
• Extending Envoy Proxy - WASM Filter with Golang
• k8s攻防脑图
• 云原生安全攻防 | 使用eBPF逃逸容器技术分析与实践
• 从攻击者视角聊聊K8S集群安全
• Security risk analysis for Kubernetes resources
• Secure secret management for Kubernetes (with gpg, Google Cloud KMS and AWS KMS backends)
• node-problem-detector
• 云安全架构连载之三-超大型企业混合云安全架构最佳实践
• kubescape
• detect-secrets
• k8s-unused-secret-detector
• trufflehog
• dockle
• awesome-k8s-security
• rbac-police
• kubesec
• kubernetes-secrets
• cloud att&&ck
• Serverless-Goat
• rbacr
• owasp-kubernetes-top-ten
• k8s-env-injector
• kubernetes-sidecar-injector
• vArmor
• badrobot
• prowler 公有云合规检测工具
• amicontained 检测系统启动容器后需要的各种capability
• kubehound
• dagda
• 白皮书
• ccat aws镜像投毒
• traitor 容器逃逸，比较特殊的带gtfbin
• 云原生加固白皮书
• go2seccomp
• kuasar kuasar云原生沙箱
• vArmor varmor云原生沙箱
• k8s攻击手法 云攻防之容器逃逸与k8s攻击手法
• k8s攻击手法 云攻防之容器逃逸与k8s攻击手法
• 运营 容器安全运营
• TerraformGoat 云安全靶场
• ScoutSuite Multi-Cloud Security Auditing Tool
• hubble Hubble - Network, Service & Security Observability for Kubernetes using eBPF
• teamsix云攻防 teamsix的云攻防
• 云顶维护的云安全知识裤 cloud-security-guides
• splunk account takeover detect account takeover
• 云原生安全工具 云原生安全工具
• peirates Peirates - Kubernetes Penetration Testing tool
• cncf-security-audits cfcn项目审计
• cloudsecurityalliance cloudsecurityalliance
• my-re0-k8s-security my-re0-k8s-security
• other-projects-from-fairwinds other-projects-from-fairwinds
• enforcing-rbac-in-kubernetes-tutorial enforcing-rbac-in-kubernetes-tutorial
• 云安全攻防在线book 云安全攻防在线book
• 云渗透操作系统 云渗透操作系统
• audit2rbac audit2rbac
• rakkess rakkess
• managed-kubernetes-auditing-toolkit managed-kubernetes-auditing-toolkit
• botb botb
• Mindmaps aws渗透手册
• namespacehound wiz多租户namespace检测工具
• runc漏洞检测 runc漏洞检测

资料

• helm官方文档
• k8s包管理工具helm中文文档
• Envoy 中文指南

蓝队工具

IAC(Infrastructure-as-Code)扫描

• chart-verifier - Rules based tool to certify Helm charts
• terraform - Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
• trivy - Docker containers vulnerability scan
• kube-bench - kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
• tfsec - tfsec uses static analysis of your terraform code to spot potential misconfigurations.
• Tracee - Tracee: Runtime Security and Forensics using eBPF
• kubeconform - Kubeconform is a Kubernetes manifests validation tool. Build it into your CI to validate your Kubernetes configuration!
• kube-linter - KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
• checkov - Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
• helm-opa - This plugin enables you to check your rendered templates files again Open Policy Agent policies to ensure that they match your policies.
• veinmind - 容器安全工具集
• syft - A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.
• grype - A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.
• nuclei - Fast and customisable vulnerability scanner based on simple YAML based DSL.
• chart-testing - ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.
• terratest - Terratest is a Go library that makes it easier to write automated tests for your infrastructure code.
• utrace - UTrace is a tracing utility that leverages eBPF to trace both user space and kernel space functions
• copacetic - copa is a CLI tool written in Go and based on buildkit that can be used to directly patch container images given the vulnerability scanning results from popular tools like Trivy.

IAC用例

• terraform-examples - Rules based tool to certify Helm charts
• kubernetes-demo - kubernetes-demo
• helm-charts-examples - helm-charts-examples

规则集

• defsec - DefSec is a collection of Infrastructure-as-Code rules.

基线检测

• kube-bench - kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
• docker-bench - Docker-bench is a Go application that checks whether Docker is deployed securely by running the checks documented in the CIS Docker Benchmark.
• linux-bench - Linux-bench is a Go application that checks whether the Linux operating system is configured securely by running the checks documented in the CIS Distribution Independent Linux Benchmark.
• containerd-bench-security - The Containerd Bench for Security is a script that checks for dozens of common best-practices around deploying containers with containerd in production. The tests are all automated, and are based on the CIS Docker Benchmark v1.3.1.

供应链安全

• cosign - Container Signing, Verification and Storage in an OCI registry.
• DependencyCheck - Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
• kubeclarity - KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.

WAF

• tong - 基于envoy代理下的wasm waf插件
• envoy-filter-log4shell - Plugable Envoy WebAssembly L7 (HTTP) firewall to prevent log4shell vulnerability injections.
• proxy-wasm-cpp-sdk - The SDK has dependencies on specific versions of the C++ WebAssembly toolchain Emscripten (https://emscripten.org) and the protobuf library, therefor use of a Docker image is recommended.
• coraza-proxy-wasm - Web Application Firewall WASM filter built on top of Coraza and implementing the proxy-wasm ABI. It can be loaded directly from Envoy or also used as an Istio plugin.
• gotestwaf - GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, and others.

流量代理

• envoy - ENVOY IS AN OPEN SOURCE EDGE AND SERVICE PROXY, DESIGNED FOR CLOUD-NATIVE APPLICATIONS
• cn-series-helm - This repository contains charts and templates for deploying the Palo Alto Networks CN-series containerized firewall using the Helm Package Manager for Kubernetes

开源防护软件

• neuvector - NeuVector Full Lifecycle Container Security Platform delivers the only cloud-native security with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.
• cilium - Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.
• HummerRisk - 检测公有云和云原生安全
• curiefense - Curiefense is a new application security platform, which protects sites, services, and APIs. It extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross site scripting (XSS), account takeovers (ATOs), application-layer DDoS, remote file inclusion (RFI), API abuse, and more.
• CloudExplorer-Lite - 开源轻量级云管平台

红队工具

• shovel - docker escape
• CDK - Zero Dependency Container Penetration Toolkit
• k0otkit - k0otkit is a universal post-penetration technique which could be used in penetrations against Kubernetes clusters.
• kubeletctl - Kubeletctl is a command line tool that implement kubelet's API.
• container-escape-check - docker escape check list
• pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
• cloudfox - Automating situational awareness for cloud penetration tests.
• kubeletmein - Security testing tool for Kubernetes, abusing kubelet credentials on public cloud providers.
• CloudPrivs - Determine privileges from cloud credentials via brute-force testing
• kubetcd - etcd后渗透
• Nebula - Nebula is a cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components.
• botb - BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.

云原生相关工具

• protobuf - Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data

• ko - ko is a simple, fast container image builder for Go applications.

• func-e - func-e makes running Envoy® easy

• oci-seccomp-bpf-hook - Terratest is a Go library that makes it easier to write automated tests for your infrastructure code.

协议解密

• pbtk - Protobuf is a serialization format developed by Google and used in an increasing number of Android, web, desktop and more applications. It consists of a language for declaring data structures, which is then compiled to code or another kind of structure depending on the target implementation.
• protobuf_decode - decode the protobuf field value without the proto file.
• protodec - util can decode protobuf raw

靶场

• 靶场 - 自动化搭建从简单到复杂的脆弱云原生靶机环境。

监控

https://pkg.go.dev/k8s.io/utils/inotify#Watcher.AddWatch

公司

• paloalto - paloalto cnapp
• wiz - wiz
• aqua - aqua
• armo - armo
• 青藤 - 青藤
• 小佑 - 小佑
• 探针科技 - 探针科技
• neuvecotr - suse neuvector
• cloudstrike - cloudstrike
• prowler - cspm prowler

漏洞修复

• copacetic - copa is a CLI tool written in Go and based on buildkit that can be used to directly patch container images given the vulnerability scanning results from popular tools like Trivy.

靶场

• cloudgoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool

交流讨论

欢迎关注公众号，一起交流学习。