Snowcat - A service mesh scanning tool

Snowcat gathers and analyzes the configuration of an Istio cluster and audits it for potential violations of security best practices.

Why We Built Snowcat

Like all cloud infrastructure, Istio requires some hardening effort beyond what a default deployment offers. The Istio Security Best Practices document covers this in great detail. The hardening process has a lot of moving parts, and it's easy to miss a step; each missed step could assist an attacker in compromising the cluster. Snowcat was built to make detecting these missing hardening steps as straightforward as possible.

The two usage modes can help engineers analyze their clusters from different perspectives:

  • The perspective of an attacker that has just obtained code execution on an Istio workload but without any other context or permissions.
  • The perspective of a systems engineer that has the ability to dump all relevant configuration information for analysis.

By implementing analysis methods for both of these perspectives, Snowcat is able to gather a more "complete" picture of the security posture of an Istio cluster.

For more information, please read our blog post.

Install

You can install Snowcat locally by using any one of the options listed below.

Install with go install

$ go install github.com/praetorian-inc/snowcat@latest

Install a release binary

  1. Download the binary for your OS from the releases page.

  2. (OPTIONAL) Download the checksums.txt file to verify the integrity of the archive:

# Compute the checksum of the downloaded archive
$ shasum -a 256 snowcat_${VERSION}_${ARCH}.tar.gz
b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  snowcat_${VERSION}_${ARCH}.tar.gz

# Compare it with the entry recorded in the checksums file; the two lines must match exactly
$ grep snowcat_${VERSION}_${ARCH}.tar.gz snowcat_${VERSION}_${ARCH}_checksums.txt
b05c4d7895be260aa16336f29249c50b84897dab90e1221c9e96af9233751f22  snowcat_${VERSION}_${ARCH}.tar.gz

  3. Extract the downloaded archive:

$ tar -xvf snowcat_${VERSION}_${ARCH}.tar.gz

  4. Move the snowcat binary into your path:

$ mv ./snowcat /usr/local/bin/
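Comparing two 64-character hex strings by eye is error-prone, and it gets worse when you verify several architectures per release. The following Go program is an added example, not part of Snowcat or its release tooling: it parses a sha256sum-style checksums file (one entry per line, digest, two spaces, file name, optionally prefixed with `*`), hashes the archive, and verifies it against the entry for its own base name. It fails closed when the archive is not listed, when the digest differs, or when the checksums file itself is malformed, which is what you want if a download was truncated. The file names in `main` are placeholders.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotListed and ErrMismatch let callers distinguish "file not covered by
// the checksums" from "file covered but tampered/corrupted".
var (
	ErrNotListed = errors.New("archive not listed in checksums file")
	ErrMismatch  = errors.New("checksum mismatch")
)

// ParseChecksums reads sha256sum-style lines ("<hex>  <name>" or "<hex> *<name>")
// and returns a map from file name to lowercase hex digest. Malformed lines are
// rejected rather than skipped so a truncated or edited file is noticed.
func ParseChecksums(r io.Reader) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("checksums line %d: malformed entry %q", n, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("checksums line %d: bad hex digest: %w", n, err)
		}
		// A leading '*' marks binary mode in sha256sum output; it is not part of the name.
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return sums, nil
}

// FileSHA256 streams the file through SHA-256 and returns the lowercase hex digest.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyArchive returns nil only when the archive's digest equals the entry
// recorded for its base name. The digests are public, so the constant-time
// compare is hygiene rather than a requirement.
func VerifyArchive(archivePath string, sums map[string]string) error {
	name := filepath.Base(archivePath)
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%w: %s", ErrNotListed, name)
	}
	got, err := FileSHA256(archivePath)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("%w for %s: got %s, want %s", ErrMismatch, name, got, want)
	}
	return nil
}

func main() {
	// Usage: verify <archive.tar.gz> <checksums.txt>  (file names are placeholders)
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <archive.tar.gz> <checksums.txt>")
		os.Exit(2)
	}
	cf, err := os.Open(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer cf.Close()
	sums, err := ParseChecksums(cf)
	if err == nil {
		err = VerifyArchive(os.Args[1], sums)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK:", filepath.Base(os.Args[1]))
}
```

Run it as `go run verify.go snowcat_${VERSION}_${ARCH}.tar.gz snowcat_${VERSION}_${ARCH}_checksums.txt`; a non-zero exit means do not extract the archive. Note that a checksum only proves the archive matches what the releases page published, not who published it; it protects against corrupt or swapped downloads, not a compromised release pipeline.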

Clone and build yourself

# clone the Snowcat repo
$ git clone https://github.com/praetorian-inc/snowcat.git

# navigate into the repo directory and build
$ cd snowcat
$ go build

# Move the Snowcat binary into your path
$ mv ./snowcat /usr/local/bin

Usage

There are two main modes of operation for Snowcat. With no positional argument, Snowcat assumes it is running inside a workload of an Istio-enabled cluster and begins enumerating the required data. Alternatively, you can point Snowcat at a directory containing Kubernetes YAML files.

Run Snowcat against static configuration information

# running with a directory specified will cause it to run in file analysis mode
./snowcat [options] <directory name>

Run Snowcat in an Istio workload container

./snowcat [options]

Get Help

snowcat help

Command Line Options

Snowcat comes equipped with several command line options to influence the operation of the tool. Additionally, many configuration options can be passed to the tool through a configuration file. By default, Snowcat looks for the config file at ./snowcat.yml (in the directory from which the tool is run); an arbitrary file location can be specified with the -c/--config switch.

Configuration of Snowcat is handled by a combination of Cobra and Viper. This allows Snowcat to be configured through the following methods, in order of precedence.

  1. Command Line Flag
  2. Environment Variables
  3. Configuration File

Note that any data discovered during a run overrides the corresponding configuration options, regardless of how they were set.

The following configuration options can be specified:

  • -c, --config - the configuration file location (default: ./snowcat.yml)

  • -l, --log-level - log level for console output. Logging is handled by Logrus, so the supported levels are trace, debug, info, warning, error, fatal, and panic (default: info).

  • -s, --save-config - if this switch is passed, the configuration of Snowcat will be written out to the specified config file. This is useful if the tool is to be run multiple times on the same cluster, since subsequent runs need fewer arguments. NOTE: this overwrites the existing config file every time.

  • --format [text|json] - the output format for the tool: text for human-readable content, or json for structured output.

  • --export - this flag will cause Snowcat to write the discovered Kubernetes resources to a directory as YAML files.

  • --istio-version - if the Istio control plane version is known prior to running the tool, it can be passed via this flag. It binds to the configuration variable istio-version in the configuration file.

  • --istio-namespace - if the namespace running the Istio control plane is known prior to running the tool, it can be passed via this flag. It binds to the configuration variable istio-namespace in the configuration file.

  • --discovery-address - the address of Istiod's unauthenticated XDS port. It binds to the configuration variable discovery-address.

  • --debugz-address - the address of Istiod's debug API. It binds to the configuration variable debugz-address.

  • --kubelet-addresses - a list of kubelet read-only API addresses (node address and port). It binds to the configuration variable kubelet-addresses.

To set these flags with environment variables, simply uppercase the configuration variable name, and replace dashes with underscores, for example: istio-version -> ISTIO_VERSION
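The three address options above are exactly the endpoints an attacker with code execution on a workload would go looking for, and the debug log quoted in the comments on this page shows Snowcat probing the same targets: the XDS port 15010, the Istiod debug API at /debug/configz on 8080, and the kubelet read-only API on 10255. As an added example that is not Snowcat's own code, the following Go program takes those same three inputs and reports which of them answer without credentials. Assumptions of this example: the `/pods` path is the standard kubelet read-only endpoint and is not taken from this page; the `Exposed` rule (a 2xx HTTP answer, or an accepted TCP connection on the gRPC XDS port, which a plain client cannot speak) is a heuristic of this example; the addresses in `main` are the ones from the quoted log and are placeholders.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Probe is one candidate endpoint to check from inside a workload. An empty
// Path means "TCP connect only", which is all a plain client can do against
// the gRPC XDS port without speaking the protocol.
type Probe struct {
	Name string
	Addr string // host:port
	Path string // HTTP path to request; empty for a TCP-only probe
}

// Finding records what a single probe observed.
type Finding struct {
	Name      string
	Addr      string
	Reachable bool
	Status    int // HTTP status code; 0 for TCP-only probes
}

// Exposed reports whether the endpoint answered without asking for
// credentials. Heuristic of this example: a 2xx on an HTTP probe, or an
// accepted connection on a TCP-only probe. A 401/403 means the port is open
// but authenticated, which is the hardened state.
func (f Finding) Exposed() bool {
	if !f.Reachable {
		return false
	}
	if f.Status == 0 {
		return true
	}
	return f.Status >= 200 && f.Status < 300
}

func runProbe(ctx context.Context, client *http.Client, p Probe) Finding {
	f := Finding{Name: p.Name, Addr: p.Addr}
	if p.Path == "" {
		var d net.Dialer
		conn, err := d.DialContext(ctx, "tcp", p.Addr)
		if err != nil {
			return f // refused, filtered, or timed out
		}
		conn.Close()
		f.Reachable = true
		return f
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://"+p.Addr+p.Path, nil)
	if err != nil {
		return f
	}
	resp, err := client.Do(req)
	if err != nil {
		return f
	}
	resp.Body.Close()
	f.Reachable = true
	f.Status = resp.StatusCode
	return f
}

// ProbeAll runs every probe with a per-probe timeout and returns the findings
// in input order, so callers can line them up with the probes they passed in.
func ProbeAll(ctx context.Context, probes []Probe, timeout time.Duration) []Finding {
	client := &http.Client{Timeout: timeout}
	out := make([]Finding, 0, len(probes))
	for _, p := range probes {
		pctx, cancel := context.WithTimeout(ctx, timeout)
		out = append(out, runProbe(pctx, client, p))
		cancel()
	}
	return out
}

// DefaultProbes builds the candidate list from the same three inputs Snowcat
// accepts on its command line. /debug/configz is the path seen in Snowcat's
// debug log; /pods is the standard kubelet read-only endpoint (assumption,
// not taken from this page).
func DefaultProbes(discoveryAddr, debugzAddr string, kubeletAddrs []string) []Probe {
	probes := []Probe{
		{Name: "istiod XDS port", Addr: discoveryAddr},
		{Name: "istiod debug API", Addr: debugzAddr, Path: "/debug/configz"},
	}
	for _, k := range kubeletAddrs {
		probes = append(probes, Probe{Name: "kubelet read-only API", Addr: k, Path: "/pods"})
	}
	return probes
}

func main() {
	// Placeholder addresses taken from the debug log quoted on this page.
	probes := DefaultProbes("10.0.17.11:15010", "10.0.17.11:8080", []string{"169.254.123.1:10255"})
	for _, f := range ProbeAll(context.Background(), probes, 2*time.Second) {
		fmt.Printf("%-24s %-22s reachable=%-5v status=%-3d exposed=%v\n",
			f.Name, f.Addr, f.Reachable, f.Status, f.Exposed())
	}
}
```

An `exposed=true` line on the debug API or the kubelet read-only port is a finding in its own right: both hand out pod and mesh configuration to anyone on the network, and closing them (or restricting them to the control plane's own network policy) is one of the hardening steps Snowcat is meant to catch. The XDS check only tells you the port accepts connections; whether it actually serves unauthenticated config is what Snowcat's own discovery establishes.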

Owner
Praetorian
Praetorian provides a suite of security solutions that enable clients to solve cybersecurity problems across their enterprise and product portfolios.
Comments
  • container image on ghcr.io is unauthorized to public pulls

    $ docker pull ghcr.io/praetorian-inc/snowcat:latest
    Error response from daemon: Head "https://ghcr.io/v2/praetorian-inc/snowcat/manifests/latest": unauthorized

  • nil pointer dereference in "TLS Validation in Destination Rule" destinationrule Auditor

    • Snowcat version: 0.1.0 Linux AMD64
    • Istio version: 1.11.2

    the deref looks to be here

    # ./snowcat -l debug
    WARN[0000] configuration file not found
    INFO[2021-10-14T22:58:07Z] successfully loaded config file               configFile=snowcat.yml
    INFO[2021-10-14T22:58:07Z] running discovery strategy                    runner=Kubelet strategy=default-gateway
    INFO[2021-10-14T22:58:07Z] attempting to locate default gateway
    INFO[2021-10-14T22:58:07Z] discovered default gateway                    gateway=169.254.1.1
    INFO[2021-10-14T22:58:07Z] scanning for additional potential gateways using HTTP scanner
    DEBU[2021-10-14T22:58:07Z] discovered kubelet api                        addr="169.254.123.1:10255"
    DEBU[2021-10-14T22:58:07Z] resulting kubelet apis                        kubeletAddresses="[169.254.123.1:10255]"
    INFO[2021-10-14T22:58:07Z] running discovery strategy                    runner=Namespace strategy=envoy
    DEBU[2021-10-14T22:58:07Z] sending HTTP request to envoy                 method=GET url="http://localhost:15000/config_dump"
    INFO[2021-10-14T22:58:07Z] running discovery strategy                    runner="Istio Control Plane" strategy=kubelet
    DEBU[2021-10-14T22:58:07Z] connecting to xds                             addr="10.0.17.11:15010"
    DEBU[2021-10-14T22:58:07Z] connecting to xds                             addr="10.0.17.11:15010"
    DEBU[2021-10-14T22:58:07Z] validating debug API with HTTP request        method=HEAD url="http://10.0.17.11:8080/debug/configz"
    DEBU[2021-10-14T22:58:07Z] connecting to xds                             addr="10.0.17.11:15010"
    INFO[2021-10-14T22:58:08Z] running auditor                               auditor="Deny with Positive Match"
    INFO[2021-10-14T22:58:08Z] running auditor                               auditor="TLS Validation in Destination Rule"
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x138e41b]
    
    goroutine 1 [running]:
    github.com/praetorian-inc/snowcat/auditors/destinationrule.(*auditor).Audit(0x2824df0, 0xc001b876c0, 0x6, 0xc0008811e7, 0xc, 0xc001b86730, 0x10, 0x0, 0x0, 0xc000ab4990, ...)
            /home/runner/work/snowcat/snowcat/auditors/destinationrule/cacerts.go:47 +0x57b
    github.com/praetorian-inc/snowcat/pkg/cli.RunSnowcat(0xc0002b6660, 0x0, 0x2)
            /home/runner/work/snowcat/snowcat/pkg/cli/root.go:250 +0x5d5
    github.com/praetorian-inc/snowcat/pkg/cli.glob..func2(0x27dc880, 0xc0002b6660, 0x0, 0x2)
            /home/runner/work/snowcat/snowcat/pkg/cli/root.go:85 +0x3f
    github.com/spf13/cobra.(*Command).execute(0x27dc880, 0xc00003a190, 0x2, 0x2, 0x27dc880, 0xc00003a190)
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:860 +0x2c2
    github.com/spf13/cobra.(*Command).ExecuteC(0x27dc880, 0x7feee0d4f748, 0x0, 0x40e0f8)
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x375
    github.com/spf13/cobra.(*Command).Execute(...)
            /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
    github.com/praetorian-inc/snowcat/pkg/cli.Execute()
            /home/runner/work/snowcat/snowcat/pkg/cli/root.go:171 +0x45
    main.main()
            /home/runner/work/snowcat/snowcat/cmd/snowcat/main.go:24 +0x25
    
  • Adding version parsing for newer discovery process

    • Adding Version() handler for debugz client.
    • Adding Version() parsing to debugz + xds processors
    • Adding some legacy context stuff as well...but it doesn't really matter.
  • added authz policy auditor

    I'm a little not down with how the allow/deny functions look so similar; if there's a better way to do this, I am down to change it up.

    Second, as mentioned in one of the comments, in a case where both a From and a To rule in the same policy have errors, this will shadow the To rule. So is it the case that we want a detailed report of all offenses? I'm not sure; we can talk it out in the morning.

  • invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation

    Deploying it as a Kubernetes Job, following the README, the following error occurred:

    time="2021-10-27T17:48:18Z" level=debug msg="connecting to xds" addr="10.x.y.z:15010"
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x1417e72]

    goroutine 1 [running]:
    github.com/praetorian-inc/snowcat/pkg/xds.(*Client).Version(0xc0005df2d8, {0x19806f0, 0xc00013c020})
            github.com/praetorian-inc/snowcat/pkg/xds/client.go:169 +0xd2
    github.com/praetorian-inc/snowcat/pkg/xds.NewClient({0xc0005df2d8, 0x12})
            github.com/praetorian-inc/snowcat/pkg/xds/client.go:64 +0x173
    github.com/praetorian-inc/snowcat/pkg/runner/istiod.hasDiscoveryService({0xc000bdc4d0, 0xc00004ab80})
            github.com/praetorian-inc/snowcat/pkg/runner/istiod/istiod.go:77 +0x37
    github.com/praetorian-inc/snowcat/pkg/runner/istiod.isDebugIstiod({0xc000bdc4d0, 0x19806f0})
            github.com/praetorian-inc/snowcat/pkg/runner/istiod/istiod.go:94 +0x2d
    github.com/praetorian-inc/snowcat/pkg/runner/istiod.(*kubeletStrategy).Run(0xc0001de540, 0xc000382660)
            github.com/praetorian-inc/snowcat/pkg/runner/istiod/istiod.go:138 +0xd65
    github.com/praetorian-inc/snowcat/pkg/runner.(*Runner).Run(0xc000bee2d0, 0x0)
            github.com/praetorian-inc/snowcat/pkg/runner/runner.go:74 +0x287
    github.com/praetorian-inc/snowcat/pkg/runner.Runners.Run({0xc000bef450, 0x3, 0xc0006bf3f8}, 0xc000382660, 0x0)
            github.com/praetorian-inc/snowcat/pkg/runner/runner.go:94 +0x12e7
    github.com/praetorian-inc/snowcat/pkg/cli.RunSnowcat({0xc00054c0f0, 0x0, 0x0})
            github.com/praetorian-inc/snowcat/pkg/cli/root.go:232 +0x2ab
    github.com/praetorian-inc/snowcat/pkg/cli.glob..func2(0x264bde0, {0xc00054c0f0, 0x5, 0x5})
            github.com/praetorian-inc/snowcat/pkg/cli/root.go:95 +0x27
    github.com/spf13/cobra.(*Command).execute(0x264bde0, {0xc000138130, 0x5, 0x5})
            github.com/spf13/[email protected]/command.go:860 +0x5f8
    github.com/spf13/cobra.(*Command).ExecuteC(0x264bde0)
            github.com/spf13/[email protected]/command.go:974 +0x3bc
    github.com/spf13/cobra.(*Command).Execute(...)
            github.com/spf13/[email protected]/command.go:902
    github.com/praetorian-inc/snowcat/pkg/cli.Execute()
            github.com/praetorian-inc/snowcat/pkg/cli/root.go:187 +0x35
    main.main()
            github.com/praetorian-inc/snowcat/cmd/snowcat/main.go:24 +0x17
