CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources

Ermetic is proud to announce the release of the open source CNAPPgoat project, developed and maintained by the Ermetic research team. 
Ermetic自豪地宣布发布由Ermetic研究团队开发和维护的开源CNAPPgoat项目。

CNAPPgoat is intended to reinvent the creation of vulnerable cloud infrastructure for a variety of purposes (see below). 
CNAPPgoat旨在为各种目的重塑易受攻击的云基础设施的创建（见下文）。

This blog post explains why CNAPPgoat is important and how you can get started. 
这篇博文解释了为什么CNAPPgoat很重要以及如何开始。

First Things First – What is CNAPP Anyway? 
首先要做的是 – CNAPP到底是什么？

CNAPP (or Cloud Native Application Protection Platform) is a relatively new Gartner product category defined as “a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production”. Simply put, CNAPP solutions help you transition your cloud infrastructure security practice from a layered (or even siloed) approach where different aspects of security (such as posture, network, runtime, compute, data, etc.) are handled separately to an holistic and comprehensive approach where they’re united in a single platform. As you may imagine, CNAPP solutions include the capabilities of multiple (more veteran) product categories such as CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform) and CIEM (Cloud Infrastructure Entitlements Management). 
CNAPP（或云原生应用保护平台）是一个相对较新的Gartner产品类别，定义为“一套统一且紧密集成的安全性和合规性功能，旨在保护开发和生产过程中的云原生应用”。简而言之，CNAPP 解决方案可帮助您将云基础架构安全实践从分层（甚至孤立）方法（其中安全的不同方面（如状态、网络、运行时、计算、数据等）单独处理）转变为整体和全面的方法，其中它们统一在一个平台中。正如您可能想象的那样，CNAPP解决方案包括多个（更资深）产品类别的功能，例如CSPM（云安全态势管理），CWPP（云工作负载保护平台）和CIEM（云基础设施权利管理）。

So… What is CNAPPgoat? 
所以。。。什么是CNAPP山羊？

CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments (currently supporting AWS, Azure and GCP). 
CNAPPgoat是一个开源项目，旨在模块化地在云环境中配置易受攻击的设计组件（目前支持AWS，Azure和GCP）。

Unlike other projects which may also fit this description (the most popular are probably CloudGoat and CloudFoxable), CNAPPgoat is NOT designed to simply illustrate possible attack paths.  Rather, it includes atomic, (and down the line – more complex) vulnerable scenarios that together will provide as much coverage as possible of the misconfigurations and risks that could potentially be exploited by an attacker. 
与其他可能也符合此描述的项目不同（最受欢迎的可能是CloudGoat和CloudFoxable），CNAPPgoat并非旨在简单地说明可能的攻击路径。 相反，它包括原子的（以及更复杂的）易受攻击的场景，这些场景将尽可能多地覆盖可能被攻击者利用的错误配置和风险。

The scenarios available in CNAPPgoat are divided into modules corresponding with the various security capabilities included in the CNAPP specification (hence the name – CNAPPgoat!) and serve a specific cloud service provider (AWS, Azure, GCP, etc.). 
CNAPPgoat 中可用的场景分为与 CNAPP 规范中包含的各种安全功能对应的模块（因此得名 – CNAPPgoat！），并为特定的云服务提供商（AWS、Azure、GCP 等）提供服务。

This structure makes it possible to provision only scenarios from a specific module or modules to address different use cases and different consumers (see below). In addition, this design makes reviewing and understanding the scenarios much easier (whether you want to find a specific scenario or add a new one). It helps break down a very complicated and multidimensional challenge into more easily digestible parts. 
这种结构使得可以仅从一个或多个特定模块预配场景，以解决不同的用例和不同的使用者（见下文）。此外，此设计使查看和理解方案变得更加容易（无论您是要查找特定方案还是添加新方案）。它有助于将非常复杂和多维的挑战分解为更容易消化的部分。

Currently, the following modules are supported: 
目前支持以下模块：

• CIEM – scenarios relevant to the management of identities and entitlements, such as the unintended ability of an identity to escalate its privileges   
  CIEM – 与身份和权利管理相关的方案，例如身份升级其特权的意外能力
• CWPP  – scenarios relevant to the exposure of workloads to vulnerabilities, for example, by running vulnerable/end of life software or OS version   
  CWPP – 与工作负载暴露在漏洞中相关的方案，例如，通过运行易受攻击/生命周期结束的软件或操作系统版本
• CSPM – scenarios relating to the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources 
  CSPM – 与云基础架构组件（例如公开的存储资源）的错误配置相关的方案

We will soon add support for IAC (that is – infrastructure as code scanning, or the practice of finding misconfigurations directly in the code) and a CNAPP module which will include elaborate scenarios that describe popular attack paths leveraged by malicious entities. 
我们将很快添加对 IAC 的支持（即基础结构即代码扫描，或直接在代码中查找错误配置的做法）和 CNAPP 模块，该模块将包括描述恶意实体利用的流行攻击路径的详细场景。

Why Should You Care? 
你为什么要关心？

The ability to easily provision a vulnerable environment with broad coverage of possible risk scenarios has tremendous potential.  
轻松配置易受攻击的环境并广泛覆盖可能的风险场景的能力具有巨大的潜力。

Killer applications – to name just a few: 
杀手级应用 – 仅举几例：

• Security teams can benchmark CNAPP solutions against known environments so they can prove their ability to deliver what they promise. 
  安全团队可以根据已知环境对 CNAPP 解决方案进行基准测试，以便证明他们有能力兑现承诺。
• Security professionals can use it (responsibly and with extreme caution!) to create a sandbox for testing their teams, procedures and protocols. 
  安全专业人员可以使用它（负责任且极其谨慎！）创建一个沙箱来测试他们的团队、程序和协议。
• Instructors can use it to create vulnerable environments for hands-on workshops or chalk talks ( we’ve already done this successfully) 
  讲师可以使用它来为动手研讨会或粉笔讲座创建易受攻击的环境（我们已经成功地做到了这一点）
• Pentesters can use it to provision a “shooting range” to test their skills at exploiting the scenarios and developing relevant capabilities. (We also feel the need to mention in this context two great pen-testing projects – pacu and Stratus Red Team) 
  渗透测试人员可以使用它来提供一个“射击场”，以测试他们利用场景和开发相关能力的技能。（在这种情况下，我们也觉得有必要提到两个伟大的渗透测试项目——pacu 和 Stratus Red Team）
• Educators can create a learning environment where cloud infrastructure risks  can be explored, understood – and avoided. 
  教育工作者可以创建一个学习环境，在其中可以探索、理解和避免云基础架构风险。

Since it’s open source, you can contribute your own scenarios and together, as a community, – we can make and maintain CNAPPGoat as comprehensive as possible. 
由于它是开源的，你可以贡献自己的场景，作为一个社区，我们可以尽可能全面地制作和维护CNAPPGoat。

The initial version released is just a starting point and we’re looking forward to seeing more and more scenarios added.
发布的初始版本只是一个起点，我们期待看到越来越多的场景被添加。

How To Use CNAPPgoat? 
如何使用CNAPP山羊？

The basic process of using CNAPPgoat is quite simple: 
使用CNAPPgoat的基本流程非常简单：

1. Select the scenario(s) and/or module(s) you want to provision (or the entire set) 
   选择要预配的方案和/或模块（或整个集合）
2. Provision the vulnerable infrastructure in dedicated test accounts
   在专用测试帐户中预配易受攻击的基础结构
3. Use the environment as described in the use cases above. 
   按照上述用例中的说明使用环境。
4. Destroy the provisioned environment. 
   销毁预配的环境。

Easy to create – easy to destroy. No unneeded vulnerable components left behind for you to worry about (and pay for). 
易于创建 – 易于破坏。没有留下不必要的易受攻击的组件供您担心（和付费）。

We will now walk you through a simple example of getting started with CNAPPgoat (it’s highly recommended to go through the README to get oriented with the tool). 
现在，我们将引导您完成一个开始使用 CNAPPgoat 的简单示例（强烈建议您阅读自述文件以开始使用该工具）。

Getting Started  开始

First make sure you have the prerequisites installed.
首先，请确保已安装必备组件。

Next – download the CNAPPgoat executable compiled for your OS from our release page. 
接下来 – 从我们的发布页面下载为您的操作系统编译的 CNAPPgoat 可执行文件。

Optional: Pulling the Scenarios Repo 
可选：拉取方案存储库

The currently available scenarios are managed in a Github repository.These scenarios are automatically downloaded when you run CNAPPgoat and are stored in the `~/.cnappgoat/scenarios` directory.
当前可用的方案在 Github 存储库中进行管理。这些场景会在您运行 CNAPPgoat 时自动下载，并存储在 ‘~/.cnappgoat/scenario’ 目录中。

However – if you wish to review the scenarios yourself (and perhaps even contribute to them) – you can pull the repository. 
但是 – 如果您希望自己查看场景（甚至可能为它们做出贡献） – 您可以拉取存储库。

It’s possible to define a custom path to get scenarios from a local folder – but let’s keep things simple for now.  
可以定义自定义路径以从本地文件夹获取方案 – 但让我们暂时保持简单。

Setting Up Cloud Credentials 
设置云凭据

Remember: CNAPPGoat deploys vulnerable environments. Only use it within safe, controlled sandboxes. 
请记住：CNAPPGoat 部署易受攻击的环境。仅在安全、受控的沙盒中使用它。

It goes without saying that experiments with CNAPPgoat should ONLY BE DONE IN TEST ACCOUNTS COMPLETELY SEPARATE FROM YOUR BUSINESS ENVIRONMENT. 
不言而喻，CNAPPgoat 的实验只能在与您的业务环境完全分开的测试帐户中进行。

Running CNAPPgoat  运行CNAPP山羊

Now, we’re ready to kick things off with CNAPPgoat. 
现在，我们已经准备好与CNAPPgoat一起开始。

First, we’ll list the available scenarios by running the list command: 
首先，我们将通过运行 list 命令列出可用的方案：

For each scenario, you can see which platform (cloud service provider) it’s designed for and which module (CIEM / CSPM / CWPP) it belongs to. The names are also pretty self-explanatory. 
对于每个方案，您可以查看它专为哪个平台（云服务提供商）设计，以及它属于哪个模块（CIEM / CSPM / CWPP）。这些名字也是不言自明的。

If you’re only interested in a specific module, you can use the global option –module to specify the module you’re interested in. For example, if we only want to see the currently available CSPM modules we’ll run: 
如果您只对特定模块感兴趣，则可以使用全局选项 –module 来指定您感兴趣的模块。例如，如果我们只想查看当前可用的 CSPM 模块，我们将运行：

The Status column on the right indicates which scenarios have been deployed, which have not, and which have been destroyed (that is – deployed and then destroyed). 
右侧的“状态”列指示哪些方案已部署、哪些方案尚未部署以及哪些方案已销毁（即 – 已部署，然后销毁）。

If you’re interested in acquiring more information about a specific scenario – you can do so using the describe command, for example: 
如果有兴趣获取有关特定方案的详细信息，可以使用 describe 命令执行此操作，例如：

will produce the following output: 
将生成以下输出：

In order to provision a scenario / multiple scenarios / a module, you can use the “provision” command. If you simply run: 
为了配置一个场景/多个场景/一个模块，您可以使用“provision”命令。如果您只是运行：

All scenarios will be deployed upon your confirmation (use this carefully): 
所有方案将在您确认后部署（请谨慎使用）：

If you state as an argument a space-delimited list of selected scenarios it will provision them, for example: 
如果将所选方案的空格分隔列表声明为参数，它将预配它们，例如：

CNAPPgoat will present you with a log (partially shown in Figure 5, as it’s a bit much) of the operations performed and will present you with the end result of the process: 
CNAPPgoat 将为您提供所执行操作的日志（部分显示在图 5 中，因为它有点多），并向您显示该过程的最终结果：

Note that when you do this for the first time, CNAPPgoat will also take care of necessary dependencies installation – so it may take a while. Go get some coffee. 
请注意，当您第一次执行此操作时，CNAPPgoat 还将负责必要的依赖项安装 – 因此可能需要一段时间。去喝杯咖啡。

Once the provisioning is complete, you can check the new resources in your cloud environment. 
预配完成后，可以检查云环境中的新资源。

Now. if you perform the list function – you will see that it clearly indicates the deployed scenarios: 
现在。如果执行列表功能 – 您将看到它清楚地指示了已部署的方案：

Rather than deploying scenarios individually, – you can provision an entire module using the global option –module:  
而不是单独部署方案， – 您可以使用全局选项 –module 预配整个模块：

As this may also be a significant operation, it requires confirmation – after that, all scenarios in the selected module will be provisioned, and the output will look something like this: 
由于这也可能是一项重要的操作，因此需要确认 – 之后，将预配所选模块中的所有方案，输出将如下所示：

As you can see from Figure 8, in case there were any errors in the process of provisioning the scenarios, they are indicated in the output, and you can review the entire log to see exactly what went wrong. For example, the error we got in the above process can be tracked to an invalid zone issue: 
如图 8 所示，如果在预配方案的过程中出现任何错误，则会在输出中指示这些错误，您可以查看整个日志以准确了解出了什么问题。例如，我们在上述过程中得到的错误可以跟踪到无效区域问题：

Once you’re done using the deployed scenarios, similar to provisioning them, you can destroy all or specific scenarios / modules with the destroy command: 
使用完已部署的方案（类似于预配它们）后，可以使用 destroy 命令销毁所有或特定方案/模块：

Since now we simply want to clean up, we’ll just run it without any arguments and confirm the operation: 
由于现在我们只想清理，我们将在没有任何参数的情况下运行它并确认操作：

Once the process is done, we see the following output, clearly indicating what has been destroyed: 
该过程完成后，我们会看到以下输出，清楚地指示已销毁的内容：

And that about does it! We’ve gone through the basics of using the CNAPPgoat framework.You now know how to explore the tool for existing scenarios, provision and destroy selected scenarios / modules. 
就这样吧！我们已经了解了使用 CNAPPgoat 框架的基础知识。您现在知道如何为现有方案探索该工具，预配和销毁选定的方案/模块。

Where Do We Go From Here? 
我们该何去何从？

To the moon!  去月球！

As mentioned before – this is just the start. The first step of a very long journey, if you will. 
如前所述 – 这只是一个开始。如果你愿意的话，这是漫长旅程的第一步。

We firmly believe in the potential of this modular approach to enable almost anyone, regardless of expertise level, to leverage this tool for commercial, technical and educational purposes. 
我们坚信这种模块化方法的潜力，使几乎任何人，无论其专业水平如何，都可以将此工具用于商业、技术和教育目的。

Soon, we’ll release additional artifacts including deeper technical dives and guides to further support you in using the tool and making contributions. This is also the place to note that any contribution – whether new complete scenarios, scenario proposals , issues, suggestions, feature requests or simply sharing this with your network or organization – would be highly appreciated. If in doubt – just reach out, we’d love to hear from you.  
很快，我们将发布其他项目，包括更深入的技术介绍和指南，以进一步支持你使用该工具并做出贡献。这也是需要注意的地方，任何贡献 – 无论是新的完整场景，方案提案，问题，建议，功能请求还是简单地与您的网络或组织共享 – 都将受到高度赞赏。如有疑问 – 请联系我们，我们很乐意收到您的来信。

Cyber security, and specifically cloud security, should be a team sport. And as an industry and community, we’ll be much better off if we join our hands and CNAPPgoat is a great platform to do so. 
网络安全，特别是云安全，应该是一项团队运动。作为一个行业和社区，如果我们携手合作，我们会变得更好，CNAPPgoat是一个很好的平台。

原文始发于Lior Zatlavi ：CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources