Ensure that the Secure Boot security feature is enabled for your GKE cluster nodes to protect them against malware and rootkits. Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.
PoC代码[已公开]
id: gcloud-gke-secure-boot-disabled
info:
name: GKE Node Pools Without Secure Boot Enabled
author: princechaddha
severity: medium
description: |
Ensure that the Secure Boot security feature is enabled for your GKE cluster nodes to protect them against malware and rootkits. Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.
impact: |
Without Secure Boot enabled, cluster nodes are more vulnerable to boot-level and kernel-level malware and rootkits that could compromise the entire node's security.
remediation: |
Re-create your node pools with Secure Boot enabled using:
gcloud container node-pools create POOL_NAME --cluster=CLUSTER_NAME --shielded-secure-boot
reference:
- https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-secure-boot.html
tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,boot,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let cluster of iterate(template.clusters)){
cluster = JSON.parse(cluster)
set("clusterName", cluster.name)
set("location", cluster.location)
code(3)
for(let nodePool of iterate(template.nodePools)){
nodePool = JSON.parse(nodePool)
set("nodePoolName", nodePool.name)
code(4)
}
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud container clusters list --project $projectId --format="json(name,location)"
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container node-pools list --cluster $clusterName --location $location --project $projectId --format="json(name)"
extractors:
- type: json
name: nodePools
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container node-pools describe $nodePoolName --cluster $clusterName --location $location --project $projectId --format="yaml(config.shieldedInstanceConfig.enableSecureBoot)"
matchers:
- type: word
words:
- "shieldedInstanceConfig: {}"
- "null"
extractors:
- type: dsl
dsl:
- '"Node pool " + nodePoolName + " in GKE cluster " + clusterName + " (" + location + ") of project " + projectId + " does not have Secure Boot enabled"'
# digest: 490a0046304402203d5733acbf3814baba82393e9af6d0be0dc2ed3ccfad787cbc1acb2d5c3f8a2a02207e104212ffe46383682d8ad138d28a4fcf2a0ab5c33418b2f92c368ea36390b2:922c64590222798bb761d5b6d8e72950