salrashid123 / gcp_tokendistributor

Remote Authorization and TokenDistributor for GCP VMs
Apache License 2.0

Check Integrity event logs #1

Open salrashid123 opened 4 years ago

salrashid123 commented 4 years ago

The tokenserver should also scan StackDriver logs for the TokenClient and check for integrity event logs before returning the secret.

e.g. somewhere here, add a check similar to the snippet below.

"bob" will need to grant alice and the tokenServer's service account the roles/logging.Viewer role on the tokenclient project.

https://cloud.google.com/security/shielded-cloud/automating-responses-integrity-failures

package main

import (
    "context"
    "fmt"
    "log"

    "cloud.google.com/go/logging/logadmin"
    "google.golang.org/api/iterator"
    "google.golang.org/api/option"
)

// The identity running this needs roles/logging.viewer on the TokenClient's project.

func main() {

    projectID := "mineral-minutia-820"
    instanceId := "4221951316531624448"
    timestamp := "2020-07-26T17:22:39.818877767Z"

    ctx := context.Background()

    // Read-only scope is enough: this client only lists entries.
    client, err := logadmin.NewClient(ctx, projectID, option.WithScopes("https://www.googleapis.com/auth/logging.read"))
    if err != nil {
        log.Fatal(err)
    }
    defer client.Close()

    // Only Shielded VM integrity events for this instance, no older than the
    // given timestamp (e.g. the instance's boot time).
    //   @type: "type.googleapis.com/cloud_integrity.IntegrityEvent"
    //   sevLaunchAttestationReportEvent
    filter := fmt.Sprintf(`resource.type="gce_instance" AND logName="projects/%s/logs/compute.googleapis.com%%2Fshielded_vm_integrity" AND jsonPayload."@type"="type.googleapis.com/cloud_integrity.IntegrityEvent" AND resource.labels.instance_id="%s" AND timestamp>="%s"`, projectID, instanceId, timestamp)
    it := client.Entries(ctx, logadmin.Filter(filter))

    for {
        le, err := it.Next()
        if err == iterator.Done {
            break
        }
        if err != nil {
            log.Fatalf("Error getting log entries: %v", err)
        }
        // todo: parse payload as "type.googleapis.com/cloud_integrity.IntegrityEvent"
        // (for JSON payloads le.Payload holds a *structpb.Struct)
        log.Printf("%v\n", le.Payload)
    }

}

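To show what the "check for integrity event logs before returning the secret" decision could look like once the entries above have been fetched, here is an added example (not the project's code and not from the issue author): it takes the jsonPayload of each returned entry and fails closed unless it sees a passing early-boot and a passing late-boot report for the instance. The field names earlyBootReportEvent, lateBootReportEvent and policyEvaluationPassed follow the Shielded VM integrity-monitoring documentation linked above and are treated here as an assumption about the payload shape; the sample payloads are constructed, and CheckIntegrity and SamplePayloads are this example's own names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

const integrityEventType = "type.googleapis.com/cloud_integrity.IntegrityEvent"

// reportEvent mirrors the earlyBootReportEvent / lateBootReportEvent objects of the
// integrity log payload (assumed shape); only policyEvaluationPassed is needed.
type reportEvent struct {
	PolicyEvaluationPassed bool `json:"policyEvaluationPassed"`
}

// integrityEvent is the subset of the jsonPayload this check reads. Entries that
// carry other sub-events (startupEvent, shutdownEvent, ...) leave both pointers nil.
type integrityEvent struct {
	Type                 string       `json:"@type"`
	EarlyBootReportEvent *reportEvent `json:"earlyBootReportEvent"`
	LateBootReportEvent  *reportEvent `json:"lateBootReportEvent"`
}

// CheckIntegrity takes the jsonPayload of every entry the log query returned for
// the TokenClient instance since its boot timestamp and returns nil only if it saw
// both an early-boot and a late-boot report and every report passed policy
// evaluation. It fails closed: no entries, a malformed payload, an unexpected
// @type or any failed evaluation is an error, so the TokenServer withholds the secret.
func CheckIntegrity(payloads []json.RawMessage) error {
	if len(payloads) == 0 {
		return errors.New("no integrity events for instance in window")
	}
	sawEarly, sawLate := false, false
	for i, raw := range payloads {
		var ev integrityEvent
		if err := json.Unmarshal(raw, &ev); err != nil {
			return fmt.Errorf("entry %d: malformed payload: %w", i, err)
		}
		if ev.Type != integrityEventType {
			return fmt.Errorf("entry %d: unexpected @type %q", i, ev.Type)
		}
		if r := ev.EarlyBootReportEvent; r != nil {
			if !r.PolicyEvaluationPassed {
				return fmt.Errorf("entry %d: early boot policy evaluation failed", i)
			}
			sawEarly = true
		}
		if r := ev.LateBootReportEvent; r != nil {
			if !r.PolicyEvaluationPassed {
				return fmt.Errorf("entry %d: late boot policy evaluation failed", i)
			}
			sawLate = true
		}
	}
	if !sawEarly || !sawLate {
		return errors.New("incomplete evidence: need passing early and late boot reports")
	}
	return nil
}

// SamplePayloads returns constructed (not real) log payloads for one boot: a
// startup event, a passing early-boot report and a late-boot report whose result
// is chosen by latePassed (false models measurements that drifted from the baseline).
func SamplePayloads(latePassed bool) []json.RawMessage {
	mk := func(body string) json.RawMessage {
		return json.RawMessage(fmt.Sprintf(`{"@type":%q,"bootCounter":"3",%s}`, integrityEventType, body))
	}
	return []json.RawMessage{
		mk(`"startupEvent":{}`),
		mk(`"earlyBootReportEvent":{"policyEvaluationPassed":true}`),
		mk(fmt.Sprintf(`"lateBootReportEvent":{"policyEvaluationPassed":%t}`, latePassed)),
	}
}

func main() {
	cases := map[string][]json.RawMessage{
		"clean boot":           SamplePayloads(true),
		"late boot drift":      SamplePayloads(false),
		"startup only":         SamplePayloads(true)[:1],
		"no entries in window": nil,
	}
	for name, p := range cases {
		if err := CheckIntegrity(p); err != nil {
			log.Printf("%-20s -> withhold secret: %v", name, err)
		} else {
			log.Printf("%-20s -> release secret", name)
		}
	}
}
```

The timestamp lower bound in the query matters: without it, a passing report from an earlier boot could satisfy the check after the instance was rebooted into a modified state, which is why the example also insists on seeing both boot phases of the current window rather than any single passing entry.
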

salrashid123 commented 3 years ago

Probably won't need to check the logs. PCR0 value from quote/verify should indicate SEV status.

salrashid123 commented 3 years ago

The GCP identity document now contains a claim that signals if it's running conf.compute (it just means it's a cc instance).

https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload

{
  "iss": "[TOKEN_ISSUER]",
  "iat": [ISSUED_TIME],
  "exp": [EXPIRED_TIME],
  "aud": "[AUDIENCE]",
  "sub": "[SUBJECT]",
  "azp": "[AUTHORIZED_PARTY]",
  "google": {
    "compute_engine": {
      "project_id": "[PROJECT_ID]",
      "project_number": [PROJECT_NUMBER],
      "zone": "[ZONE]",
      "instance_id": "[INSTANCE_ID]",
      "instance_name": "[INSTANCE_NAME]",
      "instance_creation_timestamp": [CREATION_TIMESTAMP],
      "instance_confidentiality": [INSTANCE_CONFIDENTIALITY],
      "license_id": [
        "[LICENSE_1]",
          ...
        "[LICENSE_N]"
      ]
    }
  }
}

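As an added example of consuming that claim on the TokenServer side (this is illustrative code, not the project's implementation or the issue author's), the following verifies a Compute Engine instance identity token and only accepts it when instance_confidentiality is set. Assumptions: the token is RS256-signed and verified against the Google public key matching its header kid (here a locally generated test key stands in for Google's signer so the example runs offline), the issuer is https://accounts.google.com, the audience https://tokenserver.example is whatever the TokenClient requested, and the value 1 denotes a Confidential VM; VerifyConfidentialInstance, MintTestToken and SampleClaims are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const googleIssuer = "https://accounts.google.com"
var enc = base64.RawURLEncoding

// identityClaims: the subset of the token payload quoted above that the check reads.
type identityClaims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Google struct {
		ComputeEngine struct {
			InstanceID              string `json:"instance_id"`
			InstanceConfidentiality int    `json:"instance_confidentiality"`
		} `json:"compute_engine"`
	} `json:"google"`
}

// VerifyConfidentialInstance verifies the RS256 signature against pub (in production
// the key from Google's published JWK set matching the header kid), pins issuer,
// audience and expiry, then requires instance_confidentiality == 1. Fail-closed.
func VerifyConfidentialInstance(token string, pub *rsa.PublicKey, wantAud string, now time.Time) (*identityClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	// Pin the algorithm so the token cannot select "none" or an HMAC variant.
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header must declare alg RS256")
	}
	// Check the signature before trusting anything in the payload.
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	var c identityClaims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != googleIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case c.Google.ComputeEngine.InstanceConfidentiality != 1:
		return nil, fmt.Errorf("instance_confidentiality != 1: not a Confidential VM")
	}
	return &c, nil
}

// MintTestToken signs constructed claims with a local test key so the example runs
// offline; a real TokenServer never mints identity tokens, it only verifies them.
func MintTestToken(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "test-key"})
	pb, _ := json.Marshal(claims) // plain maps of strings and ints cannot fail to marshal
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// SampleClaims builds a constructed payload (assumed audience, assumed instance id)
// whose instance_confidentiality is conf.
func SampleClaims(aud string, now time.Time, conf int) map[string]interface{} {
	ce := map[string]interface{}{"instance_id": "1234567890", "instance_confidentiality": conf}
	return map[string]interface{}{"iss": googleIssuer, "aud": aud, "iat": now.Unix(),
		"exp": now.Add(time.Hour).Unix(), "google": map[string]interface{}{"compute_engine": ce}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const aud = "https://tokenserver.example" // assumed: the audience the TokenClient requested
	now := time.Now()
	for _, conf := range []int{1, 0} {
		tok, _ := MintTestToken(priv, SampleClaims(aud, now, conf))
		_, err := VerifyConfidentialInstance(tok, &priv.PublicKey, aud, now)
		fmt.Printf("instance_confidentiality=%d -> err=%v\n", conf, err)
	}
}
```

The claim check is deliberately the last step: signature, issuer, audience and expiry are validated first, so a self-minted or replayed token cannot assert confidentiality on behalf of an instance that does not have it.
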
salrashid123 commented 3 years ago

ref https://github.com/salrashid123/gcp_tokendistributor#enablingsev