本文說明如何使用 VM 管理員、Cloud Asset Inventory 和 BigQuery,查看貴機構中 Compute Engine 執行個體的安全漏洞報告。
將 Cloud Asset Inventory 的資料匯出至 BigQuery 後,您就能執行進階查詢,找出整個機構中待處理的修補程式和安全性弱點資訊。
事前準備
- 設定 VM 管理員。
- 啟用 Cloud Asset Inventory API。
- 建立 BigQuery 資料集來儲存匯出的資料。
- 確認您具備查看安全漏洞報告的必要權限。
-
如果尚未設定驗證,請先完成設定。
驗證可確認您的身分,以便存取 Google Cloud 服務和 API。如要從本機開發環境執行程式碼或範例,請選取下列其中一個選項,向 Compute Engine 進行驗證:
選取這個頁面上的分頁,瞭解如何使用範例:
控制台
使用 Google Cloud 控制台存取 Google Cloud 服務和 API 時,無須設定驗證。
gcloud
-
安裝 Google Cloud CLI。 完成後,執行下列指令來初始化 Google Cloud CLI:
gcloud init若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI。
-
- 設定預設地區和區域。
必要的角色
如要取得將資源資料匯出至 BigQuery 的權限,請要求管理員在專案、資料夾或機構中,授予您下列 IAM 角色:
-
Cloud Asset Viewer (
roles/cloudasset.viewer) -
BigQuery 資料編輯者 (
roles/bigquery.dataEditor) -
BigQuery 工作使用者 (
roles/bigquery.jobUser)
如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和組織的存取權」。
這些預先定義的角色具備將資源資料匯出至 BigQuery 的權限。如要查看確切的必要權限,請展開「Required permissions」(必要權限) 部分:
所需權限
如要將資源資料匯出至 BigQuery,您必須具備下列權限:
-
cloudasset.assets.exportOSInventories -
cloudasset.assets.exportResource -
bigquery.datasets.get -
bigquery.tables.create -
bigquery.tables.update -
bigquery.tables.get -
bigquery.jobs.create
將 VM 管理員 資料匯出至 BigQuery
如要將 OS 項目清單和資源資料匯出至 BigQuery,請按照下列步驟操作:
找出機構 ID:
gcloud projects get-ancestors PROJECT_ID將
PROJECT_ID替換為專案的專案 ID。從 VM 執行個體匯出 VM 管理員 收集的 OS 目錄資料:
gcloud asset export \ --content-type=os-inventory \ --organization=ORGANIZATION_ID \ --per-asset-type \ --bigquery-table="projects/BQ_PROJECT_ID/datasets/DATASET_ID/tables/os"更改下列內容:
ORGANIZATION_ID:您的機構 ID。BQ_PROJECT_ID:BigQuery 資料集所在的專案 ID。DATASET_ID:BigQuery 資料集的名稱。
將資源中繼資料匯出至 BigQuery 資料表:
gcloud asset export \ --content-type=resource \ --organization=ORGANIZATION_ID \ --per-asset-type \ --bigquery-table="projects/BQ_PROJECT_ID/datasets/DATASET_ID/tables/res"更改下列內容:
ORGANIZATION_ID:您的機構 IDBQ_PROJECT_ID:BigQuery 資料集所在的專案 IDDATASET_ID:BigQuery 資料集的 ID
如要瞭解如何匯出 OS 資訊清單快照,請參閱「匯出資產快照」。
為貴機構產生安全漏洞報告
匯出項目清單資料後,您可以在 BigQuery 中執行 SQL 查詢,產生安全性弱點報告。這份報表提供下列資訊:
- 機構中待處理修補程式的完整清單。
- 每個 Compute Engine 執行個體的待處理修補程式摘要。
- 每個專案的待處理修補程式摘要。
如要產生報表,請按照下列步驟操作:
前往 Google Cloud 控制台的「BigQuery」頁面。
在查詢編輯器中,貼上下列 SQL 指令碼:
WITH UPDATES_GRANULAR_DATA AS ( SELECT project, instance, os, available_update, vuln.cve AS vuln_cve, vuln.severity AS linux_vuln_severity, windows_categories FROM ( SELECT SPLIT(inv.name, '/')[OFFSET(4)] AS project, SPLIT(inv.name, '/')[OFFSET(8)] AS instance, inv.os_inventory.os_Info.long_Name AS os, inv_item.key AS available_update, ( SELECT ARRAY_AGG(c.name) windows_cat_names FROM UNNEST(inv_item.value.available_Package.wua_Package.categories) c ) AS windows_categories FROM DATASET_ID.os_compute_googleapis_com_Instance AS inv CROSS JOIN UNNEST(inv.os_inventory.items) AS inv_item WHERE inv.name NOT LIKE '%/locations/%' AND inv_item.value.type = 2 --"AVAILABLE_PACKAGE" UNION ALL SELECT project, instance, os, NULL AS available_update, NULL AS windows_categories FROM ( SELECT SPLIT(name, '/')[OFFSET(4)] AS project, SPLIT(name, '/')[OFFSET(8)] AS instance, os_Inventory.os_Info.long_Name AS os, ( SELECT COUNT(*) FROM UNNEST(os_Inventory.items) WHERE value.type = 2 --"AVAILABLE_PACKAGE" ) AS count_available_updates FROM DATASET_ID.os_compute_googleapis_com_Instance WHERE name NOT LIKE '%/locations/%' ) WHERE count_available_updates = 0 ) LEFT JOIN ( SELECT inv_item, v.details.severity AS severity, v.details.cve AS cve FROM DATASET_ID.res_osconfig_googleapis_com_VulnerabilityReport CROSS JOIN UNNEST(resource.data.vulnerabilities) AS v CROSS JOIN UNNEST(v.availableInventoryItemIds) AS inv_item WHERE ARRAY_LENGTH(resource.data.vulnerabilities)>0 AND ARRAY_LENGTH(v.availableInventoryItemIds)>0 ) AS vuln ON vuln.inv_item = available_update ), REPORT_WITH_WINDOWS_CATEGORIES_VERBOSE AS ( SELECT project, instance, os, COUNTIF(available_update IS NOT NULL) as updates_pending, IF( COUNTIF(available_update IS NOT NULL)>0 AND ARRAY_LENGTH(ARRAY_CONCAT_AGG(windows_categories)) IS NULL, IF( ARRAY_LENGTH(ARRAY_AGG(DISTINCT(linux_vuln_severity) IGNORE NULLS)) > 0, IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY_AGG(DISTINCT(linux_vuln_severity) IGNORE NULLS),""), "CRITICAL"), "CRITICAL", IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY_AGG(DISTINCT(linux_vuln_severity) IGNORE NULLS),""), "HIGH"), "HIGH", IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY_AGG(DISTINCT(linux_vuln_severity) IGNORE NULLS),""), "MEDIUM"), "MEDIUM", IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY_AGG(DISTINCT(linux_vuln_severity) IGNORE NULLS),""), "LOW"), "LOW", "SEVERITY_UNSPECIFIED" ) ) ) ), "UNKNOWN" ), NULL ) as linux_vuln_severity, ARRAY_CONCAT_AGG(windows_categories) as windows_categories_agg FROM UPDATES_GRANULAR_DATA GROUP BY project, instance, os ORDER BY project, instance, os ), REPORT_BY_VM AS ( SELECT project, instance, os, updates_pending, linux_vuln_severity, IF( ARRAY_LENGTH(windows_categories_agg) > 0, IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY(SELECT DISTINCT(a) as n FROM UNNEST(windows_categories_agg) a ORDER BY n ASC),","), "Security Updates"), "SECURITY UPDATES", IF( CONTAINS_SUBSTR(ARRAY_TO_STRING(ARRAY(SELECT DISTINCT(a) as n FROM UNNEST(windows_categories_agg) a ORDER BY n ASC),","), "Update Rollups"), "UPDATE ROLLUPS", "OTHER UPDATES" ) ), NULL ) as windows_category FROM REPORT_WITH_WINDOWS_CATEGORIES_VERBOSE ), REPORT_BY_PROJECT AS ( SELECT project, COUNT(*) as total_vms, COUNTIF(updates_pending=0) as vms_up_to_date, COUNTIF(updates_pending>0) as vms_with_updates_pending, COUNTIF(linux_vuln_severity = "CRITICAL") as linux_vms_critical, COUNTIF(linux_vuln_severity = "HIGH") as linux_vms_high, COUNTIF(linux_vuln_severity = "MEDIUM") as linux_vms_medium, COUNTIF(linux_vuln_severity = "LOW") as linux_vms_low, COUNTIF(linux_vuln_severity = "SEVERITY_UNSPECIFIED") as linux_vms_severity_unspecified, COUNTIF(linux_vuln_severity = "UNKNOWN") as linux_vms_unknown, COUNTIF(windows_category = "SECURITY UPDATES") as win_vms_security_updates, COUNTIF(windows_category = "UPDATE ROLLUPS") as win_vms_update_rollups, COUNTIF(windows_category = "OTHER UPDATES") as win_vms_other_updates FROM REPORT_BY_VM GROUP BY project ) -- To view the report, uncomment one of the following SELECT statements: -- 1. List of every pending update package across all VMs with associated vulnerability severity: -- SELECT * FROM UPDATES_GRANULAR_DATA -- 2. List of VMs and pending updates count: -- SELECT * FROM REPORT_BY_VM -- 3. Summary of projects, showing count of VMs up-to-date and with pending updates: SELECT * FROM REPORT_BY_PROJECT將
DATASET_ID改為 BigQuery 資料集的 ID。按一下「執行」。
如要進一步瞭解如何查詢資料,請參閱「執行查詢」。
產生報表後,您可以使用數據分析建立自訂資訊主頁。詳情請參閱「使用數據分析分析資料」一文。
後續步驟
- 進一步瞭解 VM 管理員中的 OS 庫存。
- 瞭解如何將資產中繼資料匯出至 BigQuery。
- 使用 數據分析 視覺化呈現 BigQuery 資料。