Control: 8.11 Ensure Trusted Launch is enabled on Virtual Machines
Description
When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting a VM against boot attacks. Secure Boot verifies the signature of each boot component, so if an attacker attempts to replace the bootloader with a malicious version, the VM will not boot it. If the attacker does manage to bypass Secure Boot and run a malicious bootloader, the vTPM still records measurements of every boot component; boot integrity monitoring (attestation against those measurements, as done by Microsoft Defender for Cloud's guest attestation) can then detect the tampered boot chain and alert you.
Secure Boot and vTPM work together to protect the VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch on an Azure VM leaves it more exposed to rootkits and boot-level malware, reduces your ability to detect and prevent unauthorized changes to the boot process, and risks compromise of system integrity and data security.
Remediation
From Azure Portal
- Go to Virtual Machines.
- For each VM, under Settings, click on Configuration on the left blade.
- Under Security Type, select 'Trusted Launch Virtual Machines'.
- Make sure Enable Secure Boot and Enable vTPM are checked.
- Click on Apply.

Note: Trusted Launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs; a Generation 1 VM has to be redeployed as a Generation 2 VM. The security type can only be changed while the VM is stopped (deallocated), so expect downtime when remediating an existing VM.
Default Value
On Azure Generation 2 VMs, vTPM is enabled by default. Secure Boot is not enabled by default.
Usage
Run the control in your terminal:
  powerpipe control run azure_compliance.control.cis_v300_8_11
Snapshot and share results via Turbot Pipes:
  powerpipe login
  powerpipe control run azure_compliance.control.cis_v300_8_11 --share
SQL
This control uses a named query:
  select
    vm.id as resource,
    case
      when (security_profile ->> 'securityType') is null
        or (security_profile ->> 'securityType') <> 'TrustedLaunch' then 'skip'
      when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
        and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then 'ok'
      else 'alarm'
    end as status,
    case
      when (security_profile ->> 'securityType') is null
        or (security_profile ->> 'securityType') <> 'TrustedLaunch' then vm.name || ' not using trusted launch security type.'
      when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
        and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then vm.name || ' trusted launch enabled.'
      else vm.name || ' trusted launch disabled.'
    end as reason,
    vm.resource_group as resource_group,
    sub.display_name as subscription
  from
    azure_compute_virtual_machine vm
    left join azure_subscription as sub on sub.subscription_id = vm.subscription_id;
Note what the query does with the status values: a VM whose security type is not TrustedLaunch (a standard VM, which the API reports with no securityType at all, or a Confidential VM) is reported as 'skip', not 'alarm'. Only a VM that already uses the TrustedLaunch security type but has Secure Boot or vTPM turned off raises an alarm. A run with zero alarms therefore does not mean every VM has Trusted Launch enabled; review the 'skip' rows as well.
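As an added example (this is not part of the azure_compliance mod or of the CIS benchmark text), the following is a stricter variant of the query above for use in an ad hoc Steampipe session: VMs with no securityType (standard VMs, the case this control is actually about) are reported as 'alarm' rather than 'skip', the ConfidentialVM security type is accepted alongside TrustedLaunch since both carry uefiSettings, and each row includes the VM's power state because the security type can only be changed on a deallocated VM. The tables and JSON paths are the ones used by the named query; power_state is assumed here to be a column of azure_compute_virtual_machine.

```sql
-- Added example, not the mod's own query. Uses the same Steampipe Azure plugin
-- tables as the named query; vm.power_state is an assumed column.
select
  vm.id as resource,
  case
    -- no securityType in the API response means a standard (non trusted launch) VM
    when security_profile ->> 'securityType' is null then 'alarm'
    when security_profile ->> 'securityType' not in ('TrustedLaunch', 'ConfidentialVM') then 'alarm'
    -- a missing uefiSettings flag counts as disabled, not as unknown
    when coalesce((security_profile -> 'uefiSettings' ->> 'secureBootEnabled')::bool, false)
      and coalesce((security_profile -> 'uefiSettings' ->> 'vTpmEnabled')::bool, false) then 'ok'
    else 'alarm'
  end as status,
  case
    when security_profile ->> 'securityType' is null
      then vm.name || ' has no security type (standard VM); trusted launch is not enabled.'
    when security_profile ->> 'securityType' not in ('TrustedLaunch', 'ConfidentialVM')
      then vm.name || ' uses unexpected security type ' || (security_profile ->> 'securityType') || '.'
    when not coalesce((security_profile -> 'uefiSettings' ->> 'secureBootEnabled')::bool, false)
      then vm.name || ' uses ' || (security_profile ->> 'securityType') || ' but Secure Boot is disabled.'
    when not coalesce((security_profile -> 'uefiSettings' ->> 'vTpmEnabled')::bool, false)
      then vm.name || ' uses ' || (security_profile ->> 'securityType') || ' but vTPM is disabled.'
    else vm.name || ' uses ' || (security_profile ->> 'securityType') || ' with Secure Boot and vTPM enabled.'
  end as reason,
  vm.power_state,   -- assumed column; remediation requires the VM to be deallocated first
  vm.resource_group,
  sub.display_name as subscription
from
  azure_compute_virtual_machine as vm
  left join azure_subscription as sub on sub.subscription_id = vm.subscription_id
order by
  status, subscription, vm.resource_group, vm.name;
```

The 'alarm' rows sorted first give the remediation list directly; rows whose power state is not deallocated must be stopped before the security type is changed, and any Generation 1 VM in that list has to be redeployed rather than updated in place.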