GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
OS Login Should Be Enabled
More Info:
Enable OS login to ensure that SSH keys used to connect to instances are mapped with IAM users.
Risk Level
High
Address
Security
Compliance Standards
SOC2, PCIDSS, ISO27001, HIPAA, CISGCP, CBP, NISTCSF
Triage and Remediation
Remediation
To remediate the misconfiguration “OS Login Should Be Enabled” for GCP using GCP console, follow these steps:
- Open the GCP Console and select the project you want to work on.
- In the left-hand menu, select “Compute Engine” and then select “VM instances”.
- Click on the name of the VM instance you want to configure.
- In the VM instance details page, click on the “Edit” button at the top of the page.
- Scroll down to the “Cloud API access scopes” section.
- In the “Cloud API access scopes” section, click on “Allow full access to all Cloud APIs”.
- Scroll down to the “Cloud Identity and Access Management (IAM)” section.
- In the “Cloud Identity and Access Management (IAM)” section, click on “Add item”.
- In the “Add members” dialog box, enter the email address of the user or service account you want to grant access to.
- In the “Role” dropdown menu, select “Compute OS Login”.
- Click “Save” to apply the changes.
After following these steps, OS Login will be enabled for the selected VM instance in GCP.
To remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI, you can follow these steps:
- Open the Cloud Shell from the GCP Console.
- Run the following command to enable OS Login for all users in your project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
- If you want to enable OS Login for a specific instance, you can use the following command:
gcloud compute instances add-metadata INSTANCE_NAME --metadata enable-oslogin=TRUE
Replace INSTANCE_NAME
with the name of the instance for which you want to enable OS Login.
- If you want to enable OS Login for a specific user, you can use the following command:
gcloud compute os-login ssh-keys add --key-file=PUBLIC_KEY_FILE --ttl=TTL USERNAME
Replace PUBLIC_KEY_FILE
with the path to the public key file, TTL
with the time-to-live for the key (in seconds), and USERNAME
with the username of the user for whom you want to enable OS Login.
- Verify that OS Login is enabled by running the following command:
gcloud compute project-info describe --format="value(commonInstanceMetadata.items.filter(key:enable-oslogin).value)"
This command will return TRUE
if OS Login is enabled for your project.
That’s it! By following these steps, you should be able to remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “OS Login Should Be Enabled” for GCP using Python, follow these steps:
- Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
- Set the project ID and zone where the VM instances are located:
project_id = 'your-project-id'
zone = 'your-zone'
- Authenticate and authorize the client:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
- Retrieve the list of VM instances:
request = service.instances().list(project=project_id, zone=zone)
response = request.execute()
instances = response['items']
- For each VM instance, check if OS Login is enabled:
for instance in instances:
instance_name = instance['name']
instance_zone = instance['zone'].split('/')[-1]
instance_id = instance['id']
instance_url = f'/compute/v1/projects/{project_id}/zones/{instance_zone}/instances/{instance_name}'
request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
response = request.execute()
metadata = response['metadata']['items']
oslogin_enabled = False
for item in metadata:
if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
oslogin_enabled = True
if not oslogin_enabled:
print(f"OS Login is not enabled for instance {instance_name}.")
- If OS Login is not enabled, enable it:
request_body = {
'items': [
{
'key': 'enable-oslogin',
'value': 'TRUE'
}
]
}
request = service.instances().setMetadata(project=project_id, zone=instance_zone, instance=instance_name, body=request_body)
response = request.execute()
- Verify that OS Login is now enabled:
request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
response = request.execute()
metadata = response['metadata']['items']
oslogin_enabled = False
for item in metadata:
if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
oslogin_enabled = True
if oslogin_enabled:
print(f"OS Login has been enabled for instance {instance_name}.")
Note: Make sure to replace “your-project-id” and “your-zone” with your actual project ID and zone.