Profile Applicability:
- Level 2
Description:
Google Cloud Virtual Machines (VMs) can report operating system (OS) inventory data through the OS Config agent API. This data is cross-referenced with metadata to determine if the latest updates are installed. Leveraging this feature simplifies patch management and ensures that all VMs are running the latest security updates.
Rationale:
Keeping operating systems up-to-date is a core security best practice. It mitigates vulnerabilities and reduces the risk of exploitation. Using the Google Cloud VM Manager and OS Patch Management services allows centralized update management, enhancing security and simplifying the update process.
Impact:
Reboots Required: Most operating systems require restarts to apply critical updates.
Additional Costs: Using Google Cloud’s VM Manager for OS patch management may incur extra charges. Refer to VM Manager Pricing for details.
Default Value:
By default, most VMs do not have automated patch management enabled. Google Cloud VM Manager is installed only on Google-provided OS images built after v20200114 but requires manual setup for use.
Audit Steps:
From Google Cloud Console:
Verify OS Config API is Enabled:
Navigate to APIs & Services > Library.
Search for VM Manager (OS Config API)
Ensure the API is enabled.
Check Metadata Tags:
Go to Compute Engine > Metadata.
Verify the presence of the metadata tag enable-osconfig with the value true.
Check VM OS Update Compliance:
Review each VM instance's Service Account under the instance details.
Ensure VMs are configured to report OS inventory data.
From Google Cloud CLI:
Check OS Config API Status:
gcloud services listEnsure osconfig.googleapis.com is listed.
Verify Metadata Tags:
gcloud compute project-info describe --format="json(commonInstanceMetadata)"
Confirm that enable-osconfig is set to true.
List VM OS Inventor
gcloud compute instances os-inventory describe <VM-NAME> --zone=<ZONE>Check OS Updates:
Linux:
Debian-based: Run sudo apt update and confirm Hit: for update URLs.
Red Hat-based: Run yum check-update to list available updates.
Windows:
Run ping http://windowsupdate.microsoft.com/ and verify successful connectivity.
Remediation Steps:
Enable OS Patch Management via Google Cloud Console:
Enable OS Config API:
Navigate to APIs & Services > Library.
Search for VM Manager (OS Config API) and enable it.
Set Metadata Tags:
Go to Compute Engine > Metadata.
Add the tag enable-osconfig with the value true.
From Google Cloud CLI:
Enable OS Config API:
gcloud services enable osconfig.googleapis.comAdd Metadata Tag:
gcloud compute project-info add-metadata --metadata=enable-osconfig=TRUEVerify OS Config Agent Status on VMs:
Use OS-specific commands to ensure the OS Config agent is installed and running. Refer to Check OS-Config Agent Documentation.
Enable Private Access or NAT for Update Hosting:
Configure NAT or enable Private Google Access to ensure VMs can connect to update servers. See Configuring Private Google Access.
Backout plan:
Revert Updates: If the updates cause issues, revert the VM to a previous snapshot or backup before the update. This can be done by:
Restoring from an existing snapshot or image:
gcloud compute instances create [NEW_INSTANCE_NAME] --image [IMAGE_NAME] --zone [ZONE]
Rolling back the operating system updates (using package management commands like apt-get remove or yum downgrade for specific packages).
Disable Automatic Updates: If needed, disable the "Automatic OS Updates" feature by navigating to VM Instances in the Google Cloud Console, editing the VM's metadata, and unchecking the automatic updates option.
Notify Stakeholders: Inform relevant teams about the backout and any operational impact of the changes.
References:
CIS Controls: