Latest Operating System Updates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Installing the latest OS updates on your Google Cloud virtual machine (VM) instances is crucial for security, stability, bug fixes, new features, compatibility, compliance, and overall performance. Google Cloud VM instances can utilize the OS Config agent API to regularly report OS inventory data, usually every 10 minutes. The patch compliance API then analyzes this data and compares it with metadata to determine if the latest updates are installed.

Security, Operational excellence

Keeping virtual machine (VM) operating systems up to date is essential for maintaining security and compliance. Employing Google Cloud's VM manager for OS Patch management can efficiently streamline the update process. Maintaining an updated operating system is one of the most effective methods to safeguard against constantly evolving known vulnerabilities that malicious actors can exploit for cyber attacks.


Audit

To ensure that your virtual machine (VM) instances are using the latest operating system updates, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.

04 Type VM Manager (OS Config API) in the Search for API & Services search box and press Enter.

05 Click on the name of the OS Config API to open the API overview page.

06 On the API overview page, look for the MANAGE button to determine the current status of the API. If an ENABLE button is displayed instead of MANAGE, the OS Config API is currently disabled and the Audit process ends here. Otherwise, if the API is enabled, continue the Audit process with the next step.

07 Navigate to Compute Engine console at https://console.cloud.google.com/compute.

08 In the main navigation panel, under Settings, choose Metadata.

09 Select the METADATA tab and search for the "enable-osconfig" tag. If the "enable-osconfig" tag is set to "false" or is not listed on this page, the VM instances provisioned for the selected GCP project don't have the metadata required by the OS Config agent and the Audit process ends here. Otherwise, if the "enable-osconfig" tag is set to "true", continue the Audit process with the next step.

10 In the main navigation panel, select VM instances to access the list with the virtual machine (VM) instances launched for the selected project.

11 Click on the name of the VM instance that you want to examine.

12 Select the DETAILS tab, choose SSH, and choose Open in browser window to connect to your instance's operating system via SSH.

13 Follow the instructions outlined on this page to verify if the VM Manager is properly installed on your VM instance. If VM Manager is not set up properly on the selected virtual machine, the Audit process ends here. Otherwise, continue the Audit process with the next step.

14 Each type of operating system has its own, unique update process. At this step, you must verify that your instance's operating system can establish a network connection with the update servers. VM Manager does not store the updates; its purpose is to let you send a centralized command to each virtual machine (VM) that triggers the update process.

15 Repeat steps no. 2 – 14 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
cc-web-app-project-112233
cc-bigdata-project-123123

03 Run the services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to determine if the OS Config API is enabled for the selected project:

gcloud services list \
  --project cc-web-app-project-112233 \
  --enabled \
  --filter=name:osconfig.googleapis.com

04 The command output should return the name and the title of the requested API, or Listed 0 items. when the API is not enabled:

Listed 0 items.

If the services list command output returns Listed 0 items., as shown in the output example above, the OS Config API is currently disabled and the Audit process ends here. Otherwise, if the name of the requested API is returned, continue the Audit process with the next step.

05 Run the compute project-info describe command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filters to determine if the enable-osconfig tag is configured at the project level:

gcloud compute project-info describe \
  --project cc-web-app-project-112233 \
  --format="json(commonInstanceMetadata.items)"

06 The command output should return the metadata (i.e. tag sets) configured at the project level. All VM instances in the selected project inherit these key-value pairs:

{
  "commonInstanceMetadata": {
    "items": [
      {
        "key": "enable-osconfig",
        "value": "false"
      },
      {
        "key": "environment",
        "value": "production"
      }
    ]
  }
}

If the "enable-osconfig" tag is set to "false", as shown in the example above, or the tag set is not listed in the "items" list, the VM instances provisioned for the selected GCP project don't have the metadata required by the OS Config agent and the Audit process ends here. Otherwise, if "enable-osconfig" is set to "true", continue the Audit process with the next step.

07 Follow the instructions outlined on this page to verify if the VM Manager is properly installed on your VM instance. If VM Manager is not set up properly on the selected virtual machine, the Audit process ends here. Otherwise, continue the Audit process with the next step.

08 Each type of operating system has its own, unique update process. At this step, you must verify that your instance's operating system can establish a network connection with the update servers. VM Manager does not store the updates; its purpose is to let you send a centralized command to each virtual machine (VM) that triggers the update process.

09 Repeat steps no. 3 – 8 for each project created within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To ensure that your virtual machine (VM) instances are using the latest operating system updates, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.

04 Type VM Manager (OS Config API) in the Search for API & Services search box and press Enter.

05 Click on the name of the OS Config API to open the API overview page.

06 On the API overview page, choose ENABLE to enable the OS Config API for your GCP project.

07 Navigate to Compute Engine console at https://console.cloud.google.com/compute.

08 In the main navigation panel, under Settings, choose Metadata.

09 Choose EDIT and set the enable-osconfig tag key to true. If the enable-osconfig tag is not defined in the Metadata section, choose ADD ITEM to add the enable-osconfig tag set. Choose SAVE to apply the changes. All VM instances in the selected GCP project will inherit the enable-osconfig tag set.

10 In the main navigation panel, select VM instances to access the list with the virtual machine (VM) instances launched for the selected project.

11 Click on the name of the VM instance that you want to configure.

12 Select the DETAILS tab, choose SSH, and choose Open in browser window to connect to your instance's operating system via SSH.

13 Follow the instructions outlined on this page to set up VM Manager. Make sure that the OS Config agent is properly installed on the selected VM instance. Also, ensure that the selected instance has a service account attached. VM Manager uses this service account to sign requests to the API service. If the selected VM instance is running within a private VPC network and does not have public Internet access, use the instructions listed on this page to enable Private Google Access.

14 Each type of operating system has its own, unique update process. The final step is to verify if your instance's operating system can establish a network connection with the update servers and run the required commands.

15 Repeat steps no. 2 – 14 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the services enable command (Windows/macOS/Linux) using the ID of the GCP project that you want to configure as the identifier parameter, to enable the OS Config API for the selected project:

gcloud services enable osconfig.googleapis.com \
  --project cc-web-app-project-112233

02 If successful, the command output should return the ID and status of the performed operation:

Operation "operations/acat.p0-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234" finished successfully.

03 Run the compute project-info add-metadata command (Windows/macOS/Linux) using the ID of the GCP project that you want to configure as the identifier parameter, to set the enable-osconfig metadata (i.e. tag set) at the project level. All VM instances in the selected GCP project will inherit this metadata:

gcloud compute project-info add-metadata \
  --project cc-web-app-project-112233 \
  --metadata=enable-osconfig=TRUE

04 If successful, the command output should return the ID and status of the performed operation:

Operation "operations/acat.p1-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234" finished successfully.

05 Run the compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name and zone of each VM instance launched for the selected project:

gcloud compute instances list \
  --project cc-web-stack-project-123123 \
  --format="table(name,zone)"

06 The command output should return the names of the instances within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-backend-vm-instance    us-central1-a
cc-frontend-vm-instance   us-central1-a

07 Follow the instructions outlined on this page to set up VM Manager using Google Cloud CLI (gcloud). Make sure that the OS Config agent is properly installed on the selected VM instance. Also, ensure that your VM instance is associated with a service account. VM Manager uses this service account to sign requests to the API service. If the selected VM instance is running within a private VPC network and does not have public Internet access, use the instructions listed on this page to enable Private Google Access.

08 Each type of operating system has its own, unique update process. The final step is to verify if your instance's operating system can establish a network connection with the update servers and run the required commands.

09 Repeat steps no. 1 – 8 for each GCP project created within your Google Cloud Platform (GCP) account.
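The following script is an added example, not part of the Conformity article or Google's tooling: it automates the CLI Audit steps 01–06 across every project the active gcloud credentials can see, and wraps the CLI Remediation steps 01 and 03 in a function. The parsing helpers take the raw gcloud output as strings, so the pass/fail logic can be exercised offline with constructed output; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Conformity's tooling): scripts the CLI audit across all
# projects; parsing helpers take gcloud output as strings so they run offline.

# 0 if the `gcloud services list --enabled --filter=name:osconfig.googleapis.com`
# table names the API, 1 if it printed "Listed 0 items." (API disabled).
osconfig_api_enabled() {
  printf '%s\n' "$1" | grep -q '^osconfig\.googleapis\.com'
}

# From `project-info describe --format="json(commonInstanceMetadata.items)"`
# output, print the enable-osconfig value lowercased (TRUE set by add-metadata
# still passes) or "missing". Assumes gcloud emits "key" before "value".
osconfig_metadata_value() {
  v=$(printf '%s' "$1" | tr -d ' \n\t' \
      | sed -n 's/.*"key":"enable-osconfig","value":"\([^"]*\)".*/\1/p' \
      | tr '[:upper:]' '[:lower:]')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'missing\n'; fi
}

# Verdict for one project from the two raw command outputs.
project_verdict() {
  if ! osconfig_api_enabled "$1"; then
    echo "FAIL: OS Config API disabled"
  elif [ "$(osconfig_metadata_value "$2")" != "true" ]; then
    echo "FAIL: enable-osconfig is $(osconfig_metadata_value "$2")"
  else
    echo "PASS: VM Manager prerequisites present"
  fi
}

# Remediation CLI steps 01 and 03 of the article for one project id.
remediate_project() {
  gcloud services enable osconfig.googleapis.com --project "$1" &&
    gcloud compute project-info add-metadata --project "$1" \
      --metadata=enable-osconfig=TRUE
}

# Live audit over every project the active gcloud credentials can see.
audit_all() {
  for p in $(gcloud projects list --format="value(projectId)"); do
    svc=$(gcloud services list --project "$p" --enabled \
            --filter=name:osconfig.googleapis.com 2>/dev/null)
    meta=$(gcloud compute project-info describe --project "$p" \
             --format="json(commonInstanceMetadata.items)" 2>/dev/null)
    printf '%-40s %s\n' "$p" "$(project_verdict "$svc" "$meta")"
  done
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Run it as `sh audit-osconfig.sh --run` to print one verdict line per project; a FAIL still only covers the project-level prerequisites, so the per-instance agent and update-server connectivity checks (steps 07 and 08) remain manual.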

Publication date Jun 29, 2023