
lacework-global-267

info

This rule also encompasses lacework-global-498. See Adjusted Rules for CIS GCP 1.3.0 for further details.

4.4 Ensure Oslogin Is Enabled for a Project (Automated)

Profile Applicability

• Level 1

Description

Enabling OS Login binds the SSH keys used to reach instances to IAM identities and facilitates centralized, effective SSH key management.

Rationale

Enabling OS Login ensures that the SSH keys used to connect to instances are mapped to IAM users. Revoking an IAM user's access revokes all SSH keys associated with that user. This gives you centralized, automated SSH key pair management, which is useful for responding to compromised SSH key pairs and for revoking external, third-party or vendor users.

Impact

Enabling OS Login on a project disables metadata-based SSH key configuration on all instances in that project. Disabling OS Login restores the SSH keys you have configured in project or instance metadata.

Audit

From Console:

  1. Go to the VM compute metadata page by visiting https://console.cloud.google.com/compute/metadata.

  2. Ensure that key enable-oslogin is present with value set to TRUE.

  3. Because instances can override project settings, ensure that no instance has custom metadata with key enable-oslogin and value FALSE.

From Command Line:

  1. Get the project-level metadata:
gcloud compute project-info describe --format=json
  2. Verify that the section commonInstanceMetadata has a key enable-oslogin set to value TRUE.
  3. List the instances in your project and check each instance's own metadata for an enable-oslogin key with value FALSE, which overrides the project setting:
gcloud compute instances list --format=json
     Exception: VMs created by GKE should be excluded. These VMs have names that start with gke- and are labeled goog-gke-node.

Remediation

From Console:

  1. Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.

  2. Click Edit.

  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.

  4. Click Save to apply the changes.

  5. For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.

  6. Click the name of the instance on which you want to remove the metadata value.

  7. At the top of the instance details page, click Edit to edit the instance settings.

  8. Under Custom metadata, remove any entry whose key is enable-oslogin and whose value is FALSE.

  9. At the bottom of the instance details page, click Save to apply your changes to the instance.

From Command Line:

  1. Configure OS Login on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
  2. Remove instance metadata that overrides the project setting (the instance's zone is required, so pass it explicitly instead of answering the prompt):
gcloud compute instances remove-metadata <INSTANCE_NAME> --zone <ZONE> --keys=enable-oslogin
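As an added example that is not Lacework's or CIS's own tooling, the following Python script performs the command-line audit and derives the remediation commands from it: it reads the JSON produced by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, checks the project-level enable-oslogin key, lists any non-GKE instance that overrides it with something other than TRUE, and prints the gcloud commands that would fix each finding. The sample JSON at the bottom is constructed to mirror gcloud's output shape (it is not real project output), and `gcloud_json` is an assumed helper for running the same checks against a live project. Note that instances list reports the zone as a URL, while `gcloud compute instances remove-metadata` needs only the zone name, so the script extracts the last path segment.

```python
"""Audit and remediation helper for CIS GCP 4.4 (OS Login).

Consumes the JSON printed by:
  gcloud compute project-info describe --format=json
  gcloud compute instances list --format=json
"""
import json
import subprocess
from typing import Any, Dict, List, Optional

OSLOGIN_KEY = "enable-oslogin"
GKE_NODE_LABEL = "goog-gke-node"  # label the benchmark uses to recognise GKE-created VMs


def metadata_value(metadata: Dict[str, Any], key: str) -> Optional[str]:
    """Look up one key in a Compute metadata object ({"items": [{"key": ..., "value": ...}]})."""
    for item in metadata.get("items") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def project_oslogin_enabled(project_info: Dict[str, Any]) -> bool:
    """True when commonInstanceMetadata sets enable-oslogin to TRUE (compared case-insensitively)."""
    value = metadata_value(project_info.get("commonInstanceMetadata") or {}, OSLOGIN_KEY)
    return value is not None and value.strip().upper() == "TRUE"


def is_gke_node(instance: Dict[str, Any]) -> bool:
    """GKE nodes are out of scope: name starts with gke- and the goog-gke-node label is present."""
    return (instance.get("name", "").startswith("gke-")
            and GKE_NODE_LABEL in (instance.get("labels") or {}))


def overriding_instances(instances: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Non-GKE instances whose own metadata sets enable-oslogin to anything other than TRUE."""
    findings = []
    for inst in instances:
        if is_gke_node(inst):
            continue
        value = metadata_value(inst.get("metadata") or {}, OSLOGIN_KEY)
        if value is not None and value.strip().upper() != "TRUE":
            # gcloud returns the zone as a URL; remove-metadata wants just the zone name
            zone = (inst.get("zone") or "").rsplit("/", 1)[-1]
            findings.append({"name": inst["name"], "zone": zone, "value": value})
    return findings


def remediation_commands(project_enabled: bool, findings: List[Dict[str, str]]) -> List[str]:
    """gcloud commands that would bring the project into compliance with 4.4."""
    cmds = []
    if not project_enabled:
        cmds.append("gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE")
    for f in findings:
        cmds.append(f"gcloud compute instances remove-metadata {f['name']} "
                    f"--zone {f['zone']} --keys=enable-oslogin")
    return cmds


def audit(project_info: Dict[str, Any], instances: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine the project-level check and the per-instance override check into one report."""
    enabled = project_oslogin_enabled(project_info)
    findings = overriding_instances(instances)
    return {"project_enabled": enabled, "overrides": findings,
            "compliant": enabled and not findings,
            "remediation": remediation_commands(enabled, findings)}


def gcloud_json(*args: str) -> Any:
    """Assumed helper: run a gcloud command against a live project and parse its JSON output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed sample data mirroring gcloud's JSON shape; not output from a real project.
SAMPLE_PROJECT = {"commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},  # override: finding
    {"name": "db-1", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-b",
     "metadata": {"items": []}},  # inherits the project setting: compliant
    {"name": "gke-prod-default-pool-1a2b",
     "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
     "labels": {"goog-gke-node": ""},
     "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},  # GKE node: excluded
]

if __name__ == "__main__":
    # For a live project replace the samples with
    # gcloud_json("compute", "project-info", "describe") and gcloud_json("compute", "instances", "list").
    print(json.dumps(audit(SAMPLE_PROJECT, SAMPLE_INSTANCES), indent=2))
```

Run it unchanged to see the report for the constructed data: the project passes, web-1 is reported as an override with the remove-metadata command to fix it, and the GKE node is ignored as the benchmark directs.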

Optionally, you can enable two factor authentication for OS login. For more information, see: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.

References

https://cloud.google.com/compute/docs/instances/managing-instance-access
https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata
https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication

Additional Information

  1. In order to use OS Login, instances using custom images must have the latest version of the Linux Guest Environment installed. The following image families do not yet support OS Login:
     • Project cos-cloud (Container-Optimized OS) image family cos-stable.
     • All project coreos-cloud (CoreOS) image families.
     • Project suse-cloud (SLES) image family sles-11.
     • All Windows Server and SQL Server image families.
  2. The project-level enable-oslogin setting can be overridden on an individual instance by setting the enable-oslogin key in that instance's metadata.