Skip to main content

πŸ“ Google GCE Instance Enable Connecting to Serial Ports is not disabled 🟒

  • Contextual name: πŸ“ Instance Enable Connecting to Serial Ports is not disabled 🟒
  • ID: /ce/ca/google/compute-engine/instance-serial-port-connection
  • Located in: πŸ“ Google GCE

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.

If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

Rationale​

A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts. Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.

The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.

... see more

Remediation​

Open File

Remediation​

From Google Cloud CLI​

  1. Login to Google Cloud console
  2. Go to Computer Engine
  3. Go to VM instances
  4. Click on the Specific VM
  5. Click EDIT
  6. Unselect Enable connecting to serial ports below Remote access block.
  7. Click Save

From Google Cloud Console​

Use the below command to disable

        gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=false

or

        gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=0

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 4.5 Ensure β€˜Enable Connecting to Serial Ports’ Is Not Enabled for VM Instance - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access46
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)212
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31733
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)29
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)112
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)333
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.9 Configuration management12
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events133
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-6 Configuration Settings412
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality923
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.112
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.3
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.3
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.12
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.12
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.12
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.12
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1519
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-3 Requires Additional Authentication or Credentials46
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-4 Implements Boundary Protection Systems4