Skip to main content

๐Ÿ›ก๏ธ Google GCE Instance Enable Connecting to Serial Ports is not disabled๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Instance Enable Connecting to Serial Ports is not disabled๐ŸŸข
  • ID: /ce/ca/google/compute-engine/instance-serial-port-connection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.

If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.

Rationaleโ€‹

A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts. Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.

The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Google Cloud CLIโ€‹

  1. Login to Google Cloud console
  2. Go to Computer Engine
  3. Go to VM instances
  4. Click on the Specific VM
  5. Click EDIT
  6. Unselect Enable connecting to serial ports below Remote access block.
  7. Click Save

From Google Cloud Consoleโ€‹

Use the below command to disable

        gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=false

or

        gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=0

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ CIS GCP v1.2.0 โ†’ ๐Ÿ’ผ 4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v1.3.0 โ†’ ๐Ÿ’ผ 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v2.0.0 โ†’ ๐Ÿ’ผ 4.5 Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v3.0.0 โ†’ ๐Ÿ’ผ 4.5 Ensure โ€˜Enable Connecting to Serial Portsโ€™ Is Not Enabled for VM Instance - Level 1 (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Secure Access55no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-6 Configuration Settings (L)(M)(H)212no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)31833no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ CM-6 Configuration Settings (L)(M)(H)11no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)29no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-6 Configuration Settings (L)(M)(H)112no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)333no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.9 Configuration management12no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events139no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-6 Configuration Settings412no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-7 Least Functionality923no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.3no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.3no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.11no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.6-1 Restricts Access1619no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.6-3 Requires Additional Authentication or Credentials46no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.6-4 Implements Boundary Protection Systems4no data