π Google GCE Instance doesn't have the latest operating system updates installed π’
- Contextual name: π Instance doesn't have the latest operating system updates installed π’
- ID:
/ce/ca/google/compute-engine/project-vm-operating-system-update - Located in: π Google GCE
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITYRELIABILITY
Similar Policiesβ
- Cloud Conformity
Descriptionβ
Descriptionβ
Google Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed.
This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.
Rationaleβ
Keeping virtual machine operating systems up to date is a security best practice. Using this service will simplify this process.
Impactβ
Most Operating Systems require a restart or changing critical resources to apply the updates. Using the Google Cloud VM manager for its OS Patch management will incur additional costs for each VM managed by it. Please view the VM manager pricing reference for further information.
Auditβ
From Google Cloud Consoleβ
Determine if OS Config API is Enabled for the Project
- Navigate into a project. In the expanded navigation menu located at the top left of the screen hover over
APIs & Services. Then in the menu right of that selectAPI Libraries... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
Enabling OS Patch Management on a Project by Project Basis
Install OS Config API for the Projectβ
- Navigate into a project. In the expanded portal menu located at the top left of the screen hover over "APIs & Services". Then in the menu right of that select "API Libraries"
- Search for "VM Manager (OS Config API) or scroll down in the left hand column and select the filter labeled "Compute" where it is the last listed. Open this API.
- Click the blue 'Enable' button.
Add MetaData Tags for OSConfig Parsing
- From the main Google Cloud console, open the portal menu in the top left. Mouse over Computer Engine to expand the menu next to it.
- Under the "Settings" heading, select "Metadata".
- In this view there will be a list of the project wide metadata tags for VMs. Click edit and 'add item' in the key column type 'enable-osconfig' and in the value column set it to 'true'.
From Command Line
For project wide tagging, run the following command
gcloud compute project-info add-metadata \... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - Level 2 (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Infrastructure Modernization | 9 |