🛡️ Google GCE Instance doesn't have the latest operating system updates installed🟢⚪
- Contextual name: 🛡️ Instance doesn't have the latest operating system updates installed🟢⚪
- ID:
/ce/ca/google/compute-engine/project-vm-operating-system-update - Tags:
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY,RELIABILITY
Similar Policies
- Cloud Conformity: Latest Operating System Updates
Description
Description
Google Cloud Virtual Machines have the ability via an OS Config agent API to periodically (about every 10 minutes) report OS inventory data. A patch compliance API periodically reads this data, and cross references metadata to determine if the latest updates are installed.
This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this method.
Rationale
Keeping virtual machine operating systems up to date is a security best practice. Using this service will simplify this process.
Impact
Most Operating Systems require a restart or changing critical resources to apply the updates. Using the Google Cloud VM manager for its OS Patch management will incur additional costs for each VM managed by it. Please view the VM manager pricing reference for further information.
Audit
From Google Cloud Console
Determine if OS Config API is Enabled for the Project
- Navigate into a project. In the expanded navigation menu located at the top left of the screen hover over
APIs & Services. Then in the menu right of that selectAPI Libraries... see more
Remediation
Remediation
From Google Cloud Console
Enabling OS Patch Management on a Project by Project Basis
Install OS Config API for the Project
- Navigate into a project. In the expanded portal menu located at the top left of the screen hover over "APIs & Services". Then in the menu right of that select "API Libraries"
- Search for "VM Manager (OS Config API) or scroll down in the left hand column and select the filter labeled "Compute" where it is the last listed. Open this API.
- Click the blue 'Enable' button.
Add MetaData Tags for OSConfig Parsing
- From the main Google Cloud console, open the portal menu in the top left. Mouse over Computer Engine to expand the menu next to it.
- Under the "Settings" heading, select "Metadata".
- In this view there will be a list of the project wide metadata tags for VMs. Click edit and 'add item' in the key column type 'enable-osconfig' and in the value column set it to 'true'.
From Command Line
For project wide tagging, run the following command
gcloud compute project-info add-metadata \... see more
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS GCP v1.3.0 → 💼 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - Level 2 (Manual) | 1 | no data | |||
| 💼 CIS GCP v2.0.0 → 💼 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - Level 2 (Manual) | 1 | no data | |||
| 💼 CIS GCP v3.0.0 → 💼 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects - Level 2 (Manual) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Infrastructure Modernization | 16 | no data |