Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management. OS Login ensures that SSH keys are mapped with Google Cloud IAM users, facilitating centralized management of SSH access.
PoC代码[已公开]
id: gcloud-oslogin-disabled
info:
name: OS Login Not Enabled for GCP Projects
author: princechaddha
severity: low
description: |
Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management. OS Login ensures that SSH keys are mapped with Google Cloud IAM users, facilitating centralized management of SSH access.
impact: |
Without OS Login enabled, managing SSH access becomes decentralized and complex, making it difficult to handle compromised SSH keys or revoke access for specific users across multiple instances.
remediation: |
Enable OS Login at the project level by setting the "enable-oslogin" metadata key to "TRUE". Note that enabling OS Login disables metadata-based SSH key configurations on all instances within the project.
reference:
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-os-login.html
- https://cloud.google.com/compute/docs/oslogin
tags: cloud,devops,gcp,gcloud,compute,security,ssh,oslogin,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
code(3)
for(let instance of iterate(template.instances)){
instance = JSON.parse(instance)
set("instanceName", instance.name)
set("zone", instance.zone)
code(4)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud compute project-info describe --project $projectId --format="json(commonInstanceMetadata.items)" | jq '.commonInstanceMetadata.items[]? | select(.key=="enable-oslogin") | .value // "null"'
matchers:
- type: word
words:
- "FALSE"
- "null"
condition: or
extractors:
- type: dsl
dsl:
- '"OS Login is not enabled at project level for project " + projectId'
- engine:
- sh
- bash
source: |
gcloud compute instances list --project $projectId --format="json(name,zone.basename())"
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud compute instances describe $instanceName --zone $zone --project $projectId --format="json(metadata.items)" | jq '.items[]? | select(.key=="enable-oslogin") | .value // "null"'
matchers:
- type: word
words:
- "FALSE"
- "null"
condition: or
extractors:
- type: dsl
dsl:
- '"OS Login is not enabled for instance " + instanceName + " in zone " + zone + " of project " + projectId'
# digest: 490a0046304402200645c5e3bb349efa34c33b0df0f765c08f3e6606070dd534685b4387d178b2aa0220495288319a1fed9eb52bab11b609582575ba770d0676ad330a4f5d32cc081fb5:922c64590222798bb761d5b6d8e72950