OS Login Not Enabled for GCP Projects
ID: gcloud-oslogin-disabled
Severity: low
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,compute,security,ssh,oslogin,gcp-cloud-config
Description
Section titled “Description”Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management. OS Login ensures that SSH keys are mapped with Google Cloud IAM users, facilitating centralized management of SSH access.
YAML Source
Section titled “YAML Source”id: gcloud-oslogin-disabled
info: name: OS Login Not Enabled for GCP Projects author: princechaddha severity: low description: | Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management. OS Login ensures that SSH keys are mapped with Google Cloud IAM users, facilitating centralized management of SSH access. impact: | Without OS Login enabled, managing SSH access becomes decentralized and complex, making it difficult to handle compromised SSH keys or revoke access for specific users across multiple instances. remediation: | Enable OS Login at the project level by setting the "enable-oslogin" metadata key to "TRUE". Note that enabling OS Login disables metadata-based SSH key configurations on all instances within the project. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-os-login.html - https://cloud.google.com/compute/docs/oslogin tags: cloud,devops,gcp,gcloud,compute,security,ssh,oslogin,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) code(3) for(let instance of iterate(template.instances)){ instance = JSON.parse(instance) set("instanceName", instance.name) set("zone", instance.zone) code(4) } }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud compute project-info describe --project $projectId --format="json(commonInstanceMetadata.items)" | jq '.commonInstanceMetadata.items[]? | select(.key=="enable-oslogin") | .value // "null"'
matchers: - type: word words: - "FALSE" - "null" condition: or
extractors: - type: dsl dsl: - '"OS Login is not enabled at project level for project " + projectId'
- engine: - sh - bash source: | gcloud compute instances list --project $projectId --format="json(name,zone.basename())"
extractors: - type: json name: instances internal: true json: - '.[]'
- engine: - sh - bash source: | gcloud compute instances describe $instanceName --zone $zone --project $projectId --format="json(metadata.items)" | jq '.items[]? | select(.key=="enable-oslogin") | .value // "null"'
matchers: - type: word words: - "FALSE" - "null" condition: or
extractors: - type: dsl dsl: - '"OS Login is not enabled for instance " + instanceName + " in zone " + zone + " of project " + projectId'# digest: 490a0046304402200645c5e3bb349efa34c33b0df0f765c08f3e6606070dd534685b4387d178b2aa0220495288319a1fed9eb52bab11b609582575ba770d0676ad330a4f5d32cc081fb5:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/compute/gcloud-oslogin-disabled.yaml"