Google Compute Engine

OS Login Disabled

Ensure that OS login is enabled for the GCP project.

Risk Level: Low

Description

This plugin checks whether OS Login is disabled for the project and ensures that it is active for all VM instances. With OS Login, SSH access is granted or revoked through IAM roles instead of by adding or removing SSH keys in project or instance metadata. As a result, you do not need to generate and manage individual SSH keys to access your instances.

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that allows you to create Virtual Machines based on your preferences and run them on Google’s infrastructure. You can either use predefined machine types with default configurations or create a custom Virtual Machine to meet your exact requirements.

Impact

If OS Login is disabled for a Google Cloud project, SSH access to its instances cannot be managed centrally through IAM. Instead, each SSH key must be created, distributed and revoked independently.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select Metadata under the Settings section. You can use this link (https://console.cloud.google.com/compute/metadata) to navigate directly if you’re already logged in.
  4. In the Metadata tab of the Metadata page, check if there is any key present with the name enable-oslogin. If it has a corresponding value of FALSE or if there is no key with the name enable-oslogin, then the OS login feature is not enabled in your Google Cloud Platform at the project level.
  5. Next, select VM instances from the navigation panel to go to the VM instances page and access the list of all Virtual Machine instances for the chosen GCP project. This is necessary because instance metadata overrides the project configuration. As a result, it is highly advised to confirm that no individual instance has OS login disabled.
  6. From the list of instances, choose the VM instance you want to check and go to the Details tab to examine the details of the VM instance selected.
  7. Scroll down to the Custom metadata section and check if there is any key with the name enable-oslogin. If it has a corresponding value of FALSE or if there is no key with the name enable-oslogin, then the OS login feature is not enabled in the selected Virtual Machine (VM) instance.

  8. Repeat steps 6 and 7 for all the VM instances in the selected project.
  9. If you have multiple projects that you want to investigate, repeat steps 2-8 for each project in your GCP console.
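As an added example (not part of the plugin's own code), the following Python applies the project-then-instance check described above to metadata in the Compute Engine API shape (lists of key/value items); the project and instance names in the sample data are constructed.

```python
# Added example (not the plugin's own code): decide whether OS Login is
# effectively enabled for each VM, given metadata in the Compute Engine API
# shape (lists of {"key": ..., "value": ...}). Sample data is constructed.

OSLOGIN_KEY = "enable-oslogin"

def metadata_flag(items, key=OSLOGIN_KEY):
    """True/False for the key's value, or None if the key is absent.
    Compute Engine compares the value case-insensitively ("TRUE" == "true")."""
    for item in items or []:
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower() == "true"
    return None

def effective_oslogin(project_items, instance_items):
    """Instance metadata overrides project metadata; absent at both levels
    means OS Login is disabled (the default)."""
    instance_flag = metadata_flag(instance_items)
    if instance_flag is not None:
        return instance_flag
    return bool(metadata_flag(project_items))

def audit_project(project):
    """Return {instance name: finding} for every VM in the project dict,
    which carries commonInstanceMetadata.items and a list of instances."""
    project_items = project.get("commonInstanceMetadata", {}).get("items", [])
    findings = {}
    for inst in project.get("instances", []):
        items = inst.get("metadata", {}).get("items", [])
        if effective_oslogin(project_items, items):
            findings[inst["name"]] = "PASS: OS Login enabled"
        else:
            level = "instance" if metadata_flag(items) is not None else "project"
            findings[inst["name"]] = f"FAIL: OS Login disabled ({level}-level metadata)"
    return findings

# Constructed sample: the project enables OS Login, but one VM overrides it.
SAMPLE_PROJECT = {
    "commonInstanceMetadata": {"items": [{"key": OSLOGIN_KEY, "value": "TRUE"}]},
    "instances": [
        {"name": "web-1", "metadata": {"items": []}},
        {"name": "legacy-db", "metadata": {"items": [{"key": OSLOGIN_KEY, "value": "FALSE"}]}},
    ],
}

if __name__ == "__main__":
    for name, finding in audit_project(SAMPLE_PROJECT).items():
        print(f"{name}: {finding}")
```

The same logic applies to the JSON returned by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, which is how you would feed real project data into `audit_project`.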

Steps for Remediation

Determine whether or not you truly require OS login to be disabled. If not, make the necessary changes to enable OS login for your Google Cloud projects.

The steps to enable OS login are-
Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select Metadata under the Settings section. You can use this link (https://console.cloud.google.com/compute/metadata) to navigate directly if you’re already logged in.
  4. Click Edit and then click Add item to add a new metadata item with the key enable-oslogin and the value TRUE. If an item with the key enable-oslogin already exists but its value is FALSE, edit the value of that item to TRUE. Then click Save to save the changes.
  5. Next, select VM instances from the navigation panel to go to the VM instances page.
  6. From the list of instances, choose the VM instance you want to reconfigure. (In case you aren’t sure which instance needs to be configured, follow the steps to reproduce listed above to determine which instance to choose.)
  7. Select the Edit option from the top navigation bar of the VM instance details page.
  8. Scroll down to the Custom metadata section and delete any metadata item with key as enable-oslogin and value set to FALSE. Click save to save the changes.
  9. Repeat steps 6 to 8 for all the VM instances you want to reconfigure in the selected project.
  10. If you have multiple projects, repeat steps 2-9 for each project in your GCP console.