OS Login Should Be Enabled

More Info:

Enable OS login to ensure that SSH keys used to connect to instances are mapped with IAM users.

Risk Level

High

Address

Security

Compliance Standards

SOC2, PCIDSS, ISO27001, HIPAA, CISGCP, CBP, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI, you can follow these steps:

Open the Cloud Shell from the GCP Console.
Run the following command to enable OS Login for all users in your project:

gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

If you want to enable OS Login for a specific instance, you can use the following command:

gcloud compute instances add-metadata INSTANCE_NAME --metadata enable-oslogin=TRUE

Replace INSTANCE_NAME with the name of the instance for which you want to enable OS Login.

If you want to enable OS Login for a specific user, you can use the following command:

gcloud compute os-login ssh-keys add --key-file=PUBLIC_KEY_FILE --ttl=TTL USERNAME

Replace PUBLIC_KEY_FILE with the path to the public key file, TTL with the time-to-live for the key (in seconds), and USERNAME with the username of the user for whom you want to enable OS Login.

Verify that OS Login is enabled by running the following command:

gcloud compute project-info describe --format="value(commonInstanceMetadata.items.filter(key:enable-oslogin).value)"

This command will return TRUE if OS Login is enabled for your project.That’s it! By following these steps, you should be able to remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “OS Login Should Be Enabled” for GCP using Python, follow these steps:

Import the necessary libraries:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Set the project ID and zone where the VM instances are located:

project_id = 'your-project-id'
zone = 'your-zone'

Authenticate and authorize the client:

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

Retrieve the list of VM instances:

request = service.instances().list(project=project_id, zone=zone)
response = request.execute()
instances = response['items']

For each VM instance, check if OS Login is enabled:

for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    instance_id = instance['id']
    instance_url = f'/compute/v1/projects/{project_id}/zones/{instance_zone}/instances/{instance_name}'

    request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
    response = request.execute()
    metadata = response['metadata']['items']

    oslogin_enabled = False
    for item in metadata:
        if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
            oslogin_enabled = True

    if not oslogin_enabled:
        print(f"OS Login is not enabled for instance {instance_name}.")

If OS Login is not enabled, enable it:

request_body = {
    'items': [
        {
            'key': 'enable-oslogin',
            'value': 'TRUE'
        }
    ]
}

request = service.instances().setMetadata(project=project_id, zone=instance_zone, instance=instance_name, body=request_body)
response = request.execute()

Verify that OS Login is now enabled:

request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
response = request.execute()
metadata = response['metadata']['items']

oslogin_enabled = False
for item in metadata:
    if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
        oslogin_enabled = True

if oslogin_enabled:
    print(f"OS Login has been enabled for instance {instance_name}.")

Note: Make sure to replace “your-project-id” and “your-zone” with your actual project ID and zone.

Additional Reading:

https://cloud.google.com/compute/docs/instances/managing-instance-access

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

OS Login Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: