Require OS Login

More Info:

Ensure that “Require OS Login” constraint policy is enforced at the GCP organization level in order to enable OS Login feature on all newly created Google Cloud projects within your organization. The OS Login provides you with centralized and automated SSH key pair management.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP, ISO27001, HIPAA

Triage and Remediation

Remediation

Using Console

Using CLI

The “Require OS Login” feature in GCP ensures that all users who need to access an instance must have a valid user account on the instance. It can be remediated using the following steps:

Open the Cloud Shell in GCP console.
Run the following command to enable the “Require OS Login” feature for all instances in the project:
```
gcloud compute project-info add-metadata \
--metadata enable-oslogin=TRUE
```
Run the following command to update all existing instances in the project to use the “Require OS Login” feature:
```
gcloud compute instances add-metadata \
--metadata enable-oslogin=TRUE --all
```
If you create a new instance, the “Require OS Login” feature will be enabled by default. However, if you want to disable it for a specific instance, you can do so by running the following command:
```
gcloud compute instances add-metadata INSTANCE_NAME \
--metadata enable-oslogin=FALSE
```
Replace INSTANCE_NAME with the name of the instance you want to disable the feature for.

By following the above steps, you can remediate the “Require OS Login” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Require OS Login” misconfiguration in GCP using Python, you can follow the below steps:Step 1: Import the required libraries and authenticate the user credentials using Google Cloud SDK.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Authenticate the user credentials
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
service = build('compute', 'v1', credentials=credentials)

Step 2: Get the list of all instances in the project.

project = '<project_id>'
zone = '<zone>'

# Get the list of all instances
instances = service.instances().list(project=project, zone=zone).execute()

Step 3: Iterate through the list of instances and update the metadata to enable “Require OS Login”.

for instance in instances['items']:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]

    # Get the current metadata of the instance
    metadata = service.instances().get(project=project, zone=instance_zone, instance=instance_name).execute()['metadata']

    # Update the metadata to enable "Require OS Login"
    metadata['items'].append({'key': 'enable-oslogin', 'value': 'TRUE'})

    # Set the updated metadata to the instance
    request = service.instances().setMetadata(project=project, zone=instance_zone, instance=instance_name, body=metadata)
    response = request.execute()

Step 4: Verify if the “Require OS Login” is enabled for all instances.

for instance in instances['items']:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]

    # Get the current metadata of the instance
    metadata = service.instances().get(project=project, zone=instance_zone, instance=instance_name).execute()['metadata']

    # Verify if the "Require OS Login" is enabled
    for item in metadata['items']:
        if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
            print(f"Require OS Login is enabled for instance {instance_name}")
            break
    else:
        print(f"Require OS Login is not enabled for instance {instance_name}")

Note: Make sure to replace the <path_to_service_account_file>, <project_id> and <zone> with the actual values in the code.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation