4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

For the virtual machines where you manage the operating system in Infrastructure as a Service (IaaS), you are responsible for keeping these operating systems and programs up to date. There are multiple ways to manage updates yourself that would be difficult to fit into one recommendation. Check the CIS Benchmarks for each of your Operating Systems as well for potential solutions there. In this recommendation we will use a feature in Google Cloud via its VM manager API to manage updates called Operating System Patch Management (referred to OS Patch Management from here on out). This may requires installing the OS Config API if it is not already installed. Also if you install custom operating systems, they may not functionally support the local OS config agent required to gather operating system patch information and issue update commands. These update commands are the default Linux and Windows commands to install updates such as yum or apt. This feature allows for a central management to issue those commands. OS Patch management also does not host the updates itself, so your VMs will need to be public or be able to access the internet. This is not the only Patch Management solution available to your organization and you should weigh your needs before committing to using this.

Rationale:

Keeping an operating system up to date is the best way to secure against ever evolving known vulnerabilities and bugs in programs that can be used in cyber attacks by bad actors.

Impact:

Most Operating Systems require a restart or changing critical resources to apply the updates. Make certain to apply updates during a time of low availability, as unforeseen complications may cause an outage of services. Using the Google Cloud VM manager for its OS Patch management will incur additional costs for each VM managed by it. Please view the VM manager pricing reference for further information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enabling OS Patch Management on a Project by Project Basis

Install OS Config API for the Project

Navigate into a project. In the expanded hamburger menu located at the top left of the screen hover over 'APIs & Services'. Then in the menu right of that select 'API Libraries'

Search for 'VM Manager (OS Config API) or scroll down in the left hand column and select the filter labeled 'Compute' where it is the last listed. Open this API.

Click the blue 'Enable' button.

Add MetaData Tags for OSConfig Parsing

From the main Google Cloud console, open the hamburger menu in the top left. Mouse over Computer Engine to expand the menu next to it.

Under the 'Settings' heading, select 'Metadata'.

In this view there will be a list of the project wide metadata tags for VMs. Click edit and 'add item' in the key column type 'enable-osconfig' and in the value column set it to 'true'.

From Command Line

For project wide tagging, run the following command

gcloud compute project-info add-metadata \
--project <PROJECT_ID>\
--metadata=enable-osconfig=TRUE

Please see the reference /compute/docs/troubleshooting/vm-manager/verify-setup#metadata-enabled at the bottom for more options like instance specific tagging.
Note: Adding a new tag via commandline may overwrite existing tags. You will need to do this at a time of low usage for the least impact.

Install and Start the Local OSConfig for Data Parsing

There is no way to centrally manage or start the Local OSConfig agent. Please view the reference of manage-os#agent-install to view specific operating system commands.

Setup a project wide Service Account

Please view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.

Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting

For the sake of brevity, please see the attached resources to enable NAT or Private Google Access. Rerun the audit procedure to test if it has taken effect.
From Command Line:

Install OS Config API for the Project

In each project you wish to audit run gcloud services enable osconfig.googleapis.com

Install and Start the Local OSConfig for Data Parsing

Please view the reference of manage-os#agent-install to view specific operating system commands.

Setup a project wide Service Account

Please view Recommendation 4.1 to view how to setup a service account. Rerun the audit procedure to test if it has taken effect.

Enable NAT or Configure Private Google Access to allow Access to Public Update Hosting

For the sake of brevity, please see the attached resources to enable NAT or Private Google Access. Rerun the audit procedure to test if it has taken effect.
Determine if Instances can connect to public update hosting
Linux
Debian Based Operating Systems

sudo apt update

The output should have a numbered list of lines with Hit: URL of updates.
Redhat Based Operating Systems

yum check-update

The output should show a list of packages that have updates available.
Windows

ping http://windowsupdate.microsoft.com/

The ping should successfully be delivered and received.

Default Value:

By default most operating systems and programs do not update themselves. The Google Cloud VM Manager which is a dependency of the OS Patch management feature is installed on Google Built OS images with a build date of v20200114 or later. The VM manager is not enabled in a project by default and will need to be setup.

See Also

https://workbench.cisecurity.org/files/3817