Disable Interactive Serial Console Support

Risk Level: Medium (should be achieved)

Rule ID: ComputeEngine-003

Ensure that "Enable connecting to serial ports" configuration setting is disabled for all your production Google Compute Engine instances.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

A Google Cloud virtual machine (VM) instance has 4 virtual serial ports. On your VM instances, the operating system (OS), BIOS, and other system-level entities write often output data to the serial ports and can accept input, such as commands or answers, to prompts. Usually, these system-level entities use the first serial port (Port 1) and Serial Port 1 is often referred to as the interactive serial console. This interactive serial console does not support IP-based access restrictions such as IP address whitelists. If you enable the interactive serial console on your VM instance, clients can attempt to connect to your instance from any IP address and this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone. To adhere to cloud security best practices and reduce the risk of unauthorized access, interactive serial console support should be disabled for all instances used in production.

Audit

To determine if interactive serial console support is enabled for your Google Cloud virtual machine (VM) instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Click EDIT to access the instance configuration edit mode, then under Remote access check the Enable connecting to serial ports configuration setting status. If the Enable connecting to serial ports setting checkbox is selected, the verified Google Compute Engine instance is configured with interactive serial console support, therefore the instance configuration is not secure and compliant.

07 Repeat step no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-production-web-project-112233
cc-application-stack-project-123123

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance provisioned within the selected project:

gcloud compute instances list
	--project cc-production-web-project-112233
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                   ZONE
cc-prod-vm1-instance   us-central1-a
cc-prod-vm2-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the configuration metadata available for the selected VM instance:

gcloud compute instances describe cc-prod-vm1-instance
	--zone us-central1-a
	--format="json(metadata.items)"

06 The command output should return the requested instance configuration metadata:

{
  "metadata": {
    "items": [
      {
        "key": "block-project-ssh-keys",
        "value": "true"
      },
      {
        "key": "ssh-keys",
        "value": "prod-ssh:ssh-rsa ... prod-ssh"
      },
      {
        "key": "serial-port-enable",
        "value": "true"
      }
    ]
  }
}

If the compute instances describe command output lists the "serial-port-enable" metadata item with the value set to "true", as shown in the output example above, the selected Google Compute Engine instance is configured with interactive serial console support, therefore the instance configuration is not secure and compliant.

07 Repeat step no. 5 and 6 for each virtual machine instance provisioned in the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To disable interactive serial console support for your production Google Compute Engine instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances created for the selected project.

05 Click on the name of the VM instance that you want to reconfigure.

06 On the selected instance configuration page, click EDIT to enter the edit mode.

07 Under Remote access, unselect Enable connecting to serial ports configuration setting to disable interactive serial console support for the selected Google Cloud VM instance.

08 Click Save to apply the configuration changes.

09 If required, repeat steps no. 5 – 7 to reconfigure other virtual machine instances provisioned for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances add-metadata command (Windows/macOS/Linux) using the name and the zone of the instance that you want to reconfigure as identifier (see Audit section part II to identify the right resource), to update the configuration metadata and disable the interactive serial console support for the selected Google Compute Engine instance:

gcloud compute instances add-metadata cc-prod-vm1-instance
	--zone us-central1-a
	--metadata=serial-port-enable=false

02 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-production-web-project-112233/zones/us-central1-a/instances/cc-prod-vm1-instance].

03 If required, repeat steps no. 1 and 2 to reconfigure other virtual machine instances available within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Compute Engine
Interacting with the serial console

CIS Security Documentation
Securing Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud compute instances list
gcloud compute instances describe
gcloud compute instances add-metadata

Publication date Mar 12, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Disable Interactive Serial Console Support

Risk Level: Medium

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ComputeEngine rules