Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: Ensure OS login is enabled for all instances in the Project

Description

Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.compute_instance_oslogin_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.compute_instance_oslogin_enabled --share

SQL

This control uses a named query:

  with project_metadata as (
    select
      m.project,
      coalesce(
        (
          select lower(item ->> 'value')
          from jsonb_array_elements(m.common_instance_metadata -> 'items') as item
          where lower(item ->> 'key') = 'enable-oslogin'
          limit 1
        ), ''
      ) as project_oslogin
    from
      gcp_compute_project_metadata m
  ), instance_metadata as (
    select
      i.self_link,
      i.title,
      i.project,
      i.tags,
      i.location,
      i._ctx,
      coalesce(
        (
          select lower(item ->> 'value')
          from jsonb_array_elements(i.metadata -> 'items') as item
          where lower(item ->> 'key') = 'enable-oslogin'
          limit 1
        ), ''
      ) as instance_oslogin
    from
      gcp_compute_instance i
  )
select
  i.self_link as resource,
  case
    when pm.project_oslogin = '' then 'alarm'
    when pm.project_oslogin in ('false', 'n', 'no', '0') then 'alarm'
    when pm.project_oslogin in ('true', 'y', 'yes', '1')
        and i.instance_oslogin in ('false', 'n', 'no', '0') then 'alarm'
    else 'ok'
  end as status,
  case
    when pm.project_oslogin = '' then i.title || ' has OS login disabled at project level.'
    when pm.project_oslogin in ('false', 'n', 'no', '0') then i.title || ' has OS login disabled at project level.'
    when pm.project_oslogin in ('true', 'y', 'yes', '1') and i.instance_oslogin in ('false', 'n', 'no', '0') then i.title || ' OS login setting is disabled at instance level.'
    when pm.project_oslogin in ('true', 'y', 'yes', '1') and i.instance_oslogin = '' then i.title || ' inherits OS login enabled setting from project level.'
    else i.title || ' OS login enabled.'
  end as reason
  
  , i.location as location, i.project as project
from
  instance_metadata i
  left join project_metadata pm on pm.project = i.project;

Tags

category = Compliance
nist_800_53_rev_5 = true
nist_csf_v2 = true
plugin = gcp
service = GCP/Compute
soc_2_2017 = true