This page provides an overview of OS inventory management. For information on setting up and using OS inventory management, see Viewing operating system details.
Use OS inventory management to collect and view operating system details for your virtual machine (VM) instances. These operating system details include information such as hostname, operating system, and kernel version. You can also get information about installed OS packages, available OS package updates, Windows applications and OS vulnerabilities.
When to use OS inventory management
OS inventory management can be used to complete the following tasks:
- Identify VMs that are running a specific version of an operating system
- View operating system packages that are installed on a VM
- Generate a list of operating system package updates that are available for each VM
- Identify missing operating system packages, updates, or patches for a VM
- View vulnerability reports for a VM
How OS inventory management works
When OS inventory management is enabled, the OS Config agent runs an inventory scan to collect data, and then sends this information to the metadata server, OS Config API, and various log streams. This scan runs every 10 minutes on the VM.
To enable OS inventory management, VM Manager must be set up on the VM. See Set up VM Manager.
After you set up VM Manager, you can then query either the guest attributes or the OS Config API to retrieve information about the operating system that is running on a VM. See View operating system details.
How the operating system data is collected
For Linux VMs, the OS Config agent runs on the VM and parses the /etc/os-release file, or the equivalent file for the Linux distribution, to gather operating system details. The OS Config agent also uses package managers such as apt, yum, or GooGet to collect information about the installed packages and available updates for the instance.
For Windows VMs, the OS Config agent uses the Windows system APIs to collect the OS information details. The Windows Update agent is also used to find the installed and available updates.
Where the operating system data is stored
Inventory data is stored in the OS Config API. The contents for the installed packages and package updates are compressed using gzip to save space and then base64 encoded.
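The storage encoding described above can be reversed offline when you need to inspect a raw inventory value. The following is an added example, not code from the OS Config project: the function names, the size cap, and the JSON layout inside the blob (a map of package manager to package records with Name, Arch and Version) are assumptions, and the sample data is constructed.

```python
import base64
import gzip
import io
import json

MAX_DECODED_BYTES = 8 * 1024 * 1024  # assumed cap; guards against decompression bombs


def decode_inventory_blob(blob: str, limit: int = MAX_DECODED_BYTES):
    """Reverse the storage encoding: base64 -> gzip -> JSON."""
    raw = base64.b64decode(blob, validate=True)  # reject non-base64 characters
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(limit + 1)  # read at most one byte past the cap
    if len(data) > limit:
        raise ValueError("decompressed inventory exceeds size limit")
    return json.loads(data)


def encode_inventory_blob(obj) -> str:
    """Build a constructed sample the same way (gzip, then base64)."""
    return base64.b64encode(gzip.compress(json.dumps(obj).encode())).decode()


def pending_updates(installed_blob: str, updates_blob: str):
    """Return sorted (manager, name, installed_version, available_version) tuples."""
    installed = decode_inventory_blob(installed_blob)
    updates = decode_inventory_blob(updates_blob)
    pending = []
    for manager, pkgs in updates.items():
        current = {p["Name"]: p["Version"] for p in installed.get(manager, [])}
        for pkg in pkgs:
            if pkg["Name"] in current and current[pkg["Name"]] != pkg["Version"]:
                pending.append((manager, pkg["Name"], current[pkg["Name"]], pkg["Version"]))
    return sorted(pending)


# Constructed sample data; the per-package-manager layout and field names are assumptions.
SAMPLE_INSTALLED = encode_inventory_blob({"deb": [
    {"Name": "openssl", "Arch": "x86_64", "Version": "3.0.11-1"},
    {"Name": "bash", "Arch": "x86_64", "Version": "5.2.15-2"},
]})
SAMPLE_UPDATES = encode_inventory_blob({"deb": [
    {"Name": "openssl", "Arch": "x86_64", "Version": "3.0.13-1"},
]})

if __name__ == "__main__":
    for row in pending_updates(SAMPLE_INSTALLED, SAMPLE_UPDATES):
        print(row)
```

Treat the blob as untrusted input when it comes from a VM you are investigating: the size cap and strict base64 validation keep a tampered value from exhausting memory in your tooling.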
Logging
During the collection and storage of data, the OS Config agent writes activity logs to the various log streams on Compute Engine. These include:
- The serial port
- System logs - Windows event log and Linux syslog
- Standard streams - stdout
- Cloud Logging logs - These logs are only available if Cloud Logging is enabled on the VM instance.
Information provided by OS inventory management
OS inventory management can provide the following information about the operating system that is running on your VM instance:
- Hostname
- LongName - The detailed operating system name. For example, Microsoft Windows Server 2016 Datacenter.
- ShortName - The short form of the operating system name. For example, Windows.
- Kernel version
- OS architecture
- OS version
- OS Config agent version
- Last updated - A timestamp of the last time the agent successfully scanned the system and updated the guest attributes with OS Inventory data.
Installed operating system package and application information
The following table summarizes the information that OS inventory management provides for installed operating system packages on Linux and Windows VMs. It also outlines the information that is available for applications that are running on Windows.
Operating system | Package manager | Available fields |
---|---|---|
Linux and Windows Server | Installed package information is available from the following package managers: | For each installed package the following information is provided: |
Windows Server | Windows update agent | The following fields are listed for the Windows updates: |
Windows Server | Windows Quick Fix Engineering updates | The following fields are listed for the QuickFixEngineering updates |
Windows Server | Windows Installer 2 | The following fields are listed for the Windows Installer: |
1 This field is hidden in the default gcloud compute instances os-inventory describe command-line output. To view this field you must view the output in the JSON format. To view the output in JSON format, append --format=JSON to the gcloud command. For more information about output formatting, review gcloud topic formats.
2 To view installer properties for your Windows applications, you need OS Config agent version 20210811 or later. To view the agent version, see View OS Config agent version.
Available operating system package update information
The following table summarizes the update information that OS inventory management provides for installed operating system packages.
Operating system | Package manager | Available fields |
---|---|---|
Linux and Windows Server | Package update information is available from the following package managers: | For each package update that is available the following information is provided: |
Windows Server | Windows update agent | The following fields are listed for the Windows updates: |
1 This field is hidden in the default gcloud compute instances os-inventory describe command-line output. To view this field you must view the output in the JSON format. To view the output in JSON format, append --format=JSON to the gcloud command. For more information about output formatting, review gcloud topic formats.
Vulnerability reports
Software vulnerabilities are weaknesses that can either cause an accidental system failure or result in malicious activity. For VMs, a vulnerability can be an issue in the code or the logic of operation for either operating system packages or software applications.
Vulnerabilities associated with the installed operating system packages are normally stored in a vulnerability source repository. For more information about these vulnerability sources, see Vulnerability sources. You can use OS inventory management to view vulnerability reports for issues with installed OS packages.
To get vulnerability data for a VM, VM Manager must be set up, and OS Config agent version dated 20201110 or later must be running on the VM. See Setting up VM Manager.
After the OS Config agent is set up and reporting inventory, the OS Config API service continuously scans and checks the vulnerability source of the operating system against the available inventory data. When a vulnerability is detected in the operating system packages, the service generates a vulnerability report. These reports are generated as follows:
- When a package is installed or updated in a VM's operating system, you can expect to see Common Vulnerabilities and Exposures (CVEs) information for the VM in VM Manager, Security Command Center, and Cloud Asset Inventory within two hours after the change.
- When new security advisories are published for an operating system, updated CVEs are normally available within 24 hours after the operating system vendor publishes the advisory.
To view these vulnerability reports, see View vulnerability reports.
How vulnerability reports are generated
VM Manager periodically completes the following tasks:
- Reads the reports that are collected from OS inventory data on a VM.
- Scans for classification data from the vulnerability source for each operating system, and orders this data based on severity (from highest to lowest), at least once daily.
- Displays the CVE data for a VM on the Google Cloud console. You can also view the vulnerability reports using Security Command Center or Cloud Asset Inventory.
Vulnerability sources
The following table summarizes the vulnerability source that is used for each operating system. For a complete list of supported operating systems and their versions, see Operating system details.
Operating system | Vulnerability source package |
---|---|
RHEL and CentOS | https://access.redhat.com/security/data |
Debian | https://security-tracker.debian.org/tracker |
Ubuntu | https://launchpad.net/ubuntu-cve-tracker |
SLES | https://ftp.suse.com/pub/projects/security/oval/ |
Rocky Linux | N/A. Vulnerability reporting is not supported on Rocky Linux. |
Windows | Vulnerability data published by Microsoft Security Response Center. |
Data retention
OS inventory and vulnerability report data is stored until the VM is deleted. However, if for any reason the OS Config agent stops reporting to the OS Config API service for a few days, then VM Manager deletes the available OS inventory and vulnerability report data collected until that point. No data will be available for that VM until the OS Config agent starts running again.
Pricing
For information about pricing, see VM Manager pricing.
What's next
- Use the OS inventory management tool to view operating system details.