View patch summary for VMs


This document describes the patch summary information on the Patch dashboard of the Google Cloud console. From this dashboard, you can do the following:

  • View the patch summary information for your VMs in a project, organization, or folder.
  • View the status of patch jobs in your project.
  • View the status of scheduled patch deployments.

Before you begin

  • Review OS Config quotas.
  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

Required roles and permissions

To get the permissions that you need to view patch summary, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to view patch summary. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to view patch summary:

  • View patch summary for VMs in an organization or folder:
    • osconfig.upgradeReports.getSummary
    • resourcemanager.projects.get
    • resourcemanager.projects.list
  • View patch summary for VMs in a project (Projects tab):
    • osconfig.upgradeReports.searchSummaries
    • resourcemanager.projects.get
    • resourcemanager.projects.list

You might also be able to get these permissions with custom roles or other predefined roles.

View patch summary for VMs in an organization or folder

You can set the view scope to an organization or folder and view the patch summary for VMs in all projects in that organization or folder.

Only those projects in your organization or folder that meet one of the following requirements are listed in the Patch summary table:

  • Contains one or more VMs on which VM Manager is enabled and running.
  • Contains one or more VMs on which VM Manager was running in the past 7 days and patch data is available.

To view patch summary for VMs in an organization or folder, do the following:

  1. In the Google Cloud console, go to the Compute Engine > VM Manager > Patch page.

    Go to the Patch page

  2. In the project drop-down list on the Google Cloud console, select the organization or folder for which you want to see the patch summary information.
  3. Click the Projects tab.
  4. Optional: Specify the criteria for patch summary computation by using the query builder.
  5. Review patch summary information in the Patch summary table. The table includes a row for each project as shown in the following figure:

    Patch summary for all projects.

    The Patch summary table lists the following information that meets the criteria you've specified in the query builder:

    • Project: The name of projects in the organization that contain at least one VM and have VM Manager enabled.

      Clicking on the project name opens the VM instances tab that lists the patch status of individual VMs in the project.

    • Total VMs: Total number of VMs in each project.

    • Monitored VMs: Number of VMs in the project that have VM Manager agent enabled and are being scanned for patches.

    • Critical: Number of VMs with at least one CRITICAL patch available.

    • Important: Number of VMs with one or more IMPORTANT patches available.

    • Other: Number of VMs for which there are patches available with a severity rating below CRITICAL or IMPORTANT.

    • Up to date: Number of VMs without any available patches.

    • No data: Number of VMs with no patch data available. Either VM Manager is not enabled for these VMs, or their operating system is not supported.

  6. Optional: Apply table filters if you want to view specific rows in the Patch summary table:

    Table filter in the patch summary table.

    For example, if you want to see patch summary for projects that have more than 10 VMs, then set the filter option Total VMs to >= 10.

Use query builder to filter the patch summary information

Based on the criteria that you specify using the query builder, VM Manager computes and displays the patch summary for VMs in the projects in your organization or folder. You can then use the table filters in the Patch summary table to filter the displayed data.

For example, when you set the OS attribute in the query builder as Debian, VM Manager displays patch information for all VMs with Debian OS. If you want to view the patch summary for VMs in a specific project, use the filter to specify the project ID.

Query builder with one attribute.

To set a query in the query builder, do the following:

  1. Select an Attribute. The query builder supports the following attributes:

    • OS: Specify the short names of the operating systems such as Windows or Debian.
    • OS version: Specify the version of the operating system. For example, 21.04 or 10.0.22000. You can specify a single asterisk (*) at the end of the OS version string to denote partial match, for example 10*.
    • VM running: Specify whether you want to view patch summary for VMs that are in the RUNNING state.
    • CVE ID: The identifier of the CVE that is fixed by a particular patch, in the CVE-2023-12345 format. If this attribute is set, only those patches that are related to the given CVE ID are considered to compute the patch summary information.
    • Patch available: Set this attribute to true to compute patch summary information only for those VMs with at least one patch available.
    • Patch severity: Specify the severity of patches applicable to the VMs.
  2. Choose one of the attributes and specify a value for the attribute. For example, if you want to see patch summary for VMs with a specific operating system, then select OS. You then get a list of comparison operators to choose from.

    1. Select an Operator, for example, ==.
    2. In the Value field, specify the comparison value. For example, Debian.
  3. To add another attribute, click Add condition.

  4. Click Search.
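
The column definitions and query builder attributes described above, modeled in Python over a constructed VM inventory. This is an added example, not Google's code or the OS Config API: the field names, the `summarize` function, and the rule that a VM can count in more than one severity column (a literal reading of the column definitions) are assumptions.

```python
# Simplified model of the Patch summary columns and query builder attributes.
# All data below is constructed; field names are assumptions, not an API schema.
KEYS = ("total", "monitored", "critical", "important", "other", "up_to_date", "no_data")

def P(severity, *cves):
    return {"severity": severity, "cves": list(cves)}

def VM(project, os, version, running, monitored, *patches):
    return {"project": project, "os": os, "version": version,
            "running": running, "monitored": monitored, "patches": list(patches)}

VMS = [
    VM("proj-a", "Debian", "11", True, True, P("CRITICAL", "CVE-2023-12345"), P("LOW")),
    VM("proj-a", "Debian", "10", True, True),
    VM("proj-a", "Windows", "10.0.22000", False, True, P("IMPORTANT")),
    VM("proj-b", "Windows", "10.0.20348", True, True, P("CRITICAL", "CVE-2023-12345"), P("IMPORTANT")),
    VM("proj-b", "Debian", "9", True, False),  # VM Manager not enabled -> No data
]

def version_matches(pattern, version):
    # A single trailing asterisk denotes a partial (prefix) match, e.g. "10*".
    if pattern.endswith("*"):
        return version.startswith(pattern[:-1])
    return version == pattern

def summarize(vms, os=None, os_version=None, running=None,
              cve_id=None, patch_available=None, severity=None):
    rows = {}  # one row per project, as in the Patch summary table
    for vm in vms:
        if os is not None and vm["os"] != os:
            continue
        if os_version is not None and not version_matches(os_version, vm["version"]):
            continue
        if running is not None and vm["running"] != running:
            continue
        # CVE ID and Patch severity narrow which patches are considered.
        patches = [p for p in vm["patches"]
                   if (cve_id is None or cve_id in p["cves"])
                   and (severity is None or p["severity"] == severity)]
        if patch_available and not patches:
            continue
        row = rows.setdefault(vm["project"], dict.fromkeys(KEYS, 0))
        row["total"] += 1
        if not vm["monitored"]:
            row["no_data"] += 1
            continue
        row["monitored"] += 1
        sevs = {p["severity"] for p in patches}
        row["up_to_date"] += not sevs
        row["critical"] += "CRITICAL" in sevs
        row["important"] += "IMPORTANT" in sevs
        row["other"] += bool(sevs - {"CRITICAL", "IMPORTANT"})
    return rows
```

Calling `summarize(VMS, cve_id="CVE-2023-12345", patch_available=True)` shows how a CVE-scoped query reduces each project's row to the VMs still exposed to that CVE.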
