Software vulnerabilities are weaknesses that can either cause an accidental system failure or result in malicious activity. For more information, see Vulnerability reports.
This document describes how to set up your VMs using VM Manager and view the vulnerability reports for your operating systems.
Before you begin
- Review OS Config quotas.
- Set up VM Manager.
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Supported operating systems
For the full list of operating systems and versions for which you can get vulnerability reports using VM Manager, see Operating system details.
Required roles and permissions
To get the permissions that you need to view vulnerability reports, ask your administrator to grant you the following IAM roles on the project:
- To view vulnerability reports using the gcloud CLI or API: OS Config Vulnerability Report Viewer (roles/osconfig.vulnerabilityReportViewer)
- To view vulnerability reports using the Google Cloud console:
  - OS Config Vulnerability Report Viewer (roles/osconfig.vulnerabilityReportViewer)
  - OS Inventory Viewer (roles/osconfig.inventoryViewer)
- To view CVE information in the VM instance details dialog on the Patch page:
  - Patch Deployment Viewer (roles/osconfig.patchDeploymentViewer)
  - Patch Job Viewer (roles/osconfig.patchJobViewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
In addition to these roles, to access Compute Engine resources by using the Google Cloud console, you must have a role that contains the compute.projects.get permission on the project.
View vulnerability reports
To view vulnerability reports, you can use any of the following options:
- Use the Google Cloud console, gcloud CLI or API.
- If you are a Security Command Center premium tier user, use the Security Command Center dashboard.
- Use Cloud Asset Inventory.
View vulnerability reports using the Google Cloud console, gcloud CLI, or API
Use one of the following methods to view vulnerability reports for your VMs.
Console
To view OS vulnerability reports for a VM by using the Google Cloud console, perform the following steps:
- In the Google Cloud console, go to the VM instances page.
- Click the name of the instance for which you want to view the OS information. The Instance details page appears.
- Click the OS info tab.
To view OS inventory data, you must enable VM Manager. If the Google Cloud console prompts you to enable VM Manager, select one of the following options:
  - Enable for current project: enables VM Manager for all VMs in the selected project
  - Enable for this VM: enables VM Manager only for the selected VM
- Review the list of OS vulnerabilities in the OS info tab.
gcloud
To view vulnerability reports for VMs in a specific zone, use the os-config vulnerability-reports list command. For example, to list all the VMs that have inventory data, run the following command:
gcloud compute os-config vulnerability-reports list \
    --location=ZONE
Replace ZONE with the zone where the VM is located.
Example
gcloud compute os-config vulnerability-reports list \
    --location=us-west2-a
Example output
INSTANCE_ID         VULNERABILITY_COUNT  UPDATE_TIME
29255009728795105   2                    2021-04-13T19:10:10.303046Z
307058717116242358  1                    2021-04-13T19:10:10.303046Z
To view the vulnerability report for a specific VM, run the os-config vulnerability-reports describe command, specifying the INSTANCE_ID returned from the previous step or the INSTANCE_NAME.
gcloud compute os-config vulnerability-reports describe VM_NAME \
    --location=ZONE
Replace the following:
- VM_NAME: the name for your VM
- ZONE: the zone where the VM instance is located
Example
gcloud compute os-config vulnerability-reports describe vm1-centos \
    --location=us-west2-a
Example output
┌───────────────────────────────────────────────────────────────────┐
│                          Vulnerabilities                          │
├──────────────────┬──────────┬───────────────┬─────────────────────┤
│       CVE        │ SEVERITY │ CVSS_V3_SCORE │     CREATE_TIME     │
├──────────────────┼──────────┼───────────────┼─────────────────────┤
│ CVE-2012-6655    │ LOW      │ 3.3           │ 2021-04-29T22:19:53 │
│ CVE-2016-1585    │ MEDIUM   │ 9.8           │ 2021-04-29T22:19:53 │
│ CVE-2016-2781    │ LOW      │ 6.5           │ 2021-04-29T22:19:53 │
│ CVE-2019-7306    │ LOW      │ 7.5           │ 2021-04-29T22:19:53 │
│ CVE-2020-13776   │ LOW      │ 6.7           │ 2021-04-29T22:19:53 │
│ CVE-2021-31879   │ MEDIUM   │ 6.1           │ 2021-05-05T06:11:53 │
└──────────────────┴──────────┴───────────────┴─────────────────────┘
name: projects/384587888288/locations/us-west2-a/instances/29255009728795105/vulnerabilityReport
updateTime: '2021-05-11T22:29:50'
REST
To view vulnerability reports for VMs in a specific zone, create a GET request to the projects.locations.instances.vulnerabilityReports method.
GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/-/vulnerabilityReports
Replace the following:
- PROJECT_ID: your project ID
- ZONE: the zone where the VMs are located
To view the vulnerability report for a specific VM, create a GET request to the projects.locations.instances.getVulnerabilityReport method.
GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE/vulnerabilityReport
Replace the following:
- PROJECT_ID: your project ID
- ZONE: the zone where the VM instance is located
- INSTANCE: specify either the instance ID or the name for your VM
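The gcloud list/describe steps and the REST endpoints above return the same report data; as an added example that is not part of Google's documentation, the following Python script triages the JSON body of the zone-wide list endpoint offline on a constructed sample, ranking by the numeric CVSS v3 score rather than the SEVERITY label (the describe output above shows the two can disagree) and flagging whether the OS vendor already ships a fix. The field names (vulnerabilityReports, details.cve, details.severity, details.cvssV3.baseScore, availableInventoryItemIds) are assumed from the v1 VulnerabilityReport resource; the project number and package IDs are made up.

```python
import json

# Constructed stand-in for the JSON body returned by
# GET .../locations/ZONE/instances/-/vulnerabilityReports. Values are made up;
# the field names are assumed from the v1 VulnerabilityReport resource.
SAMPLE_RESPONSE = json.dumps({"vulnerabilityReports": [
    {"name": "projects/123/locations/us-west2-a/instances/29255009728795105/vulnerabilityReport",
     "vulnerabilities": [
         {"details": {"cve": "CVE-2016-1585", "severity": "MEDIUM", "cvssV3": {"baseScore": 9.8}},
          "availableInventoryItemIds": ["pkg-a-1.1"]},
         {"details": {"cve": "CVE-2019-7306", "severity": "LOW", "cvssV3": {"baseScore": 7.5}},
          "availableInventoryItemIds": []},
         {"details": {"cve": "CVE-2012-6655", "severity": "LOW", "cvssV3": {"baseScore": 3.3}},
          "availableInventoryItemIds": ["pkg-c-1.0"]}]},
    {"name": "projects/123/locations/us-west2-a/instances/307058717116242358/vulnerabilityReport",
     "vulnerabilities": [
         {"details": {"cve": "CVE-2021-31879", "severity": "MEDIUM"},  # no cvssV3 block
          "availableInventoryItemIds": ["pkg-d-3.2"]}]}]})


def instance_id(report_name):
    """Pull the instance ID out of a vulnerabilityReport resource name."""
    parts = report_name.split("/")
    return parts[parts.index("instances") + 1]


def triage(response_json, min_score=7.0):
    """Flatten a list response into rows worth acting on.

    A row is kept when its CVSS v3 base score is >= min_score, or when the
    score is missing (an unscored entry is unknown, not low, so it is kept
    for manual review). The score is used instead of the SEVERITY label
    because the two can disagree. "fixable" is True when the report names an
    available inventory item, i.e. the vendor ships an updated package.
    Rows come back highest score first, unscored rows last.
    """
    rows = []
    for report in json.loads(response_json).get("vulnerabilityReports", []):
        inst = instance_id(report["name"])
        for vuln in report.get("vulnerabilities", []):
            details = vuln.get("details", {})
            score = details.get("cvssV3", {}).get("baseScore")
            if score is not None and score < min_score:
                continue
            rows.append({"instance": inst, "cve": details.get("cve"),
                         "severity": details.get("severity"), "score": score,
                         "fixable": bool(vuln.get("availableInventoryItemIds"))})
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0)))
    return rows
```

Calling triage(SAMPLE_RESPONSE) yields three rows: the 9.8 and 7.5 findings on the first instance (only the first is fixable), then the unscored CVE-2021-31879 entry; the 3.3 finding is filtered out.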
View vulnerability reports using the Security Command Center dashboard
Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.
If you are a Security Command Center premium tier user, you can access vulnerability report data for the operating systems that are running on VMs across your organization.
On the Findings page in the Security Command Center dashboard, you can review the Common Vulnerabilities and Exposures (CVE) IDs for all identified vulnerabilities that are affecting your operating system.
For information about using the Security Command Center dashboard to access and review operating system vulnerability data, see VM Manager.
View vulnerability report data from Cloud Asset Inventory
OS inventory management stores and forwards inventory and vulnerability report data to Cloud Asset Inventory. Cloud Asset Inventory is a metadata inventory service that allows you to view, monitor, and analyze assets across Google Cloud. From Cloud Asset Inventory, you can poll the information and view changes in the data.
To access OS inventory and vulnerability report data from Cloud Asset Inventory, you need to complete the following setup:
- Set up VM Manager.
- On your Google Cloud project, enable the Cloud Asset Inventory API and the Google Cloud CLI, and assign permissions.
For more information, see Viewing VM Manager data.
What's next
- Learn more about OS inventory management.