Google CloudOverview
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
Rationale
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts. Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
Therefore interactive serial console support should be disabled.
Remediation guidance
Using Console
- Login to Google Cloud console
- Go to Computer Engine
- Go to VM instances
- Click on the Specific VM
- Click EDIT
- Unselect
Enable connecting to serial portsbelowRemote accessblock. - Click
Save
**Via CLI gcloud **
Use the below command to disable
gcloud compute instances add-metadata `<vmName>` --zone=`<region>` --metadata=serial-port-enable=false
OR
gcloud compute instances add-metadata `<vmName>` --zone=`<region>` --metadata=serial-port-enable=0
References
- https://cloud.google.com/compute/docs/instances/interacting-with-serial-console?hl=en_US&_ga=2.176763621.-1799987798.1507876265
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
'Enable connecting to serial ports' is not enabled for VM Instance
Connectors
Covered asset types
Expected check: eq []
vms(where:{hasVMMetadataItem_SOME:{key:"serial-port-enable",value:"true"}}){...AssetFragment}
