Serial Ports Are Enabled For VM Instances

  • Query id: c6fc6f29-dc04-46b6-99ba-683c01aff350
  • Query name: Serial Ports Are Enabled For VM Instances
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Google Compute Engine VM instances should not enable the interactive serial console, which is controlled by the `serial-port-enable` instance metadata key. When it is enabled, anyone who knows the username, project ID, SSH key, instance name and zone can connect to the VM's serial console over the internet, bypassing the VPC firewall and any IP-based restrictions; possession of the SSH key is then the only barrier to the instance.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: serial_enabled
  google.cloud.gcp_compute_instance:
    metadata:
      # serial-port-enable is the GCE metadata key that turns on the interactive
      # serial console; Ansible's YAML loader reads an unquoted `yes` as true
      serial-port-enable: yes
    zone: us-central1-a
    auth_kind: serviceaccount

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: serial_disabled
  google.cloud.gcp_compute_instance:
    metadata:
      # the key must be spelled serial-port-enable (not serial-port-enabled):
      # GCE ignores unknown metadata keys, so a misspelled key changes nothing.
      # Quoted so YAML does not coerce it to a boolean; GCE expects the string false
      serial-port-enable: 'false'
    zone: us-central1-a
    auth_kind: serviceaccount
- name: serial_undefined
  google.cloud.gcp_compute_instance:
    metadata:
      # no serial-port-enable key at all: the serial console stays disabled by default
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount
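The check this query performs, written out as an added Python example (KICS's own queries are written in Rego; this is not the project's code). It walks an already-parsed Ansible playbook (plays, task lists and block/rescue/always nesting), finds `gcp_compute_instance` tasks by either the fully qualified or the short module name, and reports those whose `metadata` enables the serial console. The sample playbook is constructed inline in its parsed form so the script runs without PyYAML; in practice you would obtain that structure with `yaml.safe_load`. The set of values treated as "enabled" (a YAML boolean true, or the strings `true`/`1` in any case) is this example's assumption about what GCE honors.

```python
"""Flag Compute Engine instances whose Ansible task enables the serial console.

Added example, not KICS's own query. Works on a playbook that has already
been parsed from YAML (for example with yaml.safe_load); the sample playbook
below is constructed inline as that parsed structure.
"""

# Both spellings Ansible accepts for the module.
MODULE_NAMES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")

# Assumption: GCE treats these string values as enabling the serial port.
# YAML 1.1 loaders (Ansible's) turn an unquoted `yes`/`true` into Python
# True, so booleans are handled separately.
ENABLED_STRINGS = {"true", "1"}

# Keys whose values are nested task lists that must be searched as well.
NESTED_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
               "block", "rescue", "always")


def serial_port_enabled(metadata):
    """Return True if the instance metadata turns the serial console on."""
    if not isinstance(metadata, dict):
        return False
    value = metadata.get("serial-port-enable")  # misspelled keys do nothing
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ENABLED_STRINGS


def iter_tasks(items):
    """Yield every mapping in a playbook, descending into plays and blocks."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        yield item
        for key in NESTED_KEYS:
            yield from iter_tasks(item.get(key))


def find_serial_enabled(playbook):
    """Return the names of gcp_compute_instance tasks that enable the console."""
    findings = []
    for task in iter_tasks(playbook):
        for module in MODULE_NAMES:
            params = task.get(module)
            if isinstance(params, dict) and serial_port_enabled(params.get("metadata")):
                findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample playbook (parsed form), not taken from any real project.
SAMPLE_PLAYBOOK = [
    {"hosts": "localhost", "tasks": [
        # `serial-port-enable: yes` after YAML 1.1 boolean coercion
        {"name": "serial_enabled",
         "google.cloud.gcp_compute_instance": {
             "metadata": {"serial-port-enable": True},
             "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
        {"name": "serial_disabled",
         "google.cloud.gcp_compute_instance": {
             "metadata": {"serial-port-enable": "false"},
             "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
        # misspelled key: GCE ignores it, so this is not a finding
        {"name": "serial_typo_key",
         "gcp_compute_instance": {
             "metadata": {"serial-port-enabled": "true"},
             "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
        {"name": "serial_undefined",
         "google.cloud.gcp_compute_instance": {
             "metadata": {"startup-script-url": "gs://graphite-playground/bootstrap.sh",
                          "cost-center": "12345"},
             "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
        # short module name, nested inside a block, string value "TRUE"
        {"block": [
            {"name": "serial_enabled_in_block",
             "gcp_compute_instance": {
                 "metadata": {"serial-port-enable": "TRUE"},
                 "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
        ]},
    ]},
]


if __name__ == "__main__":
    for name in find_serial_enabled(SAMPLE_PLAYBOOK):
        print(f"serial console enabled in task: {name}")
```

Run against the sample it reports `serial_enabled` and `serial_enabled_in_block` only; the misspelled-key task is deliberately not flagged, which is also why the negative sample above must use the exact key `serial-port-enable`.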