Google Cloud & Mondoo - Overview

---

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Google Cloud.

Gather vulnerability information during build-time

• Risk assessment in GCP CloudBuild
• Risk assessment for GCP Container Registry
• Build AMIs with Packer
• Test Docker Images in GCP Cloudbuild

Gather vulnerability information during run-time

• Scan GCP cloud account
• Install Mondoo Client via Cloud-Init
• Terraform deployment
• Verify instances managed by Chef/AWS OpsWorks
• Verify instances managed by Ansible

Preparation

1. Install the gcloud CLI and login via gcloud auth login. Then set your project:

$ gcloud config set project <projectID>
Updated property [core/project].

You can verify your configuration via:

gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = user@example.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1

2. Install the Mondoo Client on your workstation

Scan GCP Cloud Account

With a few steps, we analyse the GCP account

1. Activate the CIS Google Cloud Platform Foundation Benchmark Level 1 Profile
2. Open your terminal and run

# uses the default project with the ssh username chris
$ mondoo scan -t gcp://

3. See the results

Scan GCP Cloud Account including Compute instances

We are going to scan a GCP project including its compute instances. Before we start, lets check that the project includes running instances:

gcloud compute instances list

Mondoo uses the instance information from GCP, including their public IP, and tries to connect to each instance via SSH. Make sure you are able to connect to all instances via SSH. e.g. use SSH keys in metadata

note

Mondoo Client leverages ~/.ssh/config to determine the users for each detected public IP. Instead of using the same ssh username for all instances, you can also configure the SSH config and configure the username for each instance with their username:

Host 123.123.123.123
  User chris

Host yourdomain.com
  IdentityFile /your/path/keyname

If you require a specific list of instances with more detailed configuration, consider the use of an Ansible inventory

1. Create an inventory

Mondoo has the ability to define a list of assets including the used discovery mechanism.

inventory.yml

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  # uses ssh username chris and ssh agent to get the credentials for VMs
  credential_query: "{ user: 'chris', type: 'ssh_agent' }"
  assets:
    - name: gcp
      connections:
        - backend: gcp
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            project: gcp-project-1233

• credential_query defines the way credentials are retrieved per discovered asset
• discover defines if mondoo should look for assets within this cloud account
• options.project defines the gcp project that should be scanned

2. Scan the inventory

$ mondoo scan --inventory inventory.yml