Google Cloud & Mondoo - Overview

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Google Cloud.

Gather vulnerability information during build-time

• Risk assessment for Google Cloud Container Registry
• Build AMIs with Packer

Gather vulnerability information during run-time

• Scan a Google Cloud account
• Install Mondoo Client using Cloud-Init
• Terraform deployment
• Verify instances managed by Chef/AWS OpsWorks
• Verify instances managed by Ansible

Preparation

1. Install the gcloud CLI and log in with the gcloud auth login command. Then set your project:

$ gcloud config set project <projectID>
Updated property [core/project].

You can verify your configuration via:

gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = user@example.com
disable_usage_reporting = True
project = gcp-project-id
[run]
region = us-central1

2. Install Mondoo Client on your workstation.

Scan a Google Cloud account

With a few steps, we analyze the Google Cloud account

1. Activate the CIS Google Cloud Platform Foundation Benchmark Level 1 Profile
2. Open your terminal and run:

# uses the default project with the ssh username chris
$ mondoo scan gcp

3. View the results.

Scan a Google Cloud account including compute instances

You can include a Google Cloud project's compute instances in a scan. Before you start, check that the project includes running instances:

gcloud compute instances list

Mondoo uses the instance information from Google Cloud, including their public IP, and tries to connect to each instance via SSH. Make sure you are able to connect to all instances via SSH. e.g. use SSH keys in metadata

note

Mondoo Client uses ~/.ssh/config to determine the users for each detected public IP. Instead of using the same ssh username for all instances, you can also configure the SSH config and configure the username for each instance with their username:

Host 123.123.123.123
  User chris

Host www.lunalectric.com
  IdentityFile /your/path/key_name

If you require a specific list of instances with more detailed configuration, consider the use of an Ansible inventory

1. Create an inventory

Mondoo has the ability to define a list of assets including the used discovery mechanism.

inventory.yml

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  # uses ssh username chris and ssh agent to get the credentials for VMs
  credential_query: "{ user: 'chris', type: 'ssh_agent' }"
  assets:
    - name: gcp
      connections:
        - backend: gcp
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            project: gcp-project-1233

• credential_query defines the way credentials are retrieved per discovered asset
• discover defines if mondoo should look for assets within this cloud account
• options.project defines the project to scan

2. Scan the inventory

$ mondoo scan --inventory-file inventory.yml