About

Use Patch to apply operating system patches across a set of Compute Engine VM instances (VMs). Long-running VMs require periodic system updates to protect against defects and vulnerabilities.

The Patch feature has two main components:

  • Patch compliance reporting, which provides insights on the patch status of your VM instances across Windows and Linux distributions. Along with the insights, you can also view recommendations for your VM instances.
  • Patch deployment, which automates the operating system and software update process. A patch deployment schedules patch jobs. A patch job runs across VM instances and applies patches.

Benefits

The service gives you the flexibility to complete the following processes:

  • Create patch approvals. You can select which patches to apply to your system from the full set of updates available for the specific operating system.
  • Set up flexible scheduling. You can choose when to run updates (one-time and recurring schedules).
  • Apply advanced patch configuration settings. You can customize your patches by adding configurations such as pre- and post-patching scripts.
  • Manage these patch jobs or updates from a centralized location. You can use the patch dashboard for monitoring and reporting of patch jobs and compliance status.

Pricing

For information about pricing, see VM Manager pricing.

How Patch works

To use the Patch feature, you must set up the OS Config API and install the OS Config agent. For detailed instructions, see Set up VM Manager. The OS Config service enables patch management in your environment, while the OS Config agent uses the update mechanism for each operating system to apply patches. Updates are pulled from the package repositories (otherwise called the distribution source package) or a local repository for the operating system.

The following update tools are used to apply patches:

  • Red Hat Enterprise Linux (RHEL), Rocky Linux and CentOS - yum upgrade
  • Debian and Ubuntu - apt upgrade
  • SUSE Linux Enterprise Server (SLES) - zypper update
  • Windows - Windows Update Agent

Patch and package sources

To use the Patch feature in VM Manager, the VM must have access to the package updates or patches. The service does not host or maintain package updates or patches. In some scenarios your VM might not have access to the updates, for example if your VM doesn't use public IPs or you are using a private VPC network. In these scenarios, you must complete additional steps to allow access to the updates or patches. Consider the following options:

  • Google recommends hosting your own local repository or a Windows Server Update Services (WSUS) server for full control over the patch baseline.
  • Alternatively, you can make external update sources available to your VMs by using Cloud NAT or other proxy services.

Patch management consists of two services: patch deployment and patch compliance. Each service is explained in the following sections.

Patch deployment overview

A patch deployment is initiated by making a call to the VM Manager API (also known as the OS Config API). This can be done by using either the Google Cloud console, the Google Cloud CLI, or a direct API call. The VM Manager API then notifies the OS Config agent running on the target VMs to start patching.

The OS Config agent runs the patching on each VM by using the patch management tool that is available for each distribution. For example, Ubuntu VMs use the apt utility. The utility retrieves updates (patches) from the distribution source for the operating system. As patching proceeds, the OS Config agent reports the progress to the VM Manager API.

Patch compliance overview

After you set up the VM Manager on a VM, the following takes place on the VM:

  • The OS Config agent periodically (about every 10 minutes) reports OS inventory data.
  • The patch compliance backend periodically reads this data, cross-references it with the package metadata obtained from the OS distribution, and saves it.
  • The Google Cloud console then gets the patch compliance data and displays it in the console.

How patch compliance data is generated

The patch compliance backend periodically completes the following tasks:

  1. Reads the reports that are collected from OS inventory data on a VM.
  2. Scans for classification data from the vulnerability source for each operating system, and orders this data based on severity (from highest to lowest).

    The following list summarizes the vulnerability source that is used for each operating system.

    • RHEL and CentOS: https://access.redhat.com/security/data
      Vulnerability scanning results for RHEL are based on the latest minor version for each major version released. There might be inaccuracies in scanning results for older minor versions of RHEL.
    • Debian: https://security-tracker.debian.org/tracker
    • Ubuntu: https://launchpad.net/ubuntu-cve-tracker
    • SLES: N/A. Patch compliance reporting is not supported on SLES.
    • Rocky Linux: N/A. Patch compliance reporting is supported on Rocky Linux. However, the classification of vulnerability data based on severity is not available.
    • Windows: The patch compliance backend gets the classification data from the Windows Update Agent API.

  3. Maps these classifications (provided by the vulnerability source) to Google's compliance status.

    The following list summarizes how distribution source categories map to Google's compliance status.

    • Critical, Urgent, WINDOWS_CRITICAL_UPDATE: Critical (RED)
    • Important, High, WINDOWS_SECURITY_UPDATE: Important/Security (ORANGE)
    • Everything else: Other (YELLOW)
    • No updates available: Up-to-date (GREEN)

  4. Selects the highest severity data for each available update and shows it on the Google Cloud console patch dashboard page. You can also see a full report of all available updates for the VM on the VM details page.

For example, if the OS inventory data for a RHEL 7 VM has the following package data:

  • Package name: package1
  • Installed Version: 1.4
  • Update Version: 2.0

The compliance backend scans for classification data (from the source distribution) and retrieves the following information:

  • Version 1.5 => Critical, fixes CVE-001
  • Version 1.8 => Low, fixes CVE-002
  • Version 1.9 => Low, fixes CVE-003

Then on the Google Cloud console patch dashboard, this RHEL 7 VM is added to the list of VMs that have a Critical update available. If you review the details for this VM, you see 1 Critical update available (version 2.0) with 3 CVEs: CVE-001, CVE-002 and CVE-003.
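To make the mapping and selection steps concrete, here is an added example (not Google's code and not the patch compliance backend itself) that models them in Python: it applies the category-to-status mapping from the list above, picks out the advisories that fall between the installed and offered versions of a package, and reports the highest severity for the package and for the VM. The package data and CVE identifiers are the page's own sample values; version comparison is simplified to dotted integers, which is an assumption of this example.

```python
"""Minimal model of how OS inventory data plus vulnerability-source
classifications become Google's patch compliance status.
Added example, not the service's own code."""
from dataclasses import dataclass

# Distribution-source categories -> Google's compliance status (from the page).
CRITICAL = {"critical", "urgent", "windows_critical_update"}
IMPORTANT = {"important", "high", "windows_security_update"}

# Rank used to pick the highest severity across several advisories or packages.
STATUS_RANK = {
    "Up-to-date (GREEN)": 0,
    "Other (YELLOW)": 1,
    "Important/Security (ORANGE)": 2,
    "Critical (RED)": 3,
}


def classify(category: str) -> str:
    """Map one distribution-source category (case-insensitive) to a status."""
    c = category.strip().lower()
    if c in CRITICAL:
        return "Critical (RED)"
    if c in IMPORTANT:
        return "Important/Security (ORANGE)"
    return "Other (YELLOW)"


@dataclass
class Advisory:
    version: str   # version that ships the fix
    category: str  # severity label as given by the vulnerability source
    cve: str


@dataclass
class PackageUpdate:
    name: str
    installed: str
    update: str
    advisories: list  # Advisory entries from the vulnerability source


def version_key(v: str) -> tuple:
    """Assumption: dotted-integer versions only (real package versions are richer)."""
    return tuple(int(p) for p in v.split("."))


def summarize_update(pkg: PackageUpdate):
    """Return (status, fixed CVEs) for one package.

    Only advisories newer than the installed version and no newer than the
    offered update count; an update with no classified advisory is 'Other'.
    """
    if version_key(pkg.update) <= version_key(pkg.installed):
        return "Up-to-date (GREEN)", []
    relevant = [
        a for a in pkg.advisories
        if version_key(pkg.installed) < version_key(a.version) <= version_key(pkg.update)
    ]
    if not relevant:
        return "Other (YELLOW)", []
    status = max((classify(a.category) for a in relevant), key=STATUS_RANK.__getitem__)
    return status, [a.cve for a in relevant]


def vm_status(packages) -> str:
    """Highest-severity status across all package updates on a VM."""
    best = "Up-to-date (GREEN)"
    for pkg in packages:
        status, _ = summarize_update(pkg)
        if STATUS_RANK[status] > STATUS_RANK[best]:
            best = status
    return best


# Constructed sample mirroring the RHEL 7 example on this page.
SAMPLE = PackageUpdate("package1", "1.4", "2.0", [
    Advisory("1.5", "Critical", "CVE-001"),
    Advisory("1.8", "Low", "CVE-002"),
    Advisory("1.9", "Low", "CVE-003"),
])

if __name__ == "__main__":
    print(summarize_update(SAMPLE))  # ('Critical (RED)', ['CVE-001', 'CVE-002', 'CVE-003'])
    print(vm_status([SAMPLE]))       # Critical (RED)
```

The single Critical advisory at 1.5 is enough to colour the whole VM red even though the two later fixes are Low, which is exactly the "highest severity wins" rule in step 4 above.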

Simultaneous patching

When you initiate a patch job, the service uses the instance filter you provided to determine the specific instances to be patched. Instance filters allow you to patch many instances simultaneously. This filtering is done when the patch job starts, to account for changes in your environment after the job is scheduled.
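The following added example (not the service's code) shows why evaluating the instance filter at job start matters: a VM created after the job was scheduled is still targeted. The filter fields mirror the PatchInstanceFilter of the OS Config API (all, groupLabels, zones, instanceNamePrefixes), but the combination rule used here (every specified field must match, and matching any one label group suffices) is this example's assumption, so confirm it against the API reference before relying on it; the inventory is constructed.

```python
"""Resolve a patch job's instance filter against the inventory as it exists
when the job starts. Added example, not the OS Config service's code."""
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    zone: str
    labels: dict


@dataclass
class InstanceFilter:
    """Fields modelled on the API's PatchInstanceFilter (semantics assumed)."""
    all: bool = False
    group_labels: list = field(default_factory=list)  # list of {label: value}
    zones: list = field(default_factory=list)
    instance_name_prefixes: list = field(default_factory=list)


def matches(inst: Instance, f: InstanceFilter) -> bool:
    """True when the instance satisfies every filter field that is set."""
    if f.all:
        return True
    if f.group_labels and not any(
        all(inst.labels.get(k) == v for k, v in group.items())
        for group in f.group_labels
    ):
        return False
    if f.zones and inst.zone not in f.zones:
        return False
    if f.instance_name_prefixes and not any(
        inst.name.startswith(p) for p in f.instance_name_prefixes
    ):
        return False
    return True


def resolve_targets(f: InstanceFilter, inventory) -> list:
    """Names of the VMs the job will patch, given the inventory at start time."""
    return sorted(i.name for i in inventory if matches(i, f))


# Constructed inventory: web-3 only exists once the job actually starts.
INVENTORY_AT_SCHEDULE = [
    Instance("web-1", "us-central1-a", {"env": "prod", "tier": "web"}),
    Instance("db-1", "us-central1-a", {"env": "prod", "tier": "db"}),
    Instance("web-2", "europe-west1-b", {"env": "prod", "tier": "web"}),
]
INVENTORY_AT_START = INVENTORY_AT_SCHEDULE + [
    Instance("web-3", "us-central1-a", {"env": "prod", "tier": "web"}),
]

# Target production web servers in one zone.
PROD_WEB_US = InstanceFilter(
    group_labels=[{"env": "prod", "tier": "web"}],
    zones=["us-central1-a"],
)

if __name__ == "__main__":
    print(resolve_targets(PROD_WEB_US, INVENTORY_AT_SCHEDULE))  # ['web-1']
    print(resolve_targets(PROD_WEB_US, INVENTORY_AT_START))     # ['web-1', 'web-3']
```

Because the filter is label- and zone-based rather than a fixed list of names, the recurring job keeps covering new VMs that match, which is the behaviour to keep in mind when a label is applied to a VM that should not receive patches during that window.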

Scheduled patching

Patches can be executed on demand, scheduled in advance, or configured with a recurring schedule. You can also cancel an in-progress patch job if you need to stop it immediately.

You can set up maintenance windows by creating patch deployments with a specified frequency and duration. Scheduling patch jobs with a specified duration ensures that patching tasks do not start outside of your designated maintenance window.

You can also enforce patch installation deadlines by creating patch deployments to be completed at a specific time. If targeted VMs are not patched by this date, then the scheduled patch deployment starts installing patches on this date. If VMs are already patched, no action is taken on those VMs, unless a pre- or post-patch script is specified or a reboot is required.

What is included in a patch job?

When a patch job runs on a VM, a combination of updates is applied, depending on the operating system. You can choose to target specific updates or packages, or, for Windows operating systems, specify the KB IDs that you want to update.

You can also use a patch job to update any Google agents that are installed as a standard package for that specific distribution. Use the update tool for that distribution to query the packages that are available. For example, to see the installed Google agents on an Ubuntu operating system, run apt list --installed | grep -P 'google'.

Windows

For Windows operating systems, you can apply all or select from the following updates:

  • Definition updates
  • Driver updates
  • Feature pack updates
  • Security updates
  • Tool updates

RHEL/Rocky/CentOS

For Red Hat Enterprise Linux, Rocky Linux and CentOS operating systems, you can apply all or select from the following updates:

  • System updates
  • Security updates

Debian/Ubuntu

For Debian and Ubuntu systems, you can apply all or select from the following updates:

  • Distribution updates
  • Package manager updates

SUSE

For SUSE Linux Enterprise Server (SLES) and openSUSE operating systems, you can apply all or select from the following updates:

  • System package updates
  • Zypper patches (specific bug fixes and security fixes)

Access patch summary for your VMs

To view the patch summary for your VMs, you have the following options:

  • To view the patch summary information for all VMs in an organization or folder, use the patch dashboard on the Google Cloud console. See View patch summary for VMs.

  • To view the status of the patch jobs, use the patch jobs page on the Google Cloud console. You can also use the Google Cloud CLI or the OS Config API. For more information, see Manage patch jobs.

To view other information such as OS package updates and vulnerability reports, see View operating system details.

The patch dashboard

In the Google Cloud console, a patch dashboard is available that you can use to monitor the patch compliance of your VM instances.

Go to the Patch dashboard page.

Understanding the patch dashboard

Operating system overview

This section reflects the total number of VMs, organized by operating system. For a VM to show up in this list, it must have the OS Config agent installed and OS inventory management enabled.

Figure: Number of VMs card.

If a VM is listed with its operating system as No data, one or more of the following scenarios might be true:

  • The VM is unresponsive.
  • OS Config agent is not installed.
  • OS inventory management is not enabled.
  • The operating system is not supported. For a list of supported operating systems, see Supported operating systems.

Patch compliance status

Figure: OS-specific card.

This section describes the patch compliance status of each VM, organized by operating system.

Compliance status is categorized into four main categories:

  • Critical: This means that a VM has critical updates available.
  • Important or security: This means that a VM has important or security updates available.
  • Other: This means that a VM has updates available, but none of these updates are categorized as a critical or security update.
  • Up-to-date: This means that a VM has no updates available.

What's next?