This page provides an overview of OS inventory management.
For information on setting up and using OS inventory management, see
Viewing operating system details.
Use OS inventory management to collect and view operating system details for
your virtual machine (VM) instances. These operating system details include
information such as hostname, operating system, and kernel version. You can also
get information about installed OS packages, available OS package updates,
Windows applications and OS vulnerabilities.
When to use OS inventory management
OS inventory management can be used to complete the following tasks:
- Identify VMs that are running a specific version of an
operating system
- View operating system packages that are installed on a VM
- Generate a list of operating system package updates that are available for
each VM
- Identify missing operating system packages, updates, or patches for a VM
- View vulnerability reports for a VM
How OS inventory management works
When OS inventory management is enabled, the OS Config agent runs an
inventory scan to collect data, and then sends this information to the
metadata server, OS Config API, and various log streams. This scan runs
every 10 minutes on the VM.
To enable OS inventory management, VM Manager must be set up on the VM.
See Setting up VM Manager.
After you set up VM Manager, you can then query either the guest
attributes or the OS Config API to retrieve information about the operating
system that is running on a VM. See Viewing operating system details.
How the operating system data is collected
For Linux VMs, the OS Config agent runs on the VM and parses
the /etc/os-release, or the equivalent file for the Linux distribution to
gather operating system details. The OS Config agent also uses package
managers such as apt, yum, or GooGet to collect information
about the installed packages and available updates for the instance.
For Windows VMs, the OS Config agent uses the Windows system APIs to
collect the OS information details. The Windows Update agent is also used to
find the installed and available updates.
Where the operating system data is stored
Inventory data is stored in the OS Config API. The contents
for the installed packages and package updates are compressed using gzip and
then base64 encoded to save space.
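The storage encoding described above can be reversed as shown in this added example, which is not code from the OS Config agent or API. The JSON layout inside the blob (package manager name mapping to a list of objects with Name, Arch and Version keys), the function names and the 8 MiB limit are assumptions, and the sample blobs are constructed.

```python
import base64
import gzip
import io
import json

MAX_DECODED_BYTES = 8 * 1024 * 1024  # assumption: refuse blobs that inflate past 8 MiB


def decode_inventory_blob(blob, limit=MAX_DECODED_BYTES):
    """Reverse the storage encoding: base64 text -> gzip stream -> JSON."""
    raw = base64.b64decode(blob, validate=True)  # reject non-base64 characters
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(limit + 1)  # bounded read guards against decompression bombs
    if len(data) > limit:
        raise ValueError("decoded inventory exceeds size limit")
    return json.loads(data)


def encode_inventory_blob(obj):
    """Build a constructed sample the same way: JSON -> gzip -> base64."""
    return base64.b64encode(gzip.compress(json.dumps(obj).encode())).decode()


def pending_updates(installed, updates):
    """Pair each available update with the installed version it would replace."""
    current = {(p["Name"], p["Arch"]): p["Version"]
               for pkgs in installed.values() for p in pkgs}
    rows = []
    for manager, pkgs in updates.items():
        for p in pkgs:
            key = (p["Name"], p["Arch"])
            rows.append((manager, p["Name"], current.get(key), p["Version"]))
    return sorted(rows)


# Constructed sample data; the key names and nesting are assumed, not taken from the page.
SAMPLE_INSTALLED = encode_inventory_blob({"deb": [
    {"Name": "openssl", "Arch": "x86_64", "Version": "1.1.1n-0+deb11u3"},
    {"Name": "bash", "Arch": "x86_64", "Version": "5.1-2+deb11u1"},
]})
SAMPLE_UPDATES = encode_inventory_blob({"apt": [
    {"Name": "openssl", "Arch": "x86_64", "Version": "1.1.1n-0+deb11u5"},
]})

if __name__ == "__main__":
    for row in pending_updates(decode_inventory_blob(SAMPLE_INSTALLED),
                               decode_inventory_blob(SAMPLE_UPDATES)):
        print(row)
```

The bounded read matters when the blob comes from a guest-writable location, because a small gzip stream can expand to an arbitrarily large payload.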
Logging
During the collection and storage of data, the OS Config agent writes
activity logs to the various log streams on Compute Engine. These include:
- The serial port
- System logs - Windows event log and Linux syslog
- Standard streams - stdout
- Cloud Logging logs. These logs are only available
if Cloud Logging is enabled on the VM instance.
Information provided by OS inventory management
OS inventory management can provide the following information about the
operating system that is running on your VM instance:
- Hostname
- LongName - The detailed operating system name. For example,
Microsoft Windows Server 2016 Datacenter.
- ShortName - The short form of the operating system name. For example,
Windows.
- Kernel version
- OS architecture
- OS version
- OS Config agent version
- Last updated - A timestamp of the last time the agent successfully scanned
the system and updated the guest attributes with OS Inventory data.
Installed operating system package and application information
The following table summarizes the information that OS inventory management
provides for installed operating system packages on Linux and Windows VMs.
It also outlines the information that is available for applications that
are running on Windows.
| Operating system | Package manager | Available fields |
|---|---|---|
| Linux and Windows Server | Installed package information is available from the following package managers: RPM for Red Hat Enterprise Linux (RHEL); DEB for Debian and Ubuntu; GooGet for Windows Server | For each installed package the following information is provided: Name of the package, Architecture, Version |
| Windows Server | Windows update agent | The following fields are listed for the Windows updates: Title, Description, Categories, CategoryIDs [1], KBArticleIDs, SupportURL, UpdateID [1], RevisionNumber [1], LastDeploymentChangeTime |
| Windows Server | Windows Quick Fix Engineering updates | The following fields are listed for the QuickFixEngineering updates: Caption, Description, HotFixID, InstalledOn |
| Windows Server | Windows Installer [2] | The following fields are listed for the Windows Installer: DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink |

[1] This field is hidden in the default gcloud compute instances os-inventory describe
command-line output. To view this field you must view the output in the JSON format.
To view the output in JSON format, append the --format=JSON flag to the gcloud command.
For more information about output formatting, review gcloud topic formats.

[2] To view installer properties for your Windows applications, you
need OS Config agent version 20210811 or later. To view the agent version, see
View OS Config agent version.
The following table summarizes the update information that
OS inventory management provides for installed operating system packages.
| Operating system | Package manager | Available fields |
|---|---|---|
| Linux and Windows Server | Package update information is available from the following package managers: Yum for Red Hat Enterprise Linux (RHEL); Apt for Debian and Ubuntu; GooGet for Windows Server | For each package update that is available the following information is provided: Name of the package, Architecture, Version |
| Windows Server | Windows update agent | The following fields are listed for the Windows updates: Title, Description, Categories, CategoryIDs [1], KBArticleIDs, SupportURL, UpdateID [1], RevisionNumber [1], LastDeploymentChangeTime |

[1] This field is hidden in the default gcloud compute instances os-inventory describe
command-line output. To view this field you must view the output in the JSON format.
To view the output in JSON format, append the --format=JSON flag to the gcloud command.
For more information about output formatting, review gcloud topic formats.
Vulnerability reports
Software vulnerabilities are weaknesses that can either cause an accidental
system failure or result in malicious activity. For VMs, a vulnerability can be
an issue in the code or the logic of operation for either operating system
packages or software applications.
Vulnerabilities associated with the installed operating system packages
are normally stored in a vulnerability source repository. For more information
about these vulnerability sources, see Vulnerability sources.
You can use OS inventory management to view vulnerability reports for
issues with installed OS packages.
To get vulnerability data for a VM, VM Manager must be set up, and
OS Config agent version dated 20201110 or later must be running on the VM.
See Setting up VM Manager.
After the OS Config agent is set up and reporting inventory, the OS Config API
service continuously scans and checks the vulnerability source of the operating
system against the available inventory data.
When a vulnerability is detected in the operating system packages, the service
generates a vulnerability report. These reports are generated as follows:
- For most vulnerabilities in the installed operating system package,
the OS Config API generates a vulnerability report within a few minutes
of the change.
- For Common Vulnerabilities and Exposures (CVEs),
the OS Config API generates the vulnerability report within three
to four hours after the CVE is published to the operating system.
To view these vulnerability reports, see View vulnerability reports.
How vulnerability reports are generated
VM Manager periodically completes the following tasks:
- Reads the reports that are collected from OS inventory data on a VM.
- Scans for classification data from the vulnerability source for each operating
system, and orders this data based on severity (from highest to lowest), at
least once daily.
- Displays the CVE data for a VM on the Google Cloud console. You can also
view the vulnerability reports using Security Command Center or
Cloud Asset Inventory.
Vulnerability sources
The following table summarizes the vulnerability source that is used for each
operating system.
For a complete list of supported operating systems and their versions, see
Operating system details.
Data retention
OS inventory and vulnerability report data is stored until the VM is deleted.
However, if for any reason the OS Config agent stops reporting to the OS Config
API service for a few days, then VM Manager deletes the available OS
inventory and vulnerability report data collected until that point. No data
will be available for that VM until the OS Config agent starts running again.
Pricing
For information about pricing, see VM Manager pricing.
What's next