Control: 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389

for region in `oci iam region list | jq -r '.data[] | .name'`;
  do
    for compid in `oci iam compartment list 2>/dev/null | jq -r '.data[] | .id'`;
      do
        for nsgid in `oci network nsg list --compartment-id $compid -- region $region --all 2>/dev/null | jq -r '.data[] | .id'`
          do
            output=`oci network nsg rules list --nsg-id=$nsgid --all 2>/dev/null | jq -r '.data[] | select(.source == "0.0.0.0/0" and .direction == "INGRESS" and ((."tcp-options"."destination-port-range".max >= 3389 and ."tcp-options"."destination-port-range".min <= 3389) or ."tcpoptions"."destination-port-range" == null))'`
              if [ ! -z "$output" ]; then echo "NSGID=", $nsgid, "Security Rules=", $output; fi
          done
      done
  done

oci network nsg rules remove --nsg-id=<NSGID from audit output>

oci network nsg rules update --nsg-id=<NSGID from audit output> --securityrules=<updated security-rules JSON (without the isValid or TimeCreated fields)>

eg:

oci network nsg rules update --nsgid=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --securityrules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "140.238.154.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 3389, "min": 3389 }, "source-port-range": null }, "udp-options": null }]'