Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-oci-compliance
Overview
3Dashboards
133Benchmarks
43Queries
2Variables
GitHub

Control: 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22

Description

Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.

Remediation

From Console

  1. Login to OCI Console.
  2. Click in the search bar, top of the screen.
  3. Type Advance Resource Query and hit enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query into the query box:
query SecurityList resources where
(IngressSecurityRules.source = '0.0.0.0/0' &&
IngressSecurityRules.protocol = 6 &&
IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 &&
IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)
  1. Ensure query returns no results.
  2. For each security list in the returned results, click the security list name.
  3. Either edit the ingress rule to be more restrictive, delete the ingress rule or click on the VCN and terminate the security list as appropriate.

From Command Line

  1. Execute the following command
oci search resource structured-search --query-text "query SecurityList resources where
(IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)"
  1. Ensure query returns no results.
  2. For each of the security lists identified get the its details
oci network security-list get --security-list-id <security list id>
  1. Then either:
  • Update the security list, copy the ingress-security-rules element from the JSON returned by the above get call, edit it appropriately and use it in the following command
oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'

or

  • Delete the security list
oci network security-list delete --security-list-id <security list id>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_1 --share

SQL

This control uses a named query:

with non_compliant_rules as (
  select
    id,
    count(*) as num_noncompliant_rules
  from
    oci_core_security_list,
    jsonb_array_elements(ingress_security_rules) as p
  where
    p ->> 'source' = '0.0.0.0/0'
    and (
      (
        p ->> 'protocol' = 'all'
        and (p -> 'tcpOptions' -> 'destinationPortRange' -> 'min') is null
      )
      or (
        p ->> 'protocol' = '6' and
        (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 22
        and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 22
      )
    )
  group by id
)
select
  osl.id as resource,
  case
    when non_compliant_rules.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when non_compliant_rules.id is null then osl.display_name || ' ingress restricted for SSH from 0.0.0.0/0.'
    else osl.display_name || ' contains '|| non_compliant_rules.num_noncompliant_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.'
  end as reason
  
  , osl.region as region, osl.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_core_security_list as osl
  left join non_compliant_rules on non_compliant_rules.id = osl.id
  left join oci_identity_compartment c on c.id = osl.compartment_id;

Tags

category = Compliance
cis = true
cis_item_id = 2.1
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v1.2.0
plugin = oci
service = OCI/VCN