turbot/oci_compliance

Control: 2.3 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22

Description

Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.

Remediation

From Command Line

Using the details returned from the audit procedure either:

  • Remove the security rules
oci network nsg rules remove --nsg-id=<NSGID from audit output>

or

  • Update the security rules
oci network nsg rules update --nsg-id=<NSGID from audit output> --security- rules='[<updated security-rules JSON (without isValid and TimrCreated fields)>]'
eg:
oci network nsg rules update --nsg- id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security- rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "140.238.154.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 22, "min": 22 }, "source-port-range": null }, "udp-options": null }]'

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_3 --share

SQL

This control uses a named query:

core_network_security_group_restrict_ingress_ssh_all

Tags