turbot/steampipe-mod-oci-compliance

Control: 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP

Description

A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended that no security list allow unrestricted ingress access to Secure Shell (SSH) via port 22.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Click Networking -> Virtual Cloud Networks.
  3. For each VCN listed, click Security Lists.
  4. Click Default Security List for <VCN Name>.
  5. Select the ingress rule with 'Source 0.0.0.0/0, IP Protocol 22 and Destination Port Range 22'.
  6. Click Remove.
  7. Confirm the removal by clicking Remove.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_5 --share

SQL

This control uses a named query:

-- Count, per security list, the ingress rules whose IP protocol is anything
-- other than 1 (ICMP). A list with no non-ICMP ingress rules produces no row here.
with default_security_list as (
  select
    id,
    count(display_name) as non_icmp_rule_count
  from
    oci_core_security_list,
    jsonb_array_elements(ingress_security_rules) as p
  where
    p ->> 'protocol' != '1'
  group by
    id
)
select
  a.id as resource,
  case
    when p.non_icmp_rule_count > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when p.non_icmp_rule_count > 0 then a.display_name || ' configured with non ICMP ports.'
    else a.display_name || ' configured with ICMP ports only.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_security_list a
  left join oci_core_vcn b on a.vcn_id = b.id
  left join default_security_list as p on p.id = a.id
  left join oci_identity_compartment c on c.id = a.compartment_id
where
  -- The default security list is matched purely by its display name, so a list
  -- or VCN that has since been renamed will not be evaluated by this control.
  a.display_name = concat('Default Security List for ', b.display_name);
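The control above only reports a count per default security list, which tells an operator that something must be removed but not what. The following triage query is an added example, not part of the mod or of the control's named query; it lists each non-ICMP ingress rule in every default security list together with its source CIDR and destination port range, so the rule named in the remediation steps can be located directly. It assumes the same Steampipe tables as the control (oci_core_security_list, oci_core_vcn) and that the ingress_security_rules column holds the OCI API's camelCase rule objects (protocol, source, isStateless, tcpOptions / udpOptions with a destinationPortRange of min and max); those key names are an assumption drawn from the OCI API, not from this page.

```sql
-- Added triage query (not the mod's own code). Lists every ingress rule in a
-- default security list whose protocol is not ICMP, using the same definition
-- of "default" and "non-ICMP" as the control: display name match and
-- protocol != '1'. Note that this treats ICMPv6 (protocol 58) as non-ICMP,
-- exactly as the control does.
-- Assumed rule keys (OCI API camelCase): protocol, source, isStateless,
-- tcpOptions.destinationPortRange.{min,max}, udpOptions.destinationPortRange.{min,max}.
with default_lists as (
  select
    a.id,
    a.display_name,
    a.region,
    coalesce(c.name, 'root') as compartment,
    a.ingress_security_rules
  from
    oci_core_security_list a
    join oci_core_vcn b on a.vcn_id = b.id
    left join oci_identity_compartment c on c.id = a.compartment_id
  where
    a.display_name = concat('Default Security List for ', b.display_name)
),
ingress_rules as (
  select
    d.id,
    d.display_name,
    d.region,
    d.compartment,
    r
  from
    default_lists d,
    jsonb_array_elements(d.ingress_security_rules) as r
)
select
  display_name as security_list,
  region,
  compartment,
  -- Map the numeric IP protocol to a readable name; OCI also accepts 'all'.
  case r ->> 'protocol'
    when '6'   then 'TCP'
    when '17'  then 'UDP'
    when '58'  then 'ICMPv6'
    when 'all' then 'all'
    else r ->> 'protocol'
  end as protocol,
  r ->> 'source' as source_cidr,
  -- Port range is present only for TCP and UDP rules; NULL means all ports.
  coalesce(r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min',
           r -> 'udpOptions' -> 'destinationPortRange' ->> 'min') as dest_port_min,
  coalesce(r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max',
           r -> 'udpOptions' -> 'destinationPortRange' ->> 'max') as dest_port_max,
  (r ->> 'isStateless')::boolean as stateless
from
  ingress_rules
where
  r ->> 'protocol' != '1'
order by
  security_list, protocol, source_cidr;
```

Run it with `steampipe query` against the same connection the control uses; a row with protocol TCP, source 0.0.0.0/0 and port range 22-22 is the rule the remediation steps remove, and any other rows are additional non-ICMP ingress rules that will keep the control in alarm after that one is gone.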

Tags