turbot/oci_compliance

Control: 2.6 Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources

Description

Oracle Integration (OIC) is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications and connects both your applications that live in the cloud and your applications that still live on premises. Oracle Integration provides secure, enterprise-grade connectivity regardless of the applications you are connecting or where they reside. OIC instances are created within an Oracle-managed secure private network, and each instance has a public endpoint. The capability to configure ingress filtering of network traffic to protect your OIC instances from unauthorized network access is included. It is recommended that network access to your OIC instances be restricted to your approved corporate IP addresses or Virtual Cloud Networks (VCNs).

Remediation

  1. Login to the OCI Console.
  2. Click in the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
query integrationinstance resources
  6. For each OIC instance returned, click the link under Display name.
  7. Click Network Access.
  8. Ensure Restrict Network Access is selected and that the IP Address/CIDR Block and Virtual Cloud Networks entries contain only your approved corporate sources.
  9. For any instance that is unrestricted or allows unapproved sources, edit its Network Access to be more restrictive, leaving only approved IP addresses/CIDR blocks and VCNs.
  10. Repeat for other subscribed regions.

From Command Line

  1. Execute the following command:
#!/usr/bin/env bash
# Prints every OIC instance whose network access is unrestricted, i.e. whose
# network-endpoint-details carry no network-endpoint-type.
# Assumes the tenancy OCID is configured as the default compartment-id in
# ~/.oci/oci_cli_rc; otherwise add --compartment-id <tenancy-ocid> to the
# compartment list call. Regions the tenancy is not subscribed to return
# errors, which are discarded by 2>/dev/null.
for region in $(oci iam region list | jq -r '.data[] | .name'); do
  for compid in $(oci iam compartment list --compartment-id-in-subtree TRUE --all 2>/dev/null | jq -r '.data[] | .id'); do
    output=$(oci integration integration-instance list --compartment-id "$compid" --region "$region" --all 2>/dev/null \
      | jq -r '.data[] | select(."network-endpoint-details"."network-endpoint-type" == null)')
    if [ -n "$output" ]; then echo "$output"; fi
  done
done
  2. For each instance printed, and for instances whose access is restricted, review network-endpoint-details: allowlisted-http-ips and allowlisted-http-vcns must contain only your approved corporate IP addresses/CIDR blocks and VCNs.
  3. Get the JSON input format for the change command:
oci integration integration-instance change-network-endpoint --generate-param-json-input
  4. For each instance that needs remediation, get its details with the integration-instance get command, copy the network-endpoint-details element from the returned JSON, edit it so that only approved sources remain, fit it into the skeleton generated in the previous step, and pass the result to:
oci integration integration-instance change-network-endpoint --id <oic-instance-id> --from-json '<network endpoints JSON>'
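The jq filter above only catches instances with no restriction at all; an instance whose allowlist contains 0.0.0.0/0 or an unrelated VCN passes it but still violates the control. The following Python is an added example, not part of the oci_compliance mod or the OCI CLI: it evaluates the `.data[]` entries that `oci integration integration-instance list` prints (a constructed sample is embedded, using the kebab-case keys the CLI emits) against an approved-source policy, and builds the request body for the change-network-endpoint call. The approved ranges, VCN OCIDs and sample instances are assumptions, and the camelCase key names of the request body are assumed from the OCI CLI convention, so compare them with the skeleton from --generate-param-json-input before use.

```python
"""Added example for control 2.6: audit integration-instance list output and
build a change-network-endpoint body. Not part of the oci_compliance mod;
approved ranges, VCN OCIDs and sample instances are constructed for illustration."""
import ipaddress
import json

# Approved corporate sources (assumed values; replace with your own).
APPROVED_CIDRS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
APPROVED_VCNS = {"ocid1.vcn.oc1.phx.example-corp-vcn"}

# Constructed sample of `.data[]` entries as the CLI prints them (kebab-case keys).
SAMPLE_INSTANCES = [
    {"id": "ocid1.integrationinstance.oc1.phx.example-open",
     "display-name": "oic-open", "network-endpoint-details": None},
    {"id": "ocid1.integrationinstance.oc1.phx.example-anyip",
     "display-name": "oic-anyip",
     "network-endpoint-details": {"network-endpoint-type": "PUBLIC",
                                  "allowlisted-http-ips": ["0.0.0.0/0"],
                                  "allowlisted-http-vcns": []}},
    {"id": "ocid1.integrationinstance.oc1.phx.example-ok",
     "display-name": "oic-ok",
     "network-endpoint-details": {"network-endpoint-type": "PUBLIC",
                                  "allowlisted-http-ips": ["203.0.113.0/24", "198.51.100.7"],
                                  "allowlisted-http-vcns": [{"id": "ocid1.vcn.oc1.phx.example-corp-vcn"}]}},
]


def allowed_source(entry):
    """True if an allowlisted IP or CIDR lies entirely inside an approved corporate range."""
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.subnet_of(approved)
               for approved in APPROVED_CIDRS if approved.version == net.version)


def findings(instance):
    """Reasons an instance fails control 2.6; an empty list means it passes.
    The first check mirrors the jq filter: no network-endpoint-type means unrestricted."""
    details = instance.get("network-endpoint-details") or {}
    if details.get("network-endpoint-type") is None:
        return ["network access is unrestricted (no network-endpoint-details)"]
    ips = details.get("allowlisted-http-ips") or []
    vcns = details.get("allowlisted-http-vcns") or []
    reasons = []
    if not ips and not vcns:
        reasons.append("Restrict Network Access is set but no IP or VCN is allowlisted")
    reasons += [f"IP entry {ip} is outside the approved corporate ranges"
                for ip in ips if not allowed_source(ip)]
    reasons += [f"VCN {vcn.get('id')} is not an approved VCN"
                for vcn in vcns if vcn.get("id") not in APPROVED_VCNS]
    return reasons


def audit(instances):
    """Map instance OCID -> findings for every non-compliant instance."""
    result = {}
    for inst in instances:
        reasons = findings(inst)
        if reasons:
            result[inst["id"]] = reasons
    return result


def change_endpoint_request(instance_id, cidrs, vcn_ids):
    """Body for `change-network-endpoint --from-json file://body.json`.
    The camelCase key names are assumed from the OCI CLI convention used by
    --generate-param-json-input; diff this against that skeleton before use."""
    return {
        "id": instance_id,
        "networkEndpointDetails": {
            "networkEndpointType": "PUBLIC",
            "allowlistedHttpIps": [str(c) for c in cidrs],
            "allowlistedHttpVcns": [{"id": v} for v in sorted(vcn_ids)],
        },
    }


if __name__ == "__main__":
    for oid, reasons in audit(SAMPLE_INSTANCES).items():
        print(oid, *reasons, sep="\n  ")
    print(json.dumps(change_endpoint_request(SAMPLE_INSTANCES[0]["id"],
                                             APPROVED_CIDRS, APPROVED_VCNS), indent=2))
```

To run it against a real tenancy, pipe the loop's output through `jq -s` (or save each region's list JSON) and feed the `.data` array to `audit()`; write the dict returned by `change_endpoint_request()` to a file and pass it with `--from-json file://body.json`.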

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_6 --share

SQL

This control uses a named query:

manual_control

Tags