turbot/oci_compliance

Control: 2.8 Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network

Description

Oracle Autonomous Database Shared (ADB-S) automates database tuning, security, backups, updates, and other routine management tasks traditionally performed by DBAs. ADB-S provides ingress filtering of network traffic, or it can be deployed within an existing Virtual Cloud Network (VCN). It is recommended that all new ADB-S databases be deployed within a VCN and that, for existing ADB-S databases, the Access Control Rules are restricted to your corporate IP addresses or VCNs.

Remediation

  1. Login to OCI Console.
  2. Click in the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query in the query box:
query autonomousdatabase resources
  6. For each ADB-S database returned, click the link under Display name.
  7. Click Edit next to Access Control List.
  8. Ensure the Access Control Rules (IP Address/CIDR Block as well as VCNs) are correct.
  9. Repeat for other subscribed regions.
  10. For each ADB-S database in the returned results, click the ADB-S database name.
  11. Click Edit next to Access Control Rules.
  12. Click +Another Rule and add rules as required.
  13. Click Save Changes.

From Command Line

  1. Execute the following command:
for region in $(oci iam region list | jq -r '.data[] | .name'); do
  for compid in $(oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'); do
    # ADB-S databases with no network security groups attached, i.e. not deployed within a VCN
    for adbid in $(oci db autonomous-database list --compartment-id "$compid" --region "$region" --all 2>/dev/null | jq -r '.data[] | select(."nsg-ids" == null).id'); do
      # Print the database OCID together with its access control list (whitelisted IPs)
      output=$(oci db autonomous-database get --autonomous-database-id "$adbid" --region "$region" --query 'data.{WhiteListIPs:"whitelisted-ips",id:id}' --output table 2>/dev/null)
      if [ ! -z "$output" ]; then echo "$output"; fi
    done
  done
done
  2. Ensure WhiteListIPs are correct.
  3. Get the JSON input format by executing the following command:
oci db autonomous-database update --generate-full-command-json-input
  4. For each of the ADB-S databases identified, get its details.
  5. Update the whitelistIps: copy the WhiteListIPs element from the JSON returned by the above get call, edit it appropriately and use it in the following command:
oci db autonomous-database update --autonomous-database-id <ADB-S OCID> --from-json '<network endpoints JSON>'
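Step 2 above ("Ensure WhiteListIPs are correct") is left to the reader. The following Python script is an added example, not part of this mod or of the CIS benchmark text, that evaluates the records returned by `oci db autonomous-database get` against an allow-list of corporate CIDRs and VCN OCIDs, applying the control's logic: a database deployed within a VCN passes, a database with no access control rules or with rules outside the allowed sources fails. The sample records, the allowed CIDRs and the VCN OCID are constructed placeholders; the `subnet-id` field name and the `<vcn ocid>;<ip>;<cidr>` form of a VCN rule are assumptions about the CLI's output, not taken from this page.

```python
import ipaddress
import json

# Allowed sources for this tenancy (constructed placeholders, not from the page).
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
ALLOWED_VCNS = {"ocid1.vcn.oc1..EXAMPLE_PLACEHOLDER_VCN"}

# Constructed sample of the `data` objects that `oci db autonomous-database get`
# returns. `nsg-ids` and `whitelisted-ips` are the kebab-case field names the
# page's script uses; `subnet-id` is assumed to be the private-endpoint subnet.
SAMPLE_DATABASES = [
    {"id": "ocid1.autonomousdatabase.oc1..sample1", "display-name": "adb-ok",
     "subnet-id": None, "nsg-ids": None,
     "whitelisted-ips": ["203.0.113.0/24", "198.51.100.17"]},
    {"id": "ocid1.autonomousdatabase.oc1..sample2", "display-name": "adb-open",
     "subnet-id": None, "nsg-ids": None, "whitelisted-ips": ["0.0.0.0/0"]},
    {"id": "ocid1.autonomousdatabase.oc1..sample3", "display-name": "adb-noacl",
     "subnet-id": None, "nsg-ids": None, "whitelisted-ips": None},
    {"id": "ocid1.autonomousdatabase.oc1..sample4", "display-name": "adb-vcn",
     "subnet-id": "ocid1.subnet.oc1..sample",
     "nsg-ids": ["ocid1.networksecuritygroup.oc1..sample"], "whitelisted-ips": None},
    {"id": "ocid1.autonomousdatabase.oc1..sample5", "display-name": "adb-vcnrule",
     "subnet-id": None, "nsg-ids": None,
     "whitelisted-ips": ["ocid1.vcn.oc1..EXAMPLE_PLACEHOLDER_VCN;10.0.1.0/24", "192.0.2.5"]},
]


def load_cli_output(text):
    """Parse `oci db autonomous-database get` (one object) or `list` (array) JSON into a list."""
    data = json.loads(text)["data"]
    return data if isinstance(data, list) else [data]


def _ip_allowed(entry, allowed_nets):
    """True if the IP or CIDR entry lies entirely within one of the allowed networks."""
    net = ipaddress.ip_network(entry, strict=False)  # bare IPs become /32 or /128
    return any(net.subnet_of(a) for a in allowed_nets if a.version == net.version)


def evaluate(db, allowed_cidrs=ALLOWED_CIDRS, allowed_vcns=ALLOWED_VCNS):
    """Return (status, reason) for one ADB-S record: 'ok' or 'alarm'."""
    # Private endpoint inside a VCN: the control is satisfied regardless of ACL.
    if db.get("subnet-id") or db.get("nsg-ids"):
        return "ok", "deployed within a VCN"
    acl = db.get("whitelisted-ips") or []
    if not acl:
        return "alarm", "no access control rules: reachable from any source"
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for rule in acl:
        if rule.startswith("ocid1.vcn."):
            # VCN rule (assumed format "<vcn ocid>[;ip;cidr...]"): only the VCN
            # itself is checked; the trailing addresses are VCN-internal sources.
            vcn = rule.split(";", 1)[0]
            if vcn not in allowed_vcns:
                bad.append(rule)
        else:
            try:
                if not _ip_allowed(rule, allowed_nets):
                    bad.append(rule)
            except ValueError:
                bad.append(rule)  # unparsable rule: treat as non-compliant
    if bad:
        return "alarm", "rules outside allowed sources: " + ", ".join(bad)
    return "ok", "all access control rules within allowed sources"


def report(databases=SAMPLE_DATABASES):
    """Evaluate every record; returns {display name: status}."""
    return {db["display-name"]: evaluate(db)[0] for db in databases}


if __name__ == "__main__":
    # Pipe real CLI output in with: oci db autonomous-database get ... | python3 this_script.py
    import sys
    records = SAMPLE_DATABASES if sys.stdin.isatty() else load_cli_output(sys.stdin.read())
    for db in records:
        status, reason = evaluate(db)
        print(f"{status:5s} {db.get('display-name', db['id']):12s} {reason}")
```

With the constructed samples, `adb-ok` and `adb-vcn` pass, while `adb-open` (0.0.0.0/0), `adb-noacl` (no rules at all) and `adb-vcnrule` (an allowed VCN rule next to an address outside the corporate ranges) are reported as alarms; a single stray entry is enough to fail the database, which matches the intent of "restricted to allowed sources".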

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_2_8 --share

SQL

This control uses a named query:

oracle_autonomous_database_not_publicly_accessible

Tags