Control: 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22

Description

Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.

Removing unfettered connectivity to remote console services, such as Secure Shell (SSH), reduces a server's exposure to risk.

Remediation

From Console

Follow the audit procedure above.
For each security list in the returned results, click the security list name.
Either edit the ingress rule to be more restrictive, delete the ingress rule or click on the VCN and terminate the security list as appropriate.

From CLI

Follow the audit procedure.
For each of the security lists identified, execute the following command:

oci network security-list get --security-list-id <security list id>

Then either:

Update the security list by copying the ingress-security-rules element from the JSON returned by the above command, edit it appropriately and use it in the following command:

oci network security-list update --security-list-id <security-list-id> -- ingress-security-rules '<ingress security rules JSON>'

Delete the security list

oci network security-list delete --security-list-id <security list id>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_2_1 --share

SQL

This control uses a named query:

core_security_list_restrict_ingress_ssh_all