Control: 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
Description
Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources at the subnet level. It is recommended that no security list allows unrestricted ingress access to port 22.
Removing unfettered connectivity to remote console services, such as Secure Shell (SSH), reduces a server's exposure to risk.
Remediation
From Console
- Follow the audit procedure above.
- For each security list in the returned results, click the security list name.
- Either edit the ingress rule to be more restrictive, delete the ingress rule, or click on the VCN and terminate the security list, as appropriate.
From CLI
- Follow the audit procedure.
- For each of the security lists identified, execute the following command:
oci network security-list get --security-list-id <security list id>
- Then either:
- Update the security list by copying the ingress-security-rules element from the JSON returned by the above command, edit it appropriately and use it in the following command:
oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'
or
- Delete the security list
oci network security-list delete --security-list-id <security list id>
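As an added example (not part of the benchmark text or the oci_compliance mod), the following Python helper applies this control's check to the JSON returned by `oci network security-list get` and produces the ingress-security-rules array with the offending rules removed, ready for the update command above. The kebab-case key names (`tcp-options`, `destination-port-range`) follow the OCI CLI's output format, and the sample rules and OCID are constructed for illustration.

```python
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"


def rule_allows_ssh_from_anywhere(rule: dict) -> bool:
    """True if an OCI ingress rule lets 0.0.0.0/0 reach TCP port 22.
    Key names follow the kebab-case the OCI CLI emits (assumed here)."""
    if rule.get("source") != ANY_IPV4:
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True          # every protocol and port, SSH included
    if proto != "6":         # 6 = TCP; UDP/ICMP rules cannot carry SSH
        return False
    tcp = rule.get("tcp-options") or {}
    rng = tcp.get("destination-port-range")
    if not rng:
        return True          # no destination range given => all TCP ports
    return rng["min"] <= SSH_PORT <= rng["max"]


def remediated_ingress_rules(cli_output: str) -> str:
    """Take the JSON printed by `oci network security-list get` and return
    the ingress-security-rules array minus the offending rules, as a JSON
    string suitable for --ingress-security-rules."""
    rules = json.loads(cli_output)["data"]["ingress-security-rules"]
    kept = [r for r in rules if not rule_allows_ssh_from_anywhere(r)]
    return json.dumps(kept)


# Constructed sample mimicking the CLI's `get` output (placeholder OCID).
SAMPLE = json.dumps({"data": {"id": "ocid1.securitylist.oc1..EXAMPLE",
    "ingress-security-rules": [
        {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "protocol": "6",          # range spans 22
         "tcp-options": {"destination-port-range": {"min": 1, "max": 1024}}},
        {"source": "0.0.0.0/0", "protocol": "all"},       # all traffic
        {"source": "10.0.0.0/16", "protocol": "6",        # restricted source
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "protocol": "6",          # HTTPS only
         "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    ]}})

if __name__ == "__main__":
    print(remediated_ingress_rules(SAMPLE))   # keeps the last two rules
```

Only the 10.0.0.0/16 and port-443 rules survive; rules for protocol `all` and for TCP ranges that merely include port 22 are treated as offending, matching the intent of the control.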
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_2_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_2_1 --share
SQL
This control uses a named query:
core_security_list_restrict_ingress_ssh_all