turbot/steampipe-mod-oci-compliance

Control: 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389

Description

Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.

Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.

Remediation

From CLI

Using the details returned from the audit procedure either:

  • Remove the security rules
oci network nsg rules remove --nsg-id=<NSGID from audit output>

or

  • Update the security rules
oci network nsg rules update --nsg-id=<NSGID from audit output> --security-rules=<updated security-rules JSON (without the isValid or TimeCreated fields)>
e.g.:
oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "140.238.154.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 3389, "min": 3389 }, "source-port-range": null }, "udp-options": null }]'

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_2_4 --share

SQL

This control uses a named query:

with non_compliant_rules as (
  select
    id,
    count(*) as num_noncompliant_rules
  from
    oci_core_network_security_group,
    jsonb_array_elements(rules) as r
  where
    r ->> 'direction' = 'INGRESS'
    and r ->> 'sourceType' = 'CIDR_BLOCK'
    and r ->> 'source' = '0.0.0.0/0'
    and (
      r ->> 'protocol' = 'all'
      or (
        -- a TCP rule with no tcpOptions (all ports) yields null here and is not counted
        (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 3389
        and (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 3389
      )
    )
  group by id
)
select
  nsg.id as resource,
  case
    when non_compliant_rules.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when non_compliant_rules.id is null then nsg.display_name || ' ingress restricted for port 3389 from 0.0.0.0/0.'
    else nsg.display_name || ' contains ' || non_compliant_rules.num_noncompliant_rules || ' ingress rule(s) allowing port 3389 from 0.0.0.0/0.'
  end as reason
  , nsg.region as region, nsg.tenant_name as tenant
  , coalesce(c.name, 'root') as compartment
from
  oci_core_network_security_group as nsg
  left join non_compliant_rules on non_compliant_rules.id = nsg.id
  left join oci_identity_compartment c on c.id = nsg.compartment_id;
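The following Python is an added example, not code from the steampipe-mod-oci-compliance project. It re-implements the query's WHERE clause over the camelCase rule objects found in the `rules` column, reproduces the status/reason output of the SELECT, and then builds the `--security-rules` payload for the CLI remediation above by dropping the read-only `is-valid`/`time-created` fields and narrowing only the flagged rules to an allowed CIDR (the page's 140.238.154.0/24 is reused). It goes beyond the SQL in one place: the optional `tcp_without_options_is_all_ports` flag also counts a protocol-6 rule with no `tcpOptions`, which OCI treats as all TCP ports and the query as written does not flag. All function names, sample NSG rules and OCIDs are constructed for this illustration.

```python
# Added example (not part of steampipe-mod-oci-compliance): the control's SQL
# predicate over rule dicts, plus a builder for the CLI --security-rules payload.
import json
from typing import Optional

RDP_PORT = 3389
# Read-only fields the page says to drop before `oci network nsg rules update`
CLI_READONLY_FIELDS = ("is-valid", "time-created")


def port_range_covers(tcp_options: Optional[dict], port: int) -> bool:
    """True when tcpOptions.destinationPortRange spans `port`. Like the SQL,
    a missing tcpOptions/range compares as NULL, i.e. false."""
    rng = (tcp_options or {}).get("destinationPortRange") or {}
    if rng.get("min") is None or rng.get("max") is None:
        return False
    return int(rng["min"]) <= port <= int(rng["max"])


def is_open_rdp_rule(rule: dict, tcp_without_options_is_all_ports: bool = False) -> bool:
    """The control's WHERE clause for one element of the `rules` column (camelCase keys).
    The keyword goes beyond the SQL: protocol 6 with no tcpOptions means all TCP ports."""
    if rule.get("direction") != "INGRESS":
        return False
    if rule.get("sourceType") != "CIDR_BLOCK" or rule.get("source") != "0.0.0.0/0":
        return False
    protocol = rule.get("protocol")
    if protocol == "all" or port_range_covers(rule.get("tcpOptions"), RDP_PORT):
        return True
    return tcp_without_options_is_all_ports and protocol == "6" and not rule.get("tcpOptions")


def evaluate_nsg(nsg: dict, **kw) -> dict:
    """Produce the resource/status/reason triple the control's SELECT emits."""
    count = sum(1 for r in nsg.get("rules") or [] if is_open_rdp_rule(r, **kw))
    name = nsg["display_name"]
    if count == 0:
        reason = f"{name} ingress restricted for port 3389 from 0.0.0.0/0."
        return {"resource": nsg["id"], "status": "ok", "reason": reason}
    reason = f"{name} contains {count} ingress rule(s) allowing port 3389 from 0.0.0.0/0."
    return {"resource": nsg["id"], "status": "alarm", "reason": reason}


def _camel(key: str) -> str:
    first, *rest = key.split("-")
    return first + "".join(w.capitalize() for w in rest)


def to_steampipe_shape(obj):
    """Recursively convert the CLI's kebab-case keys (source-type, tcp-options, ...)
    to the camelCase keys used in the Steampipe column."""
    if isinstance(obj, dict):
        return {_camel(k): to_steampipe_shape(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [to_steampipe_shape(v) for v in obj]
    return obj


def remediated_rules_json(cli_rules: list, replacement_cidr: str) -> str:
    """Value for --security-rules: read-only fields dropped; the source of every
    rule the control would flag narrowed to replacement_cidr; other rules unchanged."""
    updated = []
    for rule in cli_rules:
        rule = {k: v for k, v in rule.items() if k not in CLI_READONLY_FIELDS}
        if is_open_rdp_rule(to_steampipe_shape(rule)):
            rule = dict(rule, source=replacement_cidr)
        updated.append(rule)
    return json.dumps(updated)


def _tcp(lo, hi):  # helper for the constructed sample below
    return {"destinationPortRange": {"min": lo, "max": hi}, "sourcePortRange": None}

# Constructed sample NSG in the shape of an oci_core_network_security_group row
_OPEN = {"direction": "INGRESS", "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0"}
SAMPLE_NSG = {
    "id": "ocid1.networksecuritygroup.oc1.iad.EXAMPLE", "display_name": "web-nsg",
    "rules": [
        dict(_OPEN, protocol="6", tcpOptions=_tcp(3389, 3389)),   # flagged
        dict(_OPEN, protocol="all", tcpOptions=None),             # flagged
        dict(_OPEN, protocol="6", tcpOptions=_tcp(3000, 4000)),   # flagged: range spans 3389
        dict(_OPEN, source="10.0.0.0/8", protocol="6", tcpOptions=_tcp(3389, 3389)),  # ok
        dict(_OPEN, protocol="6", tcpOptions=None),               # flagged only with the option
        {"direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "all"},  # out of scope
    ],
}

# Constructed sample in the CLI's kebab-case shape (as `oci network nsg rules list` prints it)
SAMPLE_CLI_RULES = [
    {"id": "709001", "direction": "INGRESS", "source-type": "CIDR_BLOCK", "source": "0.0.0.0/0",
     "protocol": "6", "is-valid": True, "time-created": "2024-01-01T00:00:00+00:00",
     "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
    {"id": "709002", "direction": "INGRESS", "source-type": "CIDR_BLOCK", "source": "0.0.0.0/0",
     "protocol": "6", "is-valid": True, "time-created": "2024-01-01T00:00:00+00:00",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
]

if __name__ == "__main__":
    print(evaluate_nsg(SAMPLE_NSG))
    print(evaluate_nsg(SAMPLE_NSG, tcp_without_options_is_all_ports=True))
    print(remediated_rules_json(SAMPLE_CLI_RULES, "140.238.154.0/24"))
```

The default behaviour is kept identical to the query so the two can be compared on the same data; pass `tcp_without_options_is_all_ports=True` if you want the stricter reading of "all TCP ports" that the SQL does not apply.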

Tags