Control: 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP
Description
A default security list is created whenever a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended that no security list allow unrestricted ingress access (source 0.0.0.0/0) to resources, for example Secure Shell (SSH) via TCP port 22.
Remediation
From Console
- Log in to the OCI Console.
- Click on Networking -> Virtual Cloud Networks from the services menu.
- For each VCN listed, click on Security Lists.
- Click on Default Security List for <VCN Name>.
- Identify the Ingress Rule with 'Source 0.0.0.0/0, IP Protocol 6 (TCP) and Destination Port Range 22'.
- Either edit the security rule to restrict the source and/or port range, or delete the rule.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_2_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_2_5 --share
SQL
This control uses a named query:
core_default_security_list_allow_icmp_only
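The page names the query but does not show its body. The following is an added illustration of how such a check can be written against the Steampipe OCI plugin, not the mod's own `core_default_security_list_allow_icmp_only` query. It assumes the `oci_core_security_list` table with `display_name`, `vcn_id`, `compartment_id`, `region` and a JSON `ingress_security_rules` column whose elements carry `source`, `protocol`, `tcpOptions` and `udpOptions` (with `destinationPortRange.min`/`max`), which matches the OCI SDK field names but should be verified against the plugin version in use. A default security list is flagged as an alarm when any ingress rule from 0.0.0.0/0 uses a protocol other than ICMP (protocol 1); ICMP-only lists and lists with no world-open rule are reported as ok.

```sql
-- Added example query (not the oci_compliance mod's named query).
-- Assumed table/columns: oci_core_security_list with ingress_security_rules (jsonb).
with default_lists as (
  -- Only the per-VCN default lists are in scope for this control.
  select
    id,
    display_name,
    vcn_id,
    compartment_id,
    region,
    ingress_security_rules
  from
    oci_core_security_list
  where
    display_name like 'Default Security List for %'
),
world_open_non_icmp as (
  -- Count ingress rules open to the whole internet that are not ICMP.
  -- protocol '1' = ICMP, '6' = TCP, '17' = UDP, 'all' = every protocol.
  select
    l.id,
    count(*) as num_rules,
    -- Collect the offending destination ports (if any) for the reason text.
    string_agg(
      coalesce(
        r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min',
        r -> 'udpOptions' -> 'destinationPortRange' ->> 'min',
        'any'
      ), ', '
    ) as open_ports
  from
    default_lists as l,
    jsonb_array_elements(l.ingress_security_rules) as r
  where
    r ->> 'source' = '0.0.0.0/0'
    and r ->> 'protocol' <> '1'
  group by
    l.id
)
select
  -- Standard Powerpipe control output columns.
  l.id as resource,
  case
    when w.num_rules > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when w.num_rules > 0 then
      l.display_name || ' allows ' || w.num_rules
      || ' non-ICMP ingress rule(s) from 0.0.0.0/0 (ports: ' || w.open_ports || ').'
    else
      l.display_name || ' restricts all ingress from 0.0.0.0/0 except ICMP.'
  end as reason,
  l.region,
  l.compartment_id
from
  default_lists as l
  left join world_open_non_icmp as w on w.id = l.id;
```

The `status` and `reason` columns are the shape Powerpipe expects from a control query, so this can be dropped into a local mod as a named query while you compare its findings with the shipped control. Note that it treats a TCP/UDP rule with no port options (all ports) and a rule with protocol `all` the same as a specific open port, which is deliberate: the control's intent is that nothing but ICMP is reachable from 0.0.0.0/0 on the default list.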