turbot/steampipe-mod-oci-compliance

Control: 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389

Description

Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources at the subnet level. It is recommended that no security list allows unrestricted ingress access to port 3389.

Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.

Remediation

From Console

  1. Follow the audit procedure above.
  2. For each security list in the returned results, click the security list name.
  3. Either edit the ingress rule to be more restrictive, delete the ingress rule or click on the VCN and terminate the security list as appropriate.

From CLI

  1. Follow the audit procedure.
  2. For each of the security lists identified, execute the following command:
     oci network security-list get --security-list-id <security list id>
  3. Then either:
     • Update the security list: copy the ingress-security-rules element from the JSON returned by the above get call, edit it appropriately and use it in the following command:
       oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'

     or

     • Delete the security list:
       oci network security-list delete --security-list-id <security list id>
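The "edit it appropriately" step above is where mistakes happen by hand. The following added example (not part of the mod or of the OCI CLI) takes the JSON returned by `oci network security-list get`, applies the same test the control's SQL uses (source 0.0.0.0/0, protocol all, or TCP covering port 3389), and emits the ingress rule list to pass to `--ingress-security-rules`, either dropping the offending rules or narrowing their source to a CIDR you supply. It assumes the kebab-case key names the CLI prints (`ingress-security-rules`, `tcp-options`, `destination-port-range`); the sample security list is constructed, not from a real tenancy.

```python
import json
from typing import Optional

RDP_PORT = 3389

def rule_exposes_port(rule: dict, port: int = RDP_PORT) -> bool:
    """True if an ingress rule admits 0.0.0.0/0 to `port`: protocol 'all', or TCP (6)
    whose destination range covers the port. A TCP rule with no range means all ports."""
    if rule.get("source") != "0.0.0.0/0":
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True
    if proto != "6":
        return False
    # Key names assumed to match `oci network security-list get` output (kebab-case).
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not rng:
        return True
    return rng["min"] <= port <= rng["max"]

def remediate(get_output: dict, allowed_cidr: Optional[str] = None, port: int = RDP_PORT) -> dict:
    """Return {'rules': new ingress list, 'removed': n, 'narrowed': n}.
    With allowed_cidr, offending rules are re-sourced to that CIDR; otherwise dropped."""
    kept, removed, narrowed = [], 0, 0
    for rule in get_output["data"]["ingress-security-rules"]:
        if not rule_exposes_port(rule, port):
            kept.append(rule)
        elif allowed_cidr:
            kept.append({**rule, "source": allowed_cidr})
            narrowed += 1
        else:
            removed += 1
    return {"rules": kept, "removed": removed, "narrowed": narrowed}

# Constructed stand-in for `oci network security-list get` output (placeholder OCID).
SAMPLE_GET_OUTPUT = {"data": {"id": "ocid1.securitylist.oc1..EXAMPLE", "ingress-security-rules": [
    {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
     "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},   # RDP, flagged
    {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},     # HTTPS only, kept
    {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False},           # all TCP ports, flagged
    {"source": "10.0.0.0/16", "protocol": "all", "is-stateless": False},       # internal source, kept
]}}

if __name__ == "__main__":
    result = remediate(SAMPLE_GET_OUTPUT, allowed_cidr="203.0.113.0/24")
    # Pass this JSON to: oci network security-list update ... --ingress-security-rules '<json>'
    print(json.dumps(result["rules"]))
```

Run it against the real `get` output (`remediate(json.load(sys.stdin))`) and review the printed rules before issuing the update command.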

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_2_2 --share

SQL

This control uses a named query:

with non_compliant_rules as (
  select
    id,
    count(*) as num_noncompliant_rules
  from
    oci_core_security_list,
    jsonb_array_elements(ingress_security_rules) as p
  where
    p ->> 'source' = '0.0.0.0/0'
    and (
      -- any protocol with no port restriction
      (
        p ->> 'protocol' = 'all'
        and (p -> 'tcpOptions' -> 'destinationPortRange' -> 'min') is null
      )
      or (
        p ->> 'protocol' = '6'
        and (
          -- a TCP rule with no destination port range allows every TCP port;
          -- added here because the range comparison below evaluates to null,
          -- not true, for such rules and would otherwise miss them
          (p -> 'tcpOptions' -> 'destinationPortRange') is null
          or (
            (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 3389
            and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 3389
          )
        )
      )
    )
  group by id
)
select
  osl.id as resource,
  case
    when non_compliant_rules.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when non_compliant_rules.id is null then osl.display_name || ' ingress restricted for port 3389 from 0.0.0.0/0'
    else osl.display_name || ' contains ' || non_compliant_rules.num_noncompliant_rules || ' ingress rule(s) allowing port 3389 from 0.0.0.0/0.'
  end as reason,
  osl.region as region,
  osl.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_security_list as osl
  left join non_compliant_rules on non_compliant_rules.id = osl.id
  left join oci_identity_compartment c on c.id = osl.compartment_id;

Tags