Control: 2.3 Ensure no network security groups allow ingress from to port 22
Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.
Removing unfettered connectivity to remote console services, such as Secure Shell (SSH), reduces a server's exposure to risk.
From Console
- Login to OCI Console.
- Click the search bar at the top of the screen.
- Type Advanced Resource Query and hit enter.
- Click the Advanced Resource Query button in the upper right corner of the screen.
- Enter the following query in the query box:
query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'
- For each of the network security groups in the returned results, click the name and inspect each of the security rules.
- Remove all security rules with direction: Ingress, Source:, and Destination Port Range: 22.
From CLI
Issue the following command and identify the security rule to remove.
for region in `oci iam region list | jq -r '.data[] | .name'`; do for compid in `oci iam compartment list 2>/dev/null | jq -r '.data[] |.id'`; do for nsgid in `oci network nsg list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .id'` do output=`oci network nsg rules list --nsg-id=$nsgid --all 2>/dev/null | jq -r '.data[] | select(.source == "" and .direction == "INGRESS" and ((."tcp-options"."destination-port-range".max >= 22 and ."tcp-options"."destination-port-range".min <= 22) or ."tcp-options"."destination-port-range" == null))'`
if [ ! -z "$output" ]; then echo "NSGID=", $nsgid, "Security Rules=", $output; fi done donedone
- Remove the security rules
oci network nsg rules remove --nsg-id=<NSGID from audit output>
- Update the security rules
oci network nsg rules update --nsg-id=<NSGID from audit output> --security- rules='[<updated security-rules JSON (without isValid and TimrCreated fields)>]'eg:oci network nsg rules update --nsg- id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security- rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 22, "min": 22 }, "source-port-range": null }, "udp-options": null }]'
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_2_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_2_3 --share
This control uses a named query:
with non_compliant_rules as ( select id, count(*) as num_noncompliant_rules from oci_core_network_security_group, jsonb_array_elements(rules) as r where r ->> 'direction' = 'INGRESS' and r ->> 'sourceType' = 'CIDR_BLOCK' and r ->> 'source' = '' and ( r ->> 'protocol' = 'all' or ( (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 22 and (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 22 ) ) group by id)select as resource, case when is null then 'ok' else 'alarm' end as status, case when is null then nsg.display_name || ' ingress restricted for SSH from' else nsg.display_name || ' contains ' || non_compliant_rules.num_noncompliant_rules || ' ingress rule(s) allowing SSH from' end as reason , nsg.region as region, nsg.tenant_name as tenant , coalesce(, 'root') as compartmentfrom oci_core_network_security_group as nsg left join non_compliant_rules on = left join oci_identity_compartment c on = nsg.compartment_id;