turbot/steampipe-mod-oci-compliance

Control: 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP within VCN

Description

A default security list is created when a Virtual Cloud Network (VCN) is created and attached to the public subnets in the VCN. Security lists provide stateful or stateless filtering of ingress and egress network traffic to OCI resources in the VCN. It is recommended that the default security list does not allow unrestricted ingress and egress access to resources in the VCN.

Removing unfettered connectivity to OCI resources reduces a server's exposure to unauthorized access or data exfiltration.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Click on Networking -> Virtual Cloud Networks from the services menu.
  3. For each VCN listed, click on Security Lists.
  4. Click on Default Security List for <VCN Name>.
  5. Identify the Ingress Rule with 'Source 0.0.0.0/0'.
  6. Either edit the security rule to restrict the source and/or port range, or delete the rule.
  7. Identify the Egress Rule with 'Destination 0.0.0.0/0, All Protocols'.
  8. Either edit the security rule to restrict the source and/or port range, or delete the rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v300_2_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v300_2_5 --share

SQL

This control uses a named query:

with default_security_list as (
  select
    id,
    count(display_name)
  from
    oci_core_security_list,
    jsonb_array_elements(ingress_security_rules) as p
  where
    p ->> 'protocol' != '1'
  group by
    id
)
select
  a.id as resource,
  case
    when p.count > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when p.count > 0 then a.display_name || ' configured with non ICMP ports.'
    else a.display_name || ' configured with ICMP ports only.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_security_list a
  left join oci_core_vcn b on a.vcn_id = b.id
  left join default_security_list as p on p.id = a.id
  left join oci_identity_compartment c on c.id = a.compartment_id
where
  a.display_name = concat('Default Security List for ', b.display_name);
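The control's query returns one alarm/ok verdict per default security list, derived from the ingress rules only. The following Steampipe query is an added example, not part of this mod, that enumerates every non-ICMP rule on each default security list, ingress and egress, together with its peer CIDR and TCP/UDP destination port range, which is the information remediation steps 5 to 8 ask you to locate in the console. It uses the same tables as the control; the JSON key names `source`, `destination`, `isStateless`, `tcpOptions`, `udpOptions`, `destinationPortRange`, `min` and `max` are assumed to follow the OCI SDK's shape as exposed by the Steampipe OCI plugin (only `protocol` is confirmed by the control's own query).

```sql
-- Added example (not part of the mod): list every non-ICMP rule on each
-- "Default Security List for <VCN>" so the 0.0.0.0/0 entries can be edited
-- or deleted. Key names other than "protocol" are assumed from the OCI SDK
-- JSON shape used by the Steampipe OCI plugin.
with default_lists as (
  select
    s.id,
    s.display_name,
    s.region,
    s.tenant_name,
    s.compartment_id,
    s.ingress_security_rules,
    s.egress_security_rules
  from
    oci_core_security_list s
    join oci_core_vcn v on s.vcn_id = v.id
  where
    s.display_name = concat('Default Security List for ', v.display_name)
),
rules as (
  -- ingress rules: the peer address is the "source"
  select
    d.display_name,
    d.region,
    d.tenant_name,
    d.compartment_id,
    'ingress' as direction,
    r ->> 'source' as peer_cidr,
    r ->> 'protocol' as protocol,
    (r ->> 'isStateless')::boolean as is_stateless,
    r -> 'tcpOptions' -> 'destinationPortRange' as tcp_range,
    r -> 'udpOptions' -> 'destinationPortRange' as udp_range
  from
    default_lists d,
    jsonb_array_elements(d.ingress_security_rules) as r
  union all
  -- egress rules: the peer address is the "destination"
  select
    d.display_name,
    d.region,
    d.tenant_name,
    d.compartment_id,
    'egress' as direction,
    r ->> 'destination' as peer_cidr,
    r ->> 'protocol' as protocol,
    (r ->> 'isStateless')::boolean as is_stateless,
    r -> 'tcpOptions' -> 'destinationPortRange' as tcp_range,
    r -> 'udpOptions' -> 'destinationPortRange' as udp_range
  from
    default_lists d,
    jsonb_array_elements(d.egress_security_rules) as r
)
select
  rules.display_name as security_list,
  direction,
  peer_cidr,
  -- OCI stores IANA protocol numbers as strings, or the literal "all"
  case protocol
    when 'all' then 'all'
    when '6' then 'tcp'
    when '17' then 'udp'
    else protocol
  end as protocol,
  -- a TCP/UDP rule with no destinationPortRange covers all ports
  coalesce(
    (tcp_range ->> 'min') || '-' || (tcp_range ->> 'max'),
    (udp_range ->> 'min') || '-' || (udp_range ->> 'max'),
    'all'
  ) as ports,
  is_stateless,
  -- the console steps single out 0.0.0.0/0; surface those first
  peer_cidr = '0.0.0.0/0' as open_to_internet,
  rules.region,
  rules.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  rules
  left join oci_identity_compartment c on c.id = rules.compartment_id
where
  protocol != '1'   -- ICMP (protocol 1) is the only traffic the control permits
order by
  open_to_internet desc,
  security_list,
  direction;
```

Run it from `steampipe query` with the OCI plugin connected; every row is a rule that the control counts against the list, and rows with `open_to_internet = true` correspond to the 'Source 0.0.0.0/0' and 'Destination 0.0.0.0/0' entries the remediation steps tell you to restrict or delete.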

Tags