turbot/steampipe-mod-oci-compliance

Control: 4.18 Ensure a notification is configured for Local OCI User Authentication

Description

It is recommended that an Event Rule and Notification be set up when a user signs in via OCI local authentication. Event Rules are compartment-scoped and also detect events in child compartments, so this Event Rule must be created at the root compartment level.

Remediation

From Console

  1. Go to the Events Service page: https://cloud.oracle.com/events/rules.
  2. Select the Root compartment that should host the rule.
  3. Click Create Rule.
  4. Provide a Display Name and Description.
  5. Create a Rule Condition by selecting Identity SignOn in the Service Name Drop-down and selecting Interactive Login.
  6. In the Actions section select Notifications as Action Type.
  7. Select the Compartment that hosts the Topic to be used.
  8. Select the Topic to be used.
  9. Optionally add Tags to the Rule.
  10. Click Create Rule.

From CLI

  1. Find the topic-id of the topic the Event Rule should use for sending notifications, using the topic name and the tenancy OCID.

     oci ons topic list --compartment-id <tenancy-ocid> --all --query "data[?name=='<topic-name>'].{name:name,topic_id:\"topic-id\"}" --output table

  2. Create a JSON file (event_rule.json) to be used when creating the Event Rule. Replace the topic id, display name, description and compartment OCID.

     {
       "actions": {
         "actions": [
           {
             "actionType": "ONS",
             "isEnabled": true,
             "topicId": "<topic-id>"
           }
         ]
       },
       "condition": "{\"eventType\":[\"com.oraclecloud.identitysignon.interactivelogin\"],\"data\":{}}",
       "displayName": "<display-name>",
       "description": "<description>",
       "isEnabled": true,
       "compartmentId": "<tenancy-ocid>"
     }

  3. Create the actual Event Rule:

     oci events rule create --from-json file://event_rule.json

  4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that an OCID has been assigned to the Event Rule.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v300_4_18

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v300_4_18 --share

SQL

This control uses a named query:

with candidate_rules as (
  select distinct
    r.tenant_id,
    r.id,
    r.display_name
  from
    oci_events_rule r
    cross join lateral jsonb_array_elements(
      coalesce(r.actions::jsonb, '[]'::jsonb)
    ) as action
  where
    r.compartment_id = r.tenant_id
    and r.lifecycle_state = 'ACTIVE'
    and coalesce(r.is_enabled, false)
    and (
      r.condition::text ilike '%com.oraclecloud.identitycontrolplane.signin.login%'
      or r.condition::text ilike '%Identity SignOn%'
    )
    and r.condition::text ilike '%LOCAL%'
    and action ->> 'actionType' in ('ONS', 'NOTIFICATIONS')
    and coalesce((action ->> 'isEnabled')::boolean, false)
    and coalesce(action ->> 'topicId', '') <> ''
)
select
  t.id as resource,
  case
    when exists (
      select 1
      from candidate_rules cr
      where cr.tenant_id = t.id
    ) then 'ok'
    else 'alarm'
  end as status,
  case
    when exists (
      select 1
      from candidate_rules cr
      where cr.tenant_id = t.id
    ) then name || ' root compartment has an enabled events rule that notifies on local interactive logins.'
    else name || ' root compartment does not have an events rule that notifies on local interactive logins.'
  end as reason,
  tenant_name as tenant
from
  oci_identity_tenancy t;
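The following is an added example, not code from the steampipe-mod-oci-compliance mod: it re-expresses the named query above as plain Python over constructed sample records, so each predicate that makes a rule count as "notifies on local interactive logins" (root compartment, ACTIVE, enabled, matching condition text, enabled ONS/NOTIFICATIONS action with a topic) is explicit and can be exercised without a Steampipe connection. The record field names follow the oci_events_rule columns the query uses; the OCIDs and condition strings are placeholders.

```python
# Added example (not part of the steampipe-mod-oci-compliance mod): the control's
# named query re-expressed over constructed sample rule records.
import json

# Substrings the named query matches (case-insensitively) in the condition text.
LOGIN_MARKERS = ("com.oraclecloud.identitycontrolplane.signin.login", "identity signon")
LOCAL_MARKER = "local"
NOTIFY_ACTION_TYPES = {"ONS", "NOTIFICATIONS"}


def has_enabled_notification(actions):
    """Mirror of the lateral-join predicates: at least one enabled
    ONS/NOTIFICATIONS action carrying a non-empty topicId."""
    for action in actions or []:
        if action.get("actionType") not in NOTIFY_ACTION_TYPES:
            continue
        if not bool(action.get("isEnabled") or False):  # coalesce(..., false)
            continue
        if not (action.get("topicId") or ""):
            continue
        return True
    return False


def is_candidate_rule(rule):
    """Mirror of the candidate_rules CTE for one oci_events_rule row (as a dict)."""
    # The rule must live in the root compartment (compartment_id equals the tenancy OCID).
    if rule.get("compartment_id") != rule.get("tenant_id"):
        return False
    if rule.get("lifecycle_state") != "ACTIVE":
        return False
    if not bool(rule.get("is_enabled") or False):  # coalesce(is_enabled, false)
        return False
    condition = rule.get("condition")
    text = (condition if isinstance(condition, str) else json.dumps(condition)).lower()
    if not any(marker in text for marker in LOGIN_MARKERS):
        return False
    if LOCAL_MARKER not in text:
        return False
    return has_enabled_notification(rule.get("actions"))


def evaluate_tenancy(tenancy, rules):
    """Produce the control's resource/status/reason row for one tenancy."""
    found = [r for r in rules if r.get("tenant_id") == tenancy["id"] and is_candidate_rule(r)]
    name = tenancy["name"]
    if found:
        status = "ok"
        reason = f"{name} root compartment has an enabled events rule that notifies on local interactive logins."
    else:
        status = "alarm"
        reason = f"{name} root compartment does not have an events rule that notifies on local interactive logins."
    return {"resource": tenancy["id"], "status": status, "reason": reason, "tenant": name}


# Constructed sample data. OCIDs are placeholders; the condition strings only need
# to contain the substrings the query looks for and are not a full OCI condition schema.
TENANCY_A = {"id": "ocid1.tenancy.oc1..placeholder-a", "name": "tenancy-a"}
TENANCY_B = {"id": "ocid1.tenancy.oc1..placeholder-b", "name": "tenancy-b"}
CHILD_COMPARTMENT_B = "ocid1.compartment.oc1..placeholder-child"
LOCAL_LOGIN_CONDITION = (
    '{"eventType":["com.oraclecloud.identitycontrolplane.signin.login"],"data":{"placeholder":"LOCAL"}}'
)
GOOD_ACTION = {"actionType": "ONS", "isEnabled": True, "topicId": "ocid1.onstopic.oc1..placeholder"}


def _rule(rid, tenant, compartment, condition, actions, enabled=True, state="ACTIVE"):
    return {"id": rid, "tenant_id": tenant, "compartment_id": compartment, "display_name": rid,
            "lifecycle_state": state, "is_enabled": enabled, "condition": condition, "actions": actions}


SAMPLE_RULES = [
    _rule("rule-a-ok", TENANCY_A["id"], TENANCY_A["id"], LOCAL_LOGIN_CONDITION, [GOOD_ACTION]),
    # Tenancy B has rules, but each one fails a different predicate.
    _rule("rule-b-child-compartment", TENANCY_B["id"], CHILD_COMPARTMENT_B, LOCAL_LOGIN_CONDITION, [GOOD_ACTION]),
    _rule("rule-b-disabled-action", TENANCY_B["id"], TENANCY_B["id"], LOCAL_LOGIN_CONDITION,
          [dict(GOOD_ACTION, isEnabled=False)]),
    _rule("rule-b-no-topic", TENANCY_B["id"], TENANCY_B["id"], LOCAL_LOGIN_CONDITION,
          [dict(GOOD_ACTION, topicId="")]),
    _rule("rule-b-not-local", TENANCY_B["id"], TENANCY_B["id"],
          '{"eventType":["com.oraclecloud.identitycontrolplane.signin.login"],"data":{}}', [GOOD_ACTION]),
    _rule("rule-b-inactive", TENANCY_B["id"], TENANCY_B["id"], LOCAL_LOGIN_CONDITION, [GOOD_ACTION],
          state="DELETED"),
]


def run_control(tenancies=(TENANCY_A, TENANCY_B), rules=SAMPLE_RULES):
    """One row per tenancy, in the same shape as the control's query output."""
    return [evaluate_tenancy(t, rules) for t in tenancies]


if __name__ == "__main__":
    for row in run_control():
        print(row["status"], row["reason"])
```

Running it reports ok for tenancy-a and alarm for tenancy-b, since none of tenancy-b's rules clears every predicate. One caveat when reconciling the query with the remediation: the query only counts a rule whose stored condition text contains `identitycontrolplane.signin.login` or `Identity SignOn` together with `LOCAL`, so after creating a rule, confirm that the condition text the oci_events_rule table returns for it actually contains those substrings; otherwise the control stays in alarm even though a rule exists.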

Tags