Merge pull request #1111 from oracle-devrel/lvb_add_version_20240502_files

Added version 240502 to repo

Author: AlexanderHodicke

security/security-design/shared-assets/oci-security-health-check-standard/README.md

@@ -2,9 +2,9 @@
 
 Owner: Olaf Heimburger
 
-Version: 240315
+Version: 240502
 
-Reviewed: 01.02.2024
+Reviewed: 05.02.2024
 
 # Introduction
 ![Flyer](./files/resources/OCI_Security_Health_Check_Standard.png)
@@ -29,22 +29,22 @@ See the *OCI Security Health Check - Standard Edition* in action and watch the [
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-240315.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240315/oci-security-health-check-standard-240315.zip).
+  - Download the latest distribution [oci-security-health-check-standard-240502.zip](./files/resources/oci-security-health-check-standard-240502.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-240315.sha512](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240315/oci-security-health-check-standard-240315.sha512).
-    - [oci-security-health-check-standard-240315.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240315/oci-security-health-check-standard-240315.sha512256).
+    - [oci-security-health-check-standard-240502.sha512](./files/resources/oci-security-health-check-standard-240502.sha512).
+    - [oci-security-health-check-standard-240502.sha512256](./files/resources/oci-security-health-check-standard-240502.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-240315.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-240502.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-240315.sha512
+    sha512sum -c oci-security-health-check-standard-240502.sha512
     ```
 
 **Reject the downloaded file if the check fails!**

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 240315
+Version: 240502 (cis_report.py version 2.8.2+)
 
 ## When to use this asset?
 
@@ -12,26 +12,31 @@ The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for CIS
 
 This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*.
 
+This is not an official Oracle application and it is not supported
+by Oracle Support.
+
 ## Usage
 
 ### Download and verify the release file
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-240315.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240315/oci-security-health-check-standard-240315.zip).
-  - Download the respective checksum file [oci-security-health-check-standard-240315.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240315/oci-security-health-check-standard-240315.sha512256).
+  - Download the latest distribution [oci-security-health-check-standard-240502.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240502/oci-security-health-check-standard-240502.zip).
+  - Download the respective checksum file:
+    - [oci-security-health-check-standard-240502.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240502/oci-security-health-check-standard-240502.sha512256)
+    - [oci-security-health-check-standard-240502.sha512](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240502/oci-security-health-check-standard-240502.sha512).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-240315.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-240502.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-240315.sha512
+    sha512sum -c oci-security-health-check-standard-240502.sha512
     ```
 
 **Reject the downloaded file when the check fails!**
@@ -48,7 +53,7 @@ quickest way. If you decide to use this option, please continue reading in
 For recurring usage, setting up a group for auditing is recommended. The
 steps for setting this up are described in the next chapter.
 
-#### Setting up an *Auditor* group and policy
+#### Setting up an *Auditor* group and related permissions
 
 Using an auditor group is the recommended way to run the assessment script.
 To create a group for auditing do the following steps:
@@ -112,7 +117,7 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the
   - Upload the distribution file.
   - Extract it
     ```
-    unzip -q oci-security-health-check-standard-240315.zip
+    unzip -q oci-security-health-check-standard-240502.zip
     ```
 
 ### Run the script
@@ -123,20 +128,113 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the
   - In the `oci-security-health-check-standard` directory:
     - Enable execution of script `standard.sh`:
       ```
-      $ chmod +x standard.sh
+      chmod +x standard.sh
       ```
     - Run the script for all subscribed regions:
       ```
-      $ ./standard.sh
+      ./standard.sh
       ```
     - Run the script for one subscribed region:
       ```
-      $ ./standard.sh -r <region_name>
+      ./standard.sh -r <region_name>
       ```
     - Get command line options:
       ```
-      $ ./standard.sh -h
+      ./standard.sh -h
+      ```
+### Using an OCI Compute VM (Oracle Linux)
+
+  - Create a Dynamic Group
+    `'Default'/'dgp-instance-principal'`
+
+    This dynamic group must specify the compartment OCID (`resource.compartment.id`) or the Compute VM OCID (`resource.instance.id`), respectively.
+  - Create permissions for the Dynamic Group
+      ```
+      allow dynamic-group 'Default'/'dgp-instance-principal' to inspect all-resources in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read audit-events in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read buckets in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read cloudevents-rules in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read dns in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read domains in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read file-family in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read instances in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read instance-configurations in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read keys in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read load-balancers in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read nat-gateways in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read network-security-groups in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read osms-family in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read public-ips in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read resource-availability in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read serviceconnectors in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read stream-family in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read users in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read vault in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read vlans in tenancy
+      allow dynamic-group 'Default'/'dgp-instance-principal' to read vss-family in tenancy
+      ```
+  - Preparing the Compute VM:
+    - Log into the Compute VM
+    - Make sure that Python 3 is installed:
+      ```
+      sudo yum list python39
+      ```
+    - If Python 3 is missing, install it:
+      ```
+      sudo yum install python39 -y
+      ```
+    - Update the link of python3 to /usr/bin/python3.9
       ```
+      sudo alternatives --config python3
+      ```
+      Follow the instructions to select /usr/bin/python3.9
+    - Log out
+
+  - From your desktop, upload the `oci-security-health-check-standard-240502.zip` file to the Compute VM using any SFTP client.
+  - Log into the Compute VM
+    - Extract the distribution
+      ```
+      unzip -q oci-security-health-check-standard-240502.zip
+      ```
+    - Change directory into `oci-security-health-check-standard`:
+      ```
+      cd oci-security-health-check-standard
+      ```
+    - Enable execution of script `standard.sh`:
+      ```
+      chmod +x standard.sh
+      ```
+    - In the `oci-security-health-check-standard` directory run the assess.sh
+      script.
+      - Start the `screen` program:
+        ```
+        screen
+        ```
+
+      - Run the script for all subscribed regions:
+        ```
+        ./standard.sh -ip -t <tenancy_name>
+        ```
+      - Run the script for one subscribed region, only:
+        ```
+        ./standard.sh -ip -t <tenancy_name> -r <region_name>
+        ```
+      - Get command line options:
+        ```
+        ./standard.sh -h
+        ```
+      - When your Compute VM session has been ended due to inactivity you can
+        resume without starting the script again.
+
+        To resume the screen session, follow these steps
+        (the output will be different in your *Compute VM*):
+        - Connect to your *Compute VM* again.
+          ```
+          screen -ls
+            1234.text
+          screen -d 1234
+          screen -r 1234
+          ```
 
 ### Getting the results
   - In the directory `oci-security-health-check-standard` a directory will be created which
@@ -146,7 +244,7 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the
 
 ### Checking the results
 
-The report results are showing the compliance status of the related [CIS OCI Foundation Benchmark, version 1.2](https://www.cisecurity.org/benchmark/Oracle_Cloud) recommendations. Please download this benchmark before reading the report. (For license reasons, we cannot distribute the benchmark.)
+The report results are showing the compliance status of the related [CIS OCI Foundation Benchmark, version 2.0](https://www.cisecurity.org/benchmark/Oracle_Cloud) recommendations. Please download this benchmark before reading the report. (For license reasons, we cannot distribute the benchmark.)
 
 The report results are summarized in two files:
 - *cis_html_summary_report.html* &ndash; The report in HTML that displays the all recommendations and their compliance status, respectively.
@@ -158,18 +256,19 @@ No known issues.
 
 ## Credits
 
-The *OCI Security Health Check - Standard Edition* streamlines the usage of the bundled [Compliance Checking Script](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the [CIS OCI Landing Zone Quick Start Template](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
+The *OCI Security Health Check - Standard Edition* streamlines the usage of the [Compliance Checking Script](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the [CIS OCI Landing Zone Quick Start Template](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
 
 The *OCI Security Health Check - Standard Edition* would not be possible without the great work of the [CIS OCI Landing Zone Quick Start Template Team](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/graphs/contributors).
 
 ## Certification
 
-The Compliance Checking Script is certified by the [CIS Center of Internet Security for the OCI Oracle Cloud Foundation Benchmark v1.2.O, Level 1 and 2](https://www.cisecurity.org/partner/oracle).
+The Compliance Checking Script is certified by the [CIS Center of Internet Security for the OCI Oracle Cloud Foundation Benchmark v1.2, Level 1 and 2](https://www.cisecurity.org/partner/oracle).
 
 # License
 
 Copyright (c) 2022-2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
-See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/folder-structure/LICENSE) for more details.
+