Merge pull request #56 from oracle-devrel/oci-security-health-check-standard-230630

OCI Security Health Check - Standard Edition, 230630

Author: AlexanderHodicke

.gitignore

@@ -2,6 +2,7 @@
 .DS_Store
 .AppleDouble
 .LSOverride
+.vscode
 
 # Icon must end with two \r
 Icon
@@ -30,4 +31,4 @@ Temporary Items
 .key
 .crt
 .csr
-.pem
+.pem

security/security-design/README.md

@@ -31,6 +31,7 @@
 ## Reusable Assets Overview
 
 - [Bastion Session Script](bastion-session-script/README.md)
+- [OCI Security Health Check Standard](oci-security-health-check-standard/README.md)
 
       
 ## Useful Links

security/security-design/oci-security-health-check-standard/LICENSE

@@ -0,0 +1,35 @@
+Copyright (c) 2023 Oracle and/or its affiliates. 
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

security/security-design/oci-security-health-check-standard/README.md

@@ -0,0 +1,104 @@
+# OCI Security Health Check - Standard Edition
+
+Owner: Olaf Heimburger
+
+## When to use this asset?
+
+The OCI Security Health Check - Standard Edition checks an OCI tenancy for CIS OCI Foundation Benchmark compliance.
+
+## Usage
+
+### Prepare the OCI Tenancy
+
+You can run the assessment as a member of the OCI `Administrator` group or
+create a group for auditing and assign the respective user to it.
+
+Running the assessment script as an OCI `Administrator` is the easiest and
+quickest way. If you decide to use this option, please continue reading in
+[Run the OCI Security Health Check in Cloud Shell](#run-the-oci-security-health-check-in-cloud-shell).
+
+For recurring usage, setting up a group for auditing is recommended. The
+steps for setting this up are described in the next chapter.
+
+#### Setting up an *Auditor* group and policy
+
+Using an auditor group is the recommended way to run the assessment script.
+To create a group for auditing do the following steps:
+
+  - Log into OCI Console as OCI administrator
+  - Create a group `grp-auditors`
+  - Create a policy `pcy-auditing` with these statements:
+    ```
+    allow group grp-auditors to inspect all-resources in tenancy
+    allow group grp-auditors to read instances in tenancy
+    allow group grp-auditors to read load-balancers in tenancy
+    allow group grp-auditors to read buckets in tenancy
+    allow group grp-auditors to read nat-gateways in tenancy
+    allow group grp-auditors to read public-ips in tenancy
+    allow group grp-auditors to read file-family in tenancy
+    allow group grp-auditors to read instance-configurations in tenancy
+    allow group grp-auditors to read network-security-groups in tenancy
+    allow group grp-auditors to read resource-availability in tenancy
+    allow group grp-auditors to read audit-events in tenancy
+    allow group grp-auditors to read users in tenancy
+    allow group grp-auditors to read vss-family in tenancy
+    allow group grp-auditors to read dns in tenancy
+    allow group grp-auditors to use cloud-shell in tenancy
+    ```
+  - Assign a user to the `grp-auditors` group
+  - Log out of the OCI Console
+
+### Run the OCI Security Health Check in OCI Cloud Shell
+
+The recommended way is to run the *OCI Security Health Check - Standard* in the OCI Cloud Shell. It does not require any additional configuration on a local desktop machine.
+
+#### Download and upload the release file
+
+  - Download the the latest distribution [oci-security-health-check-standard-\<version>.zip](releases/oci-security-health-check-standard-\<version>.zip).
+  - Log into the OCI Console.
+  - Select the *Developer Tools* icon (looks like a small window) in the header toolbar.
+  - From the menu select the *Cloud Shell* item.
+  - Wait until the Cloud Shell has been initialized.
+  - ...
+  - Upload the distribution file.
+  - Extract it
+    ```
+    $ unzip -q oci-security-health-check-standard-<version>.zip
+    ```
+
+### Run the script
+  - Change directory into `oci-security-health-check-standard-<version>`:
+    ```
+    $ cd oci-security-health-check-standard-<version>
+    ```
+  - In the `oci-security-health-check-standard-<version>` directory:
+    - Enable execution of script `standard.sh`:
+      ```
+      $ chmod +x standard.sh
+      ```
+    - Run the script for all subscribed regions:
+      ```
+      $ ./standard.sh
+      ```
+    - Run the script for one subscribed region:
+      ```
+      $ ./standard.sh -r <region_name>
+      ```
+    - Get command line options:
+      ```
+      $ ./standard.sh -h
+      ```
+
+### Getting the results
+  - In the directory `oci-security-health-check-standard-<version>` a directory will be created which
+    holds all the output created by the scripts. This directory will be
+    compressed in a single ZIP file and the resulting ZIP file will be moved to
+    the parent directory of `oci-security-health-check-standard-<version>`.
+
+# License
+
+Copyright (c) 2022-2023 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/folder-structure/LICENSE) for more details.

security/security-design/oci-security-health-check-standard/README.txt

@@ -0,0 +1,72 @@
+
+OCI Security Health Check - Standard Edition
+============================================
+Owner: Olaf Heimburger
+
+When to use this asset?
+
+The OCI Security Health Check - Standard Edition checks an OCI tenancy for
+CIS OCI Foundation Benchmark compliance.
+
+Usage
+
+1 Prepare the OCI Tenancy
+  You can run the assessment as a member of the OCI Administrator group or
+  create a group for auditing and assign the respective user to it.
+
+  Running the assessment script as an OCI Administrator is the easiest and
+  quickest way. If you decide to use this option, please continue reading 
+  chapter 2.
+
+  For recurring usage, setting up a group for auditing is recommended. The
+  steps for setting this up are described in the next chapter.
+
+1.1 Setup an Auditor group and policy
+  Using an auditor group is the recommended way to run the assessment script.
+  To create a group for auditing do the following steps:
+
+  - Log into OCI Console as OCI administrator
+  - Create a group grp-auditors
+  - Create a policy pcy-auditing with these statements:
+    allow group grp-auditors to inspect all-resources in tenancy
+    allow group grp-auditors to read instances in tenancy
+    allow group grp-auditors to read load-balancers in tenancy
+    allow group grp-auditors to read buckets in tenancy
+    allow group grp-auditors to read nat-gateways in tenancy
+    allow group grp-auditors to read public-ips in tenancy
+    allow group grp-auditors to read file-family in tenancy
+    allow group grp-auditors to read instance-configurations in tenancy
+    allow group grp-auditors to read network-security-groups in tenancy
+    allow group grp-auditors to read resource-availability in tenancy
+    allow group grp-auditors to read audit-events in tenancy
+    allow group grp-auditors to read users in tenancy
+    allow group grp-auditors to read vss-family in tenancy
+    allow group grp-auditors to read dns in tenancy
+    allow group grp-auditors to use cloud-shell in tenancy
+  - Assign a user to the grp-auditors group
+  - Log out of OCI Console
+
+2 Using the Cloud Shell
+  - Log into the OCI Console
+  - Select the Developer Tools icon (looks like a small window).
+  - From the menu select the Cloud Shell item.
+  - When running it the first time:
+    - Upload the provided ZIP file.
+    - Extract it with unzip -q oci-security-health-check-standard-<version>.zip
+  - Change directory into oci-security-health-check-standard-<version>
+    $ cd oci-security-health-check-standard-<version>
+    $ screen
+  - In the oci-security-health-check-standard-<version> directory run the standard.sh
+    script.
+    - Run the script for all subscribed regions:
+      $ ./standard.sh
+    - Run the script for one subscribed region:
+      $ ./standard.sh -r <region_name>
+    - Get command line options:
+      $ ./standard.sh -h
+
+3 Gathering the results
+  - In the directory oci-security-health-check-standard-<version> a directory will be created which
+    holds all the output created by the scripts. This directory will be
+    compressed in a single ZIP file and the resulting ZIP file will be moved to
+    the home directory of the account running the script.

security/security-design/oci-security-health-check-standard/requirements.txt

@@ -0,0 +1,5 @@
+xlsxwriter>=3.0.3
+pandas>=1.5.2
+openpyxl>=3.0.10
+pyyaml>=6.0
+oci>=2.104