Updates for 250623

Author: oheimburger

.DS_Store

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 250602 (cis_report.py version 3.0.0.4) for CIS OCI Foundation Benchmark 3.0.0
+Version: 250623 (cis_report.py version 3.0.0.5) for CIS OCI Foundation Benchmark 3.0.0
 
 # Introduction
 ![Flyer](./files/resources/OCI_Security_Health_Check_Standard.png)
@@ -56,22 +56,22 @@ See the *OCI Security Health Check - Standard Edition* in action and watch the [
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-250602.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.zip).
+  - Download the latest distribution [oci-security-health-check-standard-250623.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-250602.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.sha512).
-    - [oci-security-health-check-standard-250602.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.sha512256).
+    - [oci-security-health-check-standard-250623.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.sha512).
+    - [oci-security-health-check-standard-250623.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-250602.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-250623.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-250602.sha512
+    sha512sum -c oci-security-health-check-standard-250623.sha512
     ```
 
 **Reject the downloaded file if the check fails!**
@@ -84,10 +84,10 @@ In OCI Cloud Shell you can do a short cut without downloading the files mentione
 2. Open Cloud Shell
 3. Run these commands in your Cloud Shell:
   ```
-  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.zip
-  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.sha512
-  sha512sum -c oci-security-health-check-standard-250602.sha512
-  unzip -q oci-security-health-check-standard-250602.zip
+  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.zip
+  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.sha512
+  sha512sum -c oci-security-health-check-standard-250623.sha512
+  unzip -q oci-security-health-check-standard-250623.zip
   ```
 
 ## Prepare the OCI Tenancy

security/security-design/shared-assets/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 250602 (cis_report.py version 3.0.0.4) for CIS OCI Foundation Benchmark 3.0.0
+Version: 250623 (cis_report.py version 3.0.0.5) for CIS OCI Foundation Benchmark 3.0.0
 
 ## When to use this asset?
 
@@ -47,22 +47,22 @@ Tested on **OCI Cloud Shell** with **Public network**, **Oracle Linux**, **MacOS
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-250602.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.zip).
+  - Download the latest distribution [oci-security-health-check-standard-250623.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-250602.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.sha512).
-    - [oci-security-health-check-standard-250602.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250602.sha512256).
+    - [oci-security-health-check-standard-250623.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.sha512).
+    - [oci-security-health-check-standard-250623.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250623.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-250602.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-250623.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-250602.sha512
+    sha512sum -c oci-security-health-check-standard-250623.sha512
     ```
 
 **Reject the downloaded file when the check fails!**
@@ -207,7 +207,7 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
   - Upload the distribution file.
   - Extract it
     ```
-    unzip -q oci-security-health-check-standard-250602.zip
+    unzip -q oci-security-health-check-standard-250623.zip
     ```
 
 #### Run the script
@@ -281,11 +281,11 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
       Follow the instructions to select /usr/bin/python3.9
     - Log out
 
-  - From your desktop, upload the `oci-security-health-check-standard-250602.zip` file to the Compute VM using any SFTP client.
+  - From your desktop, upload the `oci-security-health-check-standard-250623.zip` file to the Compute VM using any SFTP client.
   - Log into the Compute VM
     - Extract the distribution
       ```
-      unzip -q oci-security-health-check-standard-250602.zip
+      unzip -q oci-security-health-check-standard-250623.zip
       ```
     - Change directory into `oci-security-health-check-standard`:
       ```

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 OCI Security Health Check - Standard Edition
 ============================================
 Owner: Olaf Heimburger
-Version: 250602 (cis_report.py version 3.0.0.4)  for CIS OCI Foundation Benchmark 3.0.0
+Version: 250623 (cis_report.py version 3.0.0.5)  for CIS OCI Foundation Benchmark 3.0.0
 
 When to use this asset?
 
@@ -112,7 +112,7 @@ Usage
   - From the menu select the Cloud Shell item.
   - When running it the first time:
     - Upload the provided ZIP file.
-    - Extract it with unzip -q oci-security-health-check-standard-250602.zip
+    - Extract it with unzip -q oci-security-health-check-standard-250623.zip
   - Change directory into oci-security-health-check-standard
     $ cd oci-security-health-check-standard
     $ screen
@@ -169,11 +169,11 @@ Usage
     - Log out
 
   - From your desktop, upload the
-    "oci-security-health-check-standard-250602.zip" file to the Compute VM
+    "oci-security-health-check-standard-250623.zip" file to the Compute VM
     using any SFTP client.
   - Log into the Compute VM
     - Extract the distribution
-      unzip -q oci-security-health-check-standard-250602.zip
+      unzip -q oci-security-health-check-standard-250623.zip
 
     - Change directory into "oci-security-health-check-standard":
       cd oci-security-health-check-standard

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt

@@ -42,9 +42,9 @@
 except Exception:
     OUTPUT_DIAGRAMS = False
 
-RELEASE_VERSION = "3.0.0.4"
+RELEASE_VERSION = "3.0.0.5"
 PYTHON_SDK_VERSION = "2.152.1"
-UPDATED_DATE = "May 27, 2025"
+UPDATED_DATE = "June 23, 2025"
 
 
 ##########################################################################
@@ -975,7 +975,7 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, repor
             self.__raw_regions.append(record)
 
         # By Default it is today's date
-        self.__report_directory = f'{report_directory}/' if report_directory else f'{self.__tenancy.name}-{self.report_datetime}'
+        self.__report_directory = f'{report_directory}' if report_directory else f'{self.__tenancy.name}-{self.report_datetime}'
 
         self.__report_prefix = f'{report_prefix}_' if report_prefix else ''
         self.__report_summary_json = report_summary_json
@@ -4355,7 +4355,7 @@ def __report_cis_analyze_tenancy_data(self):
                         self.cis_foundations_benchmark_3_0['2.5']['Findings'].append(
                             sl)
                         break
-                    elif 'destination' in irule and irule['destination'] == "0.0.0.0/0":
+                    elif 'destination' in irule and irule['destination'] == "0.0.0.0/0" and irule['protocol'] != '1':
                         debug("Security List has bad egress rule")
                         self.cis_foundations_benchmark_3_0['2.5']['Status'] = False
                         self.cis_foundations_benchmark_3_0['2.5']['Findings'].append(
@@ -6349,8 +6349,8 @@ def execute_report():
             if OUTPUT_DIAGRAMS:
                 try:
                     worksheet = workbook.add_worksheet('cis_summary_charts')
-                    worksheet.insert_image('B2', f'{csv_report_directory}{report_prefix}cis_summary_compliance.png')
-                    worksheet.insert_image('L2', f'{csv_report_directory}{report_prefix}cis_summary_compliance_by_focus_area.png')
+                    worksheet.insert_image('B2', f'{csv_report_directory}/{report_prefix}cis_summary_compliance.png')
+                    worksheet.insert_image('L2', f'{csv_report_directory}/{report_prefix}cis_summary_compliance_by_focus_area.png')
                 except Exception:
                     pass
             csvfiles = glob.glob(f'{csv_report_directory}/{report_prefix}*.csv')

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py

@@ -7,7 +7,7 @@
 #
 # Author: Olaf Heimburger
 #
-VERSION=250602
+VERSION=250623
 
 graal_version=24.2.1
 OS_TYPE=$(uname)
@@ -23,19 +23,26 @@ if [ ${PARENT_DIR} == "." ]; then
     PARENT_DIR=${PWD}
 fi
 
+DEBUG=0
 RUN_CIS=1
 RUN_SHOWOCI=1
 NO_ZIP=0
 NO_CSV=1
 ZIP_PROTECT=0
 QUIET=1
-NEW_STYLE=0
+NEW_STYLE=1
 PREPARE_ONLY=0
 REGION_NAME=''
 TENANCY="DEFAULT"
 INSTANCE_PRINCIPAL=0
 INSTALL_GRAAL=0
 
+debug() {
+    if [ $DEBUG -eq 1 ]; then
+        echo 'DEBUG: ' $*
+    fi
+}
+
 SCRIPT_NAME=$(basename $0)
 IS_ADVANCED=1
 PYTHON_ENV=$HOME/.venv/advanced
@@ -91,14 +98,16 @@ usage() {
         printf " --cis options                      -- Run cis_report only and provide additional options.\n"
         printf " --showoci options                  -- Run showoci only and provide additional options.\n"
         printf "                                       For example, --showoci '-h' shows available options.\n"
-        printf "                                       The options -jf, -ip, -t, -rg, -xlsx_nodate, --version can be ignored.\n"
+        printf "                                       The options -jf, -ip, -t, -rg, -xlsx_nodate, --version are detected automatically and are not required.\n"
         printf " --new-style                        -- Changes output for compliance checking.\n"
     else
         printf "\nUsage: $0 [-h] [-ip] [-r|--region region_name] [-t|--tenancy tenancy_name] [-c|--cis options]\n"
         printf "          [--no-zip] [--zip-protect] [--verbose] [-v|--version]\n"
-        printf " -h                                -- this message\n"
-        printf " -ip                               -- Use instance principal for authentication.\n"
-        printf " --cis options                     -- Run cis_report only and provide additional options.\n"
+        printf " -h                                 -- this message\n"
+        printf " -ip                                -- Use instance principal for authentication.\n"
+        printf " --cis options                      -- Run cis_report only and provide additional options.\n"
+        printf "                                       For example, --cis '-h' shows available options.\n"
+        printf "                                       The options -dt, -ip, -t, --regions are detected automatically and are not required.\n"
     fi
     printf " --no-zip                           -- Do not create a ZIP file for the contents pf the output directory.\n"
     printf " --zip-protect                      -- Encrypt ZIP file with a password of your choice.\n"
@@ -160,6 +169,7 @@ make_env() {
         PYTHON_CMD=$(which python3)
         ${PYTHON_CMD} -m pip install pip --upgrade ${PIP_OPTS}
     fi
+
     printf "INFO: Checking for required libraries...\n"
     ${PYTHON_CMD} -m pip install ${PIP_OPTS} -r ${ASSESS_DIR}/requirements.txt
     if [ $? -gt 0 ]; then
@@ -456,9 +466,9 @@ if [ $RUN_SHOWOCI -eq 1 ]; then
     fi
     SHOWOCI_XLSX="-xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}"
     SHOWOCI_JSON_FILE="${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json"
-    if [ ${NEW_STYLE} -eq 1 ]; then
-        SHOWOCI_JSON_FILE="${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}_new.json"
-    fi
+    # if [ ${NEW_STYLE} -eq 1 ]; then
+    #     SHOWOCI_JSON_FILE="${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}_new.json"
+    # fi
     SHOWOCI_JSON="-jf ${SHOWOCI_JSON_FILE}"
     SHOWOCI_QUIET=""
     if [ ${QUIET} -eq 1 ]; then
@@ -493,4 +503,7 @@ if [ ${NO_ZIP} -eq 0 ]; then
     fi
     mv ${OUTPUT_DIR_NAME}.zip ${PARENT_DIR}
     printf "\nINFO: All output can be found in the directory '%s'.\nINFO: Results are packaged as downloadable file '%s' at '%s'.\n" "${OUTPUT_DIR_NAME}" "${OUTPUT_DIR_NAME}.zip" "${PARENT_DIR}"
+    if [ ! -z "${CLOUD_SHELL_TOOL_SET}" ]; then
+        printf "\nINFO: To download the ZIP file:\nINFO: 1. Copy the filename %s\nINFO: 2. Click on the settings icon of the Cloud Shell on the right\nINFO: 3. Select 'Download'\nINFO: 4. Paste the file name into the modal window and click on 'Download'\n\n" "${OUTPUT_DIR_NAME}.zip"
+    fi
 fi