Release 250430

Author: oheimburger

security/security-design/shared-assets/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 250307 (cis_report.py version 2.8.8) for CIS OCI Foundation Benchmark 2.0.0
+Version: 250430 (cis_report.py version 2.8.8+) for CIS OCI Foundation Benchmark 2.0.0
 
 Reviewed: 01.02.2024
 
@@ -15,7 +15,7 @@ Reviewed: 01.02.2024
 
 The *OCI Security Health Check - Standard Edition* checks your OCI tenancy for [CIS Oracle Cloud Infrastructure Foundations Benchmark](https://www.cisecurity.org/benchmark/Oracle_Cloud) compliance.
 
-### Disclaimer
+## Disclaimer
 
 This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*.
 
@@ -44,6 +44,7 @@ The file standard.sh acts as the entry point and does the following:
 - Call of cis_reports.py
 - Automatic output archive (ZIP file) creation
 - Automatic runtime protocol
+- Support for encrypted archive (ZIP file). New command line option `--zip-protect`.
 
 Tested on **OCI Cloud Shell** with **Public network**, **Oracle Linux**, **MacOS 12** and higher.
 
@@ -57,22 +58,22 @@ See the *OCI Security Health Check - Standard Edition* in action and watch the [
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-250307.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.zip).
+  - Download the latest distribution [oci-security-health-check-standard-250430.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-250307.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.sha512).
-    - [oci-security-health-check-standard-250307.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.sha512256).
+    - [oci-security-health-check-standard-250430.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.sha512).
+    - [oci-security-health-check-standard-250430.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-250307.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-250430.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-250307.sha512
+    sha512sum -c oci-security-health-check-standard-250430.sha512
     ```
 
 **Reject the downloaded file if the check fails!**
@@ -85,10 +86,10 @@ In OCI Cloud Shell you can do a short cut without downloading the files mentione
 2. Open Cloud Shell
 3. Run these commands in your Cloud Shell:
   ```
-  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.zip
-  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.sha512
-  sha512sum -c oci-security-health-check-standard-250307.sha512
-  unzip -q oci-security-health-check-standard-250307.zip
+  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.zip
+  wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.sha512
+  sha512sum -c oci-security-health-check-standard-250430.sha512
+  unzip -q oci-security-health-check-standard-250430.zip
   ```
 
 ## Prepare the OCI Tenancy
@@ -150,9 +151,22 @@ To start with reviewing the results, open the file named `tenancy_name_YYYYMMDDH
 It may look like this example:
 ![Example](./files/resources/Example_Output.png)
 
+# Advanced Use
+
+The script `standard.sh` supports additional commandline options:
+
+- `-h` prints a summary of supported options
+- `-v` prints the versions of the components used
+- `--cis 'options'` if you need to pass additional options to the cis-report.py. Always use single qoutes around the options. Examples:
+  - `--cis '-h'` prints the options of cis_report.py
+  - `--cis '--debug'` runs cis_report.py in debug mode with additional output
+- `--zip-protect` asks for a password of your choice. Zero-length passwords are not supported!
+
 # Known Issues
 
-1. Diagrams are not part of the HTML page.
+1. Python 3.8 is not supported anymore.
+   OCI Cloud Shell is the minimal required environment. The Python version used in OCI Cloud Shell is 3.9.
+2. Diagrams are not part of the HTML page.
    This may be because of broken `numpy installation`. The following command should resolve this:
    `pip3 install --upgrade --force-reinstall --user numpy`
 

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 250307 (cis_report.py version 2.8.8) for CIS OCI Foundation Benchmark 2.0.0
+Version: 250430 (cis_report.py version 2.8.8.1) for CIS OCI Foundation Benchmark 2.0.0
 
 ## When to use this asset?
 
@@ -21,33 +21,53 @@ The main goals of this script are:
 - Make the run as easy and smooth as possible.
 - Do not affect your desktop whenever possible.
 
+## Benefits of this package
+
+This package includes *two* files
+- standard.sh
+- scripts/cis_reports/cis_reports.py
+
+The file standard.sh acts as the entry point and does the following:
+
+- Automatic check for Python runtime version
+- Automatic venv creation and activation
+- Automatci installation of required Python libraries
+- Automatic **OCI Cloud Shell** and tenancy name detection
+- Automatic creation of timestamped output directory
+- Call of cis_reports.py
+- Automatic output archive (ZIP file) creation
+- Automatic runtime protocol
+- Support for encrypted archive (ZIP file). New command line option `--zip-protect`.
+
+Tested on **OCI Cloud Shell** with **Public network**, **Oracle Linux**, **MacOS 12** and higher.
+
 ## Usage
 
 ### Download and verify the release file
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-250307.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.zip).
+  - Download the latest distribution [oci-security-health-check-standard-250430.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-250307.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.sha512).
-    - [oci-security-health-check-standard-250307.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250307.sha512256).
+    - [oci-security-health-check-standard-250430.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.sha512).
+    - [oci-security-health-check-standard-250430.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-250430.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     cd <your_downloads_directory>
-    shasum -a 512256 -c oci-security-health-check-standard-250307.sha512256
+    shasum -a 512256 -c oci-security-health-check-standard-250430.sha512256
     ```
 
     On Linux (including Cloud Shell):
     ```
     cd <your_downloads_directory>
-    sha512sum -c oci-security-health-check-standard-250307.sha512
+    sha512sum -c oci-security-health-check-standard-250430.sha512
     ```
 
 **Reject the downloaded file when the check fails!**
 
-### Prepare the OCI Tenancy
+### <a name="preparing"></a>Prepare the OCI Tenancy
 
 You can run the assessment as a member of the OCI `Administrator` group or
 create a group for auditing and assign the respective user to it.
@@ -70,26 +90,6 @@ To create a group for auditing do the following steps:
     - If "Domains" are listed you are migrated to Identity Domains
   - Create a group `grp-auditors`
   - Create a policy `pcy-auditing` with these statements:
-    - For tenancies **without** Identity Domains use
-      ```
-      allow group grp-auditors to inspect all-resources in tenancy
-      allow group grp-auditors to read audit-events in tenancy
-      allow group grp-auditors to read buckets in tenancy
-      allow group grp-auditors to read dns in tenancy
-      allow group grp-auditors to read domains in tenancy
-      allow group grp-auditors to read file-family in tenancy
-      allow group grp-auditors to read instance-configurations in tenancy
-      allow group grp-auditors to read instances in tenancy
-      allow group grp-auditors to read load-balancers in tenancy
-      allow group grp-auditors to read nat-gateways in tenancy
-      allow group grp-auditors to read network-security-groups in tenancy
-      allow group grp-auditors to read public-ips in tenancy
-      allow group grp-auditors to read resource-availability in tenancy
-      allow group grp-auditors to read users in tenancy
-      allow group grp-auditors to read vss-family in tenancy
-      allow group grp-auditors to use cloud-shell in tenancy
-      allow group grp-auditors to use cloud-shell-public-network in tenancy
-      ```
     - For tenancies **with** Identity Domains use
       ```
       allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
@@ -110,6 +110,26 @@ To create a group for auditing do the following steps:
       allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
       allow group 'Default'/'grp-auditors' to use cloud-shell-public-network in tenancy
       ```
+    - For tenancies **without** Identity Domains use
+      ```
+      allow group grp-auditors to inspect all-resources in tenancy
+      allow group grp-auditors to read audit-events in tenancy
+      allow group grp-auditors to read buckets in tenancy
+      allow group grp-auditors to read dns in tenancy
+      allow group grp-auditors to read domains in tenancy
+      allow group grp-auditors to read file-family in tenancy
+      allow group grp-auditors to read instance-configurations in tenancy
+      allow group grp-auditors to read instances in tenancy
+      allow group grp-auditors to read load-balancers in tenancy
+      allow group grp-auditors to read nat-gateways in tenancy
+      allow group grp-auditors to read network-security-groups in tenancy
+      allow group grp-auditors to read public-ips in tenancy
+      allow group grp-auditors to read resource-availability in tenancy
+      allow group grp-auditors to read users in tenancy
+      allow group grp-auditors to read vss-family in tenancy
+      allow group grp-auditors to use cloud-shell in tenancy
+      allow group grp-auditors to use cloud-shell-public-network in tenancy
+      ```
   - Assign a user to the `grp-auditors` group
   - Log out of the OCI Console
 
@@ -187,7 +207,7 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
   - Upload the distribution file.
   - Extract it
     ```
-    unzip -q oci-security-health-check-standard-250307.zip
+    unzip -q oci-security-health-check-standard-250430.zip
     ```
 
 #### Run the script
@@ -261,11 +281,11 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
       Follow the instructions to select /usr/bin/python3.9
     - Log out
 
-  - From your desktop, upload the `oci-security-health-check-standard-250307.zip` file to the Compute VM using any SFTP client.
+  - From your desktop, upload the `oci-security-health-check-standard-250430.zip` file to the Compute VM using any SFTP client.
   - Log into the Compute VM
     - Extract the distribution
       ```
-      unzip -q oci-security-health-check-standard-250307.zip
+      unzip -q oci-security-health-check-standard-250430.zip
       ```
     - Change directory into `oci-security-health-check-standard`:
       ```
@@ -321,7 +341,7 @@ The report results are summarized in two files:
 - *cis_html_summary_report.html* &ndash; The report in HTML that displays the all recommendations and their compliance status, respectively.
 - *Consolidated_Report.xslx* &ndash; An XSLX workbook with a summary and sheets for the non-compliant recommendations.
 
-### Known Issues
+## Known Issues
 
 No known issues.
 
@@ -335,7 +355,7 @@ The *OCI Security Health Check - Standard Edition* would not be possible without
 
 The Compliance Checking Script is certified by the [CIS Center of Internet Security for the OCI Oracle Cloud Foundation Benchmark v1.2, Level 1 and 2](https://www.cisecurity.org/partner/oracle).
 
-# License
+## License
 
 Copyright (c) 2022-2025 Oracle and/or its affiliates.
 

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt

@@ -2,11 +2,11 @@
 OCI Security Health Check - Standard Edition
 ============================================
 Owner: Olaf Heimburger
-Version: 250307 (cis_report.py version 2.8.8)  for CIS OCI Foundation Benchmark 2.0.0
+Version: 250430 (cis_report.py version 2.8.8.1)  for CIS OCI Foundation Benchmark 2.0.0
 
 When to use this asset?
 
-The OCI Security Health Check - Standard Edition checks an OCI tenancy for
+The 'OCI Security Health Check - Standard Edition' checks an OCI tenancy for
 CIS OCI Foundation Benchmark compliance.
 
 Disclaimer
@@ -20,6 +20,33 @@ Kubernetes, the VMware Solution, etc. is "out of scope" of the
 This is not an official Oracle application and it is not supported
 by Oracle Support.
 
+Before you begin
+
+The main goals of this script are:
+
+- Make the run as easy and smooth as possible.
+- Do not affect your desktop whenever possible.
+
+Benefits of this package
+
+This package includes *two* files
+- standard.sh
+- scripts/cis_reports/cis_reports.py
+
+The file standard.sh acts as the entry point and does the following:
+
+- Automatic check for Python runtime version
+- Automatic venv creation and activation
+- Automatci installation of required Python libraries
+- Automatic OCI Cloud Shell and tenancy name detection
+- Automatic creation of timestamped output directory
+- Call of cis_reports.py
+- Automatic output archive (ZIP file) creation
+- Automatic runtime protocol
+- Support for encrypted archive (ZIP file). New command line option `--zip-protect`.
+
+Tested on OCI Cloud Shell with Public network, Oracle Linux, MacOS 12 and higher.
+
 Usage
 
 1 Prepare the OCI Tenancy
@@ -85,7 +112,7 @@ Usage
   - From the menu select the Cloud Shell item.
   - When running it the first time:
     - Upload the provided ZIP file.
-    - Extract it with unzip -q oci-security-health-check-standard-250307.zip
+    - Extract it with unzip -q oci-security-health-check-standard-250430.zip
   - Change directory into oci-security-health-check-standard
     $ cd oci-security-health-check-standard
     $ screen
@@ -103,7 +130,7 @@ Usage
   - Create a Dynamic Group
     'Default'/'dgp-instance-principal'
     This dynamic group must specify the compartment OCID (resource.compartment.id) or the Compute VM OCID (resource.instance.id), respectively.
-  - Create permissions for the Dynamic Group
+  - Create permissions for the Dynamic Group (with IAM domains)
       allow dynamic-group 'Default'/'dgp-instance-principal' to inspect all-resources in tenancy
       allow dynamic-group 'Default'/'dgp-instance-principal' to read audit-events in tenancy
       allow dynamic-group 'Default'/'dgp-instance-principal' to read buckets in tenancy
@@ -142,11 +169,11 @@ Usage
     - Log out
 
   - From your desktop, upload the
-    "oci-security-health-check-standard-250307.zip" file to the Compute VM
+    "oci-security-health-check-standard-250430.zip" file to the Compute VM
     using any SFTP client.
   - Log into the Compute VM
     - Extract the distribution
-      unzip -q oci-security-health-check-standard-250307.zip
+      unzip -q oci-security-health-check-standard-250430.zip
 
     - Change directory into "oci-security-health-check-standard":
       cd oci-security-health-check-standard

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py

@@ -42,9 +42,9 @@
 except Exception:
     OUTPUT_DIAGRAMS = False
 
-RELEASE_VERSION = "2.8.8"
+RELEASE_VERSION = "2.8.8.1"
 PYTHON_SDK_VERSION = "2.147.0"
-UPDATED_DATE = "March 4, 2024"
+UPDATED_DATE = "April 24, 2025"
 
 
 ##########################################################################
@@ -1202,7 +1202,7 @@ def __identity_read_compartments(self):
 
             # Add root compartment which is not part of the list_compartments
             self.__compartments.append(self.__tenancy)
-            deep_link = self.__oci_compartment_uri + compartment.id
+            deep_link = self.__oci_compartment_uri + self.__tenancy.id
             root_compartment = {
                 "id": self.__tenancy.id,
                 "name": self.__tenancy.name,
@@ -3870,7 +3870,7 @@ def __report_cis_analyze_tenancy_data(self):
 
 
                     if domain['password_policy']['num_passwords_in_history']:
-                        if domain['password_policy']['num_passwords_in_history'] < 24:
+                        if domain['password_policy']['num_passwords_in_history'] is None or domain['password_policy']['num_passwords_in_history'] < 24:
                             self.cis_foundations_benchmark_2_0['1.6']['Findings'].append(domain)
 
                 else: