Merge branch 'main' into ai-infra-bg-02-02-2024

Author: bruno-garbaccio

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2023 Oracle and/or its affiliates.
+Copyright (c) 2024 Oracle and/or its affiliates.
 
 The Universal Permissive License (UPL), Version 1.0
 

security/identity-and-access-management/oracle-access-governance/README.md

@@ -0,0 +1,36 @@
+# Oracle Access Governance
+
+Access Governance is a cloud native identity governance and administration (IGA) service that provides enterprisewide visibility to govern access to cloud and on-premises environments. With an intuitive user experience, dynamic access control, and a prescriptive analytics-driven access review process, it helps customers automate access provisioning, get insights into access permission and cloud infrastructure policy reviews, identify anomalies, and remediate security risks.
+
+Reviewed: 31.01.2024
+
+# Useful Links
+
+## General Product Links
+
+- [Oracle Access Governance Product Page](https://www.oracle.com/in/security/cloud-security/access-governance/)
+    - Official page for OAG
+- Oracle Access Governance Documentation
+    - [OAG Public Documentation](https://docs.oracle.com/en/cloud/paas/access-governance/index.html)
+- FAQs
+    - [FAQs](https://www.oracle.com/uk/security/cloud-security/access-governance/faq/)
+- Product Tour
+    - [Product Tour](https://www.oracle.com/webfolder/s/quicktours/paas/pt-sec-access-governance/index.html)
+- Blog
+    - [Blog](https://blogs.oracle.com/cloudsecurity/post/intelligent-cloud-delivered-access-governance-with-prescriptive-analytics)
+- Recorded Demo
+    - [OAG Demo]( https://www.youtube.com/watch?v=GJEPEJlQOmQ)
+   
+
+## OAG Training & Live Labs
+- Demos & Labs
+    - [Demo & Labs](https://luna.oracle.com/lab/6345863c-42c4-4f17-96fc-130278ac4b1f/steps) 
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

security/identity-and-access-management/oracle-access-manager/README.md

@@ -0,0 +1,22 @@
+# Oracle Access Manager
+
+Oracle Access Management provides innovative new services that complement traditional access management capabilities. It provides Web SSO with MFA, coarse-grained authorization, session management, standard SAML Federation, and OAuth capabilities to enable secure access to external cloud and mobile applications. It can be easily integrated with the Oracle Identity Cloud Service to support hybrid access management capabilities that can help customers protect on-premises and cloud applications seamlessly.
+
+Reviewed: 31.01.2024
+
+# Useful Links
+
+## General Product Links
+
+- [Oracle Access Manager Product Page](https://www.oracle.com/middleware/technologies/access-management.html)
+    - Official page for OAM
+- Oracle Access Manager Documentation
+    - [OAM Public Documentation](https://docs.oracle.com/en/middleware/idm/suite/12.2.1.3/)
+    
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

security/identity-and-access-management/oracle-directory-services/README.md

@@ -0,0 +1,22 @@
+# Oracle Directory Services
+
+Oracle Unified Directory is part of Oracle's comprehensive directory solution offering for robust identity management deployments. Enable enterprise directory scalability with an all-in-one solution that provides the services required for high performance and massive scale.
+
+Reviewed: 31.01.2024
+
+# Useful Links
+
+## General Product Links
+
+- [Oracle Directory Services  Product Page](https://www.oracle.com/in/security/identity-management/directory-services/)
+    - Official page for Directory Services
+- Oracle Directory Services Product Tour
+    - [Product Tour](https://www.oracle.com/webfolder/s/quicktours/paas/pt-sec-oud/index.html)
+    
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

security/security-design/shared-assets/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 230922
+Version: 240130
 
 Reviewed: 01.02.2024
 
@@ -67,28 +67,37 @@ For recurring usage, setting up a group for auditing is recommended. For setting
 Using an auditor group is the recommended way to run the assessment script.
 To create a group for auditing do the following steps:
 
-  - Log into OCI Console as OCI administrator
-  - Create a group `grp-auditors`
-  - Create a policy `pcy-auditing` with these statements:
+  - Log into OCI Console as OCI administrator.
+  - In your Default domain create a group `grp-auditors`
+  - Create a policy `pcy-auditing` with these statements (if your tenancy does not have Domains, replace `'Default'/'grp-auditors'` with `grp-auditors`):
     ```
-    allow group grp-auditors to inspect all-resources in tenancy
-    allow group grp-auditors to read instances in tenancy
-    allow group grp-auditors to read load-balancers in tenancy
-    allow group grp-auditors to read buckets in tenancy
-    allow group grp-auditors to read nat-gateways in tenancy
-    allow group grp-auditors to read public-ips in tenancy
-    allow group grp-auditors to read file-family in tenancy
-    allow group grp-auditors to read instance-configurations in tenancy
-    allow group grp-auditors to read network-security-groups in tenancy
-    allow group grp-auditors to read resource-availability in tenancy
-    allow group grp-auditors to read audit-events in tenancy
-    allow group grp-auditors to read users in tenancy
-    allow group grp-auditors to read vss-family in tenancy
-    allow group grp-auditors to read dns in tenancy
-    allow group grp-auditors to use cloud-shell in tenancy
-    ```
-  - Assign a user to the `grp-auditors` group
-  - Log out of the OCI Console
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy    ```
+  - Assign a user to the `grp-auditors` group.
+  - Log out of the OCI Console.
+
+## Run the OCI Security Health Check in OCI Cloud Shell
+
+For a detailed description go to [Run the OCI Security Health Check in OCI Cloud Shell](https://github.com/oracle-devrel/technology-engineering/blob/main/security/security-design/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md#run-the-oci-security-health-check-in-cloud-shell)
+
+## Sample Output
+
+After a completed run you will find a directory with a name starting with your tenancy name followed by a timestamp in your working directory (like `tenancy_name_YYYYMMDDHHmmss_standard`). A zip archive for easier download using the same name will be created, too. Both hold data files for your review.
+
+To start with reviewing the results, open the file named [cis_html_summary_report.html](files/resources/cis_html_summary_report.html)(sample report).
 
 # Credits
 

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md

@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 230922
+Version: 240130
 
 ## When to use this asset?
 
@@ -14,25 +14,25 @@ The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for CIS
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-230922.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-230922/oci-security-health-check-standard-230922.zip).
-  - Download the respective checksum file [oci-security-health-check-standard-230922.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-230922/oci-security-health-check-standard-230922.sha512256).
+  - Download the latest distribution [oci-security-health-check-standard-240130.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.zip).
+  - Download the respective checksum file [oci-security-health-check-standard-240130.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     $ cd <your_downloads_directory>
-    $ shasum -a 512256 -c oci-security-health-check-standard-230922.sha512256
-    oci-security-health-check-standard-230922.zip: OK
+    $ shasum -a 512256 -c oci-security-health-check-standard-240130.sha512256
+    oci-security-health-check-standard-240130.zip: OK
     ```
 
     On Linux (including Cloud Shell):
     ```
     $ cd <your_downloads_directory>
-    $ sha512sum -c oci-security-health-check-standard-230922.sha512
-    oci-security-health-check-standard-230922.zip: OK
+    $ sha512sum -c oci-security-health-check-standard-240130.sha512
+    oci-security-health-check-standard-240130.zip: OK
     ```
 
-**Reject the downloaded file if the check fails!**
+**Reject the downloaded file when the check fails!**
 
 ### Prepare the OCI Tenancy
 
@@ -51,26 +51,48 @@ steps for setting this up are described in the next chapter.
 Using an auditor group is the recommended way to run the assessment script.
 To create a group for auditing do the following steps:
 
-  - Log into OCI Console as OCI administrator
+  - Check whether your tenancy is still not migrated to Identity Domains:
+    - Login to OCI Console as OCI administrator
+    - Select "Identity & Security"
+    - If "Domains" are listed you are migrated to Identity Domains
   - Create a group `grp-auditors`
   - Create a policy `pcy-auditing` with these statements:
-    ```
-    allow group grp-auditors to inspect all-resources in tenancy
-    allow group grp-auditors to read instances in tenancy
-    allow group grp-auditors to read load-balancers in tenancy
-    allow group grp-auditors to read buckets in tenancy
-    allow group grp-auditors to read nat-gateways in tenancy
-    allow group grp-auditors to read public-ips in tenancy
-    allow group grp-auditors to read file-family in tenancy
-    allow group grp-auditors to read instance-configurations in tenancy
-    allow group grp-auditors to read network-security-groups in tenancy
-    allow group grp-auditors to read resource-availability in tenancy
-    allow group grp-auditors to read audit-events in tenancy
-    allow group grp-auditors to read users in tenancy
-    allow group grp-auditors to read vss-family in tenancy
-    allow group grp-auditors to read dns in tenancy
-    allow group grp-auditors to use cloud-shell in tenancy
-    ```
+    - For tenancies **without** Identity Domains use
+      ```
+      allow group grp-auditors to inspect all-resources in tenancy
+      allow group grp-auditors to read instances in tenancy
+      allow group grp-auditors to read load-balancers in tenancy
+      allow group grp-auditors to read buckets in tenancy
+      allow group grp-auditors to read nat-gateways in tenancy
+      allow group grp-auditors to read public-ips in tenancy
+      allow group grp-auditors to read file-family in tenancy
+      allow group grp-auditors to read instance-configurations in tenancy
+      allow group grp-auditors to read network-security-groups in tenancy
+      allow group grp-auditors to read resource-availability in tenancy
+      allow group grp-auditors to read audit-events in tenancy
+      allow group grp-auditors to read users in tenancy
+      allow group grp-auditors to read vss-family in tenancy
+      allow group grp-auditors to read dns in tenancy
+      allow group grp-auditors to use cloud-shell in tenancy
+      ```
+    - For tenancies **with** Identity Domains use
+      ```
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
+      ```
   - Assign a user to the `grp-auditors` group
   - Log out of the OCI Console
 
@@ -128,6 +150,12 @@ The report results are summarized in two files:
 - *cis_html_summary_report.html* &ndash; The report in HTML that displays the all recommendations and their compliance status, respectively.
 - *Consolidated_Report.xslx* &ndash; An XSLX workbook with a summary and sheets for the non-compliant recommendations.
 
+### Known Issues
+
+#### Wrong urllib3 version
+
+There is a known dependency between Python urllib3 version 2 and the OS installed version of OpenSSL. The script tries to handle this automatically using a working version of urllib3. If the handling does not work let us know.
+
 ## Credits
 
 The *OCI Security Health Check - Standard Edition* streamlines the usage of the bundled [Compliance Checking Script](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the [CIS OCI Landing Zone Quick Start Template](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
@@ -140,8 +168,8 @@ The Compliance Checking Script is certified by the [CIS Center of Internet Secur
 
 # License
 
-Copyright (c) 2022-2023 Oracle and/or its affiliates.
+Copyright (c) 2022-2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
-See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/folder-structure/LICENSE) for more details.
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt

@@ -2,7 +2,7 @@
 OCI Security Health Check - Standard Edition
 ============================================
 Owner: Olaf Heimburger
-Version: 230922
+Version: 240130
 
 When to use this asset?
 
@@ -23,12 +23,13 @@ Usage
   steps for setting this up are described in the next chapter.
 
 1.1 Setup an Auditor group and policy
-  Using an auditor group is the recommended way to run the assessment script.
-  To create a group for auditing do the following steps:
-
-  - Log into OCI Console as OCI administrator
+  - Check whether your tenancy is still not migrated to Identity Domains:
+  - Login to OCI Console as OCI Administrator
+    - Select "Identity & Security"
+    - If "Domains" are listed you are migrated to Identity Domains
   - Create a group grp-auditors
   - Create a policy pcy-auditing with these statements:
+- For tenancies without Identity Domains use
     allow group grp-auditors to inspect all-resources in tenancy
     allow group grp-auditors to read instances in tenancy
     allow group grp-auditors to read load-balancers in tenancy
@@ -44,6 +45,22 @@ Usage
     allow group grp-auditors to read vss-family in tenancy
     allow group grp-auditors to read dns in tenancy
     allow group grp-auditors to use cloud-shell in tenancy
+- For tenancies *with* Identity Domains use
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
   - Assign a user to the grp-auditors group
   - Log out of OCI Console
 
@@ -72,20 +89,25 @@ Usage
     compressed in a single ZIP file and the resulting ZIP file will be moved to
     the home directory of the account running the script.
 
+4 Known Issues
+
+4.1 Wrong urllib3 version
+
+There is a known dependency between Python urllib3 version 2 and the OS installed version of OpenSSL. The script tries to handle this automatically using a working version of urllib3. If the handling does not work let us know.
 
-4 Credits
+5 Credits
 
 The OCI Security Health Check - Standard Edition streamlines the usage of the bundled Compliance Checking Script (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the CIS OCI Landing Zone Quick Start Template (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
 
 The OCI Security Health Check - Standard Edition would not be possible without the great work of the CIS OCI Landing Zone Quick Start Template Team (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/graphs/contributors).
 
-5 Certification
+6 Certification
 
 The Compliance Checking Script is certified by the CIS Center of Internet Security for the OCI Oracle Cloud Foundation Benchmark v1.2.O, Level 1 and 2 (https://www.cisecurity.org/partner/oracle).
 
-6 License
+7 License
 
-Copyright (c) 2022-2023 Oracle and/or its affiliates.
+Copyright (c) 2022-2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 

security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/requirements.txt

@@ -1,5 +1,6 @@
+urllib3==1.26.17
 xlsxwriter>=3.0.3
 pandas>=1.5.2
 openpyxl>=3.0.10
 pyyaml>=6.0
-oci>=2.110
+oci>=2.119.0