oracle-devrel · oheimburger · Apr 1, 2025 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,35 +1,4 @@
-# General
-.DS_Store
-.AppleDouble
-.LSOverride
-.vscode
-.bak
-
-# Icon must end with two \r
-Icon
-
-
-# Thumbnails
-._*
-
-# Files that might appear in the root of a volume
-.DocumentRevisions-V100
-.fseventsd
-.Spotlight-V100
-.TemporaryItems
-.Trashes
-.VolumeIcon.icns
-.com.apple.timemachine.donotpresent
-
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
-
-# ignore common security keys
-.key
-.crt
-.csr
-.pem
+.gitignore
+shared-assets/bastion-py-script/.oci/
+shared-assets/bastion-py-script/temp/
+temp/
diff --git a/security/security-design/README.md b/security/security-design/README.md
@@ -45,6 +45,7 @@ Reviewed: 29.10.2024
 - [Importing your own key into OCI Vault](shared-assets/kms-import-keys/README.md)
 - [OCI IAM SDK Example](shared-assets/iam-py-sdk/README.md)
 - [Setting up IP-based TLS certificates on OCI Load Balancer](shared-assets/zerossl-lb-test-certificate-setup/README.md)
+- [Bastion Session Script, Python SDK version](shared-assets/bastion-py-script/README.md)      
 - [Bypassing MFA for Service Accounts for specific applications](shared-assets/iam-mfa-bypass-svc-accts/README.md)
 
 # Useful Links

diff --git a/security/security-design/shared-assets/bastion-py-script/LICENSE b/security/security-design/shared-assets/bastion-py-script/LICENSE
@@ -0,0 +1,35 @@
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/security/security-design/shared-assets/bastion-py-script/README.md b/security/security-design/shared-assets/bastion-py-script/README.md
@@ -0,0 +1,141 @@
+
+# Oracle Cloud Infrastructure (OCI) Bastion Service
+
+This reusable asset consist of a Python script that creates a bastion session with the Oracle OCI Bastion Service.  The main purposes of this asset are:  
+
+-	Demonstrate the usage of OCI Python SDK
+-	Create a simple OS independent command-line interface for creating bastion sessions
+-	Create a simple way to make reusable configuration
+-	Create a `ssh` command that works with Linux, Mac OS and Windows by providing the flexibility to configure either `ssh` command or `putty` commands.  
+
+The script creates bastion session over SSH, and creates an example command to set up the tunnel for the target application. Other protocols like RDP can then be tunneled over the SSH session through the OCI Bastion Service.  
+
+Some documentation for inspiraton:
+
+[https://www.ateam-oracle.com/post/openssh-proxyjump-with-oci-bastion-service](https://www.ateam-oracle.com/post/openssh-proxyjump-with-oci-bastion-service)  
+[https://fluffyclouds.blog/2022/06/02/create-oci-bastion-sessions-with-python-sdk/](https://fluffyclouds.blog/2022/06/02/create-oci-bastion-sessions-with-python-sdk/)
+
+## Why use the OCI Bastion Service
+
+Oracle Cloud Infrastructure (OCI) Bastion Service, is a fully managed service providing secure and ephemeral Secure Shell (ssh) access to the private resources in OCI. OCI Bastion Service, like the bastion fortress of medieval times, improves security posture by providing an additional layer of defense against external threats.    
+
+Accessing virtual services directly from the internet is a clear no-go. Best practices is to never expose compute resources directly, neither for SSH or RDP traffic. RDP is known to be one of the most common Initial Access Vectors for ransomware types of attacks.  
+
+Common practice is to place a compute node with a minimum OS in a DMZ as jump host, and always use this as the entrypoint.  
+The main weakness with this model is:
+-	A extra computer-node that needs to be managed, monitored and patched
+-	Extra set of required resources with risk of misconfiguration
+-	The jump server will require an additional layer of user governance.
+
+The OCI Bastion Service removes the public and private virtual cloud networking (VCN) hassle for access to a jump host. No public IP is needed, resulting in no surface attack area or zero-day vulnerabilities with a dedicated jump host. Customers also eliminate shared credentials, broad access limits, and other bad habits of using jump hosts. OCI Bastion Service integrates with OCI Identity and Access Management (IAM) and allows the organization to control who can access a bastion or a session and what they can do with those resources.
+
+The OCI Bastion Service exists in two flavors:
+-	Managed Session
+With managed sessions an agent is running on the compute node, and the bastion session connects to the agent and tunnels SSH through the agent. The managed session makes it possible to connect to a compute node from other networks without configure routing between the network where the compute node resides, and the network the bastion connection is initiated from.
+-	Port Forwarding
+In this mode the OCI Bastion Service does not tunnel though the agent, but the OCI Bastion Service must have access to the subnet where the compute node resides, and the subnet security list
+For additional description of the OCI Bastion Service please review:
+
+## Requirements  
+
+The following components needs to be installed in your environment:
+- Python 3.8 or above (latest patch version)  
+- Latest version of the OCI CLI 
+- Requirements, as defined in requirements.txt
+
+If you need to run older Python versions (below 3.8), note the changes for asyncio in the exec_command procedure.  
+
+[OCI CLI Install guide](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm)
+
+The file requirements.txt lists the Python modules required.
+Install the required modules with 
+
+```pip install -r requirements.txt```  
+
+
+## Script Usage  
+
+In addition, the script require a JSON configuration file. 
+
+The basic structure of the config file looks like:  
+```
+{ "sessions":[  
+                { <session one points to ociconfigurations>},  
+                { <session two points to ociconfigurations>}],  
+  "ociconfigurations": [  
+                { <ociconfiguration one>},  
+                { <ociconfiguration one>}]  
+}  
+```
+For example, review [config_example.json](files/config_example.json)  
+
+The following elements exists in the configuration file.  
+
+- "sessions":  JSON array with one JSON config entry pr. Session
+- "ociconfigurations": JSON Array with one JSON element pr. OCI SDK configuration profile.
+
+Each “session” element has the following elements:
+- "sessionType":"PORT_FORWARDING" or MANAGED
+- "OCIConfig"-: name of profile, it looked up in the ociconfigurations array 
+- "bastionOCID": OCID to the configured OCI Bastion service 
+- "bastionPublicKeyFile":file with public key to the Bastion SSH session
+- "bastionPrivateKeyFile":Private key of bastion session key pair,
+- "targetPrivateKeyFile":Used for reference in the target `ssh` command,
+- "targetPort": Portnumber for the target SSH tunnel though the bastions Service. Use standard port for RDP if target is RDP,
+- "localPort":"2222",
+- "sessionDisplayName": Display name of the session in the OCI Console
+- "sshCommand":  For linux, normally, for windows, normally putty teh command that will be generated into the tunnel command
+- "sshCommandOptions": applied to the tunnel comamndline, like ssh timeout options
+- "targetOCIDID":OCID of the target service,
+- "targetPrivateIP":IP Address of the target
+- "osUserName": Used for the generated `ssh` command ,
+- "ociRegion": Region where the target resource runs,
+- "timetolive":Time the Bastion tunnel lives. Maximum value is 3600 sec.,
+- "maxWaitCount":If the script creates the tunnel after creation of the session, maximum number of retries
+- "waitRefresh": time in sec, between each retry to establish the tunnel
+- "ociconfigurations": Array of OCI configurations  
+
+Each array entry got the following JSON elements
+- "configName": Name of entry. Referenced from a session element above
+- "configFileName": Path to the OCI CLI configuration file
+- "profileName": Name of profile in the OCI CLI configuration file
+
+
+```Script commandline options.
+ --configfile  name of JSON configfile with named session and OCI CLI config info
+ --session     named session, section in config file
+ --exec        executes the `ssh` command and establishes the SSH connection
+ --loglevel    logging level, info or debug. default info
+ --log         logging output file or stdout, defaul stdout
+```
+Example command:  
+
+Example commandline:  
+```python bastionsession.py --session port-example --configfile config_examlpe.json --loglevel debug```  
+
+Sample output
+
+```
+Bastion session manager 1.0 26.02.25
+
+INFO:root:Open logfile
+Open logfile: stderr
+Successfully loaded session and OCI Config parameters
+Waiting for session state to be active. Current State ..CREATING
+Session has been created and is ACTIVE
+Bastion session created
+Port managed start cmd
+Port forwarding start cmd
+ssh -i <privateKey> -N -L <localPort>:10.10.1.229:22 -p 22 ocid1.bastionsession.oc1.eu-frankfurt-1.ama...ama@host.bastion.eu-frankfurt-1.oci.oraclecloud.com
+ssh tunnel command:
+putty -i c:\\usr\\ssh_keys\\mykey.ppk -N -ssh -L 2222:10.10.1.229:22  ocid1.bastionsession.oc1.eu-frankfurt-1.ama...ama@host.bastion.eu-frankfurt-1.oci.oraclecloud.com
+Client Connect:
+putty -i c:\\usr\\ssh_keys\\myprivatetkey.ppk -P 2222 ios@localhost
+Successfully completed bastion session(s)
+```
+
+# License
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.