diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/README.md b/security/security-design/shared-assets/oci-security-health-check-standard/README.md index 7a1a755c3..de7703cee 100644 --- a/security/security-design/shared-assets/oci-security-health-check-standard/README.md +++ b/security/security-design/shared-assets/oci-security-health-check-standard/README.md @@ -2,7 +2,7 @@ Owner: Olaf Heimburger -Version: 241011 +Version: 241206 Reviewed: 01.02.2024 @@ -19,6 +19,15 @@ The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for [CI This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*. +**This is not an official Oracle application and it is not supported by Oracle Support.** + +## Before you begin + +The main goals of this script are: + +- Make the run as easy and smooth as possible. +- Do not affect your desktop whenever possible. + ## Complete Runtime Example See the *OCI Security Health Check - Standard Edition* in action and watch the [OCI Health Checks - Self Service video](https://www.youtube.com/watch?v=EzjKLxfxaAM). 
@@ -29,22 +38,22 @@ See the *OCI Security Health Check - Standard Edition* in action and watch the [ Before running the *OCI Security Health Check - Standard Edition* you should download and verify it. - - Download the latest distribution [oci-security-health-check-standard-241011.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip). + - Download the latest distribution [oci-security-health-check-standard-241206.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip). - Download the respective checksum file: - - [oci-security-health-check-standard-241011.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512). - - [oci-security-health-check-standard-241011.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512256). + - [oci-security-health-check-standard-241206.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512). + - [oci-security-health-check-standard-241206.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512256). - Verify the integrity of the distribution. 
Both files must be in the same directory (for example, in your downloads directory). On MacOS: ``` cd - shasum -a 512256 -c oci-security-health-check-standard-241011.sha512256 + shasum -a 512256 -c oci-security-health-check-standard-241206.sha512256 ``` On Linux (including Cloud Shell): ``` cd - sha512sum -c oci-security-health-check-standard-241011.sha512 + sha512sum -c oci-security-health-check-standard-241206.sha512 ``` **Reject the downloaded file if the check fails!** @@ -57,10 +66,10 @@ In OCI Cloud Shell you can do a short cut without downloading the files mentione 2. Open Cloud Shell 3. Run these commands in your Cloud Shell: ``` - wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip - wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512 - sha512sum -c oci-security-health-check-standard-241011.sha512 - unzip -q oci-security-health-check-standard-241011.zip + wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip + wget -q https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512 + sha512sum -c oci-security-health-check-standard-241206.sha512 + unzip -q oci-security-health-check-standard-241206.zip ``` ## Prepare the OCI Tenancy 
@@ -76,7 +85,8 @@ quickest way. If you decide to use this option, please continue reading in ### Recurring usage -For recurring usage, setting up a group for auditing is recommended. For setting this up follow the steps documented next. +For recurring usage, setting up a group for auditing is recommended. For setting this up follow the steps documented in the next section. +This applies for scenarios using the OCI Cloud Shell with public Internet access. For additional usage scenarios see the detailed instructions [README](files/oci-security-health-check-standard/README.md). ### Setting up an *Auditor* group and policy 
@@ -88,20 +98,22 @@ To create a group for auditing do the following steps: - Create a policy `pcy-auditing` with these statements (if your tenancy does not have Domains, replace `'Default'/'grp-auditors'` with `grp-auditors`): ``` allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy - allow group 'Default'/'grp-auditors' to read instances in tenancy - allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read buckets in tenancy - allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy - allow group 'Default'/'grp-auditors' to read public-ips in tenancy + allow group 'Default'/'grp-auditors' to read dns in tenancy + allow group 'Default'/'grp-auditors' to read domains in tenancy allow group 'Default'/'grp-auditors' to read file-family in tenancy allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy + allow group 'Default'/'grp-auditors' to read instances in tenancy + allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy + allow group 'Default'/'grp-auditors' to read public-ips in tenancy allow group 'Default'/'grp-auditors' to read resource-availability in tenancy - allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read users in tenancy allow group 'Default'/'grp-auditors' to read vss-family in tenancy - allow group 'Default'/'grp-auditors' to read dns in tenancy allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy + allow group 'Default'/'grp-auditors' to use cloud-shell-public-network in tenancy ``` - Assign a user to the `grp-auditors` group. - Log out of the OCI Console. 
@@ -117,7 +129,7 @@ After a completed run you will find a directory with a name starting with your t To start with reviewing the results, open the file named `tenancy_name_YYYYMMDDHHmmss_standard_cis_html_summary_report.html`. It may look like this example: -![Flyer](./files/resources/Example_Output.png) +![Example](./files/resources/Example_Output.png) # Known Issues diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md index 76e73fb61..e963d5c36 100644 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md @@ -2,7 +2,7 @@ Owner: Olaf Heimburger -Version: 241011 (cis_report.py version 2.8.4+) +Version: 241206 (cis_report.py version 2.8.6) ## When to use this asset? @@ -12,8 +12,14 @@ The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for CIS This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*. -This is not an official Oracle application and it is not supported -by Oracle Support. +**This is not an official Oracle application and it is not supported by Oracle Support.** + +## Before you begin + +The main goals of this script are: + +- Make the run as easy and smooth as possible. +- Do not affect your desktop whenever possible. ## Usage 
@@ -21,22 +27,22 @@ by Oracle Support. Before running the *OCI Security Health Check - Standard Edition* you should download and verify it. - - Download the latest distribution [oci-security-health-check-standard-241011.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip). + - Download the latest distribution [oci-security-health-check-standard-241206.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip). - Download the respective checksum file: - - [oci-security-health-check-standard-241011.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512). - - [oci-security-health-check-standard-241011.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512256). + - [oci-security-health-check-standard-241206.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512). + - [oci-security-health-check-standard-241206.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512256). - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory). 
On MacOS: ``` cd - shasum -a 512256 -c oci-security-health-check-standard-241011.sha512256 + shasum -a 512256 -c oci-security-health-check-standard-241206.sha512256 ``` On Linux (including Cloud Shell): ``` cd - sha512sum -c oci-security-health-check-standard-241011.sha512 + sha512sum -c oci-security-health-check-standard-241206.sha512 ``` **Reject the downloaded file when the check fails!** 
@@ -67,45 +73,109 @@ To create a group for auditing do the following steps: - For tenancies **without** Identity Domains use ``` allow group grp-auditors to inspect all-resources in tenancy - allow group grp-auditors to read instances in tenancy - allow group grp-auditors to read load-balancers in tenancy + allow group grp-auditors to read audit-events in tenancy allow group grp-auditors to read buckets in tenancy - allow group grp-auditors to read nat-gateways in tenancy - allow group grp-auditors to read public-ips in tenancy + allow group grp-auditors to read dns in tenancy + allow group grp-auditors to read domains in tenancy allow group grp-auditors to read file-family in tenancy allow group grp-auditors to read instance-configurations in tenancy + allow group grp-auditors to read instances in tenancy + allow group grp-auditors to read load-balancers in tenancy + allow group grp-auditors to read nat-gateways in tenancy allow group grp-auditors to read network-security-groups in tenancy + allow group grp-auditors to read public-ips in tenancy allow group grp-auditors to read resource-availability in tenancy - allow group grp-auditors to read audit-events in tenancy allow group grp-auditors to read users in tenancy allow group grp-auditors to read vss-family in tenancy - allow group grp-auditors to read dns in tenancy allow group grp-auditors to use cloud-shell in tenancy + allow group grp-auditors to use cloud-shell-public-network in tenancy ``` - For tenancies **with** Identity Domains use ``` allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy - allow group 'Default'/'grp-auditors' to read instances in tenancy - allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read buckets in tenancy - allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy - allow group 'Default'/'grp-auditors' to read 
public-ips in tenancy + allow group 'Default'/'grp-auditors' to read dns in tenancy + allow group 'Default'/'grp-auditors' to read domains in tenancy allow group 'Default'/'grp-auditors' to read file-family in tenancy allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy + allow group 'Default'/'grp-auditors' to read instances in tenancy + allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy + allow group 'Default'/'grp-auditors' to read public-ips in tenancy allow group 'Default'/'grp-auditors' to read resource-availability in tenancy - allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read users in tenancy allow group 'Default'/'grp-auditors' to read vss-family in tenancy - allow group 'Default'/'grp-auditors' to read dns in tenancy allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy + allow group 'Default'/'grp-auditors' to use cloud-shell-public-network in tenancy ``` - Assign a user to the `grp-auditors` group - Log out of the OCI Console ### Run the OCI Security Health Check in OCI Cloud Shell -The recommended way is to run the *OCI Security Health Check - Standard* in the OCI Cloud Shell. It does not require any additional configuration on a local desktop machine. +The recommended way is to run the *OCI Security Health Check - Standard* in the [OCI Cloud Shell](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellintro.htm). It does not require any additional configuration on a local desktop machine. 
+ +#### Required IAM Policy statements + +The following policy statement is part of the recommended policy statements for the `grp-auditors` group: +``` +allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy +``` + +#### Networking Options for OCI Cloud Shell + +OCI Cloud Shell sessions do not allow for any incoming connections, and there is no public IP address available. + +So far, the *OCI Security Health Check - Standard Edition* in OCI Cloud Shell has been tested with Public Network Access only. + +For details on OCI Cloud Shell Networking refer to [OCI Cloud Shell Networking](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellintro_topic-Cloud_Shell_Networking.htm#cloudshellintro_topic-Cloud_Shell_Networking) documentation. + + + #### Upload the release file @@ -117,10 +187,10 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the - Upload the distribution file. - Extract it ``` - unzip -q oci-security-health-check-standard-241011.zip + unzip -q oci-security-health-check-standard-241206.zip ``` -### Run the script +#### Run the script - Change directory into `oci-security-health-check-standard`: ``` $ cd oci-security-health-check-standard @@ -142,6 +212,7 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the ``` ./standard.sh -h ``` + ### Using an OCI Compute VM (Oracle Linux) - Create a Dynamic Group 
@@ -190,11 +261,11 @@ The recommended way is to run the *OCI Security Health Check - Standard* in the Follow the instructions to select /usr/bin/python3.9 - Log out - - From your desktop, upload the `oci-security-health-check-standard-241011.zip` file to the Compute VM using any SFTP client. + - From your desktop, upload the `oci-security-health-check-standard-241206.zip` file to the Compute VM using any SFTP client. - Log into the Compute VM - Extract the distribution ``` - unzip -q oci-security-health-check-standard-241011.zip + unzip -q oci-security-health-check-standard-241206.zip ``` - Change directory into `oci-security-health-check-standard`: ``` diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt index 256dd75fa..528308620 100644 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt @@ -2,7 +2,7 @@ OCI Security Health Check - Standard Edition ============================================ Owner: Olaf Heimburger -Version: 241011 (cis_report.py version 2.8.4) +Version: 241206 (cis_report.py version 2.8.6) When to use this asset? 
@@ -42,36 +42,40 @@ Usage - Create a policy pcy-auditing with these statements: - For tenancies without Identity Domains use allow group grp-auditors to inspect all-resources in tenancy - allow group grp-auditors to read instances in tenancy - allow group grp-auditors to read load-balancers in tenancy + allow group grp-auditors to read audit-events in tenancy allow group grp-auditors to read buckets in tenancy - allow group grp-auditors to read nat-gateways in tenancy - allow group grp-auditors to read public-ips in tenancy + allow group grp-auditors to read dns in tenancy + allow group grp-auditors to read domains in tenancy allow group grp-auditors to read file-family in tenancy allow group grp-auditors to read instance-configurations in tenancy + allow group grp-auditors to read instances in tenancy + allow group grp-auditors to read load-balancers in tenancy + allow group grp-auditors to read nat-gateways in tenancy allow group grp-auditors to read network-security-groups in tenancy + allow group grp-auditors to read public-ips in tenancy allow group grp-auditors to read resource-availability in tenancy - allow group grp-auditors to read audit-events in tenancy allow group grp-auditors to read users in tenancy allow group grp-auditors to read vss-family in tenancy - allow group grp-auditors to read dns in tenancy allow group grp-auditors to use cloud-shell in tenancy + allow group grp-auditors to use cloud-shell-public-network in tenancy - For tenancies *with* Identity Domains use allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy - allow group 'Default'/'grp-auditors' to read instances in tenancy - allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read buckets in tenancy - allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy - allow group 'Default'/'grp-auditors' to read public-ips in tenancy 
+ allow group 'Default'/'grp-auditors' to read dns in tenancy + allow group 'Default'/'grp-auditors' to read domains in tenancy allow group 'Default'/'grp-auditors' to read file-family in tenancy allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy + allow group 'Default'/'grp-auditors' to read instances in tenancy + allow group 'Default'/'grp-auditors' to read load-balancers in tenancy + allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy + allow group 'Default'/'grp-auditors' to read public-ips in tenancy allow group 'Default'/'grp-auditors' to read resource-availability in tenancy - allow group 'Default'/'grp-auditors' to read audit-events in tenancy allow group 'Default'/'grp-auditors' to read users in tenancy allow group 'Default'/'grp-auditors' to read vss-family in tenancy - allow group 'Default'/'grp-auditors' to read dns in tenancy allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy + allow group 'Default'/'grp-auditors' to use cloud-shell-public-network in tenancy - Assign a user to the grp-auditors group - Log out of OCI Console @@ -81,7 +85,7 @@ Usage - From the menu select the Cloud Shell item. - When running it the first time: - Upload the provided ZIP file. - - Extract it with unzip -q oci-security-health-check-standard-241011.zip + - Extract it with unzip -q oci-security-health-check-standard-241206.zip - Change directory into oci-security-health-check-standard $ cd oci-security-health-check-standard $ screen 
@@ -138,11 +142,11 @@ Usage - Log out - From your desktop, upload the - "oci-security-health-check-standard-241011.zip" file to the Compute VM + "oci-security-health-check-standard-241206.zip" file to the Compute VM using any SFTP client. - Log into the Compute VM - Extract the distribution - unzip -q oci-security-health-check-standard-241011.zip + unzip -q oci-security-health-check-standard-241206.zip - Change directory into "oci-security-health-check-standard": cd oci-security-health-check-standard diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py index c9d0822ad..5a49f7398 100644 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/scripts/cis_reports/cis_reports.py @@ -42,9 +42,9 @@ except Exception: OUTPUT_DIAGRAMS = False -RELEASE_VERSION = "2.8.4" -PYTHON_SDK_VERSION = "2.129.4" -UPDATED_DATE = "July 26, 2024" +RELEASE_VERSION = "2.8.6" +PYTHON_SDK_VERSION = "2.139.0" +UPDATED_DATE = "November 20, 2024" ########################################################################## 
@@ -1730,7 +1730,8 @@ def __identity_read_tenancy_policies(self): policies_data = oci.pagination.list_call_get_all_results( self.__regions[self.__home_region]['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Policy resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Policy resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data for policy in policies_data: @@ -1826,7 +1827,9 @@ def __os_read_buckets(self): buckets_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Bucket resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Bucket resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id + ).data # Getting Bucket Info for bucket in buckets_data: @@ -1890,7 +1893,9 @@ def __block_volume_read_block_volumes(self): volumes_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Volume resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Volume resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id + ).data # Getting Block Volume inf 
@@ -1961,7 +1966,8 @@ def __boot_volume_read_boot_volumes(self): boot_volumes_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query BootVolume resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query BootVolume resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data for boot_volume in boot_volumes_data: @@ -2031,7 +2037,8 @@ def __fss_read_fsss(self): fss_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query FileSystem resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query FileSystem resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data for fss in fss_data: @@ -2093,7 +2100,8 @@ def __network_read_network_security_groups_rules(self): nsgs_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query NetworkSecurityGroup resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query NetworkSecurityGroup resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data # Looping through NSGs to to get 
@@ -2157,7 +2165,8 @@ def __network_read_network_security_lists(self): security_lists_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query SecurityList resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query SecurityList resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data # Looping through Security Lists to to get @@ -2224,7 +2233,8 @@ def __network_read_network_subnets(self): subnets_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Subnet resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Subnet resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data try: @@ -2303,7 +2313,8 @@ def __network_read_drg_attachments(self): drg_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query DrgAttachment resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query DrgAttachment resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() 
@@ -2388,7 +2399,8 @@ def __network_read_drgs(self): drg_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Drg resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Drg resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() @@ -2472,7 +2484,8 @@ def __network_read_fastonnects(self): fastconnects = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query VirtualCircuit resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query VirtualCircuit resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() @@ -2586,7 +2599,8 @@ def __network_read_ip_sec_connections(self): ip_sec_connections_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query IPSecConnection resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query IPSecConnection resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data for ip_sec in ip_sec_connections_data: 
@@ -2728,7 +2742,8 @@ def __adb_read_adbs(self): adb_query_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query AutonomousDatabase resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query AutonomousDatabase resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() @@ -2777,7 +2792,8 @@ def __oic_read_oics(self): oic_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query IntegrationInstance resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query IntegrationInstance resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() @@ -2854,7 +2870,8 @@ def __oac_read_oacs(self): oac_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query AnalyticsInstance resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query AnalyticsInstance resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data compartments = set() 
@@ -2924,7 +2941,8 @@ def __events_read_event_rules(self): events_rules_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query EventRule resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query EventRule resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data for event_rule in events_rules_data: @@ -2959,7 +2977,8 @@ def __logging_read_log_groups_and_logs(self): log_groups = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query LogGroup resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query LogGroup resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data # Looping through log groups to get logs @@ -3063,7 +3082,8 @@ def __kms_read_keys(self): keys_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query Key resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query Key resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data vaults_set = set() 
@@ -3308,7 +3328,8 @@ def __ons_read_subscriptions(self): subs_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query OnsSubscription resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query OnsSubscription resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data debug("\t__ons_read_subscriptions: Recieved " + str(len(subs_data)) + " subscriptions in region " + str(region_key)) for sub in subs_data: @@ -3380,7 +3401,8 @@ def __sch_read_service_connectors(self): service_connectors_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query ServiceConnector resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'") + query="query ServiceConnector resources return allAdditionalFields where compartmentId != '" + self.__managed_paas_compartment_id + "'"), + tenant_id=self.__tenancy.id ).data # Getting Bucket Info @@ -3457,7 +3479,8 @@ def __search_resources_in_root_compartment(self): structured_search_query = oci.resource_search.models.StructuredSearchDetails(query=query_non_compliant) search_results = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, - search_details=structured_search_query + search_details=structured_search_query, + tenant_id=self.__tenancy.id ).data for item in search_results: 
@@ -3472,7 +3495,8 @@ def __search_resources_in_root_compartment(self): structured_search_all_query = oci.resource_search.models.StructuredSearchDetails(query=query_all_resources) structured_search_all_resources = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, - search_details=structured_search_all_query + search_details=structured_search_all_query, + tenant_id=self.__tenancy.id ).data for item in structured_search_all_resources: @@ -3506,7 +3530,8 @@ def __search_query_resource_type(self, resource_type, search_client): results = oci.pagination.list_call_get_all_results( search_client.search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query=query) + query=query), + tenant_id=self.__tenancy.id ).data return oci.util.to_dict(results) @@ -3598,7 +3623,8 @@ def __certificates_read_certificates(self): certificates_data = oci.pagination.list_call_get_all_results( region_values['search_client'].search_resources, search_details=oci.resource_search.models.StructuredSearchDetails( - query="query certificate resources return allAdditionalFields") + query="query certificate resources return allAdditionalFields"), + tenant_id=self.__tenancy.id ).data cert_compartments = {} debug("\t__certificates_read_certificates: Got Ceritificates from ") 
@@ -4608,13 +4634,16 @@ def __obp_analyze_tenancy_data(self): elif attachment['network_type'].upper() == 'VIRTUAL_CIRCUIT': # Checking for Provision and BGP enabled Virtual Circuits and that it is associated - for virtual_circuit in self.__network_fastconnects[attachment['drg_id']]: - if attachment['network_id'] == virtual_circuit['id']: - if virtual_circuit['lifecycle_state'].upper() == 'PROVISIONED' and virtual_circuit['bgp_session_state'].upper() == "UP": - # Good VC to increment number of VCs and append the provider name - fast_connect_providers.add(virtual_circuit['provider_name']) - number_of_valid_fast_connect_circuits += 1 - + try: + for virtual_circuit in self.__network_fastconnects[attachment['drg_id']]: + if attachment['network_id'] == virtual_circuit['id']: + if virtual_circuit['lifecycle_state'].upper() == 'PROVISIONED' and virtual_circuit['bgp_session_state'].upper() == "UP": + # Good VC to increment number of VCs and append the provider name + fast_connect_providers.add(virtual_circuit['provider_name']) + number_of_valid_fast_connect_circuits += 1 + except Exception: + debug("__obp_analyze_tenancy_data: Fast Connect Connections check: DRG ID not found " + str(drg_id)) + self.__errors.append({"id" : str(drg_id), "error" : str("__obp_analyze_tenancy_data: Fast Connect Connections check: DRG ID not found")}) try: record = { "drg_id": drg_id, diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/standard.sh b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/standard.sh index 44996f5e0..2a235bfd5 100755 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/standard.sh +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/oci-security-health-check-standard/standard.sh 
@@ -7,7 +7,7 @@ # # Author: Olaf Heimburger # -VERSION=241011 +VERSION=241206 OS_TYPE=$(uname) ASSESS_DIR=$(dirname $0) @@ -175,12 +175,13 @@ done if [ $IS_ADVANCED -ne 1 ]; then RUN_SHOWOCI=0 RUN_CIS=1 + CIS_DATA_OPT="" else if [ -z "$CIS_DATA_OPT" ]; then CIS_DATA_OPT="--obp --all-resources" fi if [ -z "$SHOWOCI_DATA_OPT" ]; then - SHOWOCI_DATA_OPT="-nsum -a -dsa" + SHOWOCI_DATA_OPT="-ns -a -dsa" fi fi @@ -214,12 +215,14 @@ if [ ! -d ${PYTHON_ENV} ]; then ${PYTHON_CMD} -m venv ${PYTHON_ENV} fi -PIP_OPTS="-q --user --no-warn-script-location" +PIP_OPTS="-q --no-warn-script-location" if [ -d ${PYTHON_ENV} ]; then source ${PYTHON_ENV}/bin/activate - if [ -z "${CLOUD_SHELL_TOOL_SET}" ]; then - ${PYTHON_CMD} -m pip install pip --upgrade ${PIP_OPTS} - fi + PYTHON_CMD=$(which python3) + # if [ -z "${CLOUD_SHELL_TOOL_SET}" ]; then + # ${PYTHON_CMD} -m pip install pip --upgrade ${PIP_OPTS} + # fi + ${PYTHON_CMD} -m pip install pip --upgrade ${PIP_OPTS} fi printf "INFO: Checking for required libraries...\n" 
@@ -268,37 +271,39 @@ else fi printf "INFO: %s\n" "${INFO_STR}" -CIS_OPTS="-t ${TENANCY} ${CIS_REGION_OPT} ${CIS_DATA_OPT} ${AUTH_OPT}" +CIS_OPTS="-t ${TENANCY} ${CIS_REGION_OPT} ${CIS_DATA_OPT} ${AUTH_OPT} --report-summary-json --report-prefix ${OUTPUT_DIR_NAME}" SHOWOCI_OPTS="-t ${TENANCY} ${SHOWOCI_REGION_OPT} ${AUTH_OPT} ${SHOWOCI_DATA_OPT}" trap "cleanup; echo The script has been canceled; exiting" 1 2 3 6 _W_=$(which script | wc -c) if [ $RUN_CIS -eq 1 ]; then out=$(echo -n ${OUTPUT_DIR} | sed -e 's;\./;;g') + CIS_OPTS="${CIS_OPTS} --report-directory ${out}" if [ ${_W_} -gt 0 ]; then if [ "${OS_TYPE}" == 'Darwin' ]; then - ${SCRIPT_CMD} -q ${out}/assess_cis_report.txt ${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS} --report-summary-json --report-directory ${out} --report-prefix ${OUTPUT_DIR_NAME} + ${SCRIPT_CMD} -q ${out}/assess_cis_report.txt ${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS} else - ${SCRIPT_CMD} -c "${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS} --report-directory ${out} --report-prefix ${OUTPUT_DIR_NAME}" ${out}/assess_cis_report.txt + ${SCRIPT_CMD} -c "${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS}" ${out}/assess_cis_report.txt fi else - ${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS} --report-directory ${out} + ${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS} fi fi if [ $RUN_SHOWOCI -eq 1 ]; then if [ -z "${BUFFERED}" ]; then export PYTHONUNBUFFERED=TRUE fi + # SHOWOCI_CSV="-csv_nodate -csv ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}" + SHOWOCI_XLSX="-xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}" + SHOWOCI_JSON="-jf ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json" if [ ${_W_} -gt 0 ]; then if [ "${OS_TYPE}" == 'Darwin' ]; then - echo "${SCRIPT_CMD} -q ${OUTPUT_DIR}/assess_showoci.txt ${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} -jf ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json -xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}" - ${SCRIPT_CMD} -q ${OUTPUT_DIR}/assess_showoci.txt ${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} -jf 
${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json -xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME} + ${SCRIPT_CMD} -q ${OUTPUT_DIR}/assess_showoci.txt ${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} ${SHOWOCI_JSON} ${SHOWOCI_XLSX} ${SHOWOCI_CSV} else - echo "${SCRIPT_CMD} -c "${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} -jf ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json -xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}" ${OUTPUT_DIR}/assess_showoci.txt" - ${SCRIPT_CMD} -c "${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} -jf ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json -xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}" ${OUTPUT_DIR}/assess_showoci.txt + ${SCRIPT_CMD} -c "${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} ${SHOWOCI_JSON} ${SHOWOCI_XLSX} ${SHOWOCI_CSV}" ${OUTPUT_DIR}/assess_showoci.txt fi else - ${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} -jf ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME}.json -xlsx_nodate -xlsx ${OUTPUT_DIR}/showoci_${OUTPUT_DIR_NAME} + ${PYTHON_CMD} ${SHOWOCI_SCRIPT} ${SHOWOCI_OPTS} ${SHOWOCI_JSON} ${SHOWOCI_XLSX} ${SHOWOCI_CSV} fi fi DIR_PARENT_OUTPUT="$(dirname ${OUTPUT_DIR})" diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512 b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512 deleted file mode 100644 index 3bf3349cd..000000000 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512 +++ /dev/null @@ -1 +0,0 @@ -b73309d7fae146aa3464ade684f9728c1d7d258bf5d6325f81914417a74c9678111f7bdbdbfcd046d9a30826fcc66af12dd622dc68f8099a5c1ce1ed5fd76a1c oci-security-health-check-standard-241011.zip 
diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512256 b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512256 deleted file mode 100644 index c742319b3..000000000 --- a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.sha512256 +++ /dev/null @@ -1 +0,0 @@ -df870a5770f37e353d84bbb6e56185e092729636b5fe2525b6659b55300b2353 oci-security-health-check-standard-241011.zip diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip deleted file mode 100644 index df38da373..000000000 Binary files a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241011.zip and /dev/null differ diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512 b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512 new file mode 100644 index 000000000..2d0ca88d9 --- /dev/null +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512 @@ -0,0 +1 @@ +20869ea4d8dc39230092329356e408bccf1bef64c794e27758e5be6b78b91101c4d3779376076dd0c94528eaae3ecaa5ba0c9ed332a9404c1aa9b5f4d4bbfcc9 oci-security-health-check-standard-241206.zip 
diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512256 b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512256 new file mode 100644 index 000000000..efbd3830b --- /dev/null +++ b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.sha512256 @@ -0,0 +1 @@ +79f33b82702de4f482850e34a91a1c69c435b8e33e6e247387dabc567d295b5f oci-security-health-check-standard-241206.zip diff --git a/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip new file mode 100644 index 000000000..27f2860d5 Binary files /dev/null and b/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-241206.zip differ
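Review bot: The `tenant_id=self.__tenancy.id` argument is hand-added to fourteen near-identical `list_call_get_all_results(region_values['search_client'].search_resources, ...)` calls, from `__network_read_drgs` through `__certificates_read_certificates`, while the patch also touches `__search_query_resource_type(self, resource_type, search_client)`, which already wraps exactly this call and now carries the same `tenant_id`. Route the per-service readers through that helper (or a thin variant that accepts the full query string) so the cross-tenancy parameter, the `allAdditionalFields` clause and the `compartmentId != managed_paas_compartment_id` exclusion live in one place; the next change to the search call will otherwise need another fourteen-site sweep. Note also that the `__certificates_read_certificates` query (`query certificate resources return allAdditionalFields`) is the only one without the managed PaaS compartment exclusion, so certificates in that compartment are reported while every other resource type skips it; if that is deliberate, a comment on that line would stop the next reader from "fixing" it.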
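Review bot: The `except Exception:` added in `__obp_analyze_tenancy_data` around the virtual-circuit loop catches far more than the missing DRG key it is labelled for, and then reports every failure as "DRG ID not found". Inside the guarded block, `virtual_circuit['lifecycle_state'].upper()`, `virtual_circuit['bgp_session_state'].upper()` and `virtual_circuit['provider_name']` will raise `AttributeError` on a `None` value or `KeyError` on a missing field, and each of those now lands in `self.__errors` under the wrong description, which makes the FastConnect count silently low in the report. Replace the broad handler with a lookup that cannot raise, e.g. `for virtual_circuit in self.__network_fastconnects.get(attachment['drg_id'], []):`, and keep a narrow `except KeyError` only if the missing-DRG case really needs an entry in `__errors`; at minimum bind the exception (`except Exception as e:`) and include `str(e)` in both the `debug(...)` line and the appended error record so the real cause is visible.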
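Review bot: In the `IS_ADVANCED -ne 1` branch of standard.sh, the new `CIS_DATA_OPT=""` unconditionally discards whatever value `CIS_DATA_OPT` already holds, whereas the `else` branch only fills in a default when it is empty (`if [ -z "$CIS_DATA_OPT" ]`); a caller who supplied data options without the advanced mode gets them dropped with no message. Either print a `WARN:` line when a non-empty value is being cleared, or reject the combination up front. The same hunk changes the default showoci option set from `-nsum -a -dsa` to `-ns -a -dsa` with no comment in the patch explaining the behavioural difference; a one-line comment above the assignment (or a changelog entry) would record why the summary option was removed.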
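Review bot: In the venv hunk of standard.sh, the Cloud Shell guard (`if [ -z "${CLOUD_SHELL_TOOL_SET}" ]`) is left in as commented-out code while the `pip install pip --upgrade` it used to protect now runs unconditionally; delete the dead block rather than commenting it out, and state in the commit why the Cloud Shell exception is no longer needed, since the upgrade is an unpinned network install on every run and the previous guard presumably existed for a reason. Dropping `--user` from `PIP_OPTS` is correct, as pip refuses `--user` installs inside an activated venv. For `PYTHON_CMD=$(which python3)`, prefer the interpreter the script itself created, `PYTHON_CMD="${PYTHON_ENV}/bin/python3"`, which does not depend on `which` being installed or on `PATH` ordering after `source ${PYTHON_ENV}/bin/activate`; if you keep the lookup, `command -v python3` is the POSIX form.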
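Review bot: In the report-invocation hunk of standard.sh, `SHOWOCI_CSV` is expanded in all three showoci command lines but its only assignment is commented out (`# SHOWOCI_CSV="-csv_nodate -csv ..."`), so the script now passes through whatever `SHOWOCI_CSV` happens to be set to in the caller's environment. Either assign `SHOWOCI_CSV=""` explicitly next to `SHOWOCI_XLSX` and `SHOWOCI_JSON`, or remove the three `${SHOWOCI_CSV}` references until the CSV output is actually enabled. Two smaller points: moving `--report-summary-json --report-prefix ${OUTPUT_DIR_NAME}` into `CIS_OPTS` means the fallback branch without `script` (`${PYTHON_CMD} ${CIS_SCRIPT} ${CIS_OPTS}`) now receives those flags where it previously received only `--report-directory`, which looks like the intended fix but should be called out in the commit message; and `${CIS_OPTS}` / `${SHOWOCI_OPTS}` remain unquoted on purpose for word splitting, so `OUTPUT_DIR_NAME` and `out` must never contain whitespace, which is worth a comment where `out` is derived with `sed`.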
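Review bot: The resource hunks delete the 241011 archive together with its `.sha512` and `.sha512256` files and add the 241206 archive with its checksums in the same directory, so the digests are published from the same tree and by the same commit as the artifact they describe. That lets a user detect a corrupted or truncated download, but not a substituted one: anyone able to change the zip in this path can regenerate both checksum files in the same push. If the "download and verify" step is meant to give assurance of origin, add a detached signature (for example a GPG `.asc` over the archive, or at least over the checksum files) from a key published elsewhere, or mirror the digests somewhere outside this repository. Deleting the previous archive and its checksum files also removes the only in-repo means of verifying a 241011 copy that someone already has; keeping prior checksum files (even without the zip) is cheap and preserves that.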