Original post can be found on the A-Team Chronicles blog.
Oracle Cloud customers can now use Oracle Cloud Guard to monitor their Oracle Cloud Infrastructure (OCI) tenancy’s compliance with the Center for Internet Security (CIS) OCI Foundations Benchmark. The CIS OCI Foundations Benchmark is a set of step-by-step security configuration best practices for OCI tenancies. Cloud Guard now provides visibility into specific CIS security configuration practices that a tenancy is not in compliance with.
When Cloud Guard finds a setting or action that can impact an OCI tenancy’s security posture, it logs this as a Problem and labels whether it impacts compliance with the CIS OCI Foundations Benchmark. Problems are Cloud Guard security findings that are detected by Cloud Guard and provided to the customer for review and action. Additionally, Cloud Guard Problems provide the customer with information such as why it is a problem, which resource is affected and how to remediate it.
In the step-by-step example below, we will show you how to locate specific CIS OCI configuration issues using the Cloud Guard console.
1. Log in to the OCI Console and navigate to Cloud Guard

2. Click on Problems on the left side menu

3. In the Filter box select Labels

4. Then select =

5. Now enter one of the below as the filter for CIS OCI Foundations Benchmark v1.1 Problems:
- CIS_OCI_V1.1_IAM
- CIS_OCI_V1.1_MONITORING
- CIS_OCI_V1.1_NETWORK
- CIS_OCI_V1.1_OBJECTSTORAGE
6. Then press the Enter key to view Cloud Guard’s Problems related to the CIS OCI Foundations Benchmark

With the CIS_OCI_V1.1_IAM filter applied, you can see all the Cloud Guard Problems that are out of compliance with the Identity and Access Management (IAM) recommendations from the CIS OCI Foundations Benchmark v1.1.
| CIS Section | CIS Recommendation # | CIS Recommendation | Cloud Guard Problem | Cloud Guard Labels |
|---|---|---|---|---|
| 1 Identity and Access Management | | | | |
| 1 | 1.1 | Ensure service level admins are created to manage resources of particular service | | |
| 1 | 1.2 | Ensure permissions on all resources are given only to the tenancy administrator group | Policy gives too many privileges | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.3 | Ensure IAM administrators cannot update tenancy Administrators group | Tenancy admin privilege granted to group | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.4 | Ensure IAM password policy requires minimum length of 14 or greater | Password policy does not meet complexity requirements | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.5 | Ensure IAM password policy expires passwords within 365 days | Password is too old | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.6 | Ensure IAM password policy prevents password reuse | | |
| 1 | 1.7 | Ensure MFA is enabled for all users with a console password | User does not have MFA enabled | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.8 | Ensure user API keys rotate within 90 days or less | API key is too old | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.9 | Ensure user customer secret keys rotate within 90 days or less | | |
| 1 | 1.10 | Ensure user auth tokens rotate within 90 days or less | | |
| 1 | 1.11 | Ensure API keys are not created for tenancy administrator users | User has API keys | [‘CIS_OCI_V1.1_IAM’, |
| 1 | 1.12 | Ensure all OCI IAM user accounts have a valid and current email address | | |
| 2 Networking | | | | |
| 2 | 2.1 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 | VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) | |
| 2 | 2.2 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 | VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) | |
| 2 | 2.3 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | NSG egress rule contains disallowed IP/port | |
| 2 | 2.4 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | NSG egress rule contains disallowed IP/port | |
| 2 | 2.5 | Ensure the default security list of every VCN restricts all traffic except ICMP | VCN Security list allows traffic to restricted port | |
| 3 Logging and Monitoring | | | | |
| 3 | 3.1 | Ensure audit log retention period is set to 365 days | | |
| 3 | 3.2 | Ensure default tags are used on resources | Resource is not tagged appropriately | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.3 | Create at least one notification topic and subscription to receive monitoring alerts | | |
| 3 | 3.4 | Ensure a notification is configured for Identity Provider changes | | |
| 3 | 3.5 | Ensure a notification is configured for IdP group mapping changes | | |
| 3 | 3.6 | Ensure a notification is configured for IAM group changes | User added to group | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.7 | Ensure a notification is configured for IAM policy changes | Security policy modified | [‘CIS_OCI_V1.1_MONITORING’, ‘IAM’] |
| 3 | 3.8 | Ensure a notification is configured for user changes | User added to group | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.9 | Ensure a notification is configured for VCN changes | VCN created | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.10 | Ensure a notification is configured for changes to route tables | VCN Route Table changed | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.11 | Ensure a notification is configured for security list changes | VCN Security List created | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.12 | Ensure a notification is configured for network security group changes | VCN Network Security Group Deleted | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.13 | Ensure a notification is configured for changes to network gateways | VCN Internet Gateway created | [‘CIS_OCI_V1.0_MONITORING’, |
| 3 | 3.14 | Ensure VCN flow logging is enabled for all subnets | | |
| 3 | 3.15 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | | |
| 3 | 3.16 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | Key has not been rotated | [‘CIS_OCI_V1.1_MONITORING’, ‘KMS’] |
| 3 | 3.17 | Ensure write level Object Storage logging is enabled for all buckets | | |
| 4 Object Storage | | | | |
| 4 | 4.1 | Ensure no Object Storage buckets are publicly visible | Bucket is public | [‘CIS_OCI_V1.1_OBJECTSTORAGE’, |
| 4 | 4.2 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Object Storage bucket is encrypted with Oracle-managed key | [‘CIS_OCI_V1.1_OBJECTSTORAGE’, |
| 5 Asset Management | | | | |
| 5 | 5.1 | Create at least one compartment in your tenancy to store cloud resources | | |
| 5 | 5.2 | Ensure no resources are created in the root compartment | | |
When you want to know which CIS recommendation a Cloud Guard Problem is mapped to, use the table above, which maps Cloud Guard Problem names to CIS recommendations. Going back to our example, the Cloud Guard Problem “API key is too old” is mapped to CIS recommendation 1.8 “Ensure user API keys rotate within 90 days”. Note that the mapping is not one-to-one: a single Problem name can cover several recommendations (for example, the same security list Problem maps to both 2.1 and 2.2), and some recommendations have no Cloud Guard Problem at all, so an empty Problems list is not by itself evidence of compliance with those. Now that you have looked at the IAM issues, remove that filter and check whether you have any network related issues by filtering on CIS_OCI_V1.1_NETWORK.
For a complete list of current Cloud Guard detectors and other compliance mappings, such as CIS 1.0 and PCI-DSS 3.2.1, please refer to Cloud Guard detector and Compliance Control mappings.
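As an added example (not code from the original post or from Oracle), the following Python expands a set of Cloud Guard Problems into the CIS v1.1 recommendations they map to, using a subset of the table above, and reports which recommendations have open Problems, which have none, and which Cloud Guard has no Problem name for at all. The Problem records and the non-CIS label are constructed; in a real tenancy they would come from the Cloud Guard Problems list, filtered on the CIS_OCI_V1.1_* labels exactly as the console steps do.

```python
from collections import defaultdict

# Cloud Guard Problem name -> CIS v1.1 recommendations (subset of the post's table).
# The mapping is many-to-many: one Problem name can cover several recommendations.
PROBLEM_TO_CIS = {
    "API key is too old": ["1.8"],
    "VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0)": ["2.1", "2.2"],
    "Bucket is public": ["4.1"],
}

# CIS recommendations in scope for the report (subset of the post's table).
CIS_RECS = {
    "1.6": "Ensure IAM password policy prevents password reuse",
    "1.8": "Ensure user API keys rotate within 90 days or less",
    "2.1": "Ensure no security lists allow ingress from 0.0.0.0/0 to port 22",
    "2.2": "Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389",
    "4.1": "Ensure no Object Storage buckets are publicly visible",
}

# Recommendations that at least one Cloud Guard Problem name maps to.
COVERED = {rec for recs in PROBLEM_TO_CIS.values() for rec in recs}

def cis_report(problems, label_prefix="CIS_OCI_V1.1_"):
    """Return {rec: status}: 'NO_DETECTOR' (no Cloud Guard Problem maps to it),
    'NO_OPEN_PROBLEMS', or 'OPEN:<n>' with n the number of mapped Problems.
    Like the console filter, only Problems carrying a CIS v1.1 label count."""
    counts = defaultdict(int)
    for p in problems:
        if any(lbl.startswith(label_prefix) for lbl in p["labels"]):
            for rec in PROBLEM_TO_CIS.get(p["name"], []):
                counts[rec] += 1
    return {
        rec: "NO_DETECTOR" if rec not in COVERED
        else (f"OPEN:{counts[rec]}" if counts[rec] else "NO_OPEN_PROBLEMS")
        for rec in CIS_RECS
    }

# Constructed sample Problems (fields modelled on the post's table, not real API output).
SAMPLE_PROBLEMS = [
    {"name": "API key is too old", "labels": ["CIS_OCI_V1.1_IAM"]},
    {"name": "API key is too old", "labels": ["CIS_OCI_V1.1_IAM"]},
    {"name": "VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0)",
     "labels": ["CIS_OCI_V1.1_NETWORK"]},
    {"name": "Bucket is public", "labels": ["CONSTRUCTED_NON_CIS_LABEL"]},  # not counted
]

if __name__ == "__main__":
    for rec, status in cis_report(SAMPLE_PROBLEMS).items():
        print(f"{rec:4} {status:17} {CIS_RECS[rec]}")
```

The NO_DETECTOR rows are the ones you still have to check by other means, because filtering Problems on the CIS labels can never surface them.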
