Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

Owner: Olaf Heimburger

Version: 251104 (cis_report.py version 3.1.0) for CIS OCI Foundation Benchmark 3.0.0
Version: 251128 (cis_report.py version 3.1.0) for CIS OCI Foundation Benchmark 3.0.0

## When to use this asset?

Expand Down Expand Up @@ -47,22 +47,22 @@ Tested on **OCI Cloud Shell** with **Public network**, **Oracle Linux**, **MacOS

Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.

- Download the latest distribution [oci-security-health-check-standard-251104.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251104.zip).
- Download the latest distribution [oci-security-health-check-standard-251128.zip](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251128.zip).
- Download the respective checksum file:
- [oci-security-health-check-standard-251104.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251104.sha512).
- [oci-security-health-check-standard-251104.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251104.sha512256).
- [oci-security-health-check-standard-251128.sha512](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251128.sha512).
- [oci-security-health-check-standard-251128.sha512256](https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251128.sha512256).
- Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).

On MacOS:
```
cd <your_downloads_directory>
shasum -a 512256 -c oci-security-health-check-standard-251104.sha512256
shasum -a 512256 -c oci-security-health-check-standard-251128.sha512256
```

On Linux (including Cloud Shell):
```
cd <your_downloads_directory>
sha512sum -c oci-security-health-check-standard-251104.sha512
sha512sum -c oci-security-health-check-standard-251128.sha512
```

**Reject the downloaded file when the check fails!**
Expand Down Expand Up @@ -225,7 +225,7 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
- Upload the distribution file.
- Extract it
```
unzip -q oci-security-health-check-standard-251104.zip
unzip -q oci-security-health-check-standard-251128.zip
```

#### Run the script
Expand Down Expand Up @@ -302,11 +302,11 @@ allow group 'Default'/'grp-auditors' to inspect vcns in compartment <compartment
Follow the instructions to select /usr/bin/python3.9
- Log out

- From your desktop, upload the `oci-security-health-check-standard-251104.zip` file to the Compute VM using any SFTP client.
- From your desktop, upload the `oci-security-health-check-standard-251128.zip` file to the Compute VM using any SFTP client.
- Log into the Compute VM
- Extract the distribution
```
unzip -q oci-security-health-check-standard-251104.zip
unzip -q oci-security-health-check-standard-251128.zip
```
- Change directory into `oci-security-health-check-standard`:
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ Usage
- From the menu select the Cloud Shell item.
- When running it the first time:
- Upload the provided ZIP file.
- Extract it with unzip -q oci-security-health-check-standard-251104.zip
- Extract it with unzip -q oci-security-health-check-standard-251128.zip
- Change directory into oci-security-health-check-standard
$ cd oci-security-health-check-standard
$ screen
Expand Down Expand Up @@ -190,11 +190,11 @@ Usage
- Log out

- From your desktop, upload the
"oci-security-health-check-standard-251104.zip" file to the Compute VM
"oci-security-health-check-standard-251128.zip" file to the Compute VM
using any SFTP client.
- Log into the Compute VM
- Extract the distribution
unzip -q oci-security-health-check-standard-251104.zip
unzip -q oci-security-health-check-standard-251128.zip

- Change directory into "oci-security-health-check-standard":
cd oci-security-health-check-standard
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,9 +41,9 @@
except Exception:
OUTPUT_DIAGRAMS = False

RELEASE_VERSION = "3.1.0"
RELEASE_VERSION = "3.1.0.1"
PYTHON_SDK_VERSION = "2.161.1"
UPDATED_DATE = "October 24, 2025"
UPDATED_DATE = "November 28, 2025"


##########################################################################
Expand All @@ -52,7 +52,9 @@
# DEBUG = False
def debug(msg):
if DEBUG:
print(msg)
log_datetime = datetime.datetime.now().replace(tzinfo=pytz.UTC)
log_time_str = str(log_datetime.strftime("%Y-%m-%dT%H:%M:%S"))
print(log_time_str+": "+msg)

##########################################################################
# Print header centered
Expand Down Expand Up @@ -475,7 +477,7 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, repor
"Description": "Using default tags is a way to ensure all resources that support tags are tagged during creation. Tags can be based on static values or based on computed values. It is recommended to setup default tags early on to ensure all created resources will get tagged.\nTags are scoped to Compartments and are inherited by Child Compartments. The recommendation is to create default tags like “CreatedBy” at the Root Compartment level to ensure all resources get tagged.\nWhen using Tags it is important to ensure that Tag Namespaces are protected by IAM Policies otherwise this will allow users to change tags or tag values.\nDepending on the age of the OCI Tenancy there may already be Tag defaults setup at the Root Level and no need for further action to implement this action.",
"Rationale": "In the case of an incident having default tags like “CreatedBy” applied will provide info on who created the resource without having to search the Audit logs.",
"Impact": "There is no performance impact when enabling the above described features",
"Remediation": "Update the root compartments tag default link.In the Tag Defaults table verify that there is a Tag with a value of \"${iam.principal.name}\" and a Tag Key Status of Active. Also create a Tag key definition by providing a Tag Key, Description and selecting 'Static Value' for Tag Value Type.",
"Remediation": "Update the root compartments tag default link. In the Tag Defaults table verify that there is a Tag with a value of \"${iam.principal.name}\" and a Tag Key Status of Active. Also create a Tag key definition by providing a Tag Key, Description and selecting 'Static Value' for Tag Value Type.",
"Recommendation": "",
"Observation": "default tags are used on resources."
},
Expand All @@ -491,7 +493,7 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, repor
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Providers are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.",
"Rationale": "OCI Identity Providers allow management of User ID / passwords in external systems and use of those credentials to access OCI resources. Identity Providers allow users to single sign-on to OCI console and have other OCI credentials like API Keys.\nMonitoring and alerting on changes to Identity Providers will help in identifying changes to the security posture.",
"Impact": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
"Remediation": "Create a Rule Condition in the Events services by selecting Identity in the Service Name Drop-down and selecting Identity Provider – Create, Identity Provider - Delete and Identity Provider – Update. In the Actions section select Notifications as Action Type and selct the compartment and topic to be used.",
"Remediation": "Create a Rule Condition in the Events services by selecting Identity in the Service Name Drop-down and selecting Identity Provider – Create, Identity Provider - Delete and Identity Provider – Update. In the Actions section select Notifications as Action Type and select the compartment and topic to be used.",
"Recommendation": "",
"Observation": "notifications have been configured for Identity Provider changes."
},
Expand All @@ -507,15 +509,15 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, repor
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
"Rationale": "IAM Groups control access to all resources within an OCI Tenancy.\n Monitoring and alerting on changes to IAM Groups will help in identifying changes to satisfy least privilege principle.",
"Impact": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
"Remediation": "Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Group – Create, Group – Delete and Group – Update. In the Actions section select Notifications as Action Type and selct the compartment and topic to be used.",
"Remediation": "Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Group – Create, Group – Delete and Group – Update. In the Actions section select Notifications as Action Type and select the compartment and topic to be used.",
"Recommendation": "",
"Observation": "notifications have been configured for IAM Group changes."
},
"4.6": {
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Policies are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
"Rationale": "IAM Policies govern access to all resources within an OCI Tenancy.\n Monitoring and alerting on changes to IAM policies will help in identifying changes to the security posture.",
"Impact": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
"Remediation": "Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Policy – Change Compartment, Policy – Create, Policy - Delete and Policy – Update. In the Actions section select Notifications as Action Type and selct the compartment and topic to be used.",
"Remediation": "Create a Rule Condition by selecting Identity in the Service Name Drop-down and selecting Policy – Change Compartment, Policy – Create, Policy - Delete and Policy – Update. In the Actions section select Notifications as Action Type and select the compartment and topic to be used.",
"Recommendation": "",
"Observation": "notifications have been configured for IAM Policy changes."
},
Expand Down Expand Up @@ -1744,7 +1746,7 @@ def get_date_ranges(start_date, end_date, date_ranges, max_days_between=9):
##########################################################################
def run_logging_search_query_api_usage(search_query, api_key_used, start_date: datetime, end_date: datetime):
if self.__disable_api_keys:
print("***Skipping Processing Audit Logs for API Key Usage...***")
# print("***Skipping Processing Audit Logs for API Key Usage...***")
return api_key_used
else:
print("Processing Audit Logs for API Key Usage...")
Expand Down Expand Up @@ -2017,7 +2019,7 @@ def __identity_read_dynamic_groups(self):
id_domain_deep_link = self.__oci_identity_domains_uri + identity_domain['id']
for dynamic_group in dynamic_groups_data:
debug("__identity_read_dynamic_groups: reading dynamic groups" + str(dynamic_group.display_name))
deep_link = self.__oci_identity_domains_uri + "/domains/" + identity_domain['id'] + "/dynamic-groups/" + dynamic_group.id
deep_link = f"{self.__oci_identity_domains_uri}/domains/{identity_domain['id']}/dynamic-groups/{dynamic_group.id}"
record = oci.util.to_dict(dynamic_group)
record['deep_link'] = self.__generate_csv_hyperlink(deep_link, dynamic_group.display_name)
record['domain_deeplink'] = self.__generate_csv_hyperlink(id_domain_deep_link, identity_domain['display_name'])
Expand Down Expand Up @@ -2717,7 +2719,6 @@ def __network_read_fastonnects(self):
# Looping through compartments in tenancy
fastconnects = self.__search_resource_in_region("VirtualCircuit", region_values)


compartments = set()

for vc in fastconnects:
Expand Down Expand Up @@ -3610,7 +3611,7 @@ def __ons_read_subscriptions(self):
return self.__subscriptions

except Exception as e:
raise RuntimeError("Error in ons_read_subscription " + str(e.args))
print("Error in ons_read_subscription " + str(e.args))

##########################################################################
# Identity Tag Default
Expand Down Expand Up @@ -4279,8 +4280,8 @@ def __cis_check_users(self):
# CIS Total 1.10 Adding - Keys to CIS Total
self.cis_foundations_benchmark_3_0['1.10']['Total'].append(
key)
# CIS 1.11 Check - Old DB Password
#__iso_time_format1 = "%Y-%m-%dT%H:%M:%S.%fZ"
# CIS 1.11 Check - Old DB Password
# __iso_time_format1 = "%Y-%m-%dT%H:%M:%S.%fZ"
for user in self.__users:
if user['database_passwords']:
for key in user['database_passwords']:
Expand Down Expand Up @@ -4351,7 +4352,7 @@ def __cis_check_users(self):
login_over_45_days = False

if user['api_keys'] and user['lifecycle_state']:
print("__report_cis_analyze_tenancy_data CIS 1.16 API Key Check")
debug("__report_cis_analyze_tenancy_data CIS 1.16 API Key Check")
api_key_over_45_days = not(all(key.get('apikey_used_in_45_days', False) for key in user['api_keys']))
else:
api_key_over_45_days = False
Expand Down Expand Up @@ -4392,11 +4393,16 @@ def __cis_check_dynamic_groups(self):
# CIS 1.14 Check - Ensure Dynamic Groups are used for OCI instances, OCI Cloud Databases and OCI Function to access OCI resources
# Iterating through all dynamic groups ensure there are some for fnfunc, instance or autonomous. Using reverse logic so starts as a false
for dynamic_group in self.__dynamic_groups:
if any(oci_resource.upper() in str(dynamic_group['matching_rule'].upper()) for oci_resource in self.cis_iam_checks['1.14']['resources']):
self.cis_foundations_benchmark_3_0['1.14']['Status'] = True
else:
self.cis_foundations_benchmark_3_0['1.14']['Findings'].append(
dynamic_group)
for oci_resource in self.cis_iam_checks['1.14']['resources']:
if dynamic_group['matching_rule'] and any(oci_resource.upper() in str(dynamic_group['matching_rule'].upper())):
self.cis_foundations_benchmark_3_0['1.14']['Status'] = True
else:
self.cis_foundations_benchmark_3_0['1.14']['Findings'].append(dynamic_group)

# if (oci_resource and any(oci_resource.upper() in str(dynamic_group['matching_rule'].upper())) for oci_resource in self.cis_iam_checks['1.14']['resources']):
# self.cis_foundations_benchmark_3_0['1.14']['Status'] = True
# else:
# self.cis_foundations_benchmark_3_0['1.14']['Findings'].append(dynamic_group)
# Clearing finding
if self.cis_foundations_benchmark_3_0['1.14']['Status']:
self.cis_foundations_benchmark_3_0['1.14']['Findings'] = []
Expand Down Expand Up @@ -5414,7 +5420,7 @@ def __obp_check_adbs(self):
self.obp_foundations_checks['ADB_MTLS']['Findings'].append(adb)
else:
self.obp_foundations_checks['ADB_MTLS']['OBP'].append(adb)
if not adb['encryption_key']['provider'] == 'ORACLE_MANAGED':
if adb['encryption_key'] and adb['encryption_key']['provider'] and not adb['encryption_key']['provider'] == 'ORACLE_MANAGED':
self.obp_foundations_checks['ADB_CMK']['Findings'].append(adb)
else:
self.obp_foundations_checks['ADB_CMK']['OBP'].append(adb)
Expand Down Expand Up @@ -5860,6 +5866,8 @@ def __report_generate_html_summary_report(self, header, file_subject, data):
t = row['Total']
tmp = ''
if t != ' ':
if f == ' ':
f = t
tmp = f'<br><br><b>{str(f)}</b> of <b>{str(t)}</b> item'
if int(t) > 1:
tmp += 's'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
#
# Author: Olaf Heimburger
#
VERSION=251104
VERSION=251128

graal_version=24.2.2
OS_TYPE=$(uname)
Expand Down

This file was deleted.

This file was deleted.

Binary file not shown.
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
850f037a7ed548d43a789c827821012ebd57750265a875625888f56d3fb2534a410b59f54a3e882084d38a29d691dc8b9768c4c05e105bff5948db6887374bea /Users/OHEIMBUR/Desktop/demo/oci-security-health-check-standard-251128.zip

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File path should not be in here.

Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
bcad762c63ddf7aa1cce1fc1dcf2944965fc9636d371f68a9ca653bb3c67d450 /Users/OHEIMBUR/Desktop/demo/oci-security-health-check-standard-251128.zip

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File path should not be in here.

Binary file not shown.