
Best Practices from Oracle Development's A‑Team

How to Monitor CIS Compliance with Oracle Cloud Guard

Josh Hammer
Cloud Security Advisor

Oracle Cloud customers can now use Oracle Cloud Guard to monitor their Oracle Cloud Infrastructure (OCI) tenancy’s compliance with the Center for Internet Security (CIS) OCI Foundations Benchmark. The CIS OCI Foundations Benchmark is a set of step-by-step security configuration best practices for OCI tenancies. Cloud Guard now provides visibility into specific CIS security configuration practices that a tenancy is not in compliance with.

When Cloud Guard finds a setting or action that can impact an OCI tenancy’s security posture, it logs this as a Problem and labels whether it impacts compliance with the CIS OCI Foundations Benchmark. Problems are security findings that are detected by Cloud Guard and provided to the customer for review and action. Additionally, a Cloud Guard Problem provides the customer with information such as why it is a problem, what resource is affected and how to remediate it.

In the step-by-step example below, we will show you how to locate specific CIS OCI configuration issues using the Cloud Guard console.

1. Log in to the OCI Console and navigate to Cloud Guard

2. Click on Problems on the left side menu

3. In the Filter box select Labels

4. Then select =

5. Now enter one of the below as the filter for CIS OCI Foundations Benchmark v1.1 Problems:

  • CIS_OCI_V1.1_IAM
  • CIS_OCI_V1.1_MONITORING
  • CIS_OCI_V1.1_NETWORK
  • CIS_OCI_V1.1_OBJECTSTORAGE

6. Then press the Enter key to view Cloud Guard's Problems related to the CIS OCI Foundations Benchmark


With this filter applied you can see all the Cloud Guard Problems that are out of compliance with the Identity and Access Management (IAM) recommendations from the CIS OCI Foundations Benchmark v1.1.

| CIS Section # | CIS Recommendation # | CIS Title | Cloud Guard Problem Name | Cloud Guard Problem Labels |
| --- | --- | --- | --- | --- |
| 1 | | Identity and Access Management | | |
| 1 | 1.1 | Ensure service level admins are created to manage resources of particular service | | |
| 1 | 1.2 | Ensure permissions on all resources are given only to the tenancy administrator group | Policy gives too many privileges | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.3 | Ensure IAM administrators cannot update tenancy Administrators group | Tenancy admin privilege granted to group | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.4 | Ensure IAM password policy requires minimum length of 14 or greater | Password policy does not meet complexity requirements | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.5 | Ensure IAM password policy expires passwords within 365 days | Password is too old | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.6 | Ensure IAM password policy prevents password reuse | | |
| 1 | 1.7 | Ensure MFA is enabled for all users with a console password | User does not have MFA enabled | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.8 | Ensure user API keys rotate within 90 days or less | API key is too old | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.9 | Ensure user customer secret keys rotate within 90 days or less | | |
| 1 | 1.10 | Ensure user auth tokens rotate within 90 days or less | | |
| 1 | 1.11 | Ensure API keys are not created for tenancy administrator users | User has API keys | ['CIS_OCI_V1.1_IAM', 'CIS_OCI_V1.0_IAM', 'IAM'] |
| 1 | 1.12 | Ensure all OCI IAM user accounts have a valid and current email address | | |
| 2 | | Networking | | |
| 2 | 2.1 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 | VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) | |
| 2 | 2.2 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 | VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) | |
| 2 | 2.3 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | NSG egress rule contains disallowed IP/port | |
| 2 | 2.4 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | NSG egress rule contains disallowed IP/port | |
| 2 | 2.5 | Ensure the default security list of every VCN restricts all traffic except ICMP | VCN Security list allows traffic to restricted port | |
| 3 | | Logging and Monitoring | | |
| 3 | 3.1 | Ensure audit log retention period is set to 365 days | | |
| 3 | 3.2 | Ensure default tags are used on resources | Resource is not tagged appropriately | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'TAGS'] |
| 3 | 3.3 | Create at least one notification topic and subscription to receive monitoring alerts | | |
| 3 | 3.4 | Ensure a notification is configured for Identity Provider changes | | |
| 3 | 3.5 | Ensure a notification is configured for IdP group mapping changes | | |
| 3 | 3.6 | Ensure a notification is configured for IAM group changes | User added to group | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'IAM'] |
| 3 | 3.7 | Ensure a notification is configured for IAM policy changes | Security policy modified | ['CIS_OCI_V1.1_MONITORING', 'IAM'] |
| 3 | 3.8 | Ensure a notification is configured for user changes | User added to group | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'IAM'] |
| 3 | 3.9 | Ensure a notification is configured for VCN changes | VCN created; VCN deleted | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'Network'] |
| 3 | 3.10 | Ensure a notification is configured for changes to route tables | VCN Route Table changed | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'Network'] |
| 3 | 3.11 | Ensure a notification is configured for security list changes | VCN Security List created; VCN Security List deleted; VCN Security List egress rules changed; VCN Security List ingress rules changed | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'Network'] |
| 3 | 3.12 | Ensure a notification is configured for network security group changes | VCN Network Security Group Deleted; VCN Network Security Group egress rule changed; VCN Network Security Group ingress rule changed | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'Network'] |
| 3 | 3.13 | Ensure a notification is configured for changes to network gateways | VCN Internet Gateway created; VCN Internet Gateway terminated; VCN has Local Peering Gateway attached; VCN Local Peering Gateway changed; VCN has InternetGateway attached | ['CIS_OCI_V1.0_MONITORING', 'CIS_OCI_V1.1_MONITORING', 'Network'] |
| 3 | 3.14 | Ensure VCN flow logging is enabled for all subnets | | |
| 3 | 3.15 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | | |
| 3 | 3.16 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | Key has not been rotated | ['CIS_OCI_V1.1_MONITORING', 'KMS'] |
| 3 | 3.17 | Ensure write level Object Storage logging is enabled for all buckets | | |
| 4 | | Object Storage | | |
| 4 | 4.1 | Ensure no Object Storage buckets are publicly visible | Bucket is public | ['CIS_OCI_V1.1_OBJECTSTORAGE', 'ObjectStorage'] |
| 4 | 4.2 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Object Storage bucket is encrypted with Oracle-managed key | ['CIS_OCI_V1.1_OBJECTSTORAGE', 'ObjectStorage', 'KMS'] |
| 5 | | Asset Management | | |
| 5 | 5.1 | Create at least one compartment in your tenancy to store cloud resources | | |
| 5 | 5.2 | Ensure no resources are created in the root compartment | | |


When you want to know which CIS recommendation a Cloud Guard Problem is mapped to, use the table above, which maps Cloud Guard Problem names to CIS recommendations. Going back to our example, the Cloud Guard Problem "API key is too old" is mapped to CIS recommendation 1.8 “Ensure user API keys rotate within 90 days”. Now that you have looked at the IAM issues, remove that filter and check whether you have any network related issues by filtering on CIS_OCI_V1.1_NETWORK.
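The console filter and the mapping table above can be reproduced outside the console for reporting. The following is an added example, not code from the post or from Oracle: it applies the same label filter to a constructed list of Problem records (the record shape is a simplified assumption; only the `labels` field mirrors the console's Labels column), then counts open Problems per CIS recommendation using a subset of the table. The mapping is one-to-many (the same Problem name serves 2.1 and 2.2, and 3.6 and 3.8), so it is kept as a list of pairs rather than a dictionary, and Problems with no mapping are reported as "unmapped" rather than dropped.

```python
"""Summarise open Cloud Guard Problems by CIS OCI Foundations Benchmark v1.1 recommendation."""
from collections import defaultdict

# Subset of the mapping table above: (CIS recommendation #, Cloud Guard Problem name).
# A list, not a dict: one Problem name can map to several recommendations (2.1/2.2, 3.6/3.8).
CIS_MAP = [
    ("1.2", "Policy gives too many privileges"),
    ("1.3", "Tenancy admin privilege granted to group"),
    ("1.4", "Password policy does not meet complexity requirements"),
    ("1.5", "Password is too old"),
    ("1.7", "User does not have MFA enabled"),
    ("1.8", "API key is too old"),
    ("1.11", "User has API keys"),
    ("2.1", "VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0)"),
    ("2.2", "VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0)"),
    ("3.6", "User added to group"),
    ("3.8", "User added to group"),
    ("4.1", "Bucket is public"),
]

# Constructed sample Problem records (not real tenancy data); the record shape is an
# assumption for this demo, with `labels` mirroring the Labels column the console filters on.
IAM_LABELS = ["CIS_OCI_V1.1_IAM", "CIS_OCI_V1.0_IAM", "IAM"]
MON_LABELS = ["CIS_OCI_V1.0_MONITORING", "CIS_OCI_V1.1_MONITORING", "IAM"]
SAMPLE_PROBLEMS = [
    {"problem_name": "API key is too old", "resource": "user-alice", "labels": IAM_LABELS, "status": "OPEN"},
    {"problem_name": "User does not have MFA enabled", "resource": "user-bob", "labels": IAM_LABELS, "status": "OPEN"},
    {"problem_name": "User does not have MFA enabled", "resource": "user-carol", "labels": IAM_LABELS, "status": "RESOLVED"},
    {"problem_name": "User added to group", "resource": "group-admins", "labels": MON_LABELS, "status": "OPEN"},
    {"problem_name": "VCN Route Table changed", "resource": "rt-prod", "labels": MON_LABELS[:2] + ["Network"], "status": "OPEN"},
    {"problem_name": "Bucket is public", "resource": "bucket-logs", "labels": ["CIS_OCI_V1.1_OBJECTSTORAGE", "ObjectStorage"], "status": "OPEN"},
]

def filter_by_label(problems, label):
    """Client-side equivalent of the console filter `Labels = <label>`."""
    return [p for p in problems if label in p.get("labels", [])]

def cis_recommendations(problem_name):
    """Every CIS v1.1 recommendation a Problem name maps to (empty list if not in CIS_MAP)."""
    return [rec for rec, name in CIS_MAP if name == problem_name]

def summarise(problems, label, status="OPEN"):
    """Count Problems carrying `label` with `status`, keyed by CIS recommendation # ("unmapped" if unknown)."""
    counts = defaultdict(int)
    for p in filter_by_label(problems, label):
        if p.get("status") != status:
            continue
        for rec in cis_recommendations(p["problem_name"]) or ["unmapped"]:
            counts[rec] += 1
    return dict(counts)
```

Calling `summarise(SAMPLE_PROBLEMS, "CIS_OCI_V1.1_MONITORING")` shows why the one-to-many mapping matters: a single "User added to group" Problem is counted under both 3.6 and 3.8, and the route-table Problem surfaces as "unmapped" because it is not in the subset.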

For a complete list of current Cloud Guard Detectors and other compliance mappings, such as CIS 1.0 and PCI-DSS 3.2.1, please refer to Cloud Guard detector and Compliance Control mappings.
