locals {
  # Tag set shared by every benchmark and control in this file: the
  # provider-wide compliance tags (defined elsewhere in the mod) plus a
  # service marker identifying the OCI VCN service.
  vcn_compliance_common_tags = merge(local.terraform_oci_compliance_common_tags, { service = "OCI/VCN" })
}
benchmark "vcn" {
  # Top-level grouping for the VCN controls declared below. Children are
  # listed alphabetically by control name; each child's query lives in a
  # separate query file.
  title       = "VCN"
  description = "This benchmark provides a set of controls that detect Terraform OCI Network resources deviating from security best practices."
  tags        = local.vcn_compliance_common_tags

  children = [
    control.vcn_default_security_group_allow_icmp_only,
    control.vcn_has_inbound_security_list_configured,
    control.vcn_inbound_security_lists_are_stateless,
    control.vcn_network_security_group_restrict_ingress_rdp_all,
    control.vcn_network_security_group_restrict_ingress_ssh_all,
    control.vcn_security_group_has_stateless_ingress_security_rules,
    control.vcn_security_list_restrict_ingress_rdp_all,
    control.vcn_security_list_restrict_ingress_ssh_all,
    control.vcn_subnet_public_access_blocked,
  ]
}
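control "vcn_default_security_group_allow_icmp_only" {
  # CIS-tagged control for the VCN's auto-created default security list.
  # The description previously ended with the SSH/port-22 recommendation
  # copied from the SSH control, which contradicted this title; it now
  # states the ICMP-only recommendation the title (and the query name) imply.
  title       = "Ensure the Network default security list of every VCN restricts all traffic except ICMP"
  description = "A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful or stateless filtering of ingress and egress network traffic to OCI resources. It is recommended that the default security list of every VCN restricts all traffic except ICMP."
  query       = query.vcn_default_security_group_allow_icmp_only
  tags        = merge(local.vcn_compliance_common_tags, { cis = true })
}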
control "vcn_network_security_group_restrict_ingress_rdp_all" {
  # CIS-tagged: flags network security group ingress rules that admit the
  # IPv4 any-source CIDR 0.0.0.0/0 to port 3389 (RDP). Whether the backing
  # query also treats the IPv6 equivalent ::/0 as unrestricted is not visible
  # from this file — confirm in the query definition.
  query       = query.vcn_network_security_group_restrict_ingress_rdp_all
  title       = "Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389"
  description = "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389."
  tags        = merge(local.vcn_compliance_common_tags, { cis = true })
}
control "vcn_network_security_group_restrict_ingress_ssh_all" {
  # CIS-tagged: flags network security group ingress rules that admit the
  # IPv4 any-source CIDR 0.0.0.0/0 to port 22 (SSH). Whether the backing
  # query also treats the IPv6 equivalent ::/0 as unrestricted is not visible
  # from this file — confirm in the query definition.
  query       = query.vcn_network_security_group_restrict_ingress_ssh_all
  title       = "Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22"
  description = "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22."
  tags        = merge(local.vcn_compliance_common_tags, { cis = true })
}
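control "vcn_security_list_restrict_ingress_rdp_all" {
  # CIS-tagged: subnet-level counterpart of the NSG RDP control. The
  # description previously said "no security group", copied from the NSG
  # control; this control is about security lists, so the wording now
  # matches the title and the query name.
  title       = "Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389"
  description = "Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security list allows unrestricted ingress access to port 3389."
  query       = query.vcn_security_list_restrict_ingress_rdp_all
  tags        = merge(local.vcn_compliance_common_tags, { cis = true })
}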
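control "vcn_security_list_restrict_ingress_ssh_all" {
  # CIS-tagged: subnet-level counterpart of the NSG SSH control. The
  # description previously said "no security group", copied from the NSG
  # control; this control is about security lists, so the wording now
  # matches the title and the query name.
  title       = "Ensure no security lists allow ingress from 0.0.0.0/0 to port 22"
  description = "Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security list allows unrestricted ingress access to port 22."
  query       = query.vcn_security_list_restrict_ingress_ssh_all
  tags        = merge(local.vcn_compliance_common_tags, { cis = true })
}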
# Non-CIS control on subnet reachability.
# NOTE(review): only the first sentence of the description is about subnet
# public access; the remaining sentences describe IAM "network sources"
# (IP allow-lists referenced from policy/authentication settings), which is
# a different feature. Confirm against query.vcn_subnet_public_access_blocked
# what the query actually evaluates and trim the description to match.
control "vcn_subnet_public_access_blocked" {
title = "Ensure subnets are not publicly accessible"
description = "Public access to a Network's subnet increases resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address."
query = query.vcn_subnet_public_access_blocked
tags = local.vcn_compliance_common_tags
}
control "vcn_has_inbound_security_list_configured" {
  # Non-CIS hygiene control: a VCN should carry at least one inbound
  # security list. Uses the shared tag set without the cis marker.
  query       = query.vcn_has_inbound_security_list_configured
  title       = "Ensure VCN has at least one inbound security list configured"
  description = "This control checks if a VCN has at least one inbound security list configured."
  tags        = local.vcn_compliance_common_tags
}
control "vcn_security_group_has_stateless_ingress_security_rules" {
  # Non-CIS control on network security group ingress rule statefulness.
  # Uses the shared tag set without the cis marker.
  query       = query.vcn_security_group_has_stateless_ingress_security_rules
  title       = "Ensure Network Security Group has stateless ingress security rules"
  description = "This control checks if a Network Security Group has stateless ingress security rules."
  tags        = local.vcn_compliance_common_tags
}
control "vcn_inbound_security_lists_are_stateless" {
  # Non-CIS control on inbound security list statefulness; the security-list
  # counterpart of vcn_security_group_has_stateless_ingress_security_rules.
  # Uses the shared tag set without the cis marker.
  query       = query.vcn_inbound_security_lists_are_stateless
  title       = "Ensure VCN inbound security lists are stateless"
  description = "This control checks if a VCN has inbound security lists that are stateless."
  tags        = local.vcn_compliance_common_tags
}