diff --git a/templates/standards/cis-oci-foundations/v2.0.0.json b/templates/standards/cis-oci-foundations/v2.0.0.json new file mode 100644 index 0000000..7ceb49d --- /dev/null +++ b/templates/standards/cis-oci-foundations/v2.0.0.json @@ -0,0 +1,343 @@ +{ + "standard": "CIS Oracle Cloud Foundations 2.0.0", + "webLink": "#", + "version": "2.0.0", + "domains": [ + { + "title": "Identity and Access Management", + "controls": [ + { + "ref": "1.1", + "title": "Ensure service level admins are created to manage\nresources of particular service (Manual)", + "summary": "To apply least-privilege security principle, one can create service-level administrators in corresponding groups and assigning specific users to each service-level administrative group in a tenancy. This limits administrative access in a tenancy. It means service-level administrators can only manage resources of a specific service.", + "applicable": true + }, + { + "ref": "1.2", + "title": "Ensure permissions on all resources are given only to\nthe tenancy administrator group (Automated)", + "summary": "There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:\nAllow group Administrators to manage all-resources in tenancy\nAdministrators create more users, groups, and policies to provide appropriate access to other groups. Administrators should not allow any-other-group full access to the tenancy by writing a policy like this -\nAllow group any-other-group to manage all-resources in tenancy\nThe access should be narrowed down to ensure the least-privileged principle is applied.", + "applicable": true + }, + { + "ref": "1.3", + "title": "Ensure IAM administrators cannot update tenancy\nAdministrators group (Automated)", + "summary": "Tenancy administrators can create more users, groups, and policies to provide other service administrators access to OCI resources. For example, an IAM administrator will need to have access to manage resources like compartments, users, groups, dynamic-groups, policies, identity-providers, tenancy tag- namespaces, tag-definitions in the tenancy.\nThe policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group.", + "applicable": true + }, + { + "ref": "1.4", + "title": "Ensure IAM password policy requires minimum length of\n14 or greater (Automated)", + "summary": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a certain length and\nare composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or \u201cSpecial Character\u201d).", + "applicable": true + }, + { + "ref": "1.5", + "title": "Ensure IAM password policy expires passwords within\n365 days (Manual)", + "summary": "IAM password policies can require passwords to be rotated or expired after a given\nnumber of days. It is recommended that the password policy expire passwords after 365\nand are changed immediately based on events.", + "applicable": true + }, + { + "ref": "1.6", + "title": "Ensure IAM password policy prevents password reuse\n(Manual)", + "summary": "IAM password policies can prevent the reuse of a given password by the same user. It\nis recommended the password policy prevent the reuse of passwords.", + "applicable": true + }, + { + "ref": "1.7", + "title": "Ensure MFA is enabled for all users with a console\npassword (Automated)", + "summary": "Multi-factor authentication is a method of authentication that requires the use of more\nthan one factor to verify a user\u2019s identity.\nWith MFA enabled in the IAM service, when a user signs in to Oracle Cloud\nInfrastructure, they are prompted for their user name and password, which is the first\nfactor (something that they know). The user is then prompted to provide a verification\ncode from a registered MFA device, which is the second factor (something that they\nhave). The two factors work together, requiring an extra layer of security to verify the\nuser\u2019s identity and complete the sign-in process.\nOCI IAM supports two-factor authentication using a password (first factor) and a device\nthat can generate a time-based one-time password (TOTP) (second factor).", + "applicable": true + }, + { + "ref": "1.8", + "title": "Ensure user API keys rotate within 90 days (Automated)", + "summary": "API keys are used by administrators, developers, services and scripts for accessing\nOCI APIs directly or via SDKs/OCI CLI to search, create, update or delete OCI\nresources.\nThe API key is an RSA key pair. The private key is used for signing the API requests\nand the public key is associated with a local or synchronized user's profile.", + "applicable": true + }, + { + "ref": "1.9", + "title": "Ensure user customer secret keys rotate every 90 days\n(Automated)", + "summary": "Object Storage provides an API to enable interoperability with Amazon S3. To use this\nAmazon S3 Compatibility API, you need to generate the signing key required to\nauthenticate with Amazon S3.\nThis special signing key is an Access Key/Secret Key pair. Oracle generates the\nCustomer Secret key to pair with the Access Key.", + "applicable": true + }, + { + "ref": "1.10", + "title": "Ensure user auth tokens rotate within 90 days or less\n(Automated)", + "summary": "Auth tokens are authentication tokens generated by Oracle. You use auth tokens to authenticate with APIs that do not support the Oracle Cloud Infrastructure signaturebased authentication. If the service requires an auth token, the service-specific documentation instructs you to generate one and how to use it.", + "applicable": true + }, + { + "ref": "1.11", + "title": "Ensure user IAM Database Passwords rotate within 90\ndays (Manual)", + "summary": "Users can create and manage their database password in their IAM user profile and use that password to authenticate to databases in their tenancy. An IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy. An IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy.", + "applicable": true + }, + { + "ref": "1.12", + "title": "Ensure API keys are not created for tenancy\nadministrator users (Automated)", + "summary": "Tenancy administrator users have full access to the organization's OCI tenancy. API\nkeys associated with user accounts are used for invoking the OCI APIs via custom\nprograms or clients like CLI/SDKs. The clients are typically used for performing day-today operations and should never require full tenancy access. Service-level\nadministrative users with API keys should be used instead.", + "applicable": true + }, + { + "ref": "1.13", + "title": "Ensure all OCI IAM user accounts have a valid and\ncurrent email address (Manual)", + "summary": "All OCI IAM local user accounts have an email address field associated with the\naccount. It is recommended to specify an email address that is valid and current.\nIf you have an email address in your user profile, you can use the Forgot Password link\non the sign on page to have a temporary password sent to you", + "applicable": true + }, + { + "ref": "1.14", + "title": "Ensure Instance Principal authentication is used for OCI\ninstances, OCI Cloud Databases and OCI Functions to\naccess OCI resources. (Manual)", + "summary": "OCI instances, OCI database and OCI functions can access other OCI resources either via an OCI API key associated to a user or via Instance Principal. Instance Principal authentication can be achieved by inclusion in a Dynamic Group that has an IAM policy granting it the required access or using an OCI IAM policy that has request.principal added to the where clause. Access to OCI Resources refers to making API calls to another OCI resource like Object Storage, OCI Vaults, etc.", + "applicable": true + }, + { + "ref": "1.15", + "title": "Ensure storage service-level admins cannot delete\nresources they manage. (Manual)", + "summary": "To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means servicelevel administrators can only manage resources of a specific service but not delete resources for that specific service.", + "applicable": true + } + ] + }, + { + "title": "Networking", + "controls": [ + { + "ref": "2.1", + "title": "Ensure no security lists allow ingress from 0.0.0.0/0 to\nport 22 (Automated)", + "summary": "Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. It is recommended that no security list allows unrestricted ingress access to port 22.", + "applicable": true + }, + { + "ref": "2.2", + "title": "Ensure no security lists allow ingress from 0.0.0.0/0 to\nport 3389 (Automated)", + "summary": "Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.", + "applicable": true + }, + { + "ref": "2.3", + "title": "Ensure no network security groups allow ingress from\n0.0.0.0/0 to port 22 (Automated)", + "summary": "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress to port 22.", + "applicable": true + }, + { + "ref": "2.4", + "title": "Ensure no network security groups allow ingress from\n0.0.0.0/0 to port 3389 (Automated)", + "summary": "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.", + "applicable": true + }, + { + "ref": "2.5", + "title": "Ensure the default security list of every VCN restricts all\ntraffic except ICMP (Automated)", + "summary": "A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI\nresources. It is recommended no security list allows unrestricted ingress access to resources such as Secure Shell (SSH) via port 22.", + "applicable": true + }, + { + "ref": "2.6", + "title": "Ensure Oracle Integration Cloud (OIC) access is\nrestricted to allowed sources. (Manual)", + "summary": "Oracle Integration (OIC) is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications and connects both your applications that live in the cloud and your applications that still live on premises. Oracle Integration provides secure, enterprisegrade connectivity regardless of the applications you are connecting or where they reside. OIC instances are created within an Oracle managed secure private network with each having a public endpoint. The capability to configure ingress filtering of network traffic to protect your OIC instances from unauthorized network access is included. It is recommended that network access to your OIC instances be restricted to your approved corporate IP Addresses or Virtual Cloud Networks (VCN)s.", + "applicable": true + }, + { + "ref": "2.7", + "title": "Ensure Oracle Analytics Cloud (OAC) access is\nrestricted to allowed sources or deployed within a Virtual\nCloud Network. (Manual)", + "summary": "Oracle Analytics Cloud (OAC) is a scalable and secure public cloud service that provides a full set of capabilities to explore and perform collaborative analytics for you,\nyour workgroup, and your enterprise. OAC instances provide ingress filtering of network traffic or can be deployed with in an existing Virtual Cloud Network VCN. It is recommended that all new OAC instances be deployed within a VCN and that the Access Control Rules are restricted to your corporate IP Addresses or VCNs for existing OAC instances.", + "applicable": true + }, + { + "ref": "2.8", + "title": "Ensure Oracle Autonomous Shared Databases (ADB)\naccess is restricted to allowed sources or deployed\nwithin a Virtual Cloud Network (Manual)", + "summary": "Oracle Autonomous Database Shared (ADB-S) automates database tuning, security, backups, updates, and other routine management tasks traditionally performed by DBAs. ADB-S provide ingress filtering of network traffic or can be deployed within an existing Virtual Cloud Network (VCN). It is recommended that all new ADB-S databases be deployed within a VCN and that the Access Control Rules are restricted to your corporate IP Addresses or VCNs for existing ADB-S databases.", + "applicable": true + } + ] + }, + { + "title": "Compute", + "controls": [ + { + "ref": "3.1", + "title": "Ensure Compute Instance Legacy Metadata service\nendpoint is disabled (Automated)", + "summary": "Compute Instances that utilize Legacy MetaData service endpoints (IMDSv1) are susceptible to potential SSRF attacks. To bolster security measures, it is strongly advised to reconfigure Compute Instances to adopt Instance Metadata Service v2, aligning with the industry's best security practices.", + "applicable": true + }, + { + "ref": "3.2", + "title": "Ensure Secure Boot is enabled on Compute Instance\n(Automated)", + "summary": "Shielded Instances with Secure Boot enabled prevents unauthorized boot loaders and operating systems from booting. This prevent rootkits, bootkits, and unauthorized software from running before the operating system loads. Secure Boot verifies the digital signature of the system's boot software to check its authenticity. The digital signature ensures the operating system has not been tampered with and is from a trusted source. When the system boots and attempts to execute the software, it will first check the digital signature to ensure validity. If the digital signature is not valid, the system will not allow the software to run. Secure Boot is a feature of UEFI(Unified Extensible Firmware Interface) that only allows approved operating systems to boot up.", + "applicable": true + }, + { + "ref": "3.3", + "title": "Ensure In-transit Encryption is enabled on Compute\nInstance (Automated)", + "summary": "The Block Volume service provides the option to enable in-transit encryption for paravirtualized volume attachments on virtual machine (VM) instances.", + "applicable": true + } + ] + }, + { + "title": "Logging and Monitoring", + "controls": [ + { + "ref": "4.1", + "title": "Ensure default tags are used on resources (Automated)", + "summary": "Using default tags is a way to ensure all resources that support tags are tagged during creation. Tags can be based on static or computed values. It is recommended to set up default tags early after root compartment creation to ensure all created resources will get tagged. Tags are scoped to Compartments and are inherited by Child Compartments. The recommendation is to create default tags like \u201cCreatedBy\u201d at the Root Compartment level to ensure all resources get tagged. When using Tags it is important to ensure that Tag Namespaces are protected by IAM Policies otherwise this will allow users to change tags or tag values. Depending on the age of the OCI Tenancy there may already be Tag defaults setup at the Root Level and no need for further action to implement this action.", + "applicable": true + }, + { + "ref": "4.2", + "title": "Create at least one notification topic and subscription to\nreceive monitoring alerts (Automated)", + "summary": "Notifications provide a multi-channel messaging service that allow users and applications to be notified of events of interest occurring within OCI. Messages can be sent via eMail, HTTPs, PagerDuty, Slack or the OCI Function service. Some channels, such as eMail require confirmation of the subscription before it becomes active.", + "applicable": true + }, + { + "ref": "4.3", + "title": "Ensure a notification is configured for Identity Provider\nchanges (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Providers are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.4", + "title": "Ensure a notification is configured for IdP group mapping\nchanges (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Provider Group Mappings are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.5", + "title": "Ensure a notification is configured for IAM group\nchanges (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.6", + "title": "Ensure a notification is configured for IAM policy\nchanges (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Policies are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.7", + "title": "Ensure a notification is configured for user changes\n(Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Users are created, updated, deleted, capabilities updated, or state updated. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.8", + "title": "Ensure a notification is configured for VCN changes\n(Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when Virtual Cloud Networks are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.9", + "title": "Ensure a notification is configured for\ntables (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when route tables are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.10", + "title": "Ensure a notification is configured for\nchanges (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when security lists are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.11", + "title": "Ensure a notification is configured for network security\ngroup changes (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when network security groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.12", + "title": "Ensure a notification is configured for changes to\nnetwork gateways (Automated)", + "summary": "It is recommended to setup an Event Rule and Notification that gets triggered when Network Gateways are created, updated, deleted, attached, detached, or moved. This recommendation includes Internet Gateways, Dynamic Routing Gateways, Service Gateways, Local Peering Gateways, and NAT Gateways. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.13", + "title": "Ensure VCN flow logging is enabled for all subnets\n(Automated)", + "summary": "VCN flow logs record details about traffic that has been accepted or rejected based on the security list rule.", + "applicable": true + }, + { + "ref": "4.14", + "title": "Ensure Cloud Guard is enabled in the root compartment\nof the tenancy (Automated)", + "summary": "Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.", + "applicable": true + }, + { + "ref": "4.15", + "title": "Ensure a notification is configured for Oracle Cloud\nGuard problems detected (Automated)", + "summary": "Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard generates a Problem. It is recommended to setup an Event Rule and Notification that gets triggered when Oracle Cloud Guard Problems are created, dismissed or remediated. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.", + "applicable": true + }, + { + "ref": "4.16", + "title": "Ensure customer created Customer Managed Key\n(CMK) is rotated at least annually (Automated)", + "summary": "Oracle Cloud Infrastructure Vault securely stores master encryption keys that protect your encrypted data. You can use the Vault service to rotate keys to generate new cryptographic material. Periodically rotating keys limits the amount of data encrypted by one key version.", + "applicable": true + }, + { + "ref": "4.17", + "title": "Ensure write level Object Storage logging is enabled for\nall buckets (Automated)", + "summary": "Object Storage write logs will log all write requests made to objects in a bucket.", + "applicable": true + } + ] + }, + { + "title": "Storage", + "controls": [ + { + "ref": "5.1.1", + "title": "Ensure no Object Storage buckets are publicly visible.\n(Automated)", + "summary": "A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. By Default a newly created bucket is private. It is recommended that no bucket be publicly accessible.", + "applicable": true + }, + { + "ref": "5.1.2", + "title": "Ensure Object Storage Buckets are encrypted with a\nCustomer Managed Key (CMK). (Automated)", + "summary": "Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.", + "applicable": true + }, + { + "ref": "5.1.3", + "title": "Ensure Versioning is Enabled for Object Storage\nBuckets (Automated)", + "summary": "A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.", + "applicable": true + }, + { + "ref": "5.2.1", + "title": "Ensure Block Volumes are encrypted with Customer\nManaged Keys (CMK). (Automated)", + "summary": "Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. Block Volumes can also be encrypted using a customer managed key.\nTerminated Block Volumes cannot be recovered and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, any Block Volumes in this state should not be considered when assessing this policy.", + "applicable": true + }, + { + "ref": "5.2.2", + "title": "Ensure boot volumes are encrypted with Customer\nManaged Key (CMK). (Automated)", + "summary": "When you launch a virtual machine (VM) or bare metal instance based on a platform image or custom image, a new boot volume for the instance is created in the same\ncompartment. That boot volume is associated with that instance until you terminate the instance. By default, the Oracle service manages the keys that encrypt this boot volume. Boot Volumes can also be encrypted using a customer managed key.", + "applicable": true + }, + { + "ref": "5.3.1", + "title": "Ensure File Storage Systems are encrypted with\nCustomer Managed Keys (CMK) (Automated)", + "summary": "Oracle Cloud Infrastructure File Storage service (FSS) provides a durable, scalable, secure, enterprise-grade network file system. By default, the Oracle service manages\nthe keys that encrypt FSS file systems. FSS file systems can also be encrypted using a customer managed key.", + "applicable": true + } + ] + }, + { + "title": "Asset Management", + "controls": [ + { + "ref": "6.1", + "title": "Create at least one compartment in your tenancy to store cloud resources (automated)", + "summary": "When you sign up for Oracle Cloud Infrastructure, Oracle creates your tenancy, which is the root compartment that holds all your cloud resources. You then create additional compartments within the tenancy (root compartment) and corresponding policies to control access to the resources in each compartment.\nCompartments allow you to organize and control access to your cloud resources. A compartment is a collection of related resources (such as instances, databases, virtual cloud networks, block volumes) that can be accessed only by certain groups that have been given permission by an administrator.", + "applicable": true + }, + { + "ref": "6.2", + "title": "Ensure no resources are created in the root compartment (automated)", + "summary": "When you create a cloud resource such as an instance, block volume, or cloud network, you must specify to which compartment you want the resource to belong. Placing resources in the root compartment makes it difficult to organize and isolate those resources.", + "applicable": true + } + ] + } + ] +} \ No newline at end of file