Merge pull request #800 from oracle-devrel/oci-security-health-check-…

…update-240130 Oci security health check update 240130
oracle-devrel · Feb 5, 2024 · 5ec9d29 · 5ec9d29
2 parents 040474e + d904cbb
commit 5ec9d29
Show file tree

Hide file tree

Showing 7 changed files with 916 additions and 167 deletions.
diff --git a/...rity/security-design/shared-assets/oci-security-health-check-standard/README.md b/...rity/security-design/shared-assets/oci-security-health-check-standard/README.md
@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 230922
+Version: 240130
 
 Reviewed: 01.02.2024
 
@@ -67,28 +67,37 @@ For recurring usage, setting up a group for auditing is recommended. For setting
 Using an auditor group is the recommended way to run the assessment script.
 To create a group for auditing do the following steps:
 
-  - Log into OCI Console as OCI administrator
-  - Create a group `grp-auditors`
-  - Create a policy `pcy-auditing` with these statements:
+  - Log into OCI Console as OCI administrator.
+  - In your Default domain create a group `grp-auditors`
+  - Create a policy `pcy-auditing` with these statements (if your tenancy does not have Domains, replace `'Default'/'grp-auditors'` with `grp-auditors`):
     ```
-    allow group grp-auditors to inspect all-resources in tenancy
-    allow group grp-auditors to read instances in tenancy
-    allow group grp-auditors to read load-balancers in tenancy
-    allow group grp-auditors to read buckets in tenancy
-    allow group grp-auditors to read nat-gateways in tenancy
-    allow group grp-auditors to read public-ips in tenancy
-    allow group grp-auditors to read file-family in tenancy
-    allow group grp-auditors to read instance-configurations in tenancy
-    allow group grp-auditors to read network-security-groups in tenancy
-    allow group grp-auditors to read resource-availability in tenancy
-    allow group grp-auditors to read audit-events in tenancy
-    allow group grp-auditors to read users in tenancy
-    allow group grp-auditors to read vss-family in tenancy
-    allow group grp-auditors to read dns in tenancy
-    allow group grp-auditors to use cloud-shell in tenancy
-    ```
-  - Assign a user to the `grp-auditors` group
-  - Log out of the OCI Console
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy    ```
+  - Assign a user to the `grp-auditors` group.
+  - Log out of the OCI Console.
+
+## Run the OCI Security Health Check in OCI Cloud Shell
+
+For a detailed description go to [Run the OCI Security Health Check in OCI Cloud Shell](https://github.com/oracle-devrel/technology-engineering/blob/main/security/security-design/oci-security-health-check-standard/files/oci-security-health-check-standard/README.md#run-the-oci-security-health-check-in-cloud-shell)
+
+## Sample Output
+
+After a completed run you will find a directory with a name starting with your tenancy name followed by a timestamp in your working directory (like `tenancy_name_YYYYMMDDHHmmss_standard`). A zip archive for easier download using the same name will be created, too. Both hold data files for your review.
+
+To start with reviewing the results, open the file named [cis_html_summary_report.html](files/resources/cis_html_summary_report.html)(sample report).
 
 # Credits
 

diff --git a/...curity-health-check-standard/files/oci-security-health-check-standard/README.md b/...curity-health-check-standard/files/oci-security-health-check-standard/README.md
@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 230922
+Version: 240130
 
 ## When to use this asset?
 
@@ -14,25 +14,25 @@ The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for CIS
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-230922.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-230922/oci-security-health-check-standard-230922.zip).
-  - Download the respective checksum file [oci-security-health-check-standard-230922.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-230922/oci-security-health-check-standard-230922.sha512256).
+  - Download the latest distribution [oci-security-health-check-standard-240130.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.zip).
+  - Download the respective checksum file [oci-security-health-check-standard-240130.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     $ cd <your_downloads_directory>
-    $ shasum -a 512256 -c oci-security-health-check-standard-230922.sha512256
-    oci-security-health-check-standard-230922.zip: OK
+    $ shasum -a 512256 -c oci-security-health-check-standard-240130.sha512256
+    oci-security-health-check-standard-240130.zip: OK
     ```
 
     On Linux (including Cloud Shell):
     ```
     $ cd <your_downloads_directory>
-    $ sha512sum -c oci-security-health-check-standard-230922.sha512
-    oci-security-health-check-standard-230922.zip: OK
+    $ sha512sum -c oci-security-health-check-standard-240130.sha512
+    oci-security-health-check-standard-240130.zip: OK
     ```
 
-**Reject the downloaded file if the check fails!**
+**Reject the downloaded file when the check fails!**
 
 ### Prepare the OCI Tenancy
 
@@ -51,26 +51,48 @@ steps for setting this up are described in the next chapter.
 Using an auditor group is the recommended way to run the assessment script.
 To create a group for auditing do the following steps:
 
-  - Log into OCI Console as OCI administrator
+  - Check whether your tenancy is still not migrated to Identity Domains:
+    - Login to OCI Console as OCI administrator
+    - Select "Identity & Security"
+    - If "Domains" are listed you are migrated to Identity Domains
   - Create a group `grp-auditors`
   - Create a policy `pcy-auditing` with these statements:
-    ```
-    allow group grp-auditors to inspect all-resources in tenancy
-    allow group grp-auditors to read instances in tenancy
-    allow group grp-auditors to read load-balancers in tenancy
-    allow group grp-auditors to read buckets in tenancy
-    allow group grp-auditors to read nat-gateways in tenancy
-    allow group grp-auditors to read public-ips in tenancy
-    allow group grp-auditors to read file-family in tenancy
-    allow group grp-auditors to read instance-configurations in tenancy
-    allow group grp-auditors to read network-security-groups in tenancy
-    allow group grp-auditors to read resource-availability in tenancy
-    allow group grp-auditors to read audit-events in tenancy
-    allow group grp-auditors to read users in tenancy
-    allow group grp-auditors to read vss-family in tenancy
-    allow group grp-auditors to read dns in tenancy
-    allow group grp-auditors to use cloud-shell in tenancy
-    ```
+    - For tenancies **without** Identity Domains use
+      ```
+      allow group grp-auditors to inspect all-resources in tenancy
+      allow group grp-auditors to read instances in tenancy
+      allow group grp-auditors to read load-balancers in tenancy
+      allow group grp-auditors to read buckets in tenancy
+      allow group grp-auditors to read nat-gateways in tenancy
+      allow group grp-auditors to read public-ips in tenancy
+      allow group grp-auditors to read file-family in tenancy
+      allow group grp-auditors to read instance-configurations in tenancy
+      allow group grp-auditors to read network-security-groups in tenancy
+      allow group grp-auditors to read resource-availability in tenancy
+      allow group grp-auditors to read audit-events in tenancy
+      allow group grp-auditors to read users in tenancy
+      allow group grp-auditors to read vss-family in tenancy
+      allow group grp-auditors to read dns in tenancy
+      allow group grp-auditors to use cloud-shell in tenancy
+      ```
+    - For tenancies **with** Identity Domains use
+      ```
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
+      ```
   - Assign a user to the `grp-auditors` group
   - Log out of the OCI Console
 
@@ -128,6 +150,12 @@ The report results are summarized in two files:
 - *cis_html_summary_report.html* &ndash; The report in HTML that displays the all recommendations and their compliance status, respectively.
 - *Consolidated_Report.xslx* &ndash; An XSLX workbook with a summary and sheets for the non-compliant recommendations.
 
+### Known Issues
+
+#### Wrong urllib3 version
+
+There is a known dependency between Python urllib3 version 2 and the OS installed version of OpenSSL. The script tries to handle this automatically using a working version of urllib3. If the handling does not work let us know.
+
 ## Credits
 
 The *OCI Security Health Check - Standard Edition* streamlines the usage of the bundled [Compliance Checking Script](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the [CIS OCI Landing Zone Quick Start Template](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
@@ -140,8 +168,8 @@ The Compliance Checking Script is certified by the [CIS Center of Internet Secur
 
 # License
 
-Copyright (c) 2022-2023 Oracle and/or its affiliates.
+Copyright (c) 2022-2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
-See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/folder-structure/LICENSE) for more details.
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
diff --git a/...ts/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt b/...ts/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt
@@ -2,7 +2,7 @@
 OCI Security Health Check - Standard Edition
 ============================================
 Owner: Olaf Heimburger
-Version: 230922
+Version: 240130
 
 When to use this asset?
 
@@ -23,12 +23,13 @@ Usage
   steps for setting this up are described in the next chapter.
 
 1.1 Setup an Auditor group and policy
-  Using an auditor group is the recommended way to run the assessment script.
-  To create a group for auditing do the following steps:
-
-  - Log into OCI Console as OCI administrator
+  - Check whether your tenancy is still not migrated to Identity Domains:
+  - Login to OCI Console as OCI Administrator
+    - Select "Identity & Security"
+    - If "Domains" are listed you are migrated to Identity Domains
   - Create a group grp-auditors
   - Create a policy pcy-auditing with these statements:
+- For tenancies without Identity Domains use
     allow group grp-auditors to inspect all-resources in tenancy
     allow group grp-auditors to read instances in tenancy
     allow group grp-auditors to read load-balancers in tenancy
@@ -44,6 +45,22 @@ Usage
     allow group grp-auditors to read vss-family in tenancy
     allow group grp-auditors to read dns in tenancy
     allow group grp-auditors to use cloud-shell in tenancy
+- For tenancies *with* Identity Domains use
+      allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
+      allow group 'Default'/'grp-auditors' to read instances in tenancy
+      allow group 'Default'/'grp-auditors' to read load-balancers in tenancy
+      allow group 'Default'/'grp-auditors' to read buckets in tenancy
+      allow group 'Default'/'grp-auditors' to read nat-gateways in tenancy
+      allow group 'Default'/'grp-auditors' to read public-ips in tenancy
+      allow group 'Default'/'grp-auditors' to read file-family in tenancy
+      allow group 'Default'/'grp-auditors' to read instance-configurations in tenancy
+      allow group 'Default'/'grp-auditors' to read network-security-groups in tenancy
+      allow group 'Default'/'grp-auditors' to read resource-availability in tenancy
+      allow group 'Default'/'grp-auditors' to read audit-events in tenancy
+      allow group 'Default'/'grp-auditors' to read users in tenancy
+      allow group 'Default'/'grp-auditors' to read vss-family in tenancy
+      allow group 'Default'/'grp-auditors' to read dns in tenancy
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
   - Assign a user to the grp-auditors group
   - Log out of OCI Console
 
@@ -72,20 +89,25 @@ Usage
     compressed in a single ZIP file and the resulting ZIP file will be moved to
     the home directory of the account running the script.
 
+4 Known Issues
+
+4.1 Wrong urllib3 version
+
+There is a known dependency between Python urllib3 version 2 and the OS installed version of OpenSSL. The script tries to handle this automatically using a working version of urllib3. If the handling does not work let us know.
 
-4 Credits
+5 Credits
 
 The OCI Security Health Check - Standard Edition streamlines the usage of the bundled Compliance Checking Script (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/compliance-script.md) provided by the CIS OCI Landing Zone Quick Start Template (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
 
 The OCI Security Health Check - Standard Edition would not be possible without the great work of the CIS OCI Landing Zone Quick Start Template Team (https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/graphs/contributors).
 
-5 Certification
+6 Certification
 
 The Compliance Checking Script is certified by the CIS Center of Internet Security for the OCI Oracle Cloud Foundation Benchmark v1.2.O, Level 1 and 2 (https://www.cisecurity.org/partner/oracle).
 
-6 License
+7 License
 
-Copyright (c) 2022-2023 Oracle and/or its affiliates.
+Copyright (c) 2022-2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 

diff --git a/...-security-health-check-standard/files/oci-security-health-check-standard/requirements.txt b/...-security-health-check-standard/files/oci-security-health-check-standard/requirements.txt
@@ -1,5 +1,6 @@
+urllib3==1.26.17
 xlsxwriter>=3.0.3
 pandas>=1.5.2
 openpyxl>=3.0.10
 pyyaml>=6.0
-oci>=2.110
+oci>=2.119.0