lacework-global-682
Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 (Automated)
Description
Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. Best practices recommend that no security list allows unrestricted ingress access to port 22.
Remediation
From Console:
- Log in to the OCI Console.
- Click the search bar at the top of the screen.
- Type Advanced Resource Query and press Enter.
- Click the Advanced Resource Query button in the upper right corner of the screen.
- Enter the following query in the query box:
query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)
- For each security list in the returned results, click the security list name.
- Either edit the ingress rule to be more restrictive, delete the ingress rule, or click the Virtual Cloud Network (VCN) and terminate the security list, as appropriate.
From CLI:
- Execute the following command:
oci search resource structured-search --query-text "query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)"
- For each of the security lists identified, execute the following command:
oci network security-list get --security-list-id <security list id>
- Then either:
Update the security list by copying the ingress-security-rules element from the JSON returned by the preceding command, editing it appropriately, and passing the edited JSON to the following command:
oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'
OR
Delete the security list with the following command:
oci network security-list delete --security-list-id <security list id>
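The console query above and the CLI steps both rely on the same test: an ingress rule whose source is 0.0.0.0/0, whose protocol is 6 (TCP), and whose destination port range is exactly 22. The following Python script is an added example, not part of the Lacework policy or the OCI CLI, that applies that test to the JSON returned by "oci network security-list get" and produces the edited ingress-security-rules value for the update command. It goes beyond the page's query in one respect: it also flags rules whose port range merely contains 22 (for example 1-65535) or whose protocol is "all", since those expose SSH just as much. The kebab-case keys (ingress-security-rules, tcp-options, destination-port-range) follow the OCI CLI's JSON output; the sample security list, its OCID and the admin CIDR 203.0.113.0/24 are constructed for the example.

```python
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"


def rule_covers_port(rule, port):
    """True if this ingress rule admits TCP traffic to `port`.

    Keys follow the JSON emitted by `oci network security-list get`.
    Protocol "6" is TCP; "all" matches every protocol. A missing
    destination-port-range means the rule applies to every port.
    """
    proto = str(rule.get("protocol", ""))
    if proto not in ("6", "all"):
        return False
    tcp = rule.get("tcp-options") or {}
    dst = tcp.get("destination-port-range")
    if dst is None:
        return True
    return dst["min"] <= port <= dst["max"]


def is_open_ssh_rule(rule, port=SSH_PORT):
    """The page's condition, widened to any range that contains the port."""
    return rule.get("source") == ANY_IPV4 and rule_covers_port(rule, port)


def find_open_ssh_rules(rules):
    """Indexes of offending rules, for reporting before any change is made."""
    return [i for i, r in enumerate(rules) if is_open_ssh_rule(r)]


def remediate_ingress_rules(rules, admin_cidr=None):
    """Return a new rule list: offending rules are dropped, or narrowed to
    `admin_cidr` when one is given. The input list is not modified."""
    fixed = []
    for rule in rules:
        if not is_open_ssh_rule(rule):
            fixed.append(rule)
        elif admin_cidr:
            narrowed = dict(rule)
            narrowed["source"] = admin_cidr
            fixed.append(narrowed)
    return fixed


def build_update_command(get_output, admin_cidr=None):
    """Build the `oci network security-list update` command line from the
    parsed output of `oci network security-list get`."""
    data = get_output["data"]
    rules_json = json.dumps(remediate_ingress_rules(data["ingress-security-rules"], admin_cidr))
    return ("oci network security-list update --security-list-id %s "
            "--ingress-security-rules '%s'" % (data["id"], rules_json))


# Constructed sample, shaped like the `oci network security-list get` output.
SAMPLE_GET_OUTPUT = {
    "data": {
        "id": "ocid1.securitylist.oc1..EXAMPLE",  # placeholder OCID
        "ingress-security-rules": [
            {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22},
                             "source-port-range": None}},
            {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 1, "max": 65535},
                             "source-port-range": None}},
            {"source": "10.0.0.0/16", "protocol": "6", "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22},
                             "source-port-range": None}},
            {"source": "0.0.0.0/0", "protocol": "6", "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 443, "max": 443},
                             "source-port-range": None}},
        ],
    }
}

if __name__ == "__main__":
    rules = SAMPLE_GET_OUTPUT["data"]["ingress-security-rules"]
    print("offending rule indexes:", find_open_ssh_rules(rules))
    # Narrow SSH to a constructed administrative range instead of deleting it.
    print(build_update_command(SAMPLE_GET_OUTPUT, admin_cidr="203.0.113.0/24"))
```

In practice the get output is loaded with json.load from the CLI's stdout; the narrowing path keeps an administrator's SSH access while removing the world-reachable rule, which is the concern the Impact section below raises. Note that the rule allowing 10.0.0.0/16 to port 22 and the 0.0.0.0/0 rule for port 443 are left untouched: only the world-open rules that cover port 22 are changed.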
Impact:
When updating an existing environment, make sure that administrators who currently rely on an ingress rule from 0.0.0.0/0 retain access to ports 22 and/or 3389 through another network security group or security list.