lacework-global-719
Network Security Group egress rule contains disallowed IP/port (Automated)
Description
Alert when the egress rule for a network security group contains a disallowed destination IP address and port number.
Remediation
This policy checks for a specific set of ports considered the most commonly scanned. The disallowed destination ports are:
Transmission Control Protocol (TCP): 11, 17-19, 21, 23-25, 43, 49, 53, 70-74, 79-81, 88, 111, 123, 389, 636, 445, 500, 3306, 3389, 5901, 5985, 5986, 7001, 8000, 8080, 8443, 8888
User Datagram Protocol (UDP): 11, 17-19, 49, 69, 80, 82, 83-85, 389, 443, 656, 8080
From Console:
Log in to the OCI Console.
Click the search bar at the top of the screen.
Type Advanced Resource Query and hit enter.
Click the Advanced Resource Query button in the upper right corner of the screen.
Enter the following query in the query box:
query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'
For each of the network security groups in the returned results, click the name and inspect each of the security rules.
Identify security rules with Direction: Egress, Destination: 0.0.0.0/0, and a Destination Port Range that includes any of the disallowed ports.
Either edit the security rule to restrict the destination and/or port range, or delete the rule.
From CLI:
Execute the following command:
for region in $(oci iam region list | jq -r '.data[] | .name')
do
  echo "Enumerating region $region"
  for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
  do
    echo "Enumerating compartment $compid"
    for nsgid in $(oci network nsg list --compartment-id "$compid" --region "$region" --all 2>/dev/null | jq -r '.data[] | .id')
    do
      # Keep only egress rules open to any destination; --region keeps the rule lookup in the same region as the NSG.
      output=$(oci network nsg rules list --nsg-id="$nsgid" --region "$region" --all 2>/dev/null | jq -r '.data[] | select(.destination == "0.0.0.0/0" and .direction == "EGRESS")')
      if [ -n "$output" ]; then echo "nsgid=$nsgid Security Rules=$output"; fi
    done
  done
done
For each of the network security group security rules identified, compare the ports against the disallowed ports and either:
Remove the security rules
oci network nsg rules remove --nsg-id=<nsg-id> --security-rule-ids='["<security-rule-id>"]'
OR
Update the security rules
oci network nsg rules update --nsg-id=<nsg-id> --security-rules='[<updated security-rules JSON (without isValid and TimeCreated fields)>]'
For example:
oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ "description": null, "source": null, "source-type": null, "direction": "EGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "destination": "140.238.154.0/24", "destination-type": "cidr_block", "tcp-options": { "destination-port-range": { "max": 29, "min": 29 }, "source-port-range": null }, "udp-options": null }]'
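The comparison step above can be automated over the JSON that `oci network nsg rules list` returns. The script below is an added example, not Lacework's or Oracle's own code; it assumes the hyphenated key format shown in the update example (`tcp-options`, `destination-port-range`) and that a rule with no port range opens all ports. The sample rules and their ids are constructed.

```python
import json

# Disallowed destination ports from this policy, keyed by OCI protocol number (6 = TCP, 17 = UDP).
DISALLOWED = {
    "6": "11, 17-19, 21, 23-25, 43, 49, 53, 70-74, 79-81, 88, 111, 123, 389, 636, 445, 500, "
         "3306, 3389, 5901, 5985, 5986, 7001, 8000, 8080, 8443, 8888",
    "17": "11, 17-19, 49, 69, 80, 82, 83-85, 389, 443, 656, 8080",
}
OPTIONS_KEY = {"6": "tcp-options", "17": "udp-options"}

def expand_ports(spec):
    """Expand a list such as '11, 17-19, 21' into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

DISALLOWED_PORTS = {proto: expand_ports(spec) for proto, spec in DISALLOWED.items()}

def violating_ports(rule):
    """Return {protocol: sorted disallowed ports} opened by an EGRESS rule to 0.0.0.0/0, else {}."""
    if rule.get("direction") != "EGRESS" or rule.get("destination") != "0.0.0.0/0":
        return {}
    proto = str(rule.get("protocol"))
    protos = list(OPTIONS_KEY) if proto == "all" else [proto]
    hits = {}
    for p in protos:
        if p not in DISALLOWED_PORTS:   # e.g. ICMP: the policy lists no ports for it
            continue
        rng = (rule.get(OPTIONS_KEY[p]) or {}).get("destination-port-range")
        # Assumption: a missing destination-port-range means the rule opens every port.
        opened = set(range(rng["min"], rng["max"] + 1)) if rng else set(range(1, 65536))
        bad = sorted(opened & DISALLOWED_PORTS[p])
        if bad:
            hits[p] = bad
    return hits

def find_violations(rules_json):
    """Map rule id -> violations for the .data array of `oci network nsg rules list` output."""
    return {r["id"]: v for r in json.loads(rules_json)["data"] if (v := violating_ports(r))}

# Constructed sample output (rule ids are placeholders, not real OCI ids).
SAMPLE = json.dumps({"data": [
    {"id": "r1", "direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}, "udp-options": None},
    {"id": "r2", "direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 29, "max": 29}}, "udp-options": None},
    {"id": "r3", "direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "all",
     "tcp-options": None, "udp-options": None},
    {"id": "r4", "direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}, "udp-options": None},
    {"id": "r5", "direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "17",
     "tcp-options": None, "udp-options": {"destination-port-range": {"min": 60, "max": 90}}},
]})

if __name__ == "__main__":
    for rule_id, hits in find_violations(SAMPLE).items():
        print(rule_id, hits)
```

Each flagged rule id can then be passed to `oci network nsg rules remove` or rewritten with `oci network nsg rules update` as shown above.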