CIS Oracle Cloud Infrastructure (OCI) 1.2.0 Benchmark
Lacework provides compliance policies based on CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0 (or CIS OCI 1.2.0 Benchmark for short).
Once you have integrated your Oracle Cloud Infrastructure (OCI) environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Visibility and Usage in the Lacework Console
You can use the CIS OCI 1.2.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS OCI 1.2.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS OCI 1.2.0 Benchmark policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the CIS OCI 1.2.0 Benchmark.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the CIS OCI 1.2.0 Benchmark as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your OCI environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS OCI 1.2.0 Benchmark:
Previous Integrations using Terraform
If you have previously integrated OCI with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run
terraform init -upgradeto initialize the working directory (containing the Terraform files). - Run
terraform planand review the changes that will be applied. - Once satisfied with the changes that will be applied, run
terraform applyto upgrade the modules.
CIS OCI 1.2.0 Benchmark Policies
All policies in the CIS OCI 1.2.0 Benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:cis-oci-1-2-0 tag to filter for CIS OCI 1.2.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS OCI 1.2.0 policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:cis-oci-1-2-0
lacework policy disable --tag framework:cis-oci-1-2-0
Enable or disable specific CIS OCI 1.2.0 policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-676
lacework policy disable lacework-global-676
Policy Mapping for CIS OCI 1.2.0
The CIS OCI 1.2.0 controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The CIS OCI 1.2.0 Benchmark security control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
- 1. Identity and Access Management (IAM)
- 2. Networking
- 3. Logging and Monitoring
- 4. Storage
- 5. Asset Management
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 1.1 | Ensure service level admins are created to manage resources of particular service | TBA | Manual | TBA | High |
| 1.2 | Give permissions on all resources only to the tenancy administrator group | lacework-global-669 | Manual | Automated | High |
| 1.3 | Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group | lacework-global-670 | Manual | Automated | High |
| 1.4 | Ensure IAM password policy requires minimum length of 14 or greater | TBA | Manual | TBA | Medium |
| 1.5 | Ensure IAM password policy expires passwords within 365 days | TBA | Manual | TBA | Medium |
| 1.6 | Ensure IAM password policy prevents password reuse | TBA | Manual | TBA | Low |
| 1.7 | Enable Multi-Factor Authentication (MFA) for all users with console password capability | lacework-global-674 | Automated | Automated | High |
| 1.8 | Ensure user API keys rotate every 90 days | lacework-global-675 | Automated | Automated | Medium |
| 1.9 | Ensure user customer secret keys rotate every 90 days | lacework-global-676 | Automated | Automated | Medium |
| 1.10 | Ensure user auth tokens rotate within 90 days | lacework-global-677 | Automated | Automated | Medium |
| 1.11 | Ensure API keys are not created for tenancy administrator users | lacework-global-678 | Automated | Automated | High |
| 1.12 | Ensure all OCI IAM user accounts have a valid and current email address | TBA | Manual | TBA | Low |
| 1.13 | Ensure Dynamic Groups are used for OCI instances, OCI Cloud Databases and OCI Function to access OCI resources. | TBA | Manual | TBA | High |
| 1.14 | Ensure storage service-level admins cannot delete resources they manage. | TBA | Manual | TBA | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.1 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 | lacework-global-682 | Automated | Automated | High |
| 2.2 | Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 | lacework-global-683 | Automated | Automated | High |
| 2.3 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | lacework-global-684 | Manual | Automated | High |
| 2.4 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | lacework-global-685 | Manual | Automated | High |
| 2.5 | Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) | lacework-global-686 | Manual | Automated | High |
| 2.6 | Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources. | TBA | Manual | TBA | High |
| 2.7 | Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network. | TBA | Manual | TBA | High |
| 2.8 | Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network | TBA | Manual | TBA | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.1 | Set audit log retention period to 365 days | lacework-global-690 | Automated | Manual | Low |
| 3.2 | Use default tags on resources | lacework-global-691 | Manual | Automated | Low |
| 3.3 | Create at least one notification topic and subscription to receive monitoring alerts | TBA | Manual | TBA | Medium |
| 3.4 | Ensure a notification is configured for Identity Provider changes | TBA | Manual | TBA | Medium |
| 3.5 | Ensure a notification is configured for IdP group mapping changes | TBA | Manual | TBA | Medium |
| 3.6 | Ensure a notification is configured for IAM group changes | TBA | Manual | TBA | Medium |
| 3.7 | Ensure a notification is configured for IAM policy changes | TBA | Manual | TBA | Medium |
| 3.8 | Ensure a notification is configured for user changes | TBA | Manual | TBA | Medium |
| 3.9 | Ensure a notification is configured for VCN changes | TBA | Manual | TBA | Medium |
| 3.10 | Ensure a notification is configured for changes to route tables | TBA | Manual | TBA | Medium |
| 3.11 | Ensure a notification is configured for security list changes | TBA | Manual | TBA | Medium |
| 3.12 | Ensure a notification is configured for network security group changes | TBA | Manual | TBA | Medium |
| 3.13 | Ensure a notification is configured for changes to network gateways | TBA | Manual | TBA | Medium |
| 3.14 | Ensure VCN flow logging is enabled for all subnets | TBA | Manual | TBA | Medium |
| 3.15 | Ensure Cloud Guard is enabled in the root compartment of the tenancy | TBA | Manual | TBA | Medium |
| 3.16 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | TBA | Manual | TBA | Medium |
| 3.17 | Ensure write level Object Storage logging is enabled for all buckets | TBA | Manual | TBA | Medium |
- 4.1 Object Storage
- 4.2 Block Volumes
- 4.3 File Storage Service
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.1.1 | Ensure no Object Storage buckets are publicly visible | lacework-global-707 | Manual | Automated | Medium |
| 4.1.2 | Encrypt Object Storage Buckets with a Customer Managed Key (CMK) | lacework-global-708 | Manual | Automated | Medium |
| 4.1.3 | Enable Versioning for Object Storage Buckets | lacework-global-709 | Automated | Automated | Low |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.2.1 | Encrypt Block Volumes with Customer Managed Keys (CMK) | lacework-global-710 | Manual | Automated | Medium |
| 4.2.2 | Ensure boot volumes are encrypted with Customer Managed Key (CMK). | TBA | Manual | TBA | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.3.1 | Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) | TBA | Manual | TBA | Critical |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.1 | Create at least one compartment in your tenancy to store cloud resources | TBA | Manual | TBA | Medium |
| 5.2 | Ensure no resources are created in the root compartment | TBA | Manual | TBA | Medium |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an OCI environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework is able to automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS OCI 1.2.0 Benchmark policies that fall within this category:
Click to expand
| Control ID | Title | Lacework Policy ID |
|---|---|---|
| 1.2 | Give permissions on all resources only to the tenancy administrator group | lacework-global-669 |
| 1.3 | Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group | lacework-global-670 |
| 2.3 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 | lacework-global-684 |
| 2.4 | Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 | lacework-global-685 |
| 2.5 | Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) | lacework-global-686 |
| 3.2 | Use default tags on resources | lacework-global-691 |
| 4.1.1 | Ensure no Object Storage buckets are publicly visible | lacework-global-707 |
| 4.1.2 | Encrypt Object Storage Buckets with a Customer Managed Key (CMK) | lacework-global-708 |
| 4.2.1 | Encrypt Block Volumes with Customer Managed Keys (CMK) | lacework-global-710 |
Manual Policies (that were deemed automated)
In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.
This is often due to one of the following reasons:
- Scope is defined by the user.
- It requires configuring other products or API permissions that are out of scope.
- Known issues for audit procedure described by the CIS control.
The following table outlines the CIS OCI 1.2.0 benchmark policies that fall within this category:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.1 | Ensure audit log retention period is set to 365 days | lacework-global-690 |