Oracle Cloud Infrastructure Configuration Detector Rules
Lacework provides coverage of the Oracle Cloud Infrastructure Configuration Detector Rules (or OCI Configuration Detector Rules for short).
Once you have integrated your Oracle Cloud Infrastructure (OCI) environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Visibility and Usage in the Lacework Console
You can use the OCI Configuration Detector Rules in the following ways:
- Enable or disable policies through the Policies page (see OCI Configuration Detector Rule Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled OCI Configuration Detector Rule policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the CIS OCI 1.2.0 Benchmark.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the OCI Configuration Detector Rules as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your OCI environment with the Lacework Compliance platform. Completing this will prepare your environment for the OCI Configuration Detector Rules:
Previous Integrations using Terraform
If you have previously integrated OCI with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run
terraform init -upgradeto initialize the working directory (containing the Terraform files). - Run
terraform planand review the changes that will be applied. - Once satisfied with the changes that will be applied, run
terraform applyto upgrade the modules.
OCI Configuration Detector Rule Policies
All policies for the OCI Configuration Detector Rules are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:oci-cfg-detector tag to filter for OCI Configuration Detector Rules only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the OCI Configuration Detector Rules using the following commands in the Lacework CLI:
lacework policy enable --tag framework:oci-cfg-detector
lacework policy disable --tag framework:oci-cfg-detector
Enable or disable specific OCI Configuration Detector Rule policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-724
lacework policy disable lacework-global-724
Policy Mapping for OCI Configuration Detector Rules
The mapping of Lacework policies to the resource types of the OCI Configuration Detector Rules is shown in the tables below.
Table key:
- Title - The policy/rule title.
- Lacework Policy ID - The Lacework policy identifier.
- Lacework Assessment - Whether Lacework have determined that the rule can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
This framework uses CIS OCI 1.2.0 Benchmark policies when there is an overlap with the OCI CFG Detector Rules.
- Compute Resources
- Database Resources
- IAM Resources
- KMS Resources
- Multiple Resources
- Networking Resources
- Scanning Resources
- Storage Resources
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Instance has a public IP address | lacework-global-724 | Automated | Low |
| Instance is publicly accessible | lacework-global-725 | Automated | Medium |
| Instance is running an Oracle public image | lacework-global-717 | Manual | Low |
| Instance is not running an Oracle public image | TBA | TBA | Low |
| Instance is running without required Tags | lacework-global-661 | Automated | Low |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Data Safe is not enabled | TBA | TBA | High |
| Database is not backed up automatically | TBA | TBA | High |
| Database is not registered in Data Safe | TBA | TBA | Medium |
| Database patch is not applied | TBA | TBA | Medium |
| Database System has public IP address | TBA | TBA | High |
| Database System is publicly accessible | TBA | TBA | Critical |
| Database system patch is not applied | TBA | TBA | High |
| Database System version is not sanctioned | TBA | TBA | Critical |
| Database version is not sanctioned | TBA | TBA | Critical |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| API key is too old | lacework-global-675 | Automated | Medium |
| IAM Auth Token is too old | lacework-global-677 | Automated | Medium |
| IAM Customer Secret Key is too old | lacework-global-676 | Automated | Medium |
| IAM group has too few members | lacework-global-211 | Automated | Medium |
| IAM group has too many members | lacework-global-212 | Manual | Medium |
| Password is too old | lacework-global-722 | Automated | Medium |
| Password policy does not meet complexity requirements | lacework-global-210 | Automated | Medium |
| Policy gives too many privileges | lacework-global-669 | Automated | High |
| Tenancy admin privilege granted to group | lacework-global-670 | Automated | High |
| User does not have MFA enabled | lacework-global-674 | Automated | High |
| User has API keys | lacework-global-208 | Automated | Medium |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Key has not been rotated | TBA | TBA | High |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Resource is not tagged appropriately | TBA | TBA | Low |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Load balancer allows weak cipher suites | lacework-global-214 | Automated | Medium |
| Load balancer allows weak SSL communication | lacework-global-400 | Automated | Medium |
| Load balancer has no backend set | lacework-global-721 | Automated | Medium |
| Load balancer has no inbound rules or listeners | lacework-global-720 | Automated | Low |
| Load balancer SSL certificate expiring soon | lacework-global-213 | Automated | Medium |
| Load Balancer has public IP address | TBA | TBA | High |
| NSG egress rule contains disallowed IP/port | lacework-global-719 | Automated | Medium |
| NSG ingress rule contains disallowed IP/port | lacework-global-718 | Automated | Medium |
| VCN has Internet Gateway attached | lacework-global-207 | Automated | Medium |
| VCN has Local Peering Gateway attached | TBA | TBA | Medium |
| VCN has no inbound Security List | TBA | TBA | High |
| VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) | TBA | TBA | High |
| VCN Security list allows traffic to restricted port | lacework-global-686 | Automated | High |
| VNIC without associated network security group | TBA | TBA | Medium |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Scanned host has open ports | TBA | TBA | Critical |
| Scanned host has vulnerabilities | TBA | TBA | Critical |
| Scanned container image has vulnerabilities | TBA | TBA | Critical |
| Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|
| Block Volume is encrypted with Oracle-managed key | lacework-global-710 | Automated | Medium |
| Block Volume is not attached | lacework-global-209 | Automated | Medium |
| Bucket is public | lacework-global-707 | Automated | Medium |
| Object Storage bucket is encrypted with Oracle-managed key | lacework-global-708 | Automated | Medium |
| Write Log access disabled for bucket | TBA | TBA | Medium |
| Read Log access disabled for bucket | TBA | TBA | Medium |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an OCI environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).