Known Issues for Cloud Guard

Details: Detector and responder rules apply to a particular resource type. Conditional groups allow you specify particular resources of that type to be included or excluded from applying a rule.

Scenario 1: You can provide resource OCIDs to a conditional group as custom values or in a managed list. Cloud Guard does not check the validity of these values.

Scenario 2: When you add a country or region as a conditional group parameter to an Activity Detector, Cloud Guard does not check the validity of these values.

Workaround: In both scenarios above, ensure that you provide valid values. For a list of valid country and region values, see Using Conditional Groups with Recipe Rules.

Direct link to this issue: No value checking for conditional groups

Details: When a load balancer's SSL certificate is issued by Oracle Cloud Infrastructure Certificate service, and the expiration date for the certificate is within the expiration warning time, the 'Load balancer SSL certificate expiring soon' rule in the OCI Configuration Detector does not detect the condition and report a problem.

Workaround: None at this time, other than switching the load balancer to an SSL certificate issued by a different certificate authority.

Direct link to this issue: "Load balancer SSL certificate expiring soon" Configuration Detector Rule not working for OCI Issued Certificates

Details: Two issues have been identified that can cause the "Local user authenticated without MFA" detector rule to falsely report a problem:

1. Conditional groups that use freeform tags or defined tags are sometimes not processed correctly, or are ignored.

   Workaround: Specify the exact resource OCID to be excluded by the rule.

2. The MFA information that this rule relies on is sometimes missing.

   Workaround: None at this time.

Direct link to this issue: False positives on "Local user authenticated without MFA" detector rule