Detector Recipe Reference
Review summary information for all types of Oracle-managed detector recipes.
The following sections include best practice recommendations for modifying detector recipe rules. Oracle-managed recipes allow different types of rule changes, compared with user-managed (cloned) recipes. In general, this information applies to all types of detector recipes.
Accessing a detector recipe from the Detector Recipes page allows different types of rule changes, compared with accessing from the Targets page. See Modifying Recipes at Recipe and Target Levels.
Reference material for the Oracle-managed activity detector recipe that Cloud Guard provides is grouped below by resource type. Expand a Rule Display Name to view the details.
Bastion Resources
Description: Alert when a new Bastion instance is created.
Recommendation: Ensure that only authorized users create Bastion instances.
Background: Bastions provide users with secure and seamless SSH access to target hosts in private subnets, while still restricting direct public access.
Rule Parameters:
- Service Type: Bastion
- Resource Type: Instance
- Risk Level: LOW
- Labels: Bastion
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a new Bastion session is created.
Recommendation: Ensure that only authorized users create Bastion sessions.
Background: A Bastion Session provides time-bound, secure, and seamless SSH access to a target host in private subnets, while still restricting direct public access.
Rule Parameters:
- Service Type: Bastion
- Resource Type: Instance
- Risk Level: LOW
- Labels: Bastion
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Certificates Resources
Description: Alert when a CA bundle is updated.
Recommendation: Ensure that only authorized users update CA bundles. If the user is not authorized, reverse the update.
Background: A CA bundle is a file that contains root and intermediate certificates. The CA in the bundle vouches for the users' intermediate certificates. When a CA bundle is updated, a user who is associated with a deleted intermediate certificate is no longer able to access resources vouched for by the CA. Similarly, a user who is associated with an intermediate certificate that is added is now able to access those resources.
Rule Parameters:
- Service Type: Certificates
- Resource Type: User
- Risk Level: MEDIUM
- Labels: Certificates
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a certifying authority (CA) bundle is deleted.
Recommendation: Ensure that only authorized users delete CA bundles. If the user is not authorized, cancel the deletion.
Background: A CA bundle is a file that contains root and intermediate certificates. The CA in the bundle vouches for the users' intermediate certificate. When a CA bundle is deleted, the users who are associated with the intermediate certificates are no longer able to access resources that require the CA's vouching.
Rule Parameters:
- Service Type: Certificates
- Resource Type: User
- Risk Level: MEDIUM
- Labels: Certificates
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when an intermediate certificate in a certifying authority (CA) bundle is revoked.
Recommendation: Ensure that only authorized users revoke intermediate certificates in CA bundles. If the user is not authorized, cancel the revocation.
Background: When an intermediate certificate in a CA bundle is revoked, the associated user is no longer able to access resources that require the user's intermediate certificate to be vouched for by an approved CA.
Rule Parameters:
- Service Type: Certificates
- Resource Type: User
- Risk Level: MEDIUM
- Labels: Certificates
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Compute Resources
Description: Alert when a Compute image is exported.
Recommendation: Images that contain anything proprietary should be tagged accordingly with export privileges allowed only to suitable OCI administrators.
Background: Compute images might be equivalent to "data drives" and contain sensitive information. Images that might contain anything proprietary should be identified accordingly with export privileges permitted only to suitable OCI administrators.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MINOR
- Labels: Compute
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a Compute image is imported.
Recommendation: Ensure that a person expected to bring new images into your environment imports the compute image from trusted sources, such as Oracle or a trusted Compute administrator.
Background: Compute images are the foundations for compute instances. A new image impacts every future compute instance launched from that image, so imported images should come from known and trusted sources.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MINOR
- Labels: Compute
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a Compute instance is terminated.
Recommendation: Use IAM policies to restrict instance termination operations.
Background: Compute instances might deliver critical functions.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: Compute
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a Compute image is updated.
Recommendation:
Ensure that:
- A person expected to bring new images into your environment imports the image.
- The image is imported from trusted sources, such as Oracle or a trusted Compute administrator.
Background: Compute images are the foundations for compute instances. A modification to images impacts every future compute instance launched from that image. Images and any changes related to them should come from known and trusted sources.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: LOW
- Labels: Compute
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Database Resources
Description: Alert when a database system is terminated.
Recommendation: Ensure that a permitted administrator sanctions and performs the termination of the database system and related databases.
Background: Database systems might hold sensitive data and provide critical functionality. Termination of a database system permanently deletes the system, any databases running on it, and any storage volumes attached to it.
Rule Parameters:
- Service Type: DB System
- Resource Type: System
- Risk Level: HIGH
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
IAM Resources
Description: Alert when IAM API keys are created for a user.
Recommendation: Ensure that API keys are created only by users who are authorized to create API keys, for themselves or for other users.
Background: API keys are needed to use one of the Oracle SDKs or other developer tools. Use of these developer tools by persons whose job function doesn't require it is a security vulnerability.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to create API keys for users.
Description: Alert when a user's IAM API key is deleted.
Recommendation: Ensure that API keys are deleted only by users who are authorized to create and delete API keys.
Background: API keys are needed to use one of the Oracle SDKs or other developer tools. Deletion of API keys for a user who is working with Oracle developer tools can seriously impact productivity.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to delete users' API keys.
Description: Alert when an IAM Auth Token is created for a user.
Recommendation: Ensure that IAM Auth Tokens are created by and for authorized users.
Background: Auth Tokens can be used to authenticate with third-party APIs. Availability of Auth Tokens to people whose job function doesn't require them creates a security vulnerability. See User Credentials.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to create IAM Auth Tokens.
Description: Alert when an IAM Auth Token is deleted for a user.
Recommendation: Ensure that IAM Auth Tokens are deleted by authorized users.
Background: Auth Tokens can be used to authenticate with third-party APIs. Availability of Auth Tokens to people whose job function doesn't require them creates a security vulnerability. See User Credentials.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to delete IAM Auth Tokens.
Description: Alert when IAM customer keys are created.
Recommendation: Ensure that these keys are created only for authorized users.
Background: Customer secret keys are created for Amazon S3 Compatibility API use with Object Storage.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to create IAM customer keys.
Description: Alert when IAM customer keys are deleted.
Recommendation: Ensure that deletion of these keys is expected.
Background: Customer secret keys are created for Amazon S3 Compatibility API use with Object Storage.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to delete IAM customer keys.
Description: Alert when an IAM group is created.
Recommendation: Ensure that only authorized users create IAM groups.
Background: Groups control access to resources and privileges.
Rule Parameters:
- Service Type: IAM
- Resource Type: Group
- Risk Level: MINOR
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when an IAM group is deleted.
Recommendation: Ensure that only authorized users perform IAM group deletions.
Background: Groups control access to resources and privileges.
Rule Parameters:
- Service Type: IAM
- Resource Type: Group
- Risk Level: MINOR
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when IAM OAuth 2.0 credentials are created.
Recommendation: Ensure that these credentials are created only for authorized users.
Background: IAM OAuth 2.0 credentials are for interacting with the APIs of those services that use OAuth 2.0 authorization. See User Credentials.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to create IAM OAuth 2.0 credentials.
Description: Alert when IAM OAuth 2.0 credentials are deleted.
Recommendation: Ensure that deletion of these credentials is expected.
Background: IAM OAuth 2.0 credentials are for interacting with the APIs of those services that use OAuth 2.0 authorization. See User Credentials.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to delete IAM OAuth 2.0 credentials.
Description: Alert when an IAM user's capabilities are edited.
Recommendation: Ensure that only authorized users change an IAM user's capabilities.
Background: To access Oracle Cloud Infrastructure, a user must have the required credentials, such as API keys, auth tokens, and other credentials.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Leave default settings.
Description: Alert when a local or federated user is created in OCI IAM.
Recommendation: Ensure that only authorized users create IAM users.
Background: An IAM user can be an individual employee or system that needs to manage or use your company's Oracle Cloud Infrastructure resources.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: MINOR
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a user's Console password is created or reset.
Recommendation: Ensure that a user's password is reset by the user, or by an admin user who is authorized to reset passwords.
Background: Resetting a user's password multiple times, or resetting by a user who is not authorized to reset user passwords, might indicate a security risk.
Rule Parameters:
- (Status: Disabled)
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to reset user passwords.
Description: Alert when a security policy is modified.
Recommendation:
Ensure that:
- The policy is restricted to allow only specific users to access the resources required to accomplish their job functions.
- The modification is sanctioned.
Background: Changing policies impacts all users in the group and might give privileges to users who do not need them.
Rule Parameters:
- Service Type: IAM
- Resource Type: Policy
- Risk Level: LOW
- Labels: CIS_OCI_V1.1_MONITORING, IAM
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.7 - Ensure that a notification is configured for IAM policy changes.
- Leave default settings.
Description: Alert when a local user who does not have multi-factor authentication (MFA) enabled is authenticated.
Recommendation: Ensure that all users have MFA enabled.
Background: Multi-factor authentication (MFA) increases security by requiring compromise of more than one credential to impersonate a user. Unauthorized users will be unable to meet the second authentication requirement and will not be able to access the environment.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: HIGH
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, IAM
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.7 - Ensure that a notification is configured for IAM policy changes.
- Leave default settings.
Description: Alert when a user is added to a group.
Recommendation: Ensure that the user is entitled to be a member of the group.
Background: Groups control access to resources and privileges. Sensitive groups should be closely monitored for membership changes.
Rule Parameters:
- Service Type: IAM
- Resource Type: Group
- Risk Level: MINOR
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, IAM
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.6 - Ensure that a notification is configured for IAM group changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a user is removed from a group.
Recommendation: Ensure that the user is entitled to be a member of the group.
Background: Groups control access to resources and privileges. Sensitive groups should be closely monitored for membership changes.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: MINOR
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to remove users from this group.
Networking Resources
Description: Alert when a dynamic routing gateway (DRG) is attached to a VCN.
Recommendation: Ensure that the attaching of this DRG to the VCN is permitted and expected in this compartment by the resource (user).
Background: DRGs are used to connect existing on-premises networks to a virtual cloud network (VCN) with IPSec VPN or FastConnect.
Rule Parameters:
- (Status: Disabled)
- Service Type: Networking
- Resource Type: DRG
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to attach DRGs to VCNs.
Description: Alert when a dynamic routing gateway (DRG) is created.
Recommendation: Ensure that the creation of this DRG is permitted and expected in this compartment by the resource (user).
Background: DRGs are used to connect existing on-premises networks to a virtual cloud network (VCN) with IPSec VPN or FastConnect.
Rule Parameters:
- (Status: Disabled)
- Service Type: Networking
- Resource Type: DRG
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to create DRGs.
Description: Alert when a dynamic routing gateway (DRG) is deleted.
Recommendation: Ensure that deletion of this DRG is permitted and expected by the resource (user).
Background: DRGs are used to connect existing on-premises networks to a virtual cloud network (VCN) with IPSec VPN or FastConnect.
Rule Parameters:
- (Status: Disabled)
- Service Type: Networking
- Resource Type: DRG
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to delete DRGs.
Description: Alert when a dynamic routing gateway (DRG) is detached from a VCN.
Recommendation: Ensure that the detaching of this DRG from the VCN is permitted and expected in this compartment by the resource (user).
Background: DRGs are used to connect existing on-premises networks to a virtual cloud network (VCN) with IPSec VPN or FastConnect.
Rule Parameters:
- (Status: Disabled)
- Service Type: Networking
- Resource Type: DRG
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Enable rule if you want to see which users are doing group-related operations.
- Conditional Groups: Trigger a problem only if user is not in an admin group with permission to detach DRGs from VCNs.
Description: Alert when a subnet is changed.
Recommendation: Ensure that the change to the VCN is permitted and expected in this compartment.
Background: Subnets are subdivisions of a VCN. Compute instances that are connected in the same subnet use the same route table, security lists, and DHCP options.
Rule Parameters:
- Service Type: Networking
- Resource Type: Subnet
- Risk Level: LOW
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a subnet is deleted.
Recommendation: Enable multi-factor authentication (MFA) to ensure that the user is a genuinely logged in user and the credentials are not compromised.
Background: Subnets are subdivisions of a VCN. Compute instances that are connected in the same subnet use the same route table, security lists, and DHCP options.
Rule Parameters:
- Service Type: Networking
- Resource Type: Subnet
- Risk Level: LOW
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a user logs in, or an API invocation is made, from a suspicious IP address. If the proper policy is in place, provide a link from the Cloud Guard problem to detailed information on the suspicious IP address in the Threat Intelligence Service. For details on the required policy, see Threat Intelligence IAM Policies.
Recommendation: Enable multi-factor authentication (MFA) to ensure that the user is a genuinely logged in user and the credentials are not compromised.
Background: A user logging in from a suspicious IP address is a potential threat.
Rule Parameters:
- Service Type: Cloud Guard
- Resource Type: Security
- Risk Level: CRITICAL
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Blocklist or allowlist CIDR blocks or specific IP addresses in the rule's Input Setting section.
Description: Alert when a VCN is created.
Recommendation: Ensure that the creation of a new VCN is permitted and expected in this compartment.
Background: A VCN is a virtual, private network that you set up in Oracle data centers. Like a traditional network, it might contain firewall rules and specific types of communication gateways.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.9 - Ensure that a notification is configured for VCN changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN is deleted.
Recommendation: Ensure that the deletion of a VCN is permitted and expected in this compartment.
Background: A VCN is a virtual, private network that you set up in Oracle data centers. Like a traditional network, it might contain firewall rules and specific types of communication gateways. VCN deletion can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.9 - Ensure that a notification is configured for VCN changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN DHCP option is changed.
Recommendation: Ensure that the change to DHCP and DNS information is permitted for this VCN and related resources.
Background: DHCP options control certain types of configuration on the instances in a VCN, including the specification of search domains and DNS resolvers that can direct communications within VCNs or out to internet resources. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: DHCP
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.9 - Ensure that a notification is configured for VCN changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN internet gateway is created.
Recommendation: Ensure that the creation of an internet gateway is permitted for this VCN and its related resources.
Background: Internet gateways are virtual routers you can add to your VCN to enable direct connectivity (inbound from, or outbound to) the internet. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Internet Gateway
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.13 - Ensure that a notification is configured for changes to network gateways.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN internet gateway is terminated.
Recommendation: Ensure that the deletion of an internet gateway is permitted for this VCN and its related resources.
Background: Internet gateways are virtual routers you can add to your VCN to enable direct connectivity (inbound from, or outbound to) the internet. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Internet Gateway
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.13 - Ensure that a notification is configured for changes to network gateways.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN local peering gateway is changed.
Recommendation: Ensure that the changes to the LPG are permitted for this VCN and its related resources.
Background: VCN local peering gateways (LPGs) connect two VCNs in the same region without routing traffic over the internet. LPGs allow resources in the peered VCNs to communicate directly using private IP addresses. Changes to LPGs can impact resource access and cross-VCN communications. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Local Peering Gateway
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.13 - Ensure that a notification is configured for changes to network gateways.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's NSG is deleted.
Recommendation: Ensure that the removal of the NSG is permitted for this VCN and its related resources.
Background: Network security groups (NSGs) act as a virtual firewall for compute instances and other kinds of resources. NSGs have a set of inbound (ingress) and outbound (egress) security rules applied to a set of virtual NICs in a VCN. Deleting NSGs can remove protections between resources in the VCN, and cause denial of access to resources or data loss.
Rule Parameters:
- Service Type: Networking
- Resource Type: Network Security Group
- Risk Level: HIGH
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.12 - Ensure that a notification is configured for network security group changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's NSG egress rule is changed.
Recommendation: Ensure that the new egress rules are permitted for this NSG and its related resources.
Background: Network security groups (NSGs) act as a virtual firewall for compute instances and other kinds of resources. NSGs have a set of inbound (ingress) and outbound (egress) security rules applied to a set of virtual NICs in a VCN. Egress rule changes can cause denial of access to resources.
Rule Parameters:
- Service Type: Networking
- Resource Type: Network Security Group
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.12 - Ensure that a notification is configured for network security group changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's NSG ingress rule is changed.
Recommendation: Ensure that the new ingress rules are permitted for this NSG and its related resources.
Background: Network security groups (NSGs) act as a virtual firewall for compute instances and other kinds of resources. NSGs have a set of inbound (ingress) and outbound (egress) security rules applied to a set of virtual NICs in a VCN. Changes to NSG ingress rules might allow connections and traffic to new resources and VNICs in the VCN.
Rule Parameters:
- Service Type: Networking
- Resource Type: Network Security Group
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.12 - Ensure that a notification is configured for network security group changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's route table is changed.
Recommendation: Ensure that the change to the route table is permitted and expected in this compartment.
Background: Virtual route tables have rules that look and act like traditional network route rules. Misconfigured route tables might cause network traffic to be dropped (blackholed) or sent to an unintended target. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Route Table
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.10 - Ensure that a notification is configured for changes to route tables.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a security list is created for a VCN.
Recommendation: Ensure that the creation of this security list is permitted for this VCN and its related resources.
Background: Security lists act as virtual firewalls for compute instances and other resources and consist of sets of ingress and egress rules that apply to all the VNICs in any subnet associated with that security list. Multiple security lists might apply to a resource and give access to ports and IP addresses for that resource. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Security List
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.11 - Ensure that a notification is configured for security list changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a security list for a VCN is deleted.
Recommendation: Ensure that the removal of this security list is permitted for this VCN and its related resources.
Background: Security lists act as virtual firewalls for compute instances and other resources and consist of sets of ingress and egress rules that apply to all the VNICs in any subnet associated with that security list. Multiple security lists might apply to a resource and give access to ports and IP addresses for that resource. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Security List
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.11 - Ensure that a notification is configured for security list changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's security list egress rules are changed.
Recommendation: Ensure that the changes to the egress rules are permitted for this security list and its related resources.
Background: Security lists act as virtual firewalls for compute instances and other resources and consist of sets of ingress and egress rules that apply to all the VNICs in any subnet associated with that security list. Multiple security lists might apply to a resource and give access to ports and IP addresses for that resource. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Security List
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.11 - Ensure that a notification is configured for security list changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Description: Alert when a VCN's security list ingress rules are changed.
Recommendation: Ensure that the changes to the ingress rules are permitted for this security list and its related resources.
Background: Security lists act as virtual firewalls for compute instances and other resources. Each consists of sets of ingress and egress rules that apply to all the VNICs in any subnet associated with that security list. Multiple security lists might apply to resources and give access to ports and IP addresses for those resources. VCN changes can change routing, FQDN resolution, and other networking operations.
Rule Parameters:
- Service Type: Networking
- Resource Type: Security List
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: Not applicable.
- CIS 1.1: 3.11 - Ensure that a notification is configured for security list changes.
- CIS 1.0: 4.6 Ensure that a notification is configured for IAM group changes.
- Leave default settings.
Reference material for the Oracle-managed configuration detector recipes that Cloud Guard provides is grouped below by resource type. Expand a Rule Display Name to view the details.
Compute Resources
Description: Alert when a Compute instance has a public IP address.
Recommendation: Carefully consider allowing internet access to any instances. For example, you do not want to accidentally allow internet access to sensitive database instances.
Background: For an instance to be publicly addressable, it must:
- Have a public IP address
- Exist in a public virtual cloud network (VCN) subnet
- Be on a VCN that has an enabled internet gateway configured for outbound traffic
- Be on a subnet where the security list is configured for all IP addresses and all ports (0.0.0.0/0)
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, Compute
- PCI-DSS 3.2.1: 1.3 - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- CIS 1.1:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- CIS 1.0:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- Delete the public IP from the instance: Follow the instructions in To delete an ephemeral public IP from an instance.
Description: Alert when a Compute instance is not built from an Oracle public image.
Recommendation: Ensure that your instances are all running sanctioned images from trusted sources.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: LOW
- Labels: Compute
- PCI-DSS 3.2.1: 2.2 - Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards might include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST)
- CIS 1.1: Not Covered by CIS 1.1.
- CIS 1.0: Not Covered by CIS 1.0.
- Leave default settings.
Description: Alert when an instance is publicly accessible.
Recommendation: Carefully consider allowing internet access to any instances.
Background: For an instance to be publicly addressable, it must:
- Have a public IP address
- Exist in a public VCN subnet
- Be on a VCN that has an enabled internet gateway configured for outbound traffic
- Be on a subnet where the security list is configured for all IP addresses and all ports (0.0.0.0/0)
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: CRITICAL
- Labels: Compute
- PCI-DSS 3.2.1: 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- CIS 1.1:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- CIS 1.0:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- Conditional Groups: Filter out instance OCIDs for any that should have a public IP address.
Description: Alert when a Compute instance that's running is built from an Oracle public image.
Recommendation: Ensure that your instances are all running sanctioned images from trusted sources.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: LOW
- Labels: Compute
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a Compute instance is running without required configured tags.
Recommendation: Ensure that the instances are using required tags.
Background: Tags are important for auditing and tracking purposes.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, TAGS
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Add required tags in the rule's Input Setting section.
These formats are allowed in the Input Setting box. Separate multiple entries with commas.
<namespace>.<definedKey>=<definedValue>
<namespace>.<definedKey>
<freeformKey>=<freeformValue>
<freeformKey>
Examples:
<namespace>.<definedKey>=<definedValue>
- Operations.Environment=Production: If the resource has a tag set in the Operations namespace with a defined key of Environment and a defined value of Production, the rule doesn't trigger a problem.
- Operations.*=*: If the resource has a tag set in the Operations namespace with any defined key and any defined value, the rule doesn't trigger a problem.
<namespace>.<definedKey>
- Operations.Environment: If the resource has a tag set in the Operations namespace with a defined key of Environment and any defined value, the rule doesn't trigger a problem.
<freeformKey>
- Project: If the resource has a tag set with the freeform key Project, the rule doesn't trigger a problem.
<freeformKey>=<freeformValue>
- Project=APPROVED: If the resource has a tag set with the freeform key Project and a value of APPROVED, the rule doesn't trigger a problem.
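The matching rules above, as an added Python example that is not Cloud Guard's own code: it parses Input Setting entries in the four formats and reports which ones a resource fails to satisfy. The tag model, the treatment of a comma-separated list as entries that must all be satisfied, and the handling of `*` as a wildcard for a defined key or value are assumptions made for this example.

```python
"""Required-tag matcher for the Input Setting formats of the rule above (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResourceTags:
    """Tags on one resource: defined tags grouped by namespace, freeform tags flat.

    This shape is an assumption for the example, not an OCI SDK type.
    """
    defined: Dict[str, Dict[str, str]] = field(default_factory=dict)
    freeform: Dict[str, str] = field(default_factory=dict)


def parse_requirement(entry: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split one Input Setting entry into (namespace, key, value).

    namespace is None for a freeform entry; value is None when no "=" is present.
    A freeform key is assumed not to contain "." in this model.
    """
    entry = entry.strip()
    key_part, sep, value = entry.partition("=")
    value = value if sep else None
    namespace, dot, key = key_part.partition(".")
    if not dot:
        namespace, key = None, key_part
    if not key or (sep and not value):
        raise ValueError(f"malformed required-tag entry: {entry!r}")
    return namespace, key, value


def entry_satisfied(tags: ResourceTags, namespace: Optional[str],
                    key: str, value: Optional[str]) -> bool:
    """True when the resource carries a tag that matches the parsed entry."""
    if namespace is None:
        # Freeform entry: the key must exist; a value, when given, must match exactly.
        if key not in tags.freeform:
            return False
        return value is None or tags.freeform[key] == value

    ns_tags = tags.defined.get(namespace, {})
    # "*" as the key matches every key in the namespace; otherwise match that one key.
    candidates = list(ns_tags.values()) if key == "*" else (
        [ns_tags[key]] if key in ns_tags else [])
    # No value, or "*", accepts any value; otherwise the value must match exactly.
    return any(value in (None, "*") or v == value for v in candidates)


def missing_required_tags(tags: ResourceTags, input_setting: str) -> List[str]:
    """Return the Input Setting entries the resource does not satisfy (empty = no problem)."""
    entries = [e.strip() for e in input_setting.split(",") if e.strip()]
    return [e for e in entries if not entry_satisfied(tags, *parse_requirement(e))]


if __name__ == "__main__":
    # Constructed sample resource, not data from a real tenancy.
    instance = ResourceTags(
        defined={"Operations": {"Environment": "Production"}},
        freeform={"Project": "APPROVED"},
    )
    setting = "Operations.Environment=Production, Operations.*=*, Project=APPROVED, Finance.CostCenter"
    print("missing:", missing_required_tags(instance, setting))  # → ['Finance.CostCenter']
```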
Database Resources
Description: Alert when a database is detected for which Data Safe is not enabled.
Recommendation: Ensure that Data Safe is enabled for all compartments that Cloud Guard monitors and that contain databases. See Get Started.
Background: Data Safe helps ensure that your databases are securely configured. This service should be activated to help monitor, secure, and mitigate risks inside your Oracle cloud databases.
Rule Parameters:
- Service Type: Data Safe
- Resource Type: Tenancy
- Risk Level: HIGH
- Labels: Database Security
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when automatic backup isn't enabled for a database.
Recommendation: Ensure that automatic backup is enabled.
Background: Enabling automatic backup ensures that if a catastrophic hardware failure occurs, you are able to restore the database with minimal data loss.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: HIGH
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out database OCIDs for any that do not need to be backed up automatically, for example, OCIDs in developer test environments.
Description: Alert when a database instance is detected which is not registered in Data Safe.
Recommendation: Register this database instance with Data Safe and configure assessments to evaluate and monitor configuration, check user activities, and mitigate risks. See Target Database Registration.
Background: Data Safe helps ensure that your databases are securely configured. This service should be activated to help monitor, secure, and mitigate risks inside your Oracle cloud databases.
Rule Parameters:
- Service Type: Data Safe
- Resource Type: Tenancy
- Risk Level: MEDIUM
- Labels: Database Security
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when an available database patch has not been applied within your specified number of days.
Recommendation: Apply released patches to the database when they are available.
Background: Database patches address functionality, security, and performance issues. Most security breaches can be prevented by applying available patches.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: MEDIUM
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Set Number of days to apply patch in the rule's Input Setting section.
- Conditional Groups: Filter out database OCIDs for any that do not need to have the latest patch applied, for example, OCIDs in developer test environments.
Cloud Guard currently monitors only bare metal virtual machine (VM) databases.
Recommendation: Ensure that the database system does not have a public IP address.
Background: Use of a public IP address to access a database increases your exposure to potential security and business continuity risks.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: HIGH
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out database OCIDs for any that are supposed to be public.
Description: Alert when a database is publicly accessible.
Recommendation: Carefully consider allowing internet access to any database system.
Background: For a database to be publicly accessible, it must:
- Have a public IP address.
- Be in a public VCN subnet.
- Be on a subnet that has an enabled internet gateway configured for outbound traffic.
- Be on either:
- A subnet where the security list allows traffic from any source CIDR range and "All protocols," or
- A network security group that allows traffic from any source CIDR range and "All protocols."
Rule Parameters:
- Service Type: Database
- Resource Type: ExadataBareMetalVM
- Risk Level: CRITICAL
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out database OCIDs for any that are supposed to be public.
Description: Alert when an available database system patch has not been applied.
Recommendation: Apply released patches to the database system when they are available.
Background: Database system patches often include updates that eliminate known security vulnerabilities.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: MEDIUM
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Set Number of days to apply patch in the rule's Input Setting section.
- Conditional Groups: Filter out database system OCIDs for any that do not need to have the latest patch applied, for example, OCIDs in developer test environments.
Description: Alert when a database system is running with a version that's not sanctioned.
Recommendation: Ensure that the deployed database system version is approved and tested.
Background: Running unsanctioned versions of database systems might increase your chances of a security breach, putting your data confidentiality, integrity, and availability at risk.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: CRITICAL
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out database system OCIDs for any that do not need to have a sanctioned version, for example, OCIDs in developer test environments.
Description: Alert when a database is running with a version that's not sanctioned.
Recommendation: Ensure that the deployed database version is approved and tested.
Background: The sanctioned version of a database has the most recent security features and vulnerability patches. Running unsanctioned versions of a database might increase your chances of a security breach, putting your data confidentiality, integrity, and availability at risk.
Rule Parameters:
- Service Type: Database
- Resource Type: DB System
- Risk Level: CRITICAL
- Labels: Database
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out database OCIDs for any that do not need to have a sanctioned version, for example, OCIDs in developer test environments.
IAM Resources
Description: Alert when an IAM private/public key pair assigned to a user is too old.
Recommendation: Rotate API keys regularly, at least every 90 days.
Background: Changing IAM API keys at least every 90 days is a security best practice. The longer that IAM credentials remain unchanged, the greater the risk that they can become compromised.
Rule Parameters:
- Service Type: IAM
- Resource Type: IAMKey
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_IAM, CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.2.4 - Credentials must be rotated at least every 90 days.
- CIS 1.1: 1.8 - Ensure that user API keys rotate within 90 days or less.
- CIS 1.0: Not covered by CIS 1.0.
- Configuration: (Optional) You can change the value of 90 days in the rule's Input Setting section.
Description: Alert when IAM Auth Tokens are older than your specified maximum number of days.
Recommendation: Rotate IAM Auth Tokens regularly, at least every 90 days.
Background: Changing IAM Auth Tokens at least every 90 days is a security best practice. The longer that IAM Auth Tokens remain unchanged, the greater the risk that they can become compromised.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.2.4 - Credentials must be rotated at least every 90 days.
- CIS 1.1: 1.9 Ensure user Auth tokens rotate within 90 days or less.
- CIS 1.0: None
- Configuration: Set the maximum number of days for IAM Auth Tokens (default is 90) in the rule's Input Setting section.
Description: Alert when IAM Customer Secret Keys are older than your specified maximum number of days.
Recommendation: Rotate IAM Customer Secret Keys regularly, at least every 90 days.
Background: Changing IAM Customer Secret Keys at least every 90 days is a security best practice. The longer that IAM Customer Secret Keys remain unchanged, the greater the risk that they can become compromised.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.2.4 - Credentials must be rotated at least every 90 days.
- CIS 1.1: 1.9 Ensure user customer secret keys rotate within 90 days or less.
- CIS 1.0: None
- Configuration: Set the maximum number of days for IAM Customer Secret Keys (default is 90) in the rule's Input Setting section.
Description: Alert when an IAM group has fewer than your specified minimum number of members.
Recommendation: Increase the number of group members to at least your specified minimum number of members.
Background: IAM group membership frequently grants access to resources and features. Group memberships that have too few members might represent excess privileges being "orphaned" (no longer available to any users).
Rule Parameters:
- Service Type: IAM
- Resource Type: Group
- Risk Level: LOW
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when an IAM group has more than your specified maximum number of members.
Recommendation: Reduce the number of group members to fewer than your specified maximum number of members.
Background: IAM group membership frequently grants access to resources and features. Group memberships that have too many members might represent overly permissive privileges being given to too many users.
Rule Parameters:
- Service Type: IAM
- Resource Type: Group
- Risk Level: MEDIUM
- Labels: IAM
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when an IAM password is older than your specified maximum number of days.
Recommendation: Rotate IAM passwords regularly, at least every 90 days.
Background: Changing IAM passwords at least every 90 days is a security best practice. The longer that IAM credentials remain unchanged, the greater the risk that they can become compromised.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_IAM, CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.2.4 - Credentials must be rotated at least every 90 days.
- CIS 1.1: 1.5 - Ensure that IAM password policy expires passwords within 365 days.
- CIS 1.0: 1.9 Ensure that IAM password policy expires passwords within 365 days.
- Configuration: Set the maximum number of days for passwords (default is 90) in the rule's Input Setting section.
Description: Alert when an IAM password policy does not meet complexity requirements.
Recommendation: Oracle recommends that a strong password policy include at least one lower case letter.
Background: Complex passwords are harder to guess and can decrease the chances of unauthorized access or compromised data.
Rule Parameters:
- Service Type: IAM
- Resource Type: Policy
- Risk Level: LOW
- Labels: CIS_OCI_V1.1_IAM, CIS_OCI_V1.0_IAM, IAM
- PCI-DSS 3.2.1: 8.2.3 - Passwords/passphrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords or passphrases must have complexity and strength at least equivalent to the parameters specified above.
- CIS 1.1: 1.4 - Ensure that IAM password policy requires minimum length of 14 or greater.
- CIS 1.0:
1.4 - Ensure that IAM password policy requires minimum length of 14 or greater.
1.5 - Ensure that IAM password policy requires at least one uppercase letter.
1.6 - Ensure that IAM password policy requires at least one lowercase letter.
1.7 - Ensure that IAM password policy requires at least one symbol.
1.8 - Ensure that IAM password policy requires at least one number.
- Leave default settings.
Description: Alert when an IAM policy grants any administrator role access to a user who is not member of the Administrators group.
Recommendation: Ensure that the policy is restricted to allow only specific users to access the resources required to accomplish their job functions.
Background: A policy is a document that specifies who can access which OCI resources that your company has, and how. A policy simply allows a group to work in certain ways with specific types of resources in a particular compartment.
Rule Parameters:
- Service Type: IAM
- Resource Type: Policy
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.1_IAM, CIS_OCI_V1.0_IAM, IAM
- PCI-DSS 3.2.1: 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
- CIS 1.1: 1.2 - Ensure that permissions on all resources are given only to the tenancy administrator group.
- CIS 1.0: 1.2 - Ensure that permissions on all resources are given only to the tenancy administrator group.
- Configuration: Add OCIDs for any groups that should be allowed these privileges in the rule's Input Setting section.
Description: Alert when the tenancy administrator privilege is granted to an extra IAM group.
Recommendation: Verify with the OCI administrator that this entitlement grant was sanctioned, and that the membership of the group remains valid after the grant of the administrator privilege.
Background: Default tenancy administrator group members can perform any action on all resources in that tenancy. This high-privilege entitlement must be controlled and restricted to only those users who need it to perform their job functions.
Rule Parameters:
- Service Type: IAM
- Resource Type: Policy
- Risk Level: LOW
- Labels: CIS_OCI_V1.1_IAM, CIS_OCI_V1.0_IAM, IAM
- PCI-DSS 3.2.1: 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
- CIS 1.1: 1.3 Ensure that IAM administrators cannot update tenancy Administrators group.
- CIS 1.0: 1.3 - Ensure that IAM administrators cannot update tenancy Administrators group.
- Configuration: Add OCIDs of groups that should have admin privilege in the rule's Input Setting section.
Description: Alert when a user doesn't have multifactor authentication (MFA) enabled.
Recommendation: Enable MFA for all users, using the Oracle Mobile Authenticator (OMA) application on each user's mobile device and the one-time passcode (OTP) sent to the user's registered email address.
Only applicable to local users. Not applicable to IDCS users, unless they are mapped to local users.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: CRITICAL
Note: If your organization started using Cloud Guard before April 2023, the default Risk Level is MEDIUM.
- Labels: CIS_OCI_V1.0_IAM, CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.3 - Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
- CIS 1.1: 1.7 - Ensure that MFA is enabled for all users with a console password.
- CIS 1.0: 1.11 - Ensure that MFA is enabled for all users with a console password.
- Leave default settings.
Description: Alert when a user has API keys enabled.
Recommendation: Ensure that OCI access by administrators through API keys is performed as an exception. Do not hard-code IAM credentials directly in software, or place them in documents distributed to a wide audience.
Background: IAM API keys are credentials used to grant programmatic access to resources. Actual human users should not use API keys.
Rule Parameters:
- Service Type: IAM
- Resource Type: User
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_IAM, CIS_OCI_V1.1_IAM, IAM
- PCI-DSS 3.2.1: 8.6 - Where other authentication mechanisms are used, such as physical or logical security tokens, smart cards, or certificates, use of these mechanisms must be assigned as follows:
- Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
- Physical or logical controls, or both, must be in place to ensure that only the intended account can use that mechanism to gain access.
- CIS 1.1: 1.11 - Ensure that API keys are not created for tenancy administrator users.
- CIS 1.0: 1.13 - Ensure that API keys are not created for tenancy administrator users.
- Leave default settings.
KMS Resources
Description: Alert when a KMS key has not been rotated within your specified time period.
Recommendation: Ensure that you rotate the KMS keys regularly.
Background: For information security, you should periodically change or rotate passwords, keys, and cryptographic materials. Rotating your keys in KMS reduces the impact and probability of key compromise. Set the minimum rotation period that you want to enforce; you can change the default of 180 days in the rule's Input Setting section.
Rule Parameters:
- Service Type: KMS
- Resource Type: KMS Key
- Risk Level: CRITICAL
- Labels: CIS_OCI_V1.1_MONITORING, KMS
- PCI-DSS 3.2.1: 8.2.4 - Credentials must be rotated at least every 90 days.
- CIS 1.1: 3.16 - Ensure that customer created Customer Managed Key (CMK) is rotated at least annually.
- CIS 1.0: Not Covered by CIS 1.0
- Configuration: Set the default time for rotating keys in the rule's Input Setting section.
Multiple Resources
Description: Alert when a resource is not tagged in compliance with the tagging requirements you've specified.
Recommendation: Verify that the configured tags are in use for compute images, compute instances, database systems, VCNs, object storage, and storage block volumes.
Background: Verify that the configured tags are in use for compute images, compute instances, database systems, VCNs, object storage, and storage block volumes.
Rule Parameters:
- Service Type: Multiple
- Resource Type: Multiple
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_MONITORING, CIS_OCI_V1.1_MONITORING, TAGS
- PCI-DSS 3.2.1: 2.4 - Maintain an inventory of system components that are in scope for PCI DSS.
- CIS 1.1: 3.2 - Ensure that default tags are used on resources.
- CIS 1.0: 4.2 - Ensure that default tags are used on resources.
- Configuration: Add appropriate tags in the rule's Input Setting section.
Networking Resources
Description: Alert when a load balancer is configured with the oci-wider-compatible-ssl-cipher-suite-v1 cipher suite. This cipher suite includes algorithms like DES and RC4 that are considered weak and prone to attacks. Applicable only to predefined cipher suites, not to custom cipher suite values.
Recommendation: Use default, modern cipher suites that support stronger encryption.
Background: Certain versions of cipher suites with algorithms like DES are not recommended.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: MEDIUM
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a load balancer has a protocol configured as part of its SSL policy that includes any version lower than Transport Layer Security (TLS) 1.2.
Recommendation: Ensure that the SSL policy version configured is at least TLS 1.2.
Background: Older versions of TLS are risky and vulnerable to many types of attacks. Several standards, such as PCI-DSS and NIST, strongly encourage the use of TLS 1.2.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: HIGH
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a load balancer has no associated backend sets.
Recommendation: Ensure that you configure load balancers with backend sets to control the health and access to a load balancer by defined instances.
Background: A backend set is a logical entity defined by a load balancing policy, a health check policy, and a list of backend servers.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: CRITICAL
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a security list of a load balancer has ingress rules that accept traffic from any source (0.0.0.0/0).
Recommendation: Ensure that your OCI load balancers use inbound rules or listeners to only allow access from known resources.
Background: OCI load balancers enable end-to-end TLS connections between a client's applications and your VCN. A listener is a logical entity that checks for incoming traffic on the load balancer's IP address. To handle TCP, HTTP, and HTTPS traffic, you must configure at least one listener per traffic type.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a load balancer is running with a public IP address.
Recommendation: Ensure that all load balancers not required to be publicly accessible are running with private IP addresses.
Background: A public IP address on a load balancer that is not intended to be used for publicly available content creates an unnecessary security vulnerability.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: HIGH
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Filter out OCIDs for any load balancer that should have a public IP address.
Description: Alert when the SSL certificate in a load balancer is set to expire within your specified time period.
Cloud Guard monitors for expiring certificates for listeners and backend sets in the load balancer.
To prevent generation of "false positive" problems, check the expiration date of SSL certificates added to both the backend sets and the listeners of the load balancer. If an expired certificate, or a soon-to-expire certificate, is still attached to a load balancer's backend set, a problem is generated.
Recommendation: Ensure that certificates are rotated on a timely basis.
Background: To ensure continuous security and usability, SSL certificates must be rotated in OCI.
Rule Parameters:
- Service Type: Networking
- Resource Type: Load Balancer
- Risk Level: CRITICAL
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Set Days before expiring (default is 48) in the rule's Input Setting section.
Description: Alert when the egress rule for a network security group (NSG) contains a disallowed destination IP address and port number.
Recommendation: Ensure that the egress rules for communication with the IP/port are permitted for this NSG.
Background: NSGs act as a virtual firewall for compute instances and other kinds of resources. An NSG's outbound (egress) security rules apply to a set of virtual NICs in a VCN to allow access to specific ports and IP addresses.
Rule Parameters:
- Service Type: Networking
- Resource Type: Network Security Group
- Risk Level: MEDIUM
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, Network
- PCI-DSS 3.2.1: 1.3.4 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- CIS 1.1:
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- CIS 1.0:
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- Configuration: Add disallowed ports in the rule's Input Setting section.
Description: Alert when the ingress rule for a network security group contains a disallowed destination IP address and port number.
Recommendation: Ensure that the ingress rules for communication with the IP/port are permitted for this NSG.
Background: NSGs act as a virtual firewall for compute instances and other kinds of resources. An NSG's inbound (ingress) security rules apply to a set of virtual NICs in a VCN to allow access to specific ports and IP addresses.
Rule Parameters:
- Service Type: Networking
- Resource Type: Network Security Group
- Risk Level: HIGH
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, Network
- PCI-DSS 3.2.1: 1.2.1 - Restrict inbound and outbound traffic to what's necessary for the cardholder data environment, and specifically deny all other traffic.
- CIS 1.1:
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- CIS 1.0:
2.3 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 22.
2.4 - Ensure that no network security groups allow ingress from 0.0.0.0/0 to port 3389.
- Configuration: Add disallowed ports in the rule's Input Setting section.
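An added Python example (not Cloud Guard's own logic) of the check that the two NSG rules above and the load balancer security list rule describe: given ingress rules and the disallowed ports from the Input Setting, it reports each rule that lets any internet source (0.0.0.0/0 or ::/0) reach one of those ports. The rule model is a simplified version of OCI's ingress security rule, and the sample rules and service CIDR label are constructed for the example.

```python
"""Open-ingress check over NSG or security-list rules for disallowed ports (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP = "6"  # OCI expresses protocols as IANA numbers in strings ("6" TCP, "17" UDP) or "all"


@dataclass(frozen=True)
class IngressRule:
    """Simplified ingress rule; the field set is an assumption for this example."""
    source: str                                   # CIDR such as "0.0.0.0/0", or a service CIDR label
    protocol: str                                 # "6", "17", "1", ... or "all"
    dest_ports: Optional[Tuple[int, int]] = None  # (min, max); None means every port
    description: str = ""


def is_any_source(source: str) -> bool:
    """True for a /0 source (0.0.0.0/0 or ::/0).

    A service CIDR label (not an IP network) is not an internet source, so it is False.
    """
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_exposes_port(rule: IngressRule, port: int, protocol: str = TCP) -> bool:
    """True when the rule lets any internet source reach `port` over `protocol`."""
    if not is_any_source(rule.source):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.dest_ports is None:  # no port restriction: every port of the protocol is open
        return True
    low, high = rule.dest_ports
    return low <= port <= high


def find_open_disallowed_ports(rules: List[IngressRule],
                               disallowed_ports: List[int]) -> List[Tuple[int, IngressRule]]:
    """Report (port, rule) for every disallowed port that a rule opens to the whole internet."""
    return [(port, rule)
            for port in disallowed_ports
            for rule in rules
            if rule_exposes_port(rule, port)]


# Constructed sample rules, not from a real tenancy; the service label is illustrative.
SAMPLE_RULES = [
    IngressRule("0.0.0.0/0", TCP, (22, 22), "ssh from anywhere"),
    IngressRule("10.0.0.0/16", TCP, (3389, 3389), "rdp from the corporate range"),
    IngressRule("0.0.0.0/0", "all", None, "everything from anywhere"),
    IngressRule("0.0.0.0/0", TCP, (8000, 9000), "app ports from anywhere"),
    IngressRule("all-xyz-services-in-oracle-services-network", TCP, (443, 443), "service gateway"),
]

if __name__ == "__main__":
    # Disallowed ports as they would be entered in the rule's Input Setting.
    for port, rule in find_open_disallowed_ports(SAMPLE_RULES, [22, 3389]):
        print(f"port {port} open to the internet by rule: {rule.description}")
```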
Description: Alert when a VCN is attached to an internet gateway.
Recommendation: Ensure that internet gateways are authorized to be attached to a VCN, and that this attachment doesn't expose resources to the internet. Review the security lists that have ingress (inbound) rules, and ensure that they are not configured to allow access from all IP addresses (0.0.0.0/0).
Background: Gateways provide external connectivity to hosts in a VCN. They include the internet gateway (IGW) for internet connectivity.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: 1.3.4 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- CIS 1.1:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389
2.5 - Ensure that the default security list of every VCN restricts all traffic except ICMP
3.13 - Ensure that a notification is configured for changes to network gateways
- CIS 1.0:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389
2.7 - Ensure that the default security list of every VCN restricts all traffic except ICMP
- Leave default settings.
Description: Alert when a VCN is attached to a local peering gateway.
Recommendation: Ensure that local peering gateways are authorized to be attached to a VCN, and that this attachment doesn't expose resources to the internet.
Background: Gateways provide external connectivity to hosts in a VCN. A local peering gateway (LPG) provides connectivity to a peered VCN in the same region.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: LOW
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, CIS_OCI_V1.1_MONITORING, Network
- PCI-DSS 3.2.1: 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
- CIS 1.1:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.5 - Ensure that the default security list of every VCN restricts all traffic except ICMP.
3.13 - Ensure that a notification is configured for changes to network gateways.
- CIS 1.0:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
2.5 - Ensure that the default security list of every VCN restricts all traffic except ICMP.
- Leave default settings.
Description: Alert when a VCN has no inbound security list.
Recommendation: Ensure that your OCI VCNs use security lists with ingress (inbound) rules that only allow access from known resources.
Background: Security lists provide stateful and stateless firewall capability to control network access to your instances. A security list is configured at the subnet level and enforced at the instance level. You can apply multiple security lists to a subnet; a network packet is allowed if it matches any rule in any of those security lists.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: MEDIUM
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings.
Description: Alert when a VCN security list allows unrestricted traffic to a non-public port from an open source (0.0.0.0/0).
Recommendation: Use VCN security lists to restrict network access to instances in a subnet. To prevent unauthorized access or attacks on compute instances, Oracle recommends that you:
- Use a VCN security list to allow SSH or RDP access only from authorized CIDR blocks
- Do not leave compute instances open to the internet (0.0.0.0/0)
Background: A VCN has a collection of features for enforcing network access control and securing VCN traffic. Security lists provide stateful and stateless firewall capability to control network access to your instances. A security list is configured at the subnet level and enforced at the instance level. You can apply multiple security lists to a subnet; a network packet is allowed if it matches any rule in any of those security lists.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: CRITICAL
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, Network
- PCI-DSS 3.2.1: 1.3 - Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- CIS 1.1:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
- CIS 1.0:
2.1 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 22.
2.2 - Ensure that no security lists allow ingress from 0.0.0.0/0 to port 3389.
- Leave default settings.
Description: Alert when a VCN security list allows certain restricted ports (see Input Settings, Restricted Protocol:Ports List) as part of the Security list ingress rule.
Recommendation: Ensure that your OCI VCNs use security lists that do not include a port that's listed in the "Restricted Protocol:Ports List" in the Input setting of this detector rule with any ingress or inbound rule. The Additional Details section of a problem lists the specific open restricted ports that triggered this problem.
Background: Security lists provide stateful and stateless firewall capability to control network access to your instances. A security list is configured at the subnet level and enforced at the instance level. You can apply multiple security lists to a subnet; a network packet is allowed if it matches any rule in any of those security lists.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: MINOR
- Labels: CIS_OCI_V1.0_NETWORK, CIS_OCI_V1.1_NETWORK, Network
- PCI-DSS 3.2.1: 1.2 - Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
- CIS 1.1: 2.5 - Ensure that the default security list of every VCN restricts all traffic except ICMP.
- CIS 1.0: 2.7 - Ensure that the default security list of every VCN restricts all traffic except ICMP.
- Configuration:
- Modify Restricted Protocol:Ports List as needed, in the rule's Input Setting section.
You can enter ports lists manually, or you can enter names of one or more security lists that you've defined. See Security Lists.
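The three ingress checks above (a security list or NSG open to 0.0.0.0/0 on port 22 or 3389, and any ingress rule that admits a port from the Restricted Protocol:Ports List) can be reproduced offline before Cloud Guard reports them. The following is an added example in Python, not Cloud Guard's own evaluation code: it takes rules in the shape of the OCI API's IngressSecurityRule/SecurityRule JSON, and a restricted list whose "proto:port" string format is an assumption made here; the sample rules are constructed.

```python
"""Offline check of VCN security list / NSG ingress rules (added example, not Cloud Guard code).

Rules are dicts shaped like the OCI API's IngressSecurityRule / SecurityRule JSON
(source, sourceType, protocol, tcpOptions/udpOptions.destinationPortRange). The restricted
list uses a 'proto:port' string format assumed here to mirror the rule's
"Restricted Protocol:Ports List" input setting.
"""
import ipaddress

PROTO_NUMBER = {"tcp": "6", "udp": "17", "icmp": "1"}
ALL_PORTS = (1, 65535)


def parse_restricted(entries):
    """'tcp:22' -> ('6', 22); IANA protocol numbers are accepted too ('6:22')."""
    parsed = []
    for entry in entries:
        proto, port = entry.lower().split(":")
        parsed.append((PROTO_NUMBER.get(proto, proto), int(port)))
    return parsed


def dest_port_range(rule):
    """Destination ports the rule admits as (min, max), or None if the protocol has no ports."""
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return ALL_PORTS
    if proto not in ("6", "17"):              # ICMP and other port-less protocols
        return None
    opts = rule.get("tcpOptions" if proto == "6" else "udpOptions") or {}
    rng = opts.get("destinationPortRange")
    if not rng:                               # options omitted => every port of that protocol
        return ALL_PORTS
    return (int(rng["min"]), int(rng["max"]))


def rule_admits(rule, proto_num, port):
    """True if this ingress rule lets proto_num/port through, regardless of source."""
    rng = dest_port_range(rule)
    if rng is None:
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto != "all" and proto != proto_num:
        return False
    return rng[0] <= port <= rng[1]


def is_world_open(rule):
    """True for a CIDR source of 0.0.0.0/0 or ::/0 (prefix length zero)."""
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False                          # SERVICE_CIDR_BLOCK / NSG sources are never 'the internet'
    try:
        return ipaddress.ip_network(rule.get("source", ""), strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate_ingress(rules, restricted):
    """One finding per (rule, restricted protocol:port) that the rule admits.

    Severity follows the detector rules above: an open-source (0.0.0.0/0) rule to a
    restricted port is CRITICAL; the same port admitted from any narrower source is MINOR.
    """
    findings = []
    for idx, rule in enumerate(rules):
        world = is_world_open(rule)
        for proto_num, port in restricted:
            if rule_admits(rule, proto_num, port):
                findings.append({"rule": idx, "source": rule.get("source"), "protocol": proto_num,
                                 "port": port, "severity": "CRITICAL" if world else "MINOR"})
    return findings


# Constructed sample: one sane SSH rule plus the patterns the rules above are meant to catch.
SAMPLE_RULES = [
    {"source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 3389, "max": 3389}}},
    {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "all"},
    {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": "1",
     "icmpOptions": {"type": 3, "code": 4}},
]
SAMPLE_RESTRICTED = parse_restricted(["tcp:22", "tcp:3389", "tcp:445"])

if __name__ == "__main__":
    for finding in evaluate_ingress(SAMPLE_RULES, SAMPLE_RESTRICTED):
        print(finding)
```

Note that a "protocol": "all" rule with an open source produces one CRITICAL finding per restricted port, which is the same exposure CIS 2.5 (default security list restricts everything except ICMP) is meant to prevent; the ICMP rule produces nothing because ports don't apply to it.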
Description: Alert when a virtual network interface card (VNIC) has no associated network security group (NSG).
Recommendation: Ensure that all VNICs have an associated NSG.
Background: A VNIC is a networking component that enables a resource such as a compute instance to connect to a VCN. The VNIC determines how the instance connects with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN. A VNIC without an NSG has no VNIC-level rules of its own and is governed only by its subnet's security lists; it might also trigger a connectivity issue.
Rule Parameters:
- Service Type: Networking
- Resource Type: VCN
- Risk Level: MINOR
- Labels: Network
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Modify Restricted Protocol:Ports List as needed, in the rule's Input Setting section.
Scanning Resources
Description: Alert when Oracle Vulnerability Scanning Service (VSS) scans containers and identifies known cybersecurity vulnerabilities. To use this rule, you must create a Host Scan Recipe and a Host Scan Target in the Scanning service. See Scanning: Getting Started in the Scanning documentation.
Recommendation: Perform the recommended actions that are documented for each vulnerability, such as applying an OS patch.
Background: The Scanning service identifies vulnerabilities for applications, libraries, operating systems, and services. Each vulnerability in the database has a distinct identifier or CVE.
Rule Parameters:
- Service Type: Scanning, Compute
- Resource Type: Container
- Risk Level: CRITICAL
- Labels: VSS
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings (all CVEs are detected)
Description: Alert when Oracle Vulnerability Scanning Service (VSS) scans Compute instances (hosts) and identifies open ports. To use this rule, you must create a Host Scan Recipe and a Host Scan Target in the Scanning service. See Scanning: Getting Started in the Scanning documentation.
Recommendation: Review the identified ports and close them if you determine that they should not be open on this host.
Background: Certain ports are required for operation and delivery of services, but any open ports beyond the intended list can potentially be used to exploit the services.
Rule Parameters:
- Service Type: Scanning, Compute
- Resource Type: Compute
- Risk Level: CRITICAL
- Labels: VSS
- PCI-DSS 3.2.1: Not applicable.
- Configuration: Add any ports that should be ignored to the Allowed ports list in the rule's Input Setting section.
Note: If you add the same port number to both the Allowed ports list and the Disallowed ports list in the rule's Input Setting section, the Disallowed ports list takes precedence; a problem is still triggered when Cloud Guard finds the port open.
Description: Alert when Oracle Vulnerability Scanning Service (VSS) scans Compute instances (hosts) and identifies known cybersecurity vulnerabilities. To use this rule, you must create a Host Scan Recipe and a Host Scan Target in the Scanning service. See Scanning: Getting Started in the Scanning documentation.
Recommendation: Perform the recommended actions that are documented for each vulnerability, such as applying an OS patch.
Background: The Scanning service identifies vulnerabilities for applications, libraries, operating systems, and services. Each vulnerability in the database has a distinct identifier or CVE.
Rule Parameters:
- Service Type: Scanning, Compute
- Resource Type: Compute
- Risk Level: CRITICAL
- Labels: VSS
- PCI-DSS 3.2.1: Not applicable.
- Leave default settings (all CVEs are detected)
Storage Resources
Description: Alert when a block volume is encrypted with Oracle-managed keys.
Recommendation: Assign a KMS key to this volume.
Background: Encryption of volumes provides an extra level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Some customers want to identify block volumes encrypted with Oracle-managed keys versus user-managed keys.
Rule Parameters:
- Service Type: Storage
- Resource Type: Block Volume
- Risk Level: MINOR
- Labels: KMS
- PCI-DSS 3.2.1: Not applicable.
- Oracle-Managed Keys: Recommended to secure block volumes.
- User-Managed Keys:
- Use KMS wherever possible.
- Implement Oracle Security Zones on compartments to ensure that practice is followed.
- Conditional Groups: Avoid using, because of the large number of volumes.
Description: Alert when a block volume is not attached to its associated instance.
Recommendation: Ensure that the volume is attached.
This rule is disabled by default in new Cloud Guard tenancies.
Rule Parameters:
- Service Type: Storage
- Resource Type: Block Volume
- Risk Level: MEDIUM
- Labels: Storage
- PCI-DSS 3.2.1: Not applicable.
- Conditional Groups: Avoid using, because of large number of volumes.
Description: Alert when a bucket is public.
Recommendation: Ensure that the bucket is sanctioned for public access, and if not, direct the OCI administrator to restrict the bucket policy to allow only specific users access to the resources required to accomplish their job functions.
Background: Object Storage supports anonymous, unauthenticated access to a bucket. A public bucket that has read access enabled for anonymous users allows anyone to obtain object metadata, download bucket objects, and optionally list bucket contents.
Rule Parameters:
- Service Type: Storage
- Resource Type: Bucket
- Risk Level: CRITICAL
- Labels: CIS_OCI_V1.1_ObjectStorage, ObjectStorage
- PCI-DSS 3.2.1: 1.2.1 - Restrict inbound and outbound traffic to what's necessary for the cardholder data environment, and specifically deny all other traffic.
- CIS 1.1: 4.1 - Ensure that no Object Storage buckets are publicly visible.
- CIS 1.0: Not Covered by CIS 1.0.
- Conditional Groups: Filter out bucket names (<namespace>/<name>) for any that are supposed to be public.
Description: Alert when an Object Storage bucket is encrypted with an Oracle-managed key.
Recommendation: Assign a Vault key to this bucket.
Background: Encryption of storage buckets provides an extra level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Some customers want to identify storage buckets encrypted with Oracle-managed keys.
Rule Parameters:
- Service Type: Storage
- Resource Type: Bucket
- Risk Level: MINOR
- Labels: CIS_OCI_V1.1_ObjectStorage, ObjectStorage, KMS
- PCI-DSS 3.2.1: Not an issue for PCI.
- CIS 1.1: 4.2 - Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK).
- CIS 1.0: Not Covered by CIS 1.0.
- Configuration: This rule is disabled by default in the OCI Configuration Detector, because it could generate problems that may not be critical to many Cloud Guard operators. If you enable this rule, ensure that you carefully set Conditional Groups to target only those specific buckets that you do NOT want to be encrypted with an Oracle-managed key. If you require strict key control using user-managed keys through Vault, create an Oracle Security Zone compartment and create resources in that compartment.
Description: Alert when the read access logs are not enabled for an Object Storage bucket.
Recommendation: Ensure that read logs are enabled for the bucket and that the logs are being continuously monitored by the security tools.
Background: Access logs help you secure your sensitive objects by providing visibility into the activities around read and write operations on the objects within the Object storage bucket.
Rule Parameters:
- Service Type: Storage
- Resource Type: Bucket
- Risk Level: LOW
- Labels: CIS_OCI_V1.1_ObjectStorage, ObjectStorage
- PCI-DSS 3.2.1: 1.2.1 - Restrict inbound and outbound traffic to what's necessary for the cardholder data environment, and specifically deny all other traffic.
- CIS 1.1: 4.1 - Ensure that no Object Storage buckets are publicly visible.
- CIS 1.0: Not Covered by CIS 1.0.
- Configuration: This rule is disabled by default in the OCI Configuration Detector and can't be enabled there. To enable this rule:
- Clone the OCI Configuration Detector. See Cloning an OCI Detector Recipe.
- Enable the rule in the user-managed (cloned) copy of the OCI Configuration Detector. See Editing Rule Settings in an OCI Detector Recipe.
- Attach the user-managed (cloned) copy of the OCI Configuration Detector to all targets where you want the rule to be enabled. See Editing an OCI Target and Its Attached Recipes.
Description: Alert when the write access logs are not enabled for an Object Storage bucket.
Recommendation: Ensure that write logs are enabled for the bucket and that the logs are being continuously monitored by the security tools.
Background: Access logs help you secure your sensitive objects by providing visibility into the activities around read and write operations on the objects within the Object storage bucket.
Rule Parameters:
- Service Type: Storage
- Resource Type: Bucket
- Risk Level: LOW
- Labels: CIS_OCI_V1.1_MONITORING, CIS_OCI_V1.1_ObjectStorage, ObjectStorage
- PCI-DSS 3.2.1: 1.2.1 - Restrict inbound and outbound traffic to what's necessary for the cardholder data environment, and specifically deny all other traffic.
- CIS 1.1: 4.1 - Ensure that no Object Storage buckets are publicly visible.
- CIS 1.0: Not Covered by CIS 1.0.
- Configuration: This rule is disabled by default in the OCI Configuration Detector and can't be enabled there. To enable this rule:
- Clone the OCI Configuration Detector. See Cloning an OCI Detector Recipe.
- Enable the rule in the user-managed (cloned) copy of the OCI Configuration Detector. See Editing Rule Settings in an OCI Detector Recipe.
- Attach the user-managed (cloned) copy of the OCI Configuration Detector to all targets where you want the rule to be enabled. See Editing an OCI Target and Its Attached Recipes.
Reference material for Oracle managed Instance Security detector recipes.
If any detector rule exceeds expected CPU or memory utilization, we may temporarily disable and modify the rule.
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Linux/Windows
Description: Detects when Instance Security is either not installed or not running as expected. For example:
InstanceOCID: <redacted>, currently in active state. The agent was last detected on 2024-03-19 21:11:27.41, more than 24 hours ago
Recommendation: There are a few reasons why you could receive this alert:
- Your compute host is down, so the Instance Security service has been unable to reach the agent on the host for more than 24 hours. Investigate the compute host to see whether this is what has happened.
- The Instance Security policies aren't correct. Check that all the required policies have been added.
- The latest version of Instance Security isn't present. Oracle Cloud Agent (OCA) automatically updates the instance security agent on a host, so if this hasn't happened, check the following:
On Linux:
- Check that Oracle Cloud Agent (OCA) is enabled and running on your instance:
sudo systemctl status oracle-cloud-agent.service
- Check whether the instance security plugin is running. The plugin manages the instance security agent's life cycle. If the plugin is running but you still have this problem, either something is wrong with the instance security agent itself, or the plugin is getting a 4xx error from the service and the agent was never installed or isn't running:
pgrep oci-wlp
- Check whether the instance security plugin is logging a 404 error:
sudo vim /var/log/oracle-cloud-agent/plugins/oci-wlp/oci-wlp.log
- Confirm that the instance security agent is running on your instance:
sudo systemctl status wlp-agent-osqueryd.service
If the command output shows errors, restart the service:
sudo systemctl restart wlp-agent-osqueryd.service
On Windows:
- Check that the instance security plugin is enabled in Oracle Cloud Agent (OCA) for your instance:
  - Go to Start Menu > Windows Administrative Tools > Services.
  - Check the status of Oracle Cloud Agent Cloud Guard Workload Protection. It should show that it's running.
  - If it's stopped, right-click it and choose Start.
- Check whether the instance security agent is running on your instance:
  - Go to Start Menu > Windows Administrative Tools > Services.
  - Check the status of the wlp-agent service. It should show that it's running.
  - If it's stopped, right-click it and choose Start.
- Check that Oracle Cloud Agent (OCA) itself is enabled and running on your instance.
After you have found and fixed the problem, allow 24 hours for the problem to clear. If you still see it after 24 hours and have rechecked the steps above, contact Oracle Support.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: Instance Security
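The Linux steps in the recommendation above can be run as a single triage pass that reports the first failing check. The script below is an added example, not Oracle tooling: it assumes a systemd host, the unit names and log path listed above, and that a failed service call leaves its HTTP status in the plugin log in a form such as "status code 404" or "status=403" (the page does not document the log format, so that regex is a guess to adjust to what you see in the file); the sample log lines are constructed.

```python
"""One-pass triage of the Linux Instance Security checks above (added example, not Oracle tooling).

Assumptions: systemd, the unit names and log path from the steps above, and a plugin log
in which a failed call mentions its HTTP status ('status code 404', 'status=403', 'HTTP 401').
"""
import re
import subprocess

UNITS = ("oracle-cloud-agent.service", "wlp-agent-osqueryd.service")
PLUGIN_LOG = "/var/log/oracle-cloud-agent/plugins/oci-wlp/oci-wlp.log"
# Guessed log format: a 'status'/'http' keyword followed by a 4xx code.
_HTTP_4XX = re.compile(r"\b(?:status(?:\s*code)?\s*[:=]?\s*|http\s+)(4\d\d)\b", re.IGNORECASE)


def unit_active(unit):
    """True/False from 'systemctl is-active', or None when systemctl isn't available."""
    try:
        result = subprocess.run(["systemctl", "is-active", unit], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() == "active"


def plugin_running():
    """Same check as 'pgrep oci-wlp' in the steps above; None if pgrep is missing."""
    try:
        return subprocess.run(["pgrep", "oci-wlp"], capture_output=True, check=False).returncode == 0
    except FileNotFoundError:
        return None


def find_http_errors(lines):
    """Return (line, status) for every log line that reports a 4xx response."""
    hits = []
    for line in lines:
        match = _HTTP_4XX.search(line)
        if match:
            hits.append((line.rstrip("\n"), match.group(1)))
    return hits


def next_step(report):
    """Pick the first failing check, in the order the recommendation lists them."""
    if report.get("oracle-cloud-agent.service") is False:
        return "Oracle Cloud Agent is not running: sudo systemctl start oracle-cloud-agent.service"
    if report.get("http_errors"):
        codes = sorted({code for _, code in report["http_errors"]})
        return f"plugin is getting HTTP {', '.join(codes)} from the service: check the Instance Security policies"
    if report.get("plugin_running") is False:
        return "oci-wlp plugin is not running: check that the plugin is enabled in Oracle Cloud Agent"
    if report.get("wlp-agent-osqueryd.service") is False:
        return "agent is installed but stopped: sudo systemctl restart wlp-agent-osqueryd.service"
    return "all local checks pass: allow 24 hours, then contact Oracle Support if the problem persists"


def triage(log_path=PLUGIN_LOG):
    """Gather every check into one dict; a missing log is reported rather than fatal."""
    report = {unit: unit_active(unit) for unit in UNITS}
    report["plugin_running"] = plugin_running()
    try:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            report["http_errors"] = find_http_errors(fh)
    except OSError as err:
        report["http_errors"] = []
        report["log_error"] = str(err)
    report["next_step"] = next_step(report)
    return report


# Constructed plugin log excerpt (the real file's format may differ; adjust _HTTP_4XX to match).
SAMPLE_LOG = [
    "2024-03-19T21:11:27Z INFO  heartbeat sent",
    "2024-03-19T21:12:02Z ERROR fetch agent bundle failed: status code 404",
    "2024-03-19T21:12:02Z ERROR list recipes: status=403 (NotAuthorizedOrNotFound)",
    "2024-03-19T21:13:00Z INFO  retry in 300s",
]

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it with sudo so that the plugin log is readable; `next_step` deliberately reports the earliest failing layer (OCA, then service reachability, then plugin, then agent), because a stopped agent is usually a symptom of one of the earlier ones.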
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: WMI is the infrastructure for management data and operations on Windows-based operating systems. It is a service-level process used to execute scripts, and it can be used to launch scripts or terminals, or to attempt to download a payload.
Recommendation: Monitor for newly constructed WMI objects that might establish persistence and/or elevate privileges using system mechanisms.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1546
- Tactic: Persistence
- Technique or Subtechnique: Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Detects potential disabling of Windows security features. Alerts if any of the Windows Defender (windefend), Windows Firewall (mpssvc), or Windows Security Center (wscsvc) services is not running. For example:
Windows security service in stopped state: windefend
Recommendation: Disabling a Windows security service can leave resources at risk. Weigh the risks and re-enable the applicable services.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1562.001
- Tactic: Defense Evasion
- Technique or Subtechnique: Impair Defenses: Disable or Modify Tools (T1562.001)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Detects activity that can indicate password spraying against Windows accounts, that is, the repeated use of the same password across multiple accounts.
Recommendation: Determine whether the user account in question is the actual user attempting to login.
Use multifactor authentication. Where possible enable multifactor authentication on externally facing services. Set policies to lock accounts after a certain number of failed login attempts to prevent passwords from being guessed.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1110
- Tactic: Credential Access
- Technique or Subtechnique: Brute Force (T1110)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Linux
Description: It's common for threat actors to upload a web shell to HTTP services. This rule looks for files under common HTTP service paths (such as Apache's) that have open listening sockets.
Recommendation: Confirm with the system owner whether the web server path is supposed to contain a file that listens on a server port.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MEDIUM
- Labels: MITRE_T1505.003
- Tactic: Persistence
- Technique or Subtechnique: Server Software Component: Web Shell (T1505.003)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Linux
Description: Returns possible Reverse Shells on system processes. For example:
Possible reverse shell on system process (pid | path | remote_address | remote_port): 10129 | /usr/bin/bash | | 0, 10164 | /usr/bin/bash | | 0]
Recommendation: Gather the list of IP addresses that are connecting to the reverse shell and determine whether any of them is on a bad-reputation list. Investigate whether there are other processes associated with the reverse shell's PID.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1505.003
- Tactic: Persistence
- Technique or Subtechnique: Server Software Component: Web Shell (T1505.003)
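The shape this rule looks for, a shell whose standard input or output is a network socket, can be checked directly from /proc. The code below is an added example and not Instance Security's own query: it reads /proc/<pid>/exe, /proc/<pid>/fd/0-2 and /proc/net/tcp, and the /proc/net/tcp excerpt used for the offline check is constructed. Only IPv4 TCP inodes are resolved, so a socket that isn't in that table (tcp6, unix, udp) comes back with a blank remote address and port 0, which is what the blank fields in the sample output above look like; that is the case to treat as "unknown", not "benign".

```python
"""Spot shells whose stdin/stdout/stderr are network sockets (added example, not Instance Security's query)."""
import os
import re

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "fish"}   # interpreters that should never be socket-backed
_SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_tcp(text):
    """Map socket inode -> (remote_ip, remote_port) from /proc/net/tcp (IPv4 addresses are little-endian hex)."""
    table = {}
    for line in text.splitlines()[1:]:                 # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        rem_ip_hex, rem_port_hex = fields[2].split(":")
        ip = ".".join(str(b) for b in bytes.fromhex(rem_ip_hex)[::-1])
        table[int(fields[9])] = (ip, int(rem_port_hex, 16))
    return table


def classify(exe_path, fd_targets, tcp_table):
    """Return (remote_ip, remote_port) if exe is a shell with a socket on fd 0/1/2, else None.

    An inode missing from tcp_table (tcp6/unix/udp) yields ('', 0): still a hit, peer unknown.
    """
    if os.path.basename(exe_path) not in SHELL_NAMES:
        return None
    for fd in (0, 1, 2):
        match = _SOCKET_RE.match(fd_targets.get(fd, ""))
        if match:
            return tcp_table.get(int(match.group(1)), ("", 0))
    return None


def scan_proc(proc_root="/proc"):
    """Live scan; needs root to read other users' fd links. Output uses the page's pid | path | remote_address | remote_port form."""
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
        with open(os.path.join(proc_root, "net", "tcp")) as fh:
            tcp_table = parse_proc_net_tcp(fh.read())
    except OSError:
        return []                                       # not Linux, or /proc unreadable
    hits = []
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue                                    # kernel thread, exited, or not permitted
        fds = {}
        for fd in (0, 1, 2):
            try:
                fds[fd] = os.readlink(os.path.join(base, "fd", str(fd)))
            except OSError:
                pass
        verdict = classify(exe, fds, tcp_table)
        if verdict is not None:
            hits.append(f"{pid} | {exe} | {verdict[0]} | {verdict[1]}")
    return hits


# Constructed /proc/net/tcp excerpt: a local resolver listener (no peer) and an established
# connection whose peer is 192.168.0.10:4433 (hex C0A8000A stored little-endian, port 0x1151).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0501000A:B4E2 0A00A8C0:1151 01 00000000:00000000 00:00000000 00000000  1000        0 98765 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for hit in scan_proc():
        print("Possible reverse shell on system process (pid | path | remote_address | remote_port):", hit)
```

A shell driven by sshd or a terminal has /dev/pts/N on its standard descriptors, so it never matches; the remote address this returns is the peer to check against your reputation lists, and the pid is the one whose children you then inspect.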
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Malware often runs from user-writable space. This query limits the search to the temp directory and inspects command lines for tools commonly used for lateral movement or reconnaissance of the environment.
Recommendation: Investigate the binary to determine if it is legitimate execution. Consider isolating the instance for further investigation.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1059
- Tactic: Execution
- Technique or Subtechnique: Command and Scripting Interpreter (T1059)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Detects processes attempting to masquerade as legitimate Windows processes via incorrect paths. For example:
Process masquerading as legitimate windows process explorer.exe at path(s): c:\users\opc\downloads\new folder\explorer\bin\debug\explorer.exe
Recommendation: Gather the hash of the file and determine whether it is a known bad binary. Determine whether the masquerading binary attempts to call or execute other files on the system.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1574.009
- Tactic: Persistence
- Technique or Subtechnique: Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009)
This rule is present in the following recipes:
- OCI Instance Security Detector Recipe—Enterprise (Oracle managed)
- OCI Instance Security Detector Recipe (Oracle managed)
OS: Linux/Windows
Description: Detects processes that are listening for network connections. For example:
Disallowed open ports: {"scannedIps":[{"hostIp":"127.0.0.53","ports":[{"port":"53","type":null,"process":"systemd-resolve : /lib/systemd/systemd-resolved","family":"ipv4","protocol":"tcp"}
Recommendation: Review whether these ports should be open on this host, and close them if they're not required to be open.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: CRITICAL
- Labels: MITRE_T1505.003
- Tactic: Persistence
- Technique or Subtechnique: Server Software Component: Web Shell (T1505.003)
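Reviewing this problem's detail, and applying the allowed/disallowed precedence documented for the VSS open-ports rule earlier on this page (a port on both lists is still reported), can be scripted. The following is an added example rather than Cloud Guard code: it decodes a "Disallowed open ports: {...}" payload in the shape shown above, applies the two lists with disallowed winning, and marks loopback-only listeners so they can be deprioritised; the report, process names and port lists are constructed.

```python
"""Triage the 'Disallowed open ports' problem detail (added example, not Oracle's code).

Payload shape follows the sample in the rule description:
{"scannedIps": [{"hostIp": ..., "ports": [{"port": ..., "process": ..., "family": ..., "protocol": ...}]}]}
"""
import ipaddress
import json


def parse_problem_text(text):
    """Strip the 'Disallowed open ports: ' prefix and decode the JSON payload."""
    _, _, payload = text.partition(": ")
    return json.loads(payload)


def triage_open_ports(report, allowed=(), disallowed=()):
    """Return one finding per listener that is still a problem after applying the lists.

    - port in the disallowed list: flagged, even if it is also in the allowed list
    - port only in the allowed list: suppressed
    - port in neither list: flagged as 'unlisted' for review
    """
    allowed = {int(p) for p in allowed}
    disallowed = {int(p) for p in disallowed}
    findings = []
    for host in report.get("scannedIps", []):
        ip = host.get("hostIp", "")
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False                  # empty or non-IP host field
        for entry in host.get("ports", []):
            port = int(entry["port"])
            if port in disallowed:
                verdict = "disallowed"
            elif port in allowed:
                continue
            else:
                verdict = "unlisted"
            findings.append({
                "hostIp": ip,
                "port": port,
                "protocol": entry.get("protocol"),
                "process": entry.get("process"),
                "verdict": verdict,
                # a loopback-only listener isn't reachable from the network; keep it but rank it lower
                "scope": "loopback" if loopback else "network",
            })
    return findings


# Constructed report: resolver on loopback, sshd, a netcat listener in /tmp, an ad-hoc python server, nginx.
SAMPLE_REPORT = {"scannedIps": [
    {"hostIp": "127.0.0.53", "ports": [
        {"port": "53", "type": None, "process": "systemd-resolve : /lib/systemd/systemd-resolved",
         "family": "ipv4", "protocol": "tcp"}]},
    {"hostIp": "0.0.0.0", "ports": [
        {"port": "22", "type": None, "process": "sshd : /usr/sbin/sshd", "family": "ipv4", "protocol": "tcp"},
        {"port": "4444", "type": None, "process": "nc : /tmp/.x/nc", "family": "ipv4", "protocol": "tcp"},
        {"port": "8080", "type": None, "process": "python3 : /usr/bin/python3", "family": "ipv4", "protocol": "tcp"}]},
    {"hostIp": "10.0.1.5", "ports": [
        {"port": "443", "type": None, "process": "nginx : /usr/sbin/nginx", "family": "ipv4", "protocol": "tcp"}]},
]}
SAMPLE_TEXT = "Disallowed open ports: " + json.dumps(SAMPLE_REPORT)
ALLOWED = [22, 53, 443]
DISALLOWED = [22, 4444]          # 22 is on both lists: disallowed takes precedence

if __name__ == "__main__":
    for finding in triage_open_ports(parse_problem_text(SAMPLE_TEXT), ALLOWED, DISALLOWED):
        print(finding)
```

With the constructed lists the resolver and nginx are suppressed, port 22 is still reported because it is also disallowed, 4444 is reported as disallowed, and 8080 surfaces as unlisted for the host owner to justify.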
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Looks for PuTTY running in listening mode, which can be used to create an SSH tunnel.
Recommendation: Gather the list of IP addresses that are connecting to the PuTTY process and investigate any that look suspicious.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1572
- Tactic: Command and Control
- Technique or Subtechnique: Protocol Tunneling (T1572)
This rule is present in the following recipes:
- OCI Instance Security Detector Recipe—Enterprise (Oracle managed)
- OCI Instance Security Detector Recipe (Oracle managed)
OS: Linux
Description: Scans compute instances to identify known cybersecurity vulnerabilities in applications, libraries, operating systems, and services. This detector reports problems when the service finds that an instance has one or more vulnerabilities at the configured CVE severity level or higher. Vulnerabilities with a CVE severity below the level you selected don't get a Cloud Guard problem, but they are reflected in the aggregated problems shown on the Cloud Guard Resources page.
- This rule can help you quickly correct vulnerabilities and exposures, but the service isn't a Payment Card Industry (PCI) compliant scanner. Don't use it to meet PCI compliance requirements.
- We don't recommend using this rule to identify issues in Virtual Machine DB Systems and then modifying the OS to address each issue. Instead, follow the instructions at Updating a DB System to apply the latest security updates to the OS.
- This rule currently scans for vulnerabilities in RPM and Debian packages only.
Recommendation: Review the vulnerabilities found and prioritize them. Take remediation or mitigation steps appropriate for the vulnerability.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: CRITICAL
- Labels: Instance Security
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Linux
Description: Looks for PuTTY launched from a Linux built-in terminal command in listening mode to create an SSH tunnel.
Recommendation: Gather the list of IP addresses that are connecting to the PuTTY process and investigate any that look suspicious.
Where possible, only permit signed scripts to run. Use application control where appropriate.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1572
- Tactic: Command and Control
- Technique or Subtechnique: Protocol Tunneling (T1572)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Linux
Description: Malware can use cron jobs to re-run a backdoor on a periodic schedule.
Recommendation: Investigate the binary to determine if it is legitimate execution. Consider isolating the instance for further investigation.
Where possible, only permit signed scripts to run. Use application control where appropriate.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MEDIUM
- Labels: MITRE_T1547
- Tactic: Persistence
- Technique or Subtechnique: Boot or Logon Autostart Execution (T1547)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Malware can use a scheduled task running from the temp folder to run a backdoor again on restart.
Recommendation: Investigate the binary to determine if it is legitimate execution. Consider isolating the instance for further investigation.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1053
- Tactic: Execution
- Technique or Subtechnique: Scheduled Task/Job (T1053)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: This detection looks for suspicious windows services running from the temp folder which can be a common mechanism used by malware to ensure the backdoor runs on a periodic schedule.
Recommendation: Investigate the binary to determine if it is legitimate execution. Consider isolating the instance for further investigation.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: HIGH
- Labels: MITRE_T1547
- Tactic: Persistence
- Technique or Subtechnique: Boot or Logon Autostart Execution (T1547)
This rule is present in the OCI Instance Security Detector Recipe—Enterprise (Oracle managed) recipe.
OS: Windows
Description: Malware can use a startup entry to run a backdoor again on restart.
Recommendation: Investigate the binary to determine if it is legitimate execution. Consider isolating the instance for further investigation.
Rule Parameters:
- Service Type: Compute
- Resource Type: Instance
- Risk Level: MEDIUM
- Labels: MITRE_T1547
- Tactic: Persistence
- Technique or Subtechnique: Boot or Logon Autostart Execution (T1547)
Reference material for the Oracle-managed threat detector recipe that Cloud Guard provides.
Expand a Rule Display Name to view the details. Expand the "Sighting Type Reference" at the end to view technical information about the different sighting types that feed into OCI Threat Detector processing.
Description: Alert when a user has performed activities that generate a risk score above the problem threshold, which could indicate a compromised account or an insider threat. Adversaries can use brute force techniques to gain access to accounts when passwords are unknown. Users could also abuse their assigned privileges and perform tasks well beyond business requirements, which can be detrimental to the organization.
Recommendation: Consider temporarily disabling the account while you investigate the activity, and require a password reset if the user doesn't recognize the activity.
Background: A user's risk score that exceeds the problem threshold could indicate a compromised account or a disgruntled employee.
Rule Parameters: This rule has no parameters that you can modify.
- Not applicable
- Leave default settings.
Review details of how sighting type data is derived and how it enters into calculation of risk score and security score.
For all sighting types, more detailed information can be available from the reported problem, through a link that accesses the Threat Intelligence Service. This link requires a policy to be in place that grants the user permission:
... to read threat-intel-family in tenancy
Description: Adversaries could perform privileged activities that are beyond the users' day-to-day responsibilities or privileges could have been overprovisioned.
- Tactic: Privilege Escalation
- Technique or Subtechnique: Valid Accounts: Cloud Account (T1078.004)
- OCI audit events
- IP address reputation
Learning Period: Cloud Guard takes 90 days to learn a new user's activity pattern, before starting to identify privilege escalation sightings.
Severity and Confidence: Cloud Guard assigns both the severity and confidence levels, based on factors like these:
- Is the requested permission the new highest permission for the service in the last few weeks?
- Did the request originate from a suspicious IP address or a new geographical location?
- Was a new user-agent used?
- Was the user dormant for at least seven days before the request?
- Was the request made through a TOR exit node, a public proxy, or an anonymous VPN?
The more factors such as these are involved, the higher the severity and confidence levels that are assigned.
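As an added illustration (not Cloud Guard's own code), this scores one request against a per-user baseline using the five factors listed above; the baseline shape, the factor-count-to-severity banding, and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline a learning period might have produced for one user
# (hypothetical shape; not Cloud Guard's internal model).
BASELINE = {
    "alice": {
        "max_perm": {"objectstorage": 2},        # highest verb rank seen per service
        "countries": {"US"},
        "user_agents": {"oci-cli/3.2"},
        "last_seen": datetime(2024, 5, 1),
    }
}
PERM_RANK = {"inspect": 1, "read": 2, "use": 3, "manage": 4}  # OCI policy verbs, least to most permissive
ANONYMIZERS = {"tor", "proxy", "vpn"}           # IP reputation tags the text calls out
SEVERITY_BY_FACTOR_COUNT = ["LOW", "LOW", "MEDIUM", "HIGH", "HIGH", "CRITICAL"]  # assumed banding

def evaluate_request(user, event, baseline=BASELINE):
    """Check one request against the user's baseline.
    Returns (factors hit, severity); more factors hit means higher severity."""
    b = baseline[user]
    hits = []
    svc = event["service"]
    if PERM_RANK[event["verb"]] > b["max_perm"].get(svc, 0):
        hits.append("new_highest_permission_for_service")
    if event["ip_reputation"] == "suspicious" or event["country"] not in b["countries"]:
        hits.append("suspicious_ip_or_new_location")
    if event["user_agent"] not in b["user_agents"]:
        hits.append("new_user_agent")
    if event["time"] - b["last_seen"] >= timedelta(days=7):
        hits.append("dormant_at_least_7_days")
    if event["ip_tags"] & ANONYMIZERS:
        hits.append("tor_proxy_or_anonymous_vpn")
    return hits, SEVERITY_BY_FACTOR_COUNT[len(hits)]

# Constructed audit-derived events: one benign request and one that hits every factor.
BENIGN = {"service": "objectstorage", "verb": "read", "country": "US", "user_agent": "oci-cli/3.2",
          "ip_reputation": "clean", "ip_tags": set(), "time": datetime(2024, 5, 2)}
SUSPECT = {"service": "objectstorage", "verb": "manage", "country": "RU", "user_agent": "curl/8.0",
           "ip_reputation": "suspicious", "ip_tags": {"tor"}, "time": datetime(2024, 5, 20)}
```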
Description: Abnormal creation of pre-authenticated requests (PARs). PARs provide a way to let users access a private bucket or an object without having their own credentials, which could help an attacker exfiltrate data without going through a command and control channel.
- Tactic: Exfiltration
- Technique or Subtechnique: Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
- OCI audit events
Learning Period: If the PARs are not spaced out in time, Cloud Guard can start detecting abnormal PAR creation within a few hours of the start of this type of attack. The more the PARs are spaced out in time, the longer detection takes.
Severity: Cloud Guard assigns the severity level based on the duration, quantity, and type of the PARs. The longer the duration and higher the quantity of PARs, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based on the patterns of PAR-related activity detected. The more suspicious the pattern of PAR-related activity, the higher the confidence level that's assigned.
Description: Adversaries might exploit acquired privileges to disable defensive mechanisms such as cloud security tools, virtual cloud networks (VCN) security lists, and data backup.
- Tactic: Defense Evasion
- Technique or Subtechnique: Impair Defenses: Disable or Modify Tools (T1562.001)
- OCI audit events
Learning Period: Cloud Guard starts detecting impair-defenses activity within a few hours of the start of this type of attack.
Severity: Cloud Guard assigns the severity level based on the request status of the impair-defenses-related APIs and the impacted service type. The more security-related services that are impacted, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based on the patterns of impair-defenses activity detected. The more instances of suspicious activity that occurred, and the more suspicious the pattern of impair-defenses-related activity is, the higher the confidence level that's assigned.
Description: Adversaries could obtain and abuse credentials for a cloud account, providing access to restricted resources. One way to detect illegitimate use of legitimate credentials is to identify access by the same account from different geographic locations, when the time period between accesses is too short to be physically possible.
- Tactic: Initial Access (TA0001)
- Technique or Subtechnique: Valid Accounts: Cloud Account (T1078.004)
- IP addresses
Note: To qualify as impossible travel, the two accesses by the account must be from IP addresses that are:
- Originating from different countries.
- Not listed as trusted.
A machine learning algorithm ignores obvious false positives that appear to be instances of impossible travel, such as VPNs and locations regularly used by other users in the organization.
Learning Period: Cloud Guard takes seven days to learn a new user's activity pattern, before starting to compare IP addresses in successive accesses.
Severity: Cloud Guard assigns the severity level based on the observed IAM privilege level of the targeted user. The broader the user's privileges within your environment, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based primarily on the patterns detected in the time and distance between sequential accesses. The shorter the time vs. the distance, the higher the confidence level that's assigned. Cloud Guard also factors in differences in patterns of privilege usage: the more the current pattern of privileges used diverges from past patterns, the higher the confidence level that's assigned.
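The qualification rules and the time-versus-distance confidence idea above, as an added example that is not Cloud Guard's implementation: the trusted-IP list, the speed threshold, the confidence bands and the sample accesses are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

TRUSTED_IPS = {"203.0.113.10"}      # constructed: corporate egress, never flagged
MAX_PLAUSIBLE_KMH = 1000.0          # assumption: faster than airline travel is impossible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(prev, cur):
    """Evaluate two successive accesses by one account (dicts with ip, country,
    lat, lon, time). Returns (flagged, confidence)."""
    if prev["country"] == cur["country"]:
        return False, None          # same country never qualifies
    if prev["ip"] in TRUSTED_IPS or cur["ip"] in TRUSTED_IPS:
        return False, None          # trusted addresses are excluded
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:
        return True, "HIGH"         # simultaneous accesses from two countries
    speed = km / hours
    if speed <= MAX_PLAUSIBLE_KMH:
        return False, None
    # Assumed banding: the shorter the time relative to distance, the higher the confidence.
    confidence = "HIGH" if speed >= 5000 else "MEDIUM" if speed >= 2000 else "LOW"
    return True, confidence

def scan(accesses):
    """Walk a list of accesses in time order; return [(index, confidence)] for hits."""
    ordered = sorted(accesses, key=lambda a: a["time"])
    hits = []
    for i in range(1, len(ordered)):
        flagged, conf = impossible_travel(ordered[i - 1], ordered[i])
        if flagged:
            hits.append((i, conf))
    return hits

# Constructed sample: New York, then Moscow two hours later, both from untrusted addresses.
SAMPLE = [
    {"ip": "198.51.100.7", "country": "US", "lat": 40.71, "lon": -74.01, "time": datetime(2024, 5, 20, 9, 0)},
    {"ip": "192.0.2.44", "country": "RU", "lat": 55.75, "lon": 37.62, "time": datetime(2024, 5, 20, 11, 0)},
    {"ip": "192.0.2.45", "country": "RU", "lat": 55.75, "lon": 37.62, "time": datetime(2024, 5, 20, 15, 0)},
]
```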
Description: In a brute force attack against a single user, adversaries with no prior knowledge of legitimate credentials guess passwords to attempt access to an account. Without knowledge of the password for an account, an adversary can try to systematically guess the password using a repetitive, iterative mechanism, or using a list of common passwords. If the attacker's automated process has a sufficient built-in wait time between failed authentication attempts, it doesn't cause account lockout.
- Tactic: Credential Access
- Technique or Subtechnique: Brute Force: Password Guessing (T1110.001)
- Login events
- IP address reputation
- Password change logs
Learning Period: Cloud Guard starts detecting password guessing within a few hours of the start of this type of attack.
Severity: Cloud Guard assigns the severity level based on the observed IAM privilege level of the targeted user. The broader the user's privileges within your environment, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based on the patterns of suspicious activity detected. The more instances of suspicious activity that occurred, and the more suspicious the individual instances are, the higher the confidence level that's assigned.
Description: In a brute force attack against multiple users, adversaries with no prior knowledge of legitimate credentials guess passwords to try to gain access to accounts. Adversaries could use a single password or a small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Logins are attempted against many different accounts to avoid the lockouts that would normally occur when brute forcing a single account with many passwords.
- Tactic: Credential Access
- Technique or Subtechnique: Brute Force: Password Spraying (T1110.003)
- Login events
- IP address reputation
- Password change logs
Learning Period: Cloud Guard starts detecting password spraying within a few hours of the start of this type of attack.
Severity: Cloud Guard assigns the severity level based on the observed IAM privilege level of the targeted user. The broader the user's privileges within your environment, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based on the patterns of suspicious activity detected. The more instances of suspicious activity that occurred, and the more suspicious the individual instances are, the higher the confidence level that's assigned.
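One way to tell the two brute-force sighting types above apart from login-failure data, as an added example that is not Cloud Guard's detector: the records, window and thresholds are constructed assumptions, and the window is kept long so that attempts spaced out to stay under a lockout limit are still counted together.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-failure records (timestamp, source IP, target user); not real OCI output.
FAILED_LOGINS = [
    ("2024-05-20T09:00:00", "192.0.2.10", "alice"),
    ("2024-05-20T09:10:00", "192.0.2.10", "alice"),
    ("2024-05-20T09:20:00", "192.0.2.10", "alice"),
    ("2024-05-20T09:30:00", "192.0.2.10", "alice"),
    ("2024-05-20T09:40:00", "192.0.2.10", "alice"),
    ("2024-05-20T09:50:00", "192.0.2.10", "alice"),
    ("2024-05-20T10:00:00", "198.51.100.5", "bob"),
    ("2024-05-20T10:00:05", "198.51.100.5", "carol"),
    ("2024-05-20T10:00:10", "198.51.100.5", "dave"),
    ("2024-05-20T10:00:15", "198.51.100.5", "erin"),
    ("2024-05-20T10:00:20", "198.51.100.5", "frank"),
    ("2024-05-20T11:30:00", "203.0.113.9", "alice"),   # isolated failure, benign
]

# Assumed thresholds. A window of hours rather than minutes is what makes slow,
# lockout-avoiding guessing visible; a lockout counter alone resets too soon.
WINDOW = timedelta(hours=2)
GUESSING_MIN_FAILURES = 5      # failures against one user from one source
SPRAYING_MIN_USERS = 5         # distinct users from one source, few failures each

def classify_sources(records, window=WINDOW):
    """Group failures per source IP in a sliding window and label the technique.
    Returns {source_ip: "password_guessing" | "password_spraying"}."""
    by_src = defaultdict(list)
    for ts, src, user in records:
        by_src[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [u for t, u in events[i:] if t - t0 <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if max(per_user.values()) >= GUESSING_MIN_FAILURES:
                findings[src] = "password_guessing"      # T1110.001
                break
            if len(per_user) >= SPRAYING_MIN_USERS:
                findings[src] = "password_spraying"      # T1110.003
                break
    return findings
```

Shrinking the window to seconds makes the spaced-out guessing disappear, which is the point the learning-period and lockout remarks above make.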
Description: Adversaries might add an adversary-controlled API key to maintain persistent access to victim accounts and instances.
- Tactic: Persistence
- Technique or Subtechnique: Account Manipulation: Additional Cloud Credentials
- IP address reputation
- OCI audit events
Learning Period: Cloud Guard starts detecting persistence within a few days of the start of this type of attack.
Severity: Cloud Guard assigns the severity level based on the observed IAM privilege level of the victim user. The broader the user's privileges within your environment, the higher the severity level that's assigned.
Confidence: Cloud Guard assigns the confidence level based on the patterns of persistence activity detected. The more instances of suspicious activity that occurred, and the more suspicious the pattern of persistence-related activity is, the higher the confidence level that's assigned.