lacework-global-682

2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 (Automated)

Description

Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. Best practices recommend that no security list allows unrestricted ingress access to port 22.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and hit enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)

  6. For each security list in the returned results, click the security list name.

  7. Either edit the ingress rule to be more restrictive, delete the ingress rule or click the Virtual Cloud Network (VCN) and terminate the security list as appropriate.

From CLI:

  1. Execute the following command:

    oci search resource structured-search --query-text "query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 22)"

  2. For each of the security lists identified, execute the following command:

    oci network security-list get --security-list-id <security list id>

  3. Then either:

    Update the security list by copying the ingress-security-rules element from the JSON returned by the preceding command, edit it appropriately and use it in the following command:

    oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'

    OR

    Delete the security list with the following command:

    oci network security-list delete --security-list-id <security list id>
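The CLI steps above leave the "edit it appropriately" part to the operator. The following script, added here as a worked example and not part of the Lacework or OCI documentation, takes a security-list document in the shape returned by `oci network security-list get`, reports the ingress rules that expose TCP/22 to 0.0.0.0/0, and emits the trimmed `ingress-security-rules` array to pass to `oci network security-list update`. It goes beyond the exact-match query on this page in two ways a reviewer would want: a destination port range that merely contains 22 (for example 1-1024) is flagged, as is a rule with protocol `all` or a TCP rule with no `tcp-options`, since both admit port 22 without ever stating it. The sample document, its OCID and its display name are constructed for illustration; the key names follow the kebab-case JSON the OCI CLI prints.

```python
"""Audit an OCI security-list JSON document for ingress rules that expose
TCP/22 to 0.0.0.0/0 and produce a remediated ingress-security-rules array.

Added example, not Lacework or OCI code. Key names follow the kebab-case
JSON printed by `oci network security-list get`.
"""
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample document (not a real tenancy): an exact TCP/22 rule,
# a broad range that contains 22, a protocol "all" rule, a rule limited to a
# private CIDR, and an unrelated HTTPS rule.
SAMPLE_SECURITY_LIST = json.dumps({
    "data": {
        "id": "ocid1.securitylist.oc1..EXAMPLE",
        "display-name": "Default Security List (constructed)",
        "ingress-security-rules": [
            {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "6",
             "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
            {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "6",
             "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 1, "max": 1024}}},
            {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "all",
             "is-stateless": False},
            {"source": "10.0.0.0/8", "source-type": "CIDR_BLOCK", "protocol": "6",
             "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
            {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "6",
             "is-stateless": False,
             "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
        ],
    }
})


def rule_exposes_port(rule: dict, port: int = SSH_PORT) -> bool:
    """True if an ingress rule admits TCP traffic to `port` from any IPv4 address.

    Broader than the page's console query: a containing port range, protocol
    "all", and TCP with no tcp-options (all ports) are all treated as exposure.
    """
    if rule.get("source") != ANY_IPV4:
        return False
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False
    protocol = str(rule.get("protocol", ""))
    if protocol == "all":
        return True
    if protocol != "6":  # OCI encodes TCP as the IANA number "6"
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if port_range is None:
        return True  # TCP rule without tcp-options allows every destination port
    return port_range["min"] <= port <= port_range["max"]


def _ingress_rules(security_list_json: str) -> list:
    return json.loads(security_list_json)["data"].get("ingress-security-rules", [])


def find_exposing_rules(security_list_json: str, port: int = SSH_PORT) -> list:
    """Ingress rules in the document that expose `port` to 0.0.0.0/0."""
    return [r for r in _ingress_rules(security_list_json) if rule_exposes_port(r, port)]


def remediated_ingress_rules(security_list_json: str, port: int = SSH_PORT) -> list:
    """The ingress rules with the offending ones removed: the value for
    `--ingress-security-rules` in `oci network security-list update`."""
    return [r for r in _ingress_rules(security_list_json) if not rule_exposes_port(r, port)]


if __name__ == "__main__":
    flagged = find_exposing_rules(SAMPLE_SECURITY_LIST)
    print(f"{len(flagged)} ingress rule(s) expose TCP/{SSH_PORT} to {ANY_IPV4}:")
    for rule in flagged:
        print("  ", json.dumps(rule))
    print("Remediated --ingress-security-rules value:")
    print(json.dumps(remediated_ingress_rules(SAMPLE_SECURITY_LIST)))
```

Feed it real output by replacing `SAMPLE_SECURITY_LIST` with the text of `oci network security-list get --security-list-id <security list id>`; review the printed array before passing it to the update command, since dropping a rule outright is only one of the two remediation options the page gives (narrowing the source CIDR is the other).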

Impact:

When updating an existing environment, take care that administrators who currently rely on an existing ingress rule from 0.0.0.0/0 still have access to ports 22 and/or 3389 through another network security group or security list.