lacework-global-717

Instance is running an Oracle public image (Manual)

Description

Alert when running a Compute instance built from an Oracle public image.

Remediation

There is currently no way to determine from the OCI Console or CLI alone whether a running instance was built from a trusted source. Use the steps below together with the OCI documentation: the steps enumerate each running instance's image OCID, and the documentation lists the OCIDs of Oracle public images to compare against.

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and hit enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query instance resources where lifeCycleState = 'RUNNING'

  6. For each of the instances in the returned results, click the instance name.

  7. Click Image under the Instance details.

  8. Terminate Compute instances that are running with an image Oracle Cloud Identifier (OCID) contained within OCI's documentation (https://docs.oracle.com/en-us/iaas/images/).

From CLI:

  1. Execute the following command (it prints the image OCID of every instance in every compartment and region the CLI user can reach):

    for region in $(oci iam region list | jq -r '.data[] | .name')
    do
      echo "Enumerating region $region"
      for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
      do
        echo "Enumerating compartment $compid"
        # Collect the image OCID of each instance in this compartment and region
        output=$(oci compute instance list --compartment-id "$compid" --region "$region" 2>/dev/null | jq -r '.data[] | ."image-id"')
        if [ -n "$output" ]; then echo "$output"; fi
      done
    done

  2. Terminate Compute instances that are running with an image OCID contained within OCI's documentation (https://docs.oracle.com/en-us/iaas/images/).
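The comparison the CLI procedure leaves to the reader, as an added example that is not Lacework's or Oracle's code: it reads the JSON that `oci compute instance list` prints (saved to a file, or embedded here as a constructed sample), keeps only RUNNING instances, and reports those whose image OCID is in a set copied from the OCI public images documentation. The OCIDs below are constructed placeholders; populate the set from https://docs.oracle.com/en-us/iaas/images/ in practice.

```python
import json

# Placeholder OCIDs standing in for the Oracle public image OCIDs listed in the OCI
# documentation. These are constructed values, not real image identifiers.
ORACLE_PUBLIC_IMAGE_OCIDS = {
    "ocid1.image.oc1..placeholder-oracle-linux-8",
    "ocid1.image.oc1..placeholder-ubuntu-22-04",
}

# Constructed sample in the shape of `oci compute instance list` output.
# Newer instances carry the image OCID under "source-details" rather than
# the top-level "image-id" key, so the sample includes both shapes.
SAMPLE_INSTANCE_LIST = json.dumps({
    "data": [
        {"id": "ocid1.instance.oc1..placeholder-web-1", "display-name": "web-1",
         "lifecycle-state": "RUNNING",
         "image-id": "ocid1.image.oc1..placeholder-oracle-linux-8"},
        {"id": "ocid1.instance.oc1..placeholder-db-1", "display-name": "db-1",
         "lifecycle-state": "RUNNING",
         "image-id": "ocid1.image.oc1..placeholder-custom-hardened"},
        {"id": "ocid1.instance.oc1..placeholder-api-1", "display-name": "api-1",
         "lifecycle-state": "RUNNING", "image-id": None,
         "source-details": {"source-type": "image",
                            "image-id": "ocid1.image.oc1..placeholder-ubuntu-22-04"}},
        {"id": "ocid1.instance.oc1..placeholder-old-1", "display-name": "old-1",
         "lifecycle-state": "TERMINATED",
         "image-id": "ocid1.image.oc1..placeholder-ubuntu-22-04"},
    ]
})


def image_ocid(instance):
    """Return the image OCID of an instance record, falling back to source-details."""
    return instance.get("image-id") or (instance.get("source-details") or {}).get("image-id")


def find_public_image_instances(instance_list_json, public_image_ocids):
    """Return (instance OCID, display name, image OCID) for each RUNNING instance
    whose image OCID is in the set of Oracle public image OCIDs."""
    findings = []
    for inst in json.loads(instance_list_json).get("data", []):
        if inst.get("lifecycle-state") != "RUNNING":
            continue  # the policy only concerns running instances
        image = image_ocid(inst)
        if image in public_image_ocids:
            findings.append((inst["id"], inst.get("display-name", ""), image))
    return findings


if __name__ == "__main__":
    for inst_id, name, image in find_public_image_instances(SAMPLE_INSTANCE_LIST, ORACLE_PUBLIC_IMAGE_OCIDS):
        print(f"{name} ({inst_id}) is running Oracle public image {image}")
```

Run it once per compartment and region against the saved CLI output; each line printed is an instance this policy would alert on.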

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__INSTANCE_RUNNING_OPC
https://docs.oracle.com/en-us/iaas/images/
https://docs.oracle.com/en-us/iaas/Content/Compute/References/images.htm