OCI CSPM

Overview

Using this feature you can run CIS benchmark tests (v1.2.0) against your Oracle Cloud Infrastructure (OCI) subscription. This includes the CIS level 1 and level 2 checks for OCI as specified here: https://www.cisecurity.org/benchmark/oracle_cloud

Pre-requisites

Please set up the OCI SDK and CLI as described here. By default, twigs reads the configuration file at “~/.oci/config” and uses the DEFAULT profile in it. You can specify a custom configuration file location and profile name on the twigs command-line.

The user specified in the OCI configuration file needs the read/view permissions listed below for Oracle Cloud resources. It is recommended to create an “Auditor-Group”, add the user as a member of it, and grant the group the following policy statements.

allow group Auditor-Group to inspect all-resources in tenancy
allow group Auditor-Group to read instances in tenancy
allow group Auditor-Group to read load-balancers in tenancy
allow group Auditor-Group to read buckets in tenancy
allow group Auditor-Group to read nat-gateways in tenancy
allow group Auditor-Group to read public-ips in tenancy
allow group Auditor-Group to read file-family in tenancy
allow group Auditor-Group to read instance-configurations in tenancy
allow group Auditor-Group to read network-security-groups in tenancy
allow group Auditor-Group to read resource-availability in tenancy
allow group Auditor-Group to read audit-events in tenancy
allow group Auditor-Group to read users in tenancy
allow group Auditor-Group to use cloud-shell in tenancy
allow group Auditor-Group to read vss-family in tenancy
allow group Auditor-Group to read usage-budgets in tenancy
allow group Auditor-Group to read usage-reports in tenancy
allow group Auditor-Group to read data-safe-family in tenancy
allow group Auditor-Group to read vaults in tenancy
allow group Auditor-Group to read keys in tenancy
allow group Auditor-Group to read tag-namespaces in tenancy
allow group Auditor-Group to use ons-family in tenancy where any {request.operation!=/Create/, request.operation!=/Update/, request.operation!=/Delete/, request.operation!=/Change/}

Note: Access to audit retention requires the user to be a member of the Administrator group; the only recommendation affected is CIS recommendation 3.1.

Steps involved

  • Open a new shell / terminal.
  • You can run the command: twigs oci_ci --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET [--config_file CONFIG_FILE] [--config_profile CONFIG_PROFILE]
  • The asset id is mandatory. Use a unique identifier for your OCI cloud instance as the asset.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered OCI instance as an asset, along with the results of the CIS benchmark tests.
  • You can specify a custom configuration file location (CONFIG_FILE) and profile name (CONFIG_PROFILE) on the twigs command-line.
  • If you do not wish to run Oracle Best Practice checks, include the “--no_obp” switch as follows: twigs oci_ci --assetid UNIQUE_ASSET_ID --assetname NAME_LABEL_FOR_ASSET --no_obp
  • Twigs will automatically mark as resolved any issues discovered in a previous run that have since been fixed.

Example

$ twigs oci_ci --assetid prod_oci_cis --assetname "Production OCI CIS"

Run CIS benchmark checks (CSPM) for your OCI Cloud environment. Note you need to configure OCI SDK and CLI first.

$ twigs oci_ci --assetid prod_oci_cis --assetname "Production OCI CIS" --no_obp

Run CIS benchmark checks (CSPM) for your OCI Cloud environment, but do not run “Oracle Best Practice” checks.
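Because twigs depends on the OCI configuration file and profile described under Pre-requisites and selected with --config_file / --config_profile above, a pre-flight check of that file catches most failed runs early. The script below is an added example, not part of twigs or the OCI SDK; the function names, message wording and the treatment of a ~/ prefix in key_file are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the OCI configuration twigs reads (~/.oci/config, profile
# DEFAULT unless overridden). Added example: the function names and message
# format are assumptions, not part of twigs or the OCI SDK.

# Print the value of KEY from section [PROFILE] of CONFIG_FILE (empty if absent).
oci_config_get() {
    awk -v profile="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_section = ($0 == "[" profile "]"); next }
        in_section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Check that PROFILE in CONFIG_FILE carries every field the OCI SDK requires and
# that the API signing key exists and is readable only by its owner.
# Prints one line per problem; returns 0 when everything passes, 1 otherwise.
oci_preflight() {
    cfg="${1:-$HOME/.oci/config}"
    profile="${2:-DEFAULT}"
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "config file not readable: $cfg"; return 1
    fi
    if ! grep -q "^[[:space:]]*\[$profile\]" "$cfg"; then
        echo "profile [$profile] not found in $cfg"; return 1
    fi
    for key in user tenancy fingerprint region key_file; do
        if [ -z "$(oci_config_get "$cfg" "$profile" "$key")" ]; then
            echo "missing '$key' in [$profile]"; rc=1
        fi
    done
    key_file=$(oci_config_get "$cfg" "$profile" key_file)
    # The OCI CLI writes key_file as ~/.oci/...; expand the tilde ourselves.
    case "$key_file" in "~/"*) key_file="$HOME/${key_file#\~/}" ;; esac
    if [ -n "$key_file" ]; then
        if [ ! -f "$key_file" ]; then
            echo "key_file not found: $key_file"; rc=1
        elif [ "$(ls -l "$key_file" | cut -c5-10)" != "------" ]; then
            echo "key_file is readable by group/others (chmod 600): $key_file"; rc=1
        fi
    fi
    return $rc
}

# Typical use before a scan, so a misconfigured profile fails here, not inside twigs:
#   oci_preflight ~/.oci/config DEFAULT && twigs oci_ci --assetid prod_oci_cis --assetname "Production OCI CIS"
```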