
Assess Oracle Cloud Infrastructure (OCI) Security with cnspec

Secure and enforce policy for Oracle Cloud Infrastructure (OCI)

Rely on cnspec to ensure your Oracle Cloud Infrastructure (OCI) environment follows recommended security and operational best practices, such as enforcing multi-factor authentication, verifying audit log retention, managing identity policies, and securing network and storage configurations.

Prerequisites

To test your OCI environment with cnspec, you must have:

Give cnspec access to your OCI environment

To scan your OCI tenancy, cnspec authenticates with the same API key and ~/.oci/config file that the OCI CLI and SDKs use. You generate a key pair in the OCI Console, download the private key, and create the config file so cnspec can authenticate with Oracle without prompting. Because the key carries the full API permissions of the user it belongs to, generate it for a dedicated user whose group policies grant only the read access cnspec needs, rather than for a tenancy administrator.

Step 1: Generate an API key

  1. In the top-right corner of the Oracle Cloud Infrastructure Console, select your profile icon and select My profile.


  2. Under Resources, select API keys.


  3. Select the Add API key button.


  4. Leave Generate API key pair selected and select the Download private key button.

  5. Create a new directory on your workstation, ~/.oci/, and move the downloaded private key file into it. Restrict the key file to your own user (on Linux and macOS, chmod 600 on the .pem file); the OCI CLI warns when a key or config file is readable by other users, and cnspec reads the same files.

Step 2: Create the config file

  1. Select the Add button. OCI generates a config file for you. Copy the contents of the Configuration file preview box.


  2. In the ~/.oci/ directory, create a file named config and paste the content you copied. Replace the key_file placeholder on the last line with the path to your private key file, and restrict the config file to your own user as well (chmod 600). The values below are sample values; yours differ.

    [DEFAULT]
    user=ocid1.user.oc1..aaaaaaaavixjk7guncl6q7jf663vyeygprgjtgg5yiesxpwx4i6m6r23xmna
    fingerprint=c9:1d:c8:e1:54:26:b7:82:2c:7d:b5:be:0a:62:b7:b8
    tenancy=ocid1.tenancy.oc1..aaaaaaaabnjfuyr73mmvv6ep7heu57576abelhju5ni333c6rrfqiu6q6joq
    region=us-ashburn-1
    key_file=/Users/stella/.oci/stella@lunalectric.com_2023-05-31T22_43_19.044Z.pem
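The following script is an added example, not part of cnspec or the OCI CLI. It sanity-checks a ~/.oci/config before pointing cnspec at it: the five keys the generated file contains are present, the user and tenancy values carry the OCID prefixes those resources use, the fingerprint has the aa:bb:...:ff form the Console shows, and neither the config nor the referenced private key is readable by group or other. The function and file names are ours; the config it reads is the one created in Step 2.

```shell
#!/bin/sh
# Added example: validate an OCI CLI config file and its private key before
# running cnspec. Not part of cnspec or the OCI CLI.
# Usage: sh check_oci_config.sh [path]   (defaults to ~/.oci/config)

errors=0

fail() {
    echo "FAIL: $*" >&2
    errors=$((errors + 1))
}

# Return 0 if the file has no group/other permission bits set.
# stat -c %a works on GNU and busybox, stat -f %Lp on BSD/macOS; both print
# the octal mode, so a private file ends in "00" (600, 400, 700, ...).
is_private_file() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Print the value of key $2 from config $1 (first match wins, which is the
# [DEFAULT] profile in a freshly generated file); surrounding spaces removed.
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

check_oci_config() {
    cfg="${1:-$HOME/.oci/config}"
    errors=0

    [ -f "$cfg" ] || { echo "FAIL: $cfg not found" >&2; return 1; }
    is_private_file "$cfg" || fail "$cfg is readable by group/other; run: chmod 600 $cfg"

    # The Console-generated config always carries these five keys.
    for key in user fingerprint tenancy region key_file; do
        [ -n "$(config_value "$cfg" "$key")" ] || fail "missing required key: $key"
    done

    # User and tenancy OCIDs start with fixed resource-type prefixes.
    case "$(config_value "$cfg" user)" in
        ocid1.user.oc1..*) ;; *) fail "user is not a user OCID" ;;
    esac
    case "$(config_value "$cfg" tenancy)" in
        ocid1.tenancy.oc1..*) ;; *) fail "tenancy is not a tenancy OCID" ;;
    esac

    # API key fingerprint: 16 colon-separated lowercase hex byte values.
    config_value "$cfg" fingerprint | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$' \
        || fail "fingerprint is not in aa:bb:...:ff form"

    key_file="$(config_value "$cfg" key_file)"
    if [ -n "$key_file" ]; then
        # Expand a leading ~ the way the OCI SDKs do.
        case "$key_file" in "~/"*) key_file="$HOME/${key_file#\~/}" ;; esac
        if [ -f "$key_file" ]; then
            is_private_file "$key_file" \
                || fail "$key_file is readable by group/other; run: chmod 600 $key_file"
            grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key_file" \
                || fail "$key_file is not a PEM private key"
        else
            fail "key_file $key_file does not exist"
        fi
    fi

    [ "$errors" -eq 0 ]
}

# Run the check when invoked directly; when sourced, call check_oci_config yourself.
case "$0" in *check_oci_config.sh) check_oci_config "$@" ;; esac
```

A non-zero exit with one FAIL line per problem is the intended interface, so the script can also run as a pre-step in the CI job that calls cnspec scan oci. It checks format and permissions only; it does not confirm that the fingerprint belongs to the key, which the first cnspec shell oci connection does for you.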

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell oci

If cnspec connects successfully and shows the cnspec> prompt, you're ready to scan. If it fails, check the region and key_file values in ~/.oci/config and the permissions on the key file.

Scan OCI

To scan your OCI tenancy:

cnspec scan oci

To scan using a specific policy:

cnspec scan oci --policy mondoohq/oracle-cloud-infrastructure-foundation-level-1

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure MFA is enabled for all users with a console password
✕ Fail:  Ensure audit log retention period is set to 365 days
✓ Pass:  Ensure default security list of every VCN restricts all traffic

At the end of the output, cnspec shows an overall score from 0 to 100 with a letter grade. 100 (A) means every check passed; the score drops as checks fail, with higher-impact checks weighing more. Failed checks include remediation guidance to help you fix issues.

To assess your OCI environment against industry benchmarks, enable the CIS Oracle Cloud Infrastructure Foundation Benchmark policy. It covers identity management, networking, logging, storage, and more. To learn how to enable policies, read Policy Hub. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your OCI environment:

cnspec shell oci

Below are some example checks you can run from the shell.

Ensure MFA is enabled for all users

cnspec> oci.identity.users.all( mfaActivated )
[failed] [].all()
  actual:   [
    0: oci.identity.user {
      name: "mwezi@lunalectric.com"
      mfaActivated: false
    }
    1: oci.identity.user {
      name: "stella@lunalectric.com"
      mfaActivated: false
    }
  ]

Ensure audit log retention is set to 365 days

cnspec> oci.tenancy.retentionPeriod == 365 * time.day
[ok] value: true

Ensure no Object Storage buckets are publicly accessible

cnspec> oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
[ok] value: true

Ensure Object Storage buckets have versioning enabled

cnspec> oci.objectStorage.buckets.all( versioning == "Enabled" )
[failed] [].all()
  actual:   [
    0: oci.objectStorage.bucket {
      name: "backup-data"
      versioning: "Disabled"
    }
  ]

List identity policies and their statements

cnspec> oci.identity.policies { name statements }
oci.identity.policies: [
  0: {
    name: "admin-policy"
    statements: ["Allow group Administrators to manage all-resources in tenancy"]
  }
]

Ensure Object Storage buckets have event notifications enabled

cnspec> oci.objectStorage.buckets.all( objectEventsEnabled == true )
[ok] value: true
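The checks above, assembled into a cnspec policy bundle that you can pass to --policy-bundle, together with the command to lint it and to fail a CI job when the score drops below a threshold. This is an added example, not a Mondoo policy or content from the page: the policy uid, author details and impact values are ours, and the asset.platform == "oci" filter is an assumption about how the tenancy asset reports its platform; adjust it if cnspec shell oci shows a different value for asset.platform.

```shell
#!/bin/sh
# Added example: package the MQL checks from this page as a cnspec policy
# bundle and gate a CI job on the resulting score. Not a Mondoo policy.
# Assumptions: asset.platform == "oci" for the tenancy asset; uids, names,
# author and impact values are ours.

# Write the bundle to the path given as $1 (conventionally *.mql.yaml).
write_oci_bundle() {
    cat > "$1" <<'EOF'
policies:
  - uid: custom-oci-baseline
    name: OCI baseline (custom)
    version: 1.0.0
    authors:
      - name: Security Engineering
        email: security@example.com
    groups:
      - title: Identity and audit
        filters: asset.platform == "oci"   # assumption: tenancy asset platform name
        checks:
          - uid: oci-iam-mfa-all-users
            title: Ensure MFA is enabled for all users
            impact: 90
            mql: oci.identity.users.all( mfaActivated )
            docs:
              remediation: Enable MFA for every listed user, or remove users that no longer need console access.
          - uid: oci-audit-retention-365
            title: Ensure audit log retention is set to 365 days
            impact: 70
            mql: oci.tenancy.retentionPeriod == 365 * time.day
      - title: Object Storage
        filters: asset.platform == "oci"
        checks:
          - uid: oci-bucket-no-public-access
            title: Ensure no Object Storage buckets are publicly accessible
            impact: 100
            mql: oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
          - uid: oci-bucket-versioning
            title: Ensure Object Storage buckets have versioning enabled
            impact: 50
            mql: oci.objectStorage.buckets.all( versioning == "Enabled" )
          - uid: oci-bucket-object-events
            title: Ensure Object Storage buckets have event notifications enabled
            impact: 40
            mql: oci.objectStorage.buckets.all( objectEventsEnabled == true )
EOF
}

# Count the check definitions in a bundle written by write_oci_bundle
# (relies on this bundle's oci- uid prefix; the policy uid does not match).
bundle_check_count() {
    grep -c '^ *- uid: oci-' "$1"
}

# Lint the bundle, then scan the tenancy with it. cnspec exits non-zero when
# the score is below the threshold, which fails the CI job.
scan_with_bundle() {
    bundle="$1"
    threshold="${2:-80}"
    cnspec bundle lint "$bundle" || return 1
    cnspec scan oci --policy-bundle "$bundle" --score-threshold "$threshold"
}

# Typical CI use:
#   write_oci_bundle oci-baseline.mql.yaml
#   scan_with_bundle oci-baseline.mql.yaml 80
```

Keep the bundle in version control next to the pipeline that runs it, so a change to a check's impact or MQL is reviewed like any other code change. The impact values decide how much a single failure lowers the score, so a public bucket (impact 100) alone should be enough to push the score under the threshold.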
