
Assess an OCI Tenancy

Assess the security and compliance of an OCI tenancy with cnspec.

Scan your OCI tenancy to find security risks before they become incidents. cnspec evaluates tenancy-level settings like user MFA enrollment, audit log retention periods, identity policy statements, VCN security lists, and Object Storage bucket access. All you need is your existing OCI CLI configuration.

Prerequisites

To test your OCI environment with cnspec, you must have:

Give cnspec access to your OCI environment

To scan your OCI tenancy, cnspec authenticates with the same OCI CLI configuration that the oci command-line tool uses. You download the private key of an API key pair and create a config file that points to it, so cnspec can authenticate with Oracle automatically.

Step 1: Generate an API key

  1. In the top-right corner of the Oracle Cloud Infrastructure Console, select your profile icon and select My profile.


  2. Under Resources, select API keys.


  3. Select the Add API key button.


  4. Leave Generate API key pair selected and select the Download private key button.

  5. Create a new directory on your workstation, ~/.oci/, and move the downloaded private key file into the new directory.

Step 2: Create the config file

  1. Select the Add button. OCI generates a config file for you. Copy the contents of the Configuration file preview box.


  2. In the ~/.oci/ directory, create a file named config and paste the content you copied. Replace the key_file placeholder on the last line with the path to your private key file.

    [DEFAULT]
    user=ocid1.user.oc1..aaaaaaaavixjk7guncl6q7jf663vyeygprgjtgg5yiesxpwx4i6m6r23xmna
    fingerprint=c9:1d:c8:e1:54:26:b7:82:2c:7d:b5:be:0a:62:b7:b8
    tenancy=ocid1.tenancy.oc1..aaaaaaaabnjfuyr73mmvv6ep7heu57576abelhju5ni333c6rrfqiu6q6joq
    region=us-ashburn-1
    key_file=/Users/stella/.oci/stella@lunalectric.com_2023-05-31T22_43_19.044Z.pem

Verify with a quick OCI check

To quickly confirm that cnspec can access your OCI environment, run this check from your terminal:

cnspec run oci -c 'oci.tenancy.name != empty'

If cnspec can connect, it returns the tenancy name and confirms the check passed:

[ok] value: "my-tenancy"

If the command fails, verify that your ~/.oci/config file is configured correctly.

Scan OCI

To scan your OCI tenancy:

cnspec scan oci

cnspec automatically applies all enabled policies that are applicable to OCI. Enable the Mondoo Oracle Cloud Infrastructure (OCI) Security policy to assess identity management, networking, logging, storage, and more. To learn how to enable policies, read Manage Policies.

Open source cnspec users can find this policy in the cnspec GitHub repository and scan with a local copy or directly from a URL using --policy-bundle:

cnspec scan oci --policy-bundle mondoo-oracle-cloud-infrastructure-foundation-level-1.mql.yaml

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure MFA is enabled for all users with a console password
✕ Fail:  Ensure audit log retention period is set to 365 days
✓ Pass:  Ensure default security list of every VCN restricts all traffic

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your OCI environment:

cnspec shell oci

Below are some example checks you can run from the shell.

Ensure MFA is enabled for all users

cnspec> oci.identity.users.all( mfaActivated )
[failed] [].all()
  actual:   [
    0: oci.identity.user {
      name: "mwezi@lunalectric.com"
      mfaActivated: false
    }
    1: oci.identity.user {
      name: "stella@lunalectric.com"
      mfaActivated: false
    }
  ]

Ensure audit log retention is set to 365 days

cnspec> oci.tenancy.retentionPeriod == 365 * time.day
[ok] value: true

Ensure no Object Storage buckets are publicly accessible

cnspec> oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
[ok] value: true

Ensure Object Storage buckets have versioning enabled

cnspec> oci.objectStorage.buckets.all( versioning == "Enabled" )
[failed] [].all()
  actual:   [
    0: oci.objectStorage.bucket {
      name: "backup-data"
      versioning: "Disabled"
    }
  ]

List identity policies and their statements

cnspec> oci.identity.policies { name statements }
oci.identity.policies: [
  0: {
    name: "admin-policy"
    statements: ["Allow group Administrators to manage all-resources in tenancy"]
  }
]

Ensure Object Storage buckets have event notifications enabled

cnspec> oci.objectStorage.buckets.all( objectEventsEnabled == true )
[ok] value: true
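The checks above can be run together and reported as one policy by packaging them in a cnspec policy bundle and passing it to cnspec scan oci --policy-bundle, as described in the Scan OCI section. The bundle below is an added example, not part of the original page or of the Mondoo OCI policy: the policy and query uids, the version, the impact scores and the asset.platform == "oci" filter are assumptions, while the mql expressions are exactly the shell checks shown above.

```yaml
# Added example: a custom cnspec policy bundle that packages the checks shown
# on this page. The uids, version, impact values and the platform filter are
# assumptions; the mql expressions are the ones demonstrated in the shell above.
policies:
  - uid: oci-tenancy-baseline-example
    name: OCI Tenancy Baseline (example)
    version: 1.0.0
    groups:
      - title: Identity and logging
        # Assumption: OCI assets report asset.platform == "oci"
        filters: asset.platform == "oci"
        checks:
          - uid: oci-users-mfa-enabled
          - uid: oci-audit-retention-365
      - title: Object Storage
        filters: asset.platform == "oci"
        checks:
          - uid: oci-buckets-no-public-access
          - uid: oci-buckets-versioning-enabled
          - uid: oci-buckets-object-events-enabled
queries:
  - uid: oci-users-mfa-enabled
    title: Ensure MFA is enabled for all users
    impact: 90
    # Fails and lists every user whose mfaActivated is false
    mql: oci.identity.users.all( mfaActivated )
    docs:
      desc: Every IAM user in the tenancy must have MFA activated.
      remediation: Enroll each listed user in MFA from the OCI Console.
  - uid: oci-audit-retention-365
    title: Ensure audit log retention is set to 365 days
    impact: 60
    mql: oci.tenancy.retentionPeriod == 365 * time.day
  - uid: oci-buckets-no-public-access
    title: Ensure no Object Storage buckets are publicly accessible
    impact: 90
    mql: oci.objectStorage.buckets.all( publicAccessType == "NoPublicAccess" )
  - uid: oci-buckets-versioning-enabled
    title: Ensure Object Storage buckets have versioning enabled
    impact: 40
    mql: oci.objectStorage.buckets.all( versioning == "Enabled" )
  - uid: oci-buckets-object-events-enabled
    title: Ensure Object Storage buckets have event notifications enabled
    impact: 40
    mql: oci.objectStorage.buckets.all( objectEventsEnabled == true )
```

Save the file as oci-tenancy-baseline.mql.yaml, validate it with cnspec bundle lint oci-tenancy-baseline.mql.yaml, then run cnspec scan oci --policy-bundle oci-tenancy-baseline.mql.yaml to get a per-check pass/fail summary and a risk score for just these controls.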
