turbot / steampipe-mod-oci-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all of your Oracle Cloud Infrastructure accounts using Powerpipe and Steampipe.

Home Page: https://hub.powerpipe.io/mods/turbot/oci_compliance

License: Apache License 2.0

HCL 100.00%
steampipe steampipe-mod security cis sql compliance cis-benchmark oci oracle-cloud oracle-cloud-infrastructure

steampipe-mod-oci-compliance's Introduction

Oracle Cloud Compliance Mod for Powerpipe

Important

Powerpipe is now the preferred way to run this mod! Migrating from Steampipe →

All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.

30+ checks covering industry defined security best practices across all Oracle Cloud regions.

Includes full support for v1.1.0 and v1.2.0 CIS benchmarks.

Run checks in a dashboard or in a terminal (screenshots omitted).

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the OCI plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install oci

Steampipe will automatically use your default OCI credentials. Optionally, you can set up multiple tenants.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-oci-compliance

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run oci_compliance.benchmark.cis_v200

Different output formats are also available; for more information, please see Output Formats.

Common and Tag Dimensions

The benchmark queries use common properties (like compartment, compartment_id, connection_name, region, tenant and tenant_id) and tags that are defined in the form of a default list of strings in the variables.sp file. These properties can be overwritten in several ways:

It's easiest to set up your vars file, starting with the sample:

cp steampipe.spvars.example steampipe.spvars
vi steampipe.spvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run oci_compliance.benchmark.cis_v200 --var 'common_dimensions=["connection_name", "region", "tenant"]'

Or through environment variables:

export PP_VAR_common_dimensions='["connection_name", "region", "tenant"]'
export PP_VAR_tag_dimensions='["Department", "Environment"]'
powerpipe benchmark run oci_compliance.benchmark.cis_v200
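As an added example (not code from the mod or from Turbot), a small Python script that walks a benchmark report and tallies results by status, alarms by control, and alarms by one of the common dimensions above. The JSON layout it reads (nested groups, controls, results carrying status, resource, reason and key/value dimensions) is assumed from what `powerpipe benchmark run ... --output json` emits, and the report it parses is constructed inline.

```python
import json
from collections import Counter

# Constructed sample report (not real scan output). Shape assumed from
# `powerpipe benchmark run ... --output json`: groups -> controls -> results,
# each result carrying dimensions populated from the common_dimensions variable.
SAMPLE_REPORT = json.dumps({
    "group_id": "oci_compliance.benchmark.cis_v200",
    "groups": [{
        "group_id": "oci_compliance.benchmark.cis_v200_1",
        "controls": [
            {"control_id": "oci_compliance.control.cis_v200_1_9",
             "results": [
                 {"status": "alarm", "resource": "secret-key-1",
                  "reason": "customer secret key is 120 days old",
                  "dimensions": [{"key": "region", "value": "us-ashburn-1"},
                                 {"key": "tenant", "value": "prod"}]},
                 {"status": "ok", "resource": "secret-key-2",
                  "reason": "customer secret key is 10 days old",
                  "dimensions": [{"key": "region", "value": "eu-frankfurt-1"},
                                 {"key": "tenant", "value": "prod"}]}]},
            {"control_id": "oci_compliance.control.cis_v200_1_7",
             "results": [
                 {"status": "alarm", "resource": "user-x",
                  "reason": "MFA not enabled",
                  "dimensions": [{"key": "region", "value": "us-ashburn-1"},
                                 {"key": "tenant", "value": "dev"}]}]}]}]})


def iter_results(group):
    """Yield (control_id, result) for every result under a group, recursing into subgroups."""
    for control in group.get("controls", []):
        for result in control.get("results", []):
            yield control["control_id"], result
    for sub in group.get("groups", []):
        yield from iter_results(sub)


def summarise(report_json, dimension="region"):
    """Count results per status, alarms per control, and alarms per value of one dimension."""
    report = json.loads(report_json)
    by_status, alarms_by_control, alarms_by_dim = Counter(), Counter(), Counter()
    for control_id, result in iter_results(report):
        by_status[result["status"]] += 1
        if result["status"] == "alarm":
            alarms_by_control[control_id] += 1
            dims = {d["key"]: d["value"] for d in result.get("dimensions", [])}
            alarms_by_dim[dims.get(dimension, "(no %s dimension)" % dimension)] += 1
    return by_status, alarms_by_control, alarms_by_dim


if __name__ == "__main__":
    for name, counts in zip(("status", "alarms/control", "alarms/region"), summarise(SAMPLE_REPORT)):
        print(name, dict(counts))
```

Pass `dimension="tenant"` or `"connection_name"` to pivot the alarm count on any other dimension you enabled via `PP_VAR_common_dimensions`.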

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues.

steampipe-mod-oci-compliance's People

Contributors: cbruno10, dboeke, khushboo9024, krishna5891, madhushreeray30, misraved, priyanka-chatterjee-2000, rajlearner17, shivani1982, subhajit97


steampipe-mod-oci-compliance's Issues

Add OCI CIS_v.1.1.0 section-3 (Logging and Monitoring) Docs.

Is your feature request related to a problem? Please describe.
Add supporting documents for CIS Oracle Cloud Infrastructure foundations benchmark.

Describe the solution you'd like
Add support documents for OCI CIS v1.1.0 section-3(Logging and Monitoring).

Describe alternatives you've considered
N/A

Additional context
N/A

Add initial OCI CIS_v.1.1.0 section benchmarks and controls

Is your feature request related to a problem? Please describe.
Add CIS Oracle Cloud Infrastructure foundations benchmarks and controls.

Describe the solution you'd like
Implement CIS Oracle Cloud Infrastructure foundations benchmark and control.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Update benchmark and control tags for compatibility with dashboard page

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add CIS v1.2.0 benchmark

Is your feature request related to a problem? Please describe.
I'd like to run a benchmark to check for CIS v1.2.0 controls

Reference

Describe the solution you'd like
Add CIS v1.2.0 benchmark and controls.

Describe alternatives you've considered
Run controls manually today.

Additional context
Add any other context or screenshots about the feature request here.

Controls should reference their query using `query =` rather than `sql =`

It's simpler in code and readability to reference queries using the query = attribute rather than the sql = attribute.

This occurs throughout the mod, but as a specific example:

control "cis_v110_1_9" {
  title         = "1.9 Ensure user customer secret keys rotate within 90 days or less"
  description   = "Object Storage provides an API to enable interoperability with Amazon S3. To use this Amazon S3 Compatibility API, you need to generate the signing key required to authenticate with Amazon S3. This special signing key is an Access Key/Secret Key pair. Oracle generates the Customer Secret key to pair with the Access Key."
  sql           = query.identity_user_customer_secret_key_age_90.sql
  documentation = file("./cis_v110/docs/cis_v110_1_9.md")
  tags = merge(local.cis_v110_1_common_tags, {
    cis_item_id = "1.9"
    cis_level   = "1"
    cis_type    = "automated"
    service     = "OCI/Identity"
  })
}

Could be changed from:

sql           = query.identity_user_customer_secret_key_age_90.sql

to:

query         = query.identity_user_customer_secret_key_age_90

Update index doc and README for Steampipe v0.14.0 release

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add OCI CIS_v.1.1.0 section-1 (IAM) Docs.

Is your feature request related to a problem? Please describe.
Add supporting documents for CIS Oracle Cloud Infrastructure foundations benchmark.

Describe the solution you'd like
Add support documents for OCI CIS v1.1.0 section-1(IAM).

Describe alternatives you've considered
N/A

Additional context
N/A

Add missing controls for CIS Oracle Cloud Infrastructure Foundations Benchmark v1.1.0

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

  • 1.2 Ensure permissions on all resources are given only to the tenancy administrator group
  • 1.3 Ensure IAM administrators cannot update tenancy Administrators group

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Please add CIS Benchmark checks for MySQL

Is your feature request related to a problem? Please describe.
I can see no compliance checks for MySQL in this mod.

Describe the solution you'd like
It would be nice to have good volumes of checks for MySQL .

Additional context
I can see RDS compliance check for AWS. Would be really helpful if we can get MySQL checks included in this mod.

Please add CIS Benchmark checks for OCI OKE

Is your feature request related to a problem? Please describe.
I can see no compliance checks for OKE in this mod.

Describe the solution you'd like
It would be nice to have good volumes of checks for OKE.

Additional context
I can see EKS compliance check for AWS. Would be really helpful if we can get OKE included in this mod.

Please add additional CIS Benchmark checks for OCI Bucket

Is your feature request related to a problem? Please describe.
Currently I could see very limited checks when it comes to OCI Bucket (I guess, just 1 check is there)

Describe the solution you'd like
More compliance checks such as encryption, logging, versioning can be implemented on OCI Bucket

Describe alternatives you've considered
I can see a lot of checks for S3 bucket in AWS. Would be very helpful if we can get additional checks for OCI Bucket too.

Add query for OCI CIS 3.16.

Is your feature request related to a problem? Please describe.
3.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add query to validate API key for tenancy administrator users.

Is your feature request related to a problem? Please describe.
OCI > CIS 1.11 Ensure API keys are not created for tenancy administrator users (Automated)

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add OCI cis_v110_1_1 control

Is your feature request related to a problem? Please describe.
Add CIS Oracle Cloud Infrastructure foundations cis_v110_1_1 control

Describe the solution you'd like
Implement CIS Oracle Cloud Infrastructure foundations cis_v110_1_1 control

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Please add CIS Benchmark checks for OCI instance

Is your feature request related to a problem? Please describe.
I can see no compliance checks for OCI instance in this mod.

Describe the solution you'd like
It would be nice to have good volumes of checks for OCI instance.

Additional context
I can see ec2 compliance check for AWS. Would be really helpful if we can get OCI instance checks included in this mod.

Add OCI CIS_v.1.1.0 section-5 (Asset Management) Docs.

Is your feature request related to a problem? Please describe.
Add supporting documents for CIS Oracle Cloud Infrastructure foundations benchmark.

Describe the solution you'd like
Add support documents for OCI CIS v1.1.0 section-5(Asset Management).

Describe alternatives you've considered
N/A

Additional context
N/A

Add OCI CIS_v.1.1.0 section-2 (Networking) Docs.

Is your feature request related to a problem? Please describe.
Add supporting documents for CIS Oracle Cloud Infrastructure foundations benchmark.

Describe the solution you'd like
Add support documents for OCI CIS v1.1.0 section-2(Networking).

Describe alternatives you've considered
N/A

Additional context
N/A

Add CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

CIS reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add OCI cis_v110_1_11 and cis_v110_3_16 controls

Is your feature request related to a problem? Please describe.
Add CIS Oracle Cloud Infrastructure foundations cis_v110_1_11 and cis_v110_3_16 control.

Describe the solution you'd like
Implement CIS Oracle Cloud Infrastructure foundations cis_v110_1_11 and cis_v110_3_16 control.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add OCI CIS_v.1.1.0 section-4 (Object Storage) Docs.

Is your feature request related to a problem? Please describe.
Add supporting documents for CIS Oracle Cloud Infrastructure foundations benchmark.

Describe the solution you'd like
Add support documents for OCI CIS v1.1.0 section-4(Object Storage).

Describe alternatives you've considered
N/A

Additional context
N/A

Please add CIS Benchmark checks for Autonomous DB

Is your feature request related to a problem? Please describe.
I can see no compliance checks for Autonomous DB in this mod.

Describe the solution you'd like
It would be nice to have good volumes of checks for Autonomous DB.

Additional context
I can see RDS compliance check for AWS. Would be really helpful if we can get Autonomous DB checks included in this mod.

Support for steampipe check of a particular compartment

Is your feature request related to a problem? Please describe.
steampipe check will not work if the account that is used for access has read permissions only to a particular compartment.

Describe the solution you'd like
steampipe check should be able to perform a check only in a particular compartment.

Add CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0 - (04-14-2022)

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

CIS reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Update mod.sp to address deprecation warning

Describe the bug
The current version of the mod returns a warning due to using the deprecated option version instead of min_version for the oci plugin.

This issue can be trivially resolved by updating

  require {
    plugin "oci" {
      version = "0.23.0"
    }
  }

to

  require {
    plugin "oci" {
      min_version = "0.23.0"
    }
  }

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Add common and tag dimensions across compliance queries

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Common & tag dimensions will allow the end user with options to render compliance output based on tags key, connection name, subscription name & region.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.
