I previously wrote about how ShowOCI can be used to automagically document the configuration of an OCI tenant.
My next top tip is to run the OCI Security Health Check against your tenant. This tool compares the configuration of a tenant against the CIS OCI Foundations Benchmark and reports any issues that require remediation.
In today’s risky world where security breaches are a regular occurrence, it’s critical that you assess your security posture on a regular basis and perform any required remediation to ensure that you are a step ahead of the attackers – the OCI Security Health Check makes this a lot simpler for you (for your OCI workloads at least).
Instructions on how to run the assessment can be found here. I had an issue downloading the Zip file that contains the assessment scripts (I ran into a 404 error); the correct link is currently this (as of July 2024). Should this link not work, the folder within the repo that should contain the Zip file can be found here.
I ran this against my test tenancy using the Cloud Shell (it can also be run from a compute instance), with the following commands:
Step 1 – Download and Unzip the Assessment Scripts
wget https://github.com/oracle-devrel/technology-engineering/raw/main/security/security-design/shared-assets/oci-security-health-check-standard/files/resources/oci-security-health-check-standard-251104.zip
unzip oci-security-health-check-standard-251104.zip
Step 2 – Run the Assessment
cd oci-security-health-check-standard-251104
chmod +x standard.sh
./standard.sh
Step 3 – Inspect the Findings
Within the directory that the script is run from, a folder is created that stores the output of the assessment:

In my case this was brendankgriffin_20240712102613_standard. This directory contained the following files:

I created a Zip file of this directory to make it easier to transfer it to my local machine for analysis using the following command:
zip -r SecurityAssessmentOutput.zip brendankgriffin_20240712102613_standard/
This created a ZIP file named SecurityAssessmentOutput.zip with the contents of the output folder (brendankgriffin_20240712102613_standard). I transferred this to my local machine using the download option within the Cloud Console.

I could then open these to review the findings. The first file I opened was standard_cis_html_summary_report.html, which contains a summary of the findings of the assessment.

It didn’t take too much scrolling to start to see some red!

Clicking into the identifier of a finding (e.g. 6.2) provides additional background and context, which is useful for understanding the finding in greater detail and helping with remediation planning.

Each finding includes a link to the respective CSV file, where you can get additional details on the affected resources/configurations – below you can see a list of the resources that I naughtily created in the root compartment.

My recommendation would be to run the Security Assessment regularly (e.g. monthly), to proactively identify and resolve any security issues.
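For regular runs, the packaging part of Step 3 can be scripted instead of typing the output folder name by hand. The following is an added example, not part of the original post or of Oracle's assessment scripts; it assumes output folders follow the <name>_<YYYYMMDDhhmmss>_standard pattern seen above, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: package the newest Security Health Check output for download.
# Assumption: output folders are named <name>_<YYYYMMDDhhmmss>_standard.
# Usage (after ./standard.sh has finished, from the folder holding the output):
#   archive_assessment "$(latest_assessment_dir .)"

# Print the newest output folder under $1 (default: current directory).
# The 14-digit timestamp in the folder name decides, not the file mtime,
# so copied or restored folders still sort correctly.
latest_assessment_dir() (
    base="${1:-.}"
    best=""
    best_ts=""
    for d in "$base"/*_standard/; do
        [ -d "$d" ] || continue
        name="$(basename "$d")"
        ts="${name%_standard}"   # drop the fixed suffix
        ts="${ts##*_}"           # keep what follows the last underscore
        case "$ts" in
            ""|*[!0-9]*) continue ;;   # not purely numeric: not a run folder
        esac
        [ "${#ts}" -eq 14 ] || continue
        if [ -z "$best_ts" ] || [ "$ts" -gt "$best_ts" ]; then
            best_ts="$ts"
            best="${d%/}"
        fi
    done
    # Exit status is non-zero when no run folder was found.
    [ -n "$best" ] && printf '%s\n' "$best"
)

# Zip one output folder next to itself and write a SHA-256 file beside it.
# The reports describe the tenancy's configuration, so the archive is
# created readable by the current user only. Prints the archive path.
archive_assessment() (
    umask 077
    dir="${1%/}"
    name="$(basename "$dir")"
    cd "$(dirname "$dir")" || exit 1
    zip -qr "$name.zip" "$name" || exit 1
    sha256sum "$name.zip" > "$name.zip.sha256" || exit 1
    printf '%s\n' "$(pwd)/$name.zip"
)
```

Download the .sha256 file together with the archive and run sha256sum -c against it on the local machine to confirm the copy is intact.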
That’s all for now.
