Merge pull request #866 from oracle-devrel/security-update-20240229

Updated to cis_report.py 2.8.0.
oracle-devrel · Feb 29, 2024 · 6f333c7 · 6f333c7
2 parents 69e228d + 125f7df
commit 6f333c7
Show file tree

Hide file tree

Showing 5 changed files with 996 additions and 598 deletions.
diff --git a/...rity/security-design/shared-assets/oci-security-health-check-standard/README.md b/...rity/security-design/shared-assets/oci-security-health-check-standard/README.md
@@ -2,7 +2,7 @@
 
 Owner: Olaf Heimburger
 
-Version: 240130
+Version: 240229
 
 Reviewed: 01.02.2024
 
@@ -15,6 +15,10 @@ Reviewed: 01.02.2024
 
 The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for [CIS Oracle Cloud Infrastructure Foundations Benchmark](https://www.cisecurity.org/benchmark/Oracle_Cloud) compliance.
 
+### Disclaimer
+
+This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*.
+
 ## Complete Runtime Example
 
 See the *OCI Security Health Check - Standard Edition* in action and watch the [OCI Health Checks - Self Service video](https://www.youtube.com/watch?v=EzjKLxfxaAM).
@@ -25,24 +29,24 @@ See the *OCI Security Health Check - Standard Edition* in action and watch the [
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-240130.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.zip).
+  - Download the latest distribution [oci-security-health-check-standard-240229.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240229/oci-security-health-check-standard-240229.zip).
   - Download the respective checksum file:
-    - [oci-security-health-check-standard-240130.sha512](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.sha512).
-    - [oci-security-health-check-standard-240130.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.sha512256).
+    - [oci-security-health-check-standard-240229.sha512](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240229/oci-security-health-check-standard-240229.sha512).
+    - [oci-security-health-check-standard-240229.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240229/oci-security-health-check-standard-240229.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     $ cd <your_downloads_directory>
-    $ shasum -a 512256 -c oci-security-health-check-standard-240130.sha512256
-    oci-security-health-check-standard-240130.zip: OK
+    $ shasum -a 512256 -c oci-security-health-check-standard-240229.sha512256
+    oci-security-health-check-standard-240229.zip: OK
     ```
 
     On Linux (including Cloud Shell):
     ```
     $ cd <your_downloads_directory>
-    $ sha512sum -c oci-security-health-check-standard-240130.sha512
-    oci-security-health-check-standard-240130.zip: OK
+    $ sha512sum -c oci-security-health-check-standard-240229.sha512
+    oci-security-health-check-standard-240229.zip: OK
     ```
 
 **Reject the downloaded file if the check fails!**
@@ -85,7 +89,8 @@ To create a group for auditing do the following steps:
       allow group 'Default'/'grp-auditors' to read users in tenancy
       allow group 'Default'/'grp-auditors' to read vss-family in tenancy
       allow group 'Default'/'grp-auditors' to read dns in tenancy
-      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy    ```
+      allow group 'Default'/'grp-auditors' to use cloud-shell in tenancy
+    ```
   - Assign a user to the `grp-auditors` group.
   - Log out of the OCI Console.
 

diff --git a/...curity-health-check-standard/files/oci-security-health-check-standard/README.md b/...curity-health-check-standard/files/oci-security-health-check-standard/README.md
@@ -2,34 +2,38 @@
 
 Owner: Olaf Heimburger
 
-Version: 240130
+Version: 240229
 
 ## When to use this asset?
 
 The *OCI Security Health Check - Standard Edition* checks an OCI tenancy for CIS OCI Foundation Benchmark compliance.
 
+### Disclaimer
+
+This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs (running any Operating System), the Container Engine for Kubernetes, or in the VMware Solution is *out of scope* of the *OCI Security Health Check*.
+
 ## Usage
 
 ### Download and verify the release file
 
 Before running the *OCI Security Health Check - Standard Edition* you should download and verify it.
 
-  - Download the latest distribution [oci-security-health-check-standard-240130.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.zip).
-  - Download the respective checksum file [oci-security-health-check-standard-240130.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240130/oci-security-health-check-standard-240130.sha512256).
+  - Download the latest distribution [oci-security-health-check-standard-240229.zip](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240229/oci-security-health-check-standard-240229.zip).
+  - Download the respective checksum file [oci-security-health-check-standard-240229.sha512256](https://github.com/oracle-devrel/technology-engineering/releases/download/oci-security-health-check-std-240229/oci-security-health-check-standard-240229.sha512256).
   - Verify the integrity of the distribution. Both files must be in the same directory (for example, in your downloads directory).
 
     On MacOS:
     ```
     $ cd <your_downloads_directory>
-    $ shasum -a 512256 -c oci-security-health-check-standard-240130.sha512256
-    oci-security-health-check-standard-240130.zip: OK
+    $ shasum -a 512256 -c oci-security-health-check-standard-240229.sha512256
+    oci-security-health-check-standard-240229.zip: OK
     ```
 
     On Linux (including Cloud Shell):
     ```
     $ cd <your_downloads_directory>
-    $ sha512sum -c oci-security-health-check-standard-240130.sha512
-    oci-security-health-check-standard-240130.zip: OK
+    $ sha512sum -c oci-security-health-check-standard-240229.sha512
+    oci-security-health-check-standard-240229.zip: OK
     ```
 
 **Reject the downloaded file when the check fails!**

diff --git a/...ts/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt b/...ts/oci-security-health-check-standard/files/oci-security-health-check-standard/README.txt
@@ -2,13 +2,20 @@
 OCI Security Health Check - Standard Edition
 ============================================
 Owner: Olaf Heimburger
-Version: 240130
+Version: 240229
 
 When to use this asset?
 
 The OCI Security Health Check - Standard Edition checks an OCI tenancy for
 CIS OCI Foundation Benchmark compliance.
 
+Disclaimer
+
+This asset covers the OCI platform as specified in the *CIS Oracle Cloud Infrastructure
+Foundations Benchmark*, only. Any workload provisioned in Databases, Compute VMs
+(running any Operating System), the Container Engine for Kubernetes, or in the VMware
+Solution is *out of scope* of the *OCI Security Health Check*.
+
 Usage
 
 1 Prepare the OCI Tenancy
@@ -29,23 +36,23 @@ Usage
     - If "Domains" are listed you are migrated to Identity Domains
   - Create a group grp-auditors
   - Create a policy pcy-auditing with these statements:
-- For tenancies without Identity Domains use
-    allow group grp-auditors to inspect all-resources in tenancy
-    allow group grp-auditors to read instances in tenancy
-    allow group grp-auditors to read load-balancers in tenancy
-    allow group grp-auditors to read buckets in tenancy
-    allow group grp-auditors to read nat-gateways in tenancy
-    allow group grp-auditors to read public-ips in tenancy
-    allow group grp-auditors to read file-family in tenancy
-    allow group grp-auditors to read instance-configurations in tenancy
-    allow group grp-auditors to read network-security-groups in tenancy
-    allow group grp-auditors to read resource-availability in tenancy
-    allow group grp-auditors to read audit-events in tenancy
-    allow group grp-auditors to read users in tenancy
-    allow group grp-auditors to read vss-family in tenancy
-    allow group grp-auditors to read dns in tenancy
-    allow group grp-auditors to use cloud-shell in tenancy
-- For tenancies *with* Identity Domains use
+  - For tenancies without Identity Domains use
+      allow group grp-auditors to inspect all-resources in tenancy
+      allow group grp-auditors to read instances in tenancy
+      allow group grp-auditors to read load-balancers in tenancy
+      allow group grp-auditors to read buckets in tenancy
+      allow group grp-auditors to read nat-gateways in tenancy
+      allow group grp-auditors to read public-ips in tenancy
+      allow group grp-auditors to read file-family in tenancy
+      allow group grp-auditors to read instance-configurations in tenancy
+      allow group grp-auditors to read network-security-groups in tenancy
+      allow group grp-auditors to read resource-availability in tenancy
+      allow group grp-auditors to read audit-events in tenancy
+      allow group grp-auditors to read users in tenancy
+      allow group grp-auditors to read vss-family in tenancy
+      allow group grp-auditors to read dns in tenancy
+      allow group grp-auditors to use cloud-shell in tenancy
+  - For tenancies *with* Identity Domains use
       allow group 'Default'/'grp-auditors' to inspect all-resources in tenancy
       allow group 'Default'/'grp-auditors' to read instances in tenancy
       allow group 'Default'/'grp-auditors' to read load-balancers in tenancy

diff --git a/...-security-health-check-standard/files/oci-security-health-check-standard/requirements.txt b/...-security-health-check-standard/files/oci-security-health-check-standard/requirements.txt
@@ -1,4 +1,3 @@
-urllib3==1.26.18
 xlsxwriter>=3.0.3
 pandas>=1.5.2
 openpyxl>=3.0.10