
Releases: oci-landing-zones/oci-cis-landingzone-quickstart

Release 2.8.5

24 Oct 13:57
7dbf579

October 23, 2024 Release Notes - 2.8.5

  1. Updates/Fixes to the CIS Compliance Script
  2. Updates to the Terraform
  3. Documentation Updates

Updates/Fixes to the CIS Compliance Script

  • Updates:
    • The CIS Summary HTML report now has dashboard graphics showing overall CIS Recommendation Compliance and CIS Recommendation Compliance per Focus Area.
  • Fixes:
    • Fixed a bug related to legacy DRGs with stale states creating exceptions
    • Minor HTML fixes to the CIS Summary report

Updates/Fixes to the Terraform

  • Updated Network Admin Group IAM permissions for ZPR and OCI Network Firewall
    • Allow reading of ZPR namespaces, attributes, and configurations
    • Allow management of OCI Network Firewall
  • Updated Security Admin Group IAM permissions for ZPR and OCI Network Firewall
    • Allow management of ZPR namespaces, attributes, and configurations
    • Allow use of OCI Network Firewall

Documentation Updates

  • Updated README.md with the current CIS OCI Foundations Benchmark version

Release 2.8.4

29 Jul 15:36
60f124f

July 26, 2024 Release Notes - 2.8.4

  1. CIS OCI Benchmark Logging and Monitoring Workload
  2. SIEM (Security information and event management) Workload
  3. Updates/Fixes to the CIS Compliance Script
  4. Documentation Updates

CIS OCI Benchmark Logging and Monitoring Workload

The CIS OCI Benchmark Logging and Monitoring Workload adds the following to an existing OCI tenancy:

  • Logging, Monitoring and Alerting events and notifications as recommended by the CIS OCI Foundations Benchmark
  • Enables Cloud Guard as recommended by the CIS OCI Foundations Benchmark
  • Enables Budgets for Cloud Governance

SIEM (Security information and event management) Workload

The workload can be used to partially set up SIEM integration from the OCI side for integration with SIEMs like Stellar Cyber, Splunk, or SIEMs that read from OCI Streams.

Updates/Fixes to the CIS Compliance Script

Fixes

  • Fixed an issue in check 4.15, “Ensure a notification is configured for Oracle Cloud Guard problems detected”, which defaulted to True

Updates

  • Updated the checks for CIS recommendations 4.3 - 4.12 to ensure event notifications are created in all subscribed OCI regions.

Documentation Updates

  • Logo Updated.
  • Updated README.md, CONTRIBUTING.md, and LICENSE.txt files.
  • Added SECURITY.md file.

v2.8.3

10 Jun 12:50
450275c

June 7, 2024 Release Notes - 2.8.3

  1. Cloud Guard Detector and Security Zones Rules Mapped to CIS OCI Benchmark 2.0.0
  2. Updates/Fixes to the CIS Compliance Script
  3. Updates/Fixes to the Terraform

Cloud Guard Detector and Security Zones Rules Mapped to CIS OCI Benchmark 2.0.0

The CIS OCI Benchmark mapping in the compliance-script.md now maps to Cloud Guard Detectors and Security Zone Rules.

Updates/Fixes to the CIS Compliance Script

Fixes

  • Fixed numbering issue for Logging and Monitoring checks 4.3 - 4.12.
  • Fixed the Auditor policy documented in compliance-script.md to support running OBP checks.
  • Fixed language for observations and error messages.

Updates

  • Reduced code associated with ADB collection function.
  • Added additional debugging statements.

Updates/Fixes to the Terraform

Updates

  • Updated the Auditor policy to align with the compliance-script.md update.
  • Updated Network and Database Admin permissions to include repository management.

v2.8.2

18 Apr 20:41
36bd093

April 18, 2024 Release Notes - 2.8.2

  1. New OBP for Certificate Service Certificate Expiration
  2. OCI CIS Landing Zone Oracle Access Governance Support
  3. Updates/Fixes to the Terraform
  4. Updates/Fixes to the CIS Compliance Script

New OBP for Certificate Service Certificate Expiration

A new Oracle Best Practice (OBP) check scans certificates stored in the OCI Certificate Service and finds those that will expire in under 30 days. This check helps customers identify expiring certificates so they can be renewed before expiration causes connectivity errors and unintended outages for the OCI services that use them.

OCI CIS Landing Zone Oracle Access Governance Support

The OCI CIS Landing Zone enables accelerated Oracle Access Governance (OAG) deployment. The policies and groups required for OAG are created and aligned with the OCI CIS Foundations Benchmark. To deploy OAG using the CIS Landing Zone, review the Oracle Access Governance section under Governance in the Deployment Guide.

Updates/Fixes to the Terraform

Fixes

  • Fixed the issue when deploying the CIS Landing Zone to other realms. Issue 140

Updates/Fixes to the CIS Compliance Script

Updates

  • Added support to override https://cloud.oracle.com in the deep link URLs of CSV reports with a customer-provided deep link URL using the --deeplink-url-override argument. This provides support for other realms. For example, --deeplink-url-override https://console.us-langley-1.oraclegovcloud.com supports OC2's Ashburn region.
  • Added new actions attribute to OCI Event records.
  • Added new compliance checking script FAQ item.

v2.8.1

27 Mar 14:54
df5958b

March 25, 2024 Release Notes - 2.8.1

  1. Updates/Fixes to the CIS Compliance Script

Updates/Fixes to the CIS Compliance Script

Updates:

  • Added flag --report-prefix to allow unique files for better baseline comparison.
  • Improved performance in querying Identity Domains users’ API keys.
  • Improved Identity Domains checking for federated users by using is_federated flag.
  • Added Deep Link with Identity Domain name to user, group, and dynamic group records.
  • The audit configuration check has been removed because it is no longer in the benchmark.
  • Boot Volume resources were added to the check 6.2 resources in the root compartment.

Fixes:

  • Fixed handling of KMS keys with date issues.
  • Removed duplication of Identity Groups for Identity Domains.
  • Consistency and commenting updates.

v2.8.0

23 Feb 21:37
3262b08

February 23, 2024 Release Notes - 2.8.0

  1. Updates for CIS OCI Benchmark 2.0.0
  2. Compliance Checker Script Update for Identity Domains
  3. Updates/Fixes to the CIS Compliance Script
  4. Readme Updates

Updates for CIS OCI Benchmark 2.0.0

On January 4th, 2024 the CIS Oracle Cloud Infrastructure Foundations Benchmark 2.0.0 was published. To align with this new release, the compliance checking script's check numbering has been updated and the following new checks have been added:

  • Compute checks for secure boot, IMDSv2, and in-transit encryption enabled
  • Logging and Monitoring Check added to ensure there is a notification for Cloud Guard events
  • IAM check for Database Password rotation

In addition, the CIS OCI Benchmark to CIS Landing Zone Architecture Mapping table and architecture were updated to align with the updated benchmark.

Compliance Checker Script Update for Identity Domains

To align with the migration of OCI tenancies from those without Identity Domains to those with Identity Domains, all IAM checks have been updated to search all Identity Domains in a tenancy. The updated checks are:

  • 1.4 Ensure IAM password policy requires minimum length of 14 or greater
  • 1.5 Ensure IAM password policy expires passwords within 365 days
  • 1.6 Ensure IAM password policy prevents password reuse
  • 1.7 Ensure MFA is enabled for all users with a console password
  • 1.8 Ensure user API keys rotate within 90 days or less
  • 1.9 Ensure user customer secret keys rotate within 90 days or less
  • 1.10 Ensure user auth tokens rotate within 90 days or less
  • 1.11 Ensure user IAM Database Passwords rotate within 90 days
  • 1.12 Ensure API keys are not created for tenancy administrator users
  • 1.13 Ensure all OCI IAM user accounts have a valid and current email address
  • 1.14 Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources.

Updates/Fixes to the CIS Compliance Script

Fixes:

  • The check “Ensure customer created Customer Managed Key (CMK) is rotated at least annually” was updated to check the current key version instead of the key creation date.
  • Updated the totals for checks 1.5, 1.6, and 6.2 to prevent negative numbers.
  • Resolved a case sensitivity issue relating to the policy check for "PSM-root-policy".

Updates:

  • Added a new item to the FAQ.

Readme Updates

The README.md was updated to add a click-to-deploy option for the EU Sovereign regions. This closes issue 136.

Release 2.7.1

05 Jan 16:38
6b1f38c

January 5, 2024 Release Notes - 2.7.1

  1. Links to Deploy in Non-commercial Regions
  2. Terraform Updates
  3. Script Updates

Links to Deploy in Non-commercial Regions

Links have been added to README.md allowing the initiation of Terraform deployments in non-commercial regions through OCI Resource Manager service. The existing "Deploy to Oracle Cloud" button is unchanged, initiating deployments to commercial regions only. Use the links when deploying to Gov cloud.

Terraform Updates

config module

  • tenancy_ocid, user_ocid and region variables are now hidden in generic_workload_compartments RMS UI.
  • IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
  • Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.

pre-config module

  • Auditor grants in pre-config module aligned with auditor grants in config module.

Script Updates

  • Fixes:
    • Added additional error handling in __search_resources_in_root_compartment to resolve issue 134.

Release 2.7.0

30 Nov 18:07
978d571

November 17, 2023 Release Notes - 2.7.0

  1. CIS Compliance Script Gets Network Topology
  2. CIS Compliance Script Gets All Resources
  3. Landing Zone Architecture to CIS OCI Benchmark Documentation
  4. Terraform Updates

CIS Compliance Script Gets Network Topology

The CIS compliance script now queries the OCI Network Visualizer to download a text version of the tenancy's network topology in JSON and PKL file formats. This feature is run using the --obp --raw flags or the --all-resources flag.

CIS Compliance Script Gets All Resources

The CIS compliance script now uses the Search service to query all available resources in a tenancy. The data is returned in a JSON file and is limited to the resource types supported by Search; the fields for each resource are limited to the additional details available to the Search service. This feature is run using the --all-resources flag.

Landing Zone Architecture to CIS OCI Benchmark Documentation

The CIS OCI Benchmark to CIS Landing Zone Architecture Mapping document details how the OCI CIS Landing Zone configuration aligns with the CIS Benchmark v1.2.

Terraform Updates

config module

  • Existing dynamic groups can now be selected in Resource Manager UI.
  • All IAM remote modules have been pinned to version 0.1.7. If you are managing the Landing Zone with terraform CLI, make sure to run terraform init -upgrade when adopting this release.
  • Bug fix: when extending Landing Zone to another region, groups were being processed and an "invalid index" error generated during terraform plan. With this fix, groups are no longer processed when extending the Landing Zone.
  • Bug fix: when running Landing Zone config as a user with limited permissions, service policies were being processed and failing during terraform apply due to insufficient permissions. With this fix, service policies are no longer processed when running config as a user with limited permissions.

pre-config module

  • Storage admin group has been added.
  • Existing provisioning group can now be selected in Resource Manager UI.
  • Policies for dynamic groups have been removed, as they can be managed in the config module.
  • Ability to use existing dynamic groups has been removed, as the feature is already present in the config module.
  • deploy_dynamic_groups variable added, set to true by default. If reusing existing dynamic groups is needed, set this variable to false and select the existing dynamic groups in the config module.

Release 2.6.5

06 Oct 18:50
aa624b2

October 6, 2023 Release Notes - 2.6.5

  1. CIS Compliance Script Updates
  2. Terraform Quick Start Updates
  3. Terraform Workloads Updates

Updates to the CIS Compliance Script

Updates:

  • Added debugging to the Identity Groups collection

Terraform Quick Start Updates

Updates:

  • Compartments management has been pinned to Compartments module v0.1.6.

Terraform Workloads Updates

Updates:

  • Generic Workloads now outputs the compartments created

Fixes:

  • Dynamic Group AppDev

v2.6.4

18 Sep 18:01
26aa216

September 18, 2023 Release Notes - 2.6.4

  1. CIS Compliance Script Adds Identity Domains
  2. Updates to the CIS Compliance Script
  3. Workload Expansion Terraform for Quick Start

CIS Compliance Script Adds Identity Domains

The CIS compliance checking script now collects the Identity Domains password policy. This allows the compliance checking script to assess CIS recommendation 1.5 Ensure IAM password policy expires passwords within 365 days and recommendation 1.6 Ensure IAM password policy prevents password reuse.

Updates to the CIS Compliance Script

  • Updates:
    • Improved navigation for CIS Summary Report HTML
    • Added error_report.csv for errors encountered when collecting OCI resources
  • Fixes:
    • Improved OCI logging error handling
    • Fixed compliance for Storage Admin policies for CIS recommendation 1.14 Ensure storage service-level admins cannot delete resources they manage

Workload Expansion Terraform for Quick Start

The Terraform code in this folder expands an existing CIS Landing Zone deployment. It does this by adding one or more workload compartment(s) in the AppDev compartment and, optionally, the associated OCI IAM groups, dynamic groups, and OCI IAM policies to manage OCI resources in the workload compartment. For more information please see the readme.md.