Releases: oci-landing-zones/oci-cis-landingzone-quickstart
2.4.1
September 16, 2022 Release Notes - 2.4.1
Compliance Checking Report Identity Domain Fix
Until this update, a user in the CIS Landing Zone Auditor group would not have been able to successfully run the compliance checking script in tenancies with Identity Domains. The reason is that tenancies with Identity Domains require elevated privileges to check the tenancy's password policy. With release 2.4.1, if the user doesn't have permission to check the password policy, the script continues running and just prints an alert.
2.4.0
September 09, 2022 Release Notes - 2.4.0
- Terraform Requirements
- CIS OCI Benchmark Configuration Profiles
- Custom Security Zones
- Service Connector Hub Improved Configuration
- Vulnerability Scanning Improved Configuration
- Application Bucket Improved Configuration
- Data Safe Permissions
Terraform Requirements
The Terraform features in this release and future releases of the CIS Landing Zone require Terraform binary 1.1.0 or higher, where the moved block feature is available. The moved block provides a transparent way of preserving backwards compatibility in the face of required code changes. We have consolidated all moved blocks in moved.tf. For details on this feature, please see Terraform's documentation on refactoring.
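As an added illustration of what a moved block does (this is not the project's moved.tf, and the module path, variable names and resource addresses are hypothetical), the following Terraform shows a bucket that was refactored from a root-module resource into a module, with a moved block so that the object already recorded in state is re-addressed rather than destroyed and recreated:

```hcl
# Added illustration of a Terraform 1.1+ moved block; not the project's moved.tf.
# Module path, variables and resource addresses below are hypothetical.

variable "appdev_compartment_id" { type = string }
variable "namespace" { type = string }

# Before the refactoring, the bucket was a plain resource in the root module:
#
#   resource "oci_objectstorage_bucket" "appdev_bucket" { ... }
#
# After the refactoring it is created inside a module instance.
module "appdev_bucket" {
  source         = "./modules/object-storage" # hypothetical module path
  compartment_id = var.appdev_compartment_id
  namespace      = var.namespace
  name           = "appdev-bucket"
}

# The moved block tells Terraform that the object in state under the old
# address is the same object as the new address. `terraform plan` then reports
# a move instead of a destroy-and-recreate of the bucket (and its contents).
moved {
  from = oci_objectstorage_bucket.appdev_bucket
  to   = module.appdev_bucket.oci_objectstorage_bucket.this
}
```

The `from` address is the old state address and the `to` address is the new one; the block can be removed once every state that used the old address has been migrated.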
CIS OCI Benchmark Configuration Profiles
CIS Landing Zone introduces the ability to choose the CIS OCI configuration profile defined in the Benchmark.
When deploying CIS Landing Zone, users can now specify the CIS configuration profile level using the cis_level variable, which defines the configuration of some Landing Zone managed resources. For this release, the affected resources are Object Storage Buckets and Security Zones: the cis_level setting drives how buckets are encrypted and the minimum set of policies in a Security Zone.
Security Zones
CIS Landing Zone adds to the overall tenancy security posture with the support for Security Zones. Landing Zone users can now enable Security Zones for Landing Zone managed compartments and specify which policies to apply. These policies are the preventive controls that make sure a tenancy stays within the defined track as it evolves over time.
Aligning with the CIS OCI Benchmark Configuration Profile feature, if cis_level is set to 1, the provided Security Zone policies are aligned to the CIS OCI Benchmark configuration profile Level 1. If cis_level is set to 2, the provided Security Zone policies are aligned to the CIS OCI Benchmark configuration profile Level 2. The table below maps each Security Zone policy to its configuration profile level.
CIS Recommendation | CIS Level | Security Zone Policy Name | Security Zone Policy Description |
---|---|---|---|
4.1.1 | 1 | deny public_buckets | Object Storage buckets in a security zone can't be public. |
2.8.0 | 1 | deny db_instance_public_access | Databases in a security zone can't be assigned to public subnets. They must use private subnets. |
4.2.1 | 2 | deny block_volume_without_vault_key | Block volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
4.2.2 | 2 | deny boot_volume_without_vault_key | Boot volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
4.1.2 | 2 | deny buckets_without_vault_key | Object Storage buckets in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
4.3.1 | 2 | deny file_system_without_vault_key | File systems in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
Service Connector Hub Improved Configuration
The Service Connector Hub module, as announced in Updated Logging Architecture, has been updated to optionally deploy Service Connector Hub related resources. As a result, existing users need to set the enable_service_connector and activate_service_connector variables to true for Service Connector Hub resources to be created and for the service to be activated. For details, look at the enable_service_connector and activate_service_connector variables in VARIABLES.md.
When deploying an Object Storage bucket as the Service Connector target, users can now bring an existing key for bucket encryption. For details, look at the existing_service_connector_bucket_vault_compartment_id, existing_service_connector_bucket_vault_id and existing_service_connector_bucket_key_id variables in VARIABLES.md. Aligning with the CIS Profile Levels feature, if cis_level is set to 1, the bucket is encrypted with an Oracle-managed key; if cis_level is set to 2, a customer-managed key (either provided or managed by Landing Zone) is used for bucket encryption.
Vulnerability Scanning Improved Configuration
Users have more control over Landing Zone Vulnerability Scanning recipes. It is now possible to specify the levels for port scan and agent-based scan, and the CIS setting for agent-based scans. Additionally, users can enable file scanning for Linux systems and specify the folders to scan. Variables are described in VARIABLES.md.
Vulnerability Scanning is now disabled by default in CIS Landing Zone. Moving forward, the intent is to enable by default only those services that are required by the CIS Benchmark. Existing users who are managing Vulnerability Scanning resources with Landing Zone should simply re-enable it by setting the vss_create variable to true.
A bug preventing Vulnerability Scanning target creation in default enclosing compartment has been fixed.
Application Bucket Improved Configuration
Prior to this release, CIS Landing Zone would manage a sample bucket in the Application compartment (a.k.a. AppDev) and encrypt it with a customer-managed key. This has changed. Now the bucket creation is optional, and when deployed, the user has a choice to bring an existing key for encryption. Aligning with the CIS Profile Levels feature, if cis_level is set to 1, the bucket is encrypted with an Oracle-managed key; if cis_level is set to 2, a customer-managed key (either provided or managed by Landing Zone) is used for bucket encryption.
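As an added example (not the Landing Zone's own code), the following Terraform shows how a cis_level variable can drive both the bucket encryption choice described here and in the Service Connector Hub section (Oracle-managed key at Level 1; customer-managed key, either brought in or created, at Level 2) and the Security Zone policy set from the table above. Only cis_level is a name the page uses; the other variables, the resource names and the use of oci_kms_key to create the Level 2 key are assumptions made for this illustration.

```hcl
# Added illustration (not the project's own code) of a cis_level-driven
# configuration. Names other than cis_level are hypothetical.

variable "cis_level" {
  description = "CIS OCI Benchmark configuration profile level: \"1\" or \"2\"."
  type        = string
  default     = "1"
  validation {
    condition     = contains(["1", "2"], var.cis_level)
    error_message = "cis_level must be \"1\" or \"2\"."
  }
}

variable "create_bucket" {
  type    = bool
  default = false # bucket creation is optional
}

variable "existing_bucket_key_id" {
  description = "OCID of a customer-managed Vault key to bring; null lets this code create one."
  type        = string
  default     = null
}

variable "compartment_id" { type = string }
variable "vault_management_endpoint" { type = string }

locals {
  # Security Zone policy names by level; Level 2 is a superset of Level 1.
  level1_policies = [
    "deny public_buckets",
    "deny db_instance_public_access",
  ]
  level2_policies = concat(local.level1_policies, [
    "deny block_volume_without_vault_key",
    "deny boot_volume_without_vault_key",
    "deny buckets_without_vault_key",
    "deny file_system_without_vault_key",
  ])
  security_zone_policy_names = var.cis_level == "2" ? local.level2_policies : local.level1_policies

  # Level 1: Oracle-managed key, so kms_key_id stays null.
  # Level 2: customer-managed key, brought by the user or created below.
  create_key = var.cis_level == "2" && var.existing_bucket_key_id == null
  bucket_kms_key_id = var.cis_level == "2" ? (
    var.existing_bucket_key_id != null ? var.existing_bucket_key_id : one(oci_kms_key.lz_bucket_key[*].id)
  ) : null
}

data "oci_objectstorage_namespace" "ns" {
  compartment_id = var.compartment_id
}

# Only created when Level 2 is requested and no key was brought in.
resource "oci_kms_key" "lz_bucket_key" {
  count               = local.create_key ? 1 : 0
  compartment_id      = var.compartment_id
  display_name        = "lz-bucket-key"
  management_endpoint = var.vault_management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 32 # bytes, i.e. AES-256
  }
}

resource "oci_objectstorage_bucket" "appdev" {
  count          = var.create_bucket ? 1 : 0
  compartment_id = var.compartment_id
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  name           = "appdev-bucket"
  access_type    = "NoPublicAccess" # consistent with "deny public_buckets"
  kms_key_id     = local.bucket_kms_key_id
}

output "security_zone_policy_names" {
  value = local.security_zone_policy_names
}
```

With cis_level = "1" the bucket is created without kms_key_id and no Vault key is created; with cis_level = "2" the bucket uses either the key passed in existing_bucket_key_id or the key this configuration creates, and the output lists the six Level 2 policy names.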
Data Safe Permissions
In the config directory, management permission for the Data Safe family has been added to the Database Administrators and Exadata Infrastructure Administrators groups. Read permission for the Data Safe family has been added to the Auditors group.
In the pre-config directory, read permission for the Data Safe family has been added to the Database Administrators and Auditors groups.
2.3.5
CIS 1.2 updates