oci-landing-zones / oci-cis-landingzone-quickstart

Quickstart Terraform configuration for tenancy setup according to CIS OCI Foundations Benchmark.
Universal Permissive License v1.0

Issues with recommendation checks for 1.4, 1.5 and 1.6 #107

Closed PaulICannon closed 1 year ago

PaulICannon commented 1 year ago

Hi,

I've been investigating some of the checks this script runs against my tenancy and found a few issues.

First, 1.4: the check for password length is actually looking at the is_lowercase_characters_required field, not minimum_password_length, plus the code would never return a false value. I think the following lines:

        if self.__tenancy_password_policy.password_policy.is_lowercase_characters_required:
            self.cis_foundations_benchmark_1_2['1.4']['Status'] = True

should be replaced by:

        if self.__tenancy_password_policy.password_policy.minimum_password_length >= 14:
            self.cis_foundations_benchmark_1_2['1.4']['Status'] = True
        else:
            self.cis_foundations_benchmark_1_2['1.4']['Status'] = False

Also, this is only checking the OCI Native IAM password length, not the IDCS password policy password length.

Secondly, checks for 1.5 and 1.6 (password expiry = 365 & password reuse = 24) are entirely missing from the code. As these are also in the IDCS password policy, is the script unable to check the IDCS password policy?

Regards, Paul.
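As an added illustration of the point made above (not code from the issue or the quickstart repository), the following compares the length check as reported with a corrected version, and sketches the 1.5/1.6 checks against the thresholds stated in the issue. Only `minimum_password_length` and `is_lowercase_characters_required` are field names from the issue; `password_expires_after_days` and `passwords_in_history` are constructed placeholders for settings the script cannot currently read.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# CIS OCI Foundations thresholds as stated in the issue (1.4, 1.5, 1.6).
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 365
MIN_PASSWORD_HISTORY = 24


@dataclass
class PasswordPolicy:
    """Constructed stand-in for a password policy object. The first two
    field names are the ones quoted in the issue; the last two are
    hypothetical names for the expiry and reuse settings, defaulting to
    None to model a policy source that does not expose them."""
    minimum_password_length: int
    is_lowercase_characters_required: bool
    password_expires_after_days: Optional[int] = None
    passwords_in_history: Optional[int] = None


def check_1_4_as_reported(policy: PasswordPolicy) -> Optional[bool]:
    """The logic the issue describes: tests the lowercase flag instead of
    the length and never sets False. The initial value is constructed."""
    status = None
    if policy.is_lowercase_characters_required:
        status = True
    return status


def evaluate(policy: PasswordPolicy) -> Dict[str, Dict[str, Optional[bool]]]:
    """Corrected checks: an explicit True/False for 1.4, and None for
    1.5/1.6 when the setting is not available from the policy source."""
    results = {k: {'Status': None} for k in ('1.4', '1.5', '1.6')}
    results['1.4']['Status'] = policy.minimum_password_length >= MIN_PASSWORD_LENGTH
    if policy.password_expires_after_days is not None:
        # Constructed convention: 0 means passwords never expire, so it fails.
        results['1.5']['Status'] = (
            0 < policy.password_expires_after_days <= MAX_PASSWORD_AGE_DAYS)
    if policy.passwords_in_history is not None:
        results['1.6']['Status'] = policy.passwords_in_history >= MIN_PASSWORD_HISTORY
    return results


if __name__ == '__main__':
    # Constructed sample: lowercase required, but only an 8-character minimum.
    weak = PasswordPolicy(8, True, password_expires_after_days=0, passwords_in_history=5)
    print(check_1_4_as_reported(weak))  # True: wrong field, so the weak policy passes
    print(evaluate(weak))               # 1.4, 1.5 and 1.6 all False
```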

Halimer commented 1 year ago

The fix for CIS 1.4 is in PR https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/pull/109, release 2.5.11.

The script is not able to check IDCS because its APIs are not supported by the OCI SDK. However, with the migration to tenancies with Identity Domains, we will be able to check Identity Domains. We are planning to add these checks in the upcoming months.