Azure Network Security Group allows public access to Oracle DBMS ports
- Contextual name: Security Group allows public access to Oracle DBMS ports
- ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-traffic-to-oracle-dbms
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description
Ensure that Azure Network Security Groups protecting Oracle DBMS instances are not configured to allow unrestricted inbound traffic to the Oracle DBMS ports (1521, 1830, 2483, 2484). Network Security Group rules should be audited and modified to restrict inbound access to these ports, allowing traffic only from trusted IP addresses or internal systems, to minimize exposure and secure sensitive data.
Rationale
Unrestricted access to Oracle DBMS ports significantly increases the risk of unauthorized access, brute-force attacks, data theft, and exploitation of known or unknown vulnerabilities within the Oracle database. As high-value assets, Oracle DBMS instances are frequently targeted by malicious actors seeking to exploit weaknesses. Exposing these instances to the public internet without appropriate access controls can lead to severe security breaches. By restricting access to trusted networks or IP address ranges, the attack surface is minimized, thereby enhancing the security posture of the Oracle DBMS and safeguarding sensitive data from unauthorized access or modification.
Remediation
Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
- If the rule is not required: remove the rule entirely.
- If the rule is required but overly permissive: update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLI
Delete the rule:

```bash
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
```

Restrict the rule:

```bash
az network nsg rule update \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}} \
  --source-address-prefixes {{trusted-cidr}}
```

Replace the placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., `--source-address-prefixes "1.2.3.4/32 5.6.7.8/32"`).
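The check described in the Description and the remediation above can be seen together in a small script. This is an added illustration written for this page; it is not the policy's own prod.logic.yaml and not CloudAware code. It takes NSG security rules in the JSON shape `az network nsg rule list -o json` returns (field names `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix(es)`, `destinationPortRange(s)` as in the Azure REST API), flags Allow rules that expose any Oracle port to a public source, honours higher-priority Deny rules that already block public access to a port, and emits the corresponding `az network nsg rule update` lines. The sample NSG, resource group, NSG name and trusted CIDR are constructed values.

```python
"""Flag NSG rules exposing Oracle DBMS ports (1521, 1830, 2483, 2484) to the
public internet and draft the restricting az CLI commands.

Added example for this policy page; not the compliance engine's own logic.
Rule JSON shape follows `az network nsg rule list -o json` (Azure REST names).
"""
from __future__ import annotations
from typing import Optional

ORACLE_PORTS = {1521, 1830, 2483, 2484}
# Inbound source prefixes that mean "anyone on the internet".
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}


def _port_set(spec: str) -> Optional[set[int]]:
    """Expand '1521', '1520-1530' or '*' into a port set; None means all ports."""
    spec = spec.strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(rule: dict) -> Optional[set[int]]:
    """Union of a rule's destination port specs (singular and plural fields)."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports: set[int] = set()
    for spec in specs:
        expanded = _port_set(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def is_public(rule: dict) -> bool:
    """True if any source prefix of the rule admits arbitrary internet hosts."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return any(s.lower() in PUBLIC_SOURCES for s in sources)


def oracle_ports_hit(rule: dict) -> set[int]:
    ports = rule_ports(rule)
    return set(ORACLE_PORTS) if ports is None else ports & ORACLE_PORTS


def exposed_oracle_rules(nsg: dict) -> list[dict]:
    """Return inbound Allow rules that expose an Oracle port to a public source.

    Azure evaluates rules by ascending priority number and stops at the first
    match, so a public Deny on a port shadows any later Allow on that port.
    Only TCP or any-protocol rules count; Oracle listeners speak TCP.
    """
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    publicly_denied: set[int] = set()
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound":
            continue
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        hit = oracle_ports_hit(rule)
        if rule.get("access") == "Deny":
            if is_public(rule):          # public traffic to these ports is blocked
                publicly_denied |= hit
            continue
        hit -= publicly_denied
        if hit and is_public(rule):
            findings.append({"name": rule["name"],
                             "priority": rule["priority"],
                             "ports": sorted(hit)})
    return findings


def remediation_commands(resource_group: str, nsg_name: str,
                         findings: list[dict], trusted_cidrs: list[str]) -> list[str]:
    """Draft the page's 'restrict the rule' command for each finding."""
    prefixes = " ".join(trusted_cidrs)
    return [f"az network nsg rule update --resource-group {resource_group} "
            f"--nsg-name {nsg_name} --name {f['name']} "
            f"--source-address-prefixes {prefixes}" for f in findings]


# Constructed sample NSG (not real infrastructure).
SAMPLE_NSG = {"name": "nsg-db", "securityRules": [
    {"name": "AllowOracleListener", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "1521"},
    {"name": "AllowOracleFromOffice", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "1520-1530"},
    {"name": "DenyPublicEM", "priority": 120, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "1830"},
    {"name": "AllowAllTcp", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": ["0.0.0.0/0"],
     "destinationPortRanges": ["1830", "2483-2484"]},
    {"name": "AllowUdpAny", "priority": 400, "direction": "Inbound",
     "access": "Allow", "protocol": "Udp", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]}

if __name__ == "__main__":
    found = exposed_oracle_rules(SAMPLE_NSG)
    for f in found:
        print(f"EXPOSED {f['name']} (priority {f['priority']}): ports {f['ports']}")
    for cmd in remediation_commands("rg-prod", "nsg-db", found, ["10.0.0.0/24"]):
        print(cmd)
```

Against the constructed NSG the script reports `AllowOracleListener` for port 1521 and `AllowAllTcp` for 2483 and 2484 only, because the higher-priority `DenyPublicEM` already blocks public traffic to 1830; the office-scoped rule is not reported. The generated commands are drafts to review, not to run blindly: a `*` port rule such as an RDP or SSH jump rule may need deletion rather than narrowing.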
- policy.yaml
Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| Cloudaware Framework → Public and Anonymous Access | 80 | no data | | | |