Description
Ensure that Azure VM Scale Set Instances hosting Oracle DBMS instances are not configured to allow unrestricted inbound traffic to Oracle DBMS ports (1521, 1830, 2483, 2484). Network Security Group rules should be audited and modified to restrict inbound access to these ports, allowing traffic only from trusted IP addresses or internal systems to minimize exposure and secure sensitive data.
Rationale
Unrestricted access to Oracle DBMS ports significantly increases the risk of unauthorized access, brute-force attacks, data theft, and exploitation of known or unknown vulnerabilities within the Oracle database. As high-value assets, Oracle DBMS instances are frequently targeted by malicious actors seeking to exploit weaknesses. Exposing these instances to the public internet without appropriate access controls can lead to severe security breaches. By restricting access to trusted networks or IP address ranges, the attack surface is minimized, thereby enhancing the security posture of the Oracle DBMS and safeguarding sensitive data from unauthorized access or modification.
Impact
Implementing access restrictions requires careful planning and configuration to avoid disrupting legitimate business processes or applications that require access to the Oracle DBMS. Proper testing should be conducted to ensure the database remains accessible to authorized users and systems while maintaining security.
Audit
This policy flags an Azure VM Scale Set Instance as INCOMPLIANT if it is associated with a Network Interface that is connected to an NSG containing at least one Inbound Security Rule that meets all of the following conditions:
- Direction is Inbound.
- Access is Allow.
- Protocol is either Tcp, *, or null.
- Source Address Prefix is either Internet, *, 0.0.0.0, /0, or Any.
- Destination Port is 1521, 1830, 2483, or 2484.
If the Direction, Access, Protocol, or Source Address Prefix fields do not match the criteria above, the VM is marked as INAPPLICABLE.
If the Destination Port does not match, the VM is considered COMPLIANT.
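The audit logic above, written out as an added example in Python. This is not code from the policy page or from any vendor tooling; it assumes NSG rules are supplied as dictionaries whose keys mirror the securityRule fields in `az network nsg rule list` JSON output (direction, access, protocol, sourceAddressPrefix, destinationPortRange), and the sample rules are constructed. It goes slightly beyond the page in one respect: a destinationPortRange given as a range or `*` that covers an Oracle port is also treated as a match, since such a rule exposes the port just as an exact entry does. The aggregation over several rules (any matching rule makes the VM INCOMPLIANT) is an assumption about how the per-rule verdicts combine.

```python
# Added example: classify a VM Scale Set instance against the Oracle DBMS
# inbound-exposure audit described above. Not the policy page's own code.

# Field names assumed to mirror `az network nsg rule list` JSON output.
ORACLE_PORTS = {1521, 1830, 2483, 2484}
OPEN_PROTOCOLS = {"tcp", "*", None}
# "0.0.0.0/0" is included as the CIDR spelling of the page's "0.0.0.0, /0"
# (assumption); the remaining values are the ones the page lists.
OPEN_SOURCES = {"internet", "*", "0.0.0.0", "/0", "0.0.0.0/0", "any"}


def _norm(value):
    """Lower-case string fields so comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def expand_ports(port_range):
    """Return the set of ports covered by a destinationPortRange value.

    Handles a single port ('1521'), a range ('1000-2000'), a comma list
    ('1521,2484'), and '*' or None (all ports). Range handling is the
    added generalization described in the lead-in.
    """
    if port_range in (None, "*"):
        return set(range(0, 65536))
    ports = set()
    for part in str(port_range).split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def evaluate_rule(rule):
    """Verdict for one rule: INCOMPLIANT, COMPLIANT, or INAPPLICABLE.

    Direction, Access, Protocol and Source Address Prefix are checked
    first; a miss on any of them is INAPPLICABLE. Only then is the
    Destination Port compared against the Oracle DBMS ports.
    """
    if _norm(rule.get("direction")) != "inbound":
        return "INAPPLICABLE"
    if _norm(rule.get("access")) != "allow":
        return "INAPPLICABLE"
    if _norm(rule.get("protocol")) not in OPEN_PROTOCOLS:
        return "INAPPLICABLE"
    if _norm(rule.get("sourceAddressPrefix")) not in OPEN_SOURCES:
        return "INAPPLICABLE"
    if expand_ports(rule.get("destinationPortRange")) & ORACLE_PORTS:
        return "INCOMPLIANT"
    return "COMPLIANT"


def evaluate_vm(rules):
    """Combine per-rule verdicts for all rules of the NSG on the VM's NIC.

    Assumed aggregation: any INCOMPLIANT rule makes the VM INCOMPLIANT;
    otherwise any rule that reached the port check makes it COMPLIANT;
    otherwise nothing applied.
    """
    verdicts = {evaluate_rule(r) for r in rules}
    if "INCOMPLIANT" in verdicts:
        return "INCOMPLIANT"
    if "COMPLIANT" in verdicts:
        return "COMPLIANT"
    return "INAPPLICABLE"


# Constructed sample rules (not real NSG output).
OPEN_ORACLE_RULE = {
    "name": "allow-oracle-from-internet",
    "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "Internet", "destinationPortRange": "1521",
}
# The hardened form of the rule above: same port, source limited to the
# application subnet (10.10.20.0/24 is a constructed placeholder).
RESTRICTED_ORACLE_RULE = {
    "name": "allow-oracle-from-app-subnet",
    "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "10.10.20.0/24", "destinationPortRange": "1521",
}
OPEN_HTTPS_RULE = {
    "name": "allow-https-any",
    "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
    "sourceAddressPrefix": "*", "destinationPortRange": "443",
}
WIDE_RANGE_RULE = {
    "name": "allow-wide-range-any",
    "direction": "Inbound", "access": "Allow", "protocol": "*",
    "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "1000-2000",
}

if __name__ == "__main__":
    for rule in (OPEN_ORACLE_RULE, RESTRICTED_ORACLE_RULE,
                 OPEN_HTTPS_RULE, WIDE_RANGE_RULE):
        print(f"{rule['name']:32s} {evaluate_rule(rule)}")
    print("VM verdict:", evaluate_vm([OPEN_HTTPS_RULE, OPEN_ORACLE_RULE]))
```

The restricted rule is INAPPLICABLE rather than COMPLIANT because the policy, as described, stops evaluating once the source prefix is not one of the open values; a reviewer reading the results should therefore treat INAPPLICABLE as "no open rule on this port", not as a pass of the port check.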