🛡️ Oracle IAAS Default Security List allows unrestricted non-ICMP traffic🟢

• Contextual name: 🛡️ IAAS Default Security List allows unrestricted non-ICMP traffic🟢
• ID: /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Oracle IAAS Security List
  • 🔌 Oracle IAAS Security List - object.extracts.yaml
  • 🔌 Oracle IAAS Security List Rule - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Internal: dec-x-d3512f61

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-d3512f61	1

Description

Open File

Description

This policy identifies Default Oracle IAAS Security Lists that allow non-ICMP traffic from or to the internet.

Rationale

A default security list is created when a VCN is created and can be attached to public subnets in the VCN. Security lists provide stateful or stateless filtering of ingress and egress network traffic to OCI resources in the VCN. Leaving internet-reachable ingress or broad internet egress in the default security list increases the risk of unauthorized access and data exfiltration. Restricting these default rules reduces baseline exposure and encourages the use of explicitly approved network controls.

ICMP is excepted because it is commonly required for network diagnostics and control-plane behavior such as reachability testing and path MTU discovery. ICMP does not provide application-layer access in the same way as TCP or UDP services, but it should still be limited to approved operational needs.

Impact

For existing environments, before removing an ingress rule with a source of 0.0.0.0/0, confirm that the required access is provided through another Network Security Group or Security List.

... see more

Remediation

Open File

Remediation

Restrict the Default Security List

From OCI CLI

Retrieve the current default security list configuration:

oci network security-list get \
    --security-list-id {{default-security-list-ocid}}

Create updated rule files that remove:

• non-ICMP ingress rules with source 0.0.0.0/0
• non-ICMP egress rules with destination 0.0.0.0/0

Then apply the revised ingress and egress rule sets:

oci network security-list update \
    --security-list-id {{default-security-list-ocid}} \
    --ingress-security-rules file://ingress-rules.json \
    --egress-security-rules file://egress-rules.json

The ingress-rules.json and egress-rules.json files must contain the complete final rule sets for the default security list. Preserve only the rules that are still required after remediation, and verify that any removed public ingress or public egress is replaced by dedicated Security Lists or Network Security Groups where appropriate. Keep ICMP rules only when they are required for approved diagnostics or network control behavior.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Oracle v3.1.0 → 💼 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP within VCN - Level 1 (Automated)		1	1		no data
💼 Cloudaware Framework → 💼 Network Exposure			137		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	68		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			68		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		18	19		no data
💼 ISO/IEC 27001:2022 → 💼 8.21 Security of network services		5	5		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		23	62		no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		20	24		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		54	98		no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		22	31		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			54		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			167		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		42	68		no data
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	45		no data
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	32		no data
💼 PCI DSS v3.2.1 → 💼 7.2.3 Default “deny-all” setting.			1		no data
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			40		no data
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			32		no data
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			32		no data
💼 PCI DSS v4.0.1 → 💼 7.3.3 The access control system(s) is set to “deny all” by default.			1		no data
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		30	40		no data
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		20	32		no data
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		8	32		no data
💼 PCI DSS v4.0 → 💼 7.3.3 The access control system(s) is set to “deny all” by default.		1	1		no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		42	44		no data