๐ง Oracle IAAS Default Security List allows unrestricted non-ICMP traffic - prod.logic.yaml๐ข
- Contextual name: ๐ง prod.logic.yaml๐ข
- ID:
/ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml - Tags:
- ๐ข Logic test success
- ๐ข Logic with extracts
- ๐ข Logic with test data
Usesโ
- ๐ Oracle IAAS Security List
- ๐ Oracle IAAS Security List - object.extracts.yaml
- ๐ Oracle IAAS Security List Rule - object.extracts.yaml
- ๐งช test-data.json
Test Results ๐ขโ
Generated at: 2026-05-02T12:07:21.623908283Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| ๐ข | sec-list-custom-1 | โ๏ธ 199 | โ๏ธ not(extract('Name').startsWith('Default Security List for ')) | โ๏ธ null |
| ๐ข | sec-list-default-1 | โ๏ธ 299 | โ๏ธ CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT) | โ๏ธ null |
| ๐ข | sec-list-default-2 | โ๏ธ 299 | โ๏ธ CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT) | โ๏ธ null |
| ๐ข | sec-list-default-3 | โ๏ธ 399 | โ๏ธ CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(UNDETERMINED) | โ๏ธ null |
| ๐ข | sec-list-default-4 | โ๏ธ 299 | โ๏ธ CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT) | โ๏ธ null |
| ๐ข | sec-list-default-5 | โ๏ธ 400 | โ๏ธ otherwise | โ๏ธ null |
Generation Bundleโ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/policy.yaml | D26C37C13DE5EABC0E9E2178C2DDF90A |
| Open | /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml | 18BCD8CA4E73A2C52D14D5A16EC77FCE |
| Open | /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/test-data.json | FD18DAE38AEFF9E37AC7ADE9CC9E237B |
| Open | /types/CA10O1__CaOracleIaasSecurityList__c/object.extracts.yaml | 0F4DFEF55C38BF80C91B032738EC4801 |
| Open | /types/CA10O1__CaOracleIaasSecurityListRule__c/object.extracts.yaml | F2549B6EBE1B78E0D2D7892372FD075A |
Available Commandsโ
repo-manager policies generate FULL /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/oracle/compute/default-security-list-does-not-restrict-all-traffic/prod.logic.yaml
Contentโ
---
inputType: "CA10O1__CaOracleIaasSecurityList__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10O1__CaOracleIaasSecurityList__c/object.extracts.yaml
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not a default security list."
check:
NOT:
arg:
STARTS_WITH:
arg:
EXTRACT: "Name"
search:
TEXT: "Default Security List for "
- status: "INCOMPLIANT"
currentStateMessage: "The default security list allows non-ICMP traffic to or from the internet."
remediationMessage: "Remove non-ICMP ingress from 0.0.0.0/0 and non-ICMP egress to 0.0.0.0/0."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10O1__Oracle_IAAS_Security_List_Rules1__r"
- status: "UNDETERMINED"
currentStateMessage: "The default security list has rules with incomplete data required to evaluate internet access."
check:
RELATED_LIST_HAS:
status: "UNDETERMINED"
relationshipName: "CA10O1__Oracle_IAAS_Security_List_Rules1__r"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The default security list does not allow non-ICMP traffic to or from the internet."
relatedLists:
- relationshipName: "CA10O1__Oracle_IAAS_Security_List_Rules1__r"
importExtracts:
- file: /types/CA10O1__CaOracleIaasSecurityListRule__c/object.extracts.yaml
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is an ICMP rule."
check:
IS_EQUAL:
left:
EXTRACT: "CA10O1__protocol__c"
right:
TEXT: "ICMP"
- status: "INCOMPLIANT"
currentStateMessage: "This ingress rule allows non-ICMP traffic from 0.0.0.0/0."
remediationMessage: "Remove this rule or restrict the source CIDR to approved addresses."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10O1__direction__c"
right:
TEXT: "Ingress"
- IS_EQUAL:
left:
EXTRACT: "CA10O1__source__c"
right:
TEXT: "0.0.0.0/0"
- status: "INCOMPLIANT"
currentStateMessage: "This egress rule allows non-ICMP traffic to 0.0.0.0/0."
remediationMessage: "Remove this rule or restrict the destination CIDR."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10O1__direction__c"
right:
TEXT: "Egress"
- IS_EQUAL:
left:
EXTRACT: "CA10O1__destination__c"
right:
TEXT: "0.0.0.0/0"
otherwise:
status: "COMPLIANT"
currentStateMessage: "This rule does not allow non-ICMP internet access covered by this policy."