๐Ÿ›ก๏ธ Oracle IAAS Instance Secure Boot is disabled๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Oracle IAAS Instance Secure Boot is disabled๐ŸŸข
  • ID: /ce/ca/oracle/compute/instance-secure-boot
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Oracle IAAS Instances where Secure Boot is disabled when platform configuration data is available.

Rationale

Secure Boot helps verify the integrity of the boot process by allowing the instance to start only trusted boot components. Enabling Secure Boot reduces exposure to bootkits, rootkits, and other boot-level tampering that can compromise an instance before the operating system security controls are fully active.

Secure Boot is part of OCI shielded instance platform configuration. Where this platform configuration is available, Secure Boot should be enabled unless the workload has a documented compatibility exception, such as a dependency on unsigned boot components or drivers.

Audit

This policy flags an Oracle IAAS Instance as INCOMPLIANT when the Platform Config JSON field contains isSecureBootEnabled set to false (a missing or non-boolean value is not treated as a failure; see UNDETERMINED below).

Instances where Platform Config JSON contains isSecureBootEnabled set to true are marked as COMPLIANT.

Instances where the platform configuration JSON is empty, malformed, or does not contain a boolean Secure Boot value are marked as UNDETERMINED.
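The three-way classification described above, as an added example written for this page (it is not Cloudaware's own policy code): a Python function that parses the raw Platform Config JSON string exactly as the audit rules state, returning COMPLIANT only for a JSON boolean true, INCOMPLIANT only for a JSON boolean false, and UNDETERMINED for empty, malformed, non-object, missing or non-boolean input (for example the string "true" or the integer 1, which a loose `if value:` check would wrongly accept). The batch helper and its record shape (an `id` plus an optional `platformConfig` object, modelled on the OCI Instance resource) are assumptions, and the sample instances and OCIDs are constructed.

```python
import json
from typing import Any, Dict, List, Optional

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
UNDETERMINED = "UNDETERMINED"


def classify_secure_boot(platform_config_json: Optional[str]) -> str:
    """Classify one instance from its raw Platform Config JSON string.

    Rules, as stated in the Audit section:
      isSecureBootEnabled is JSON true   -> COMPLIANT
      isSecureBootEnabled is JSON false  -> INCOMPLIANT
      empty, malformed, not an object, key missing,
      or value not a boolean             -> UNDETERMINED
    """
    # Empty or whitespace-only field: nothing to evaluate.
    if platform_config_json is None or not platform_config_json.strip():
        return UNDETERMINED
    try:
        config = json.loads(platform_config_json)
    except (json.JSONDecodeError, TypeError):
        # Malformed JSON is never a pass or a fail; it is a data-quality gap.
        return UNDETERMINED
    if not isinstance(config, dict):
        # e.g. a bare array or scalar: no platform configuration object present.
        return UNDETERMINED
    value = config.get("isSecureBootEnabled")
    # Identity checks against True/False reject 1, 0, "true", "false", None:
    # bool is a subclass of int, so `value == 1` or truthiness would be wrong.
    if value is True:
        return COMPLIANT
    if value is False:
        return INCOMPLIANT
    return UNDETERMINED


def audit_instances(instances: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return {instance id: status} for a list of instance records.

    Assumed (hypothetical) record shape: {"id": <OCID>, "platformConfig": {...}}
    where platformConfig may be absent. The object is re-serialised so the
    same string parser is exercised for every record.
    """
    results: Dict[str, str] = {}
    for inst in instances:
        cfg = inst.get("platformConfig")
        raw = json.dumps(cfg) if cfg is not None else ""
        results[inst["id"]] = classify_secure_boot(raw)
    return results


# Constructed sample records; OCIDs are placeholders, not real resources.
SAMPLE_INSTANCES: List[Dict[str, Any]] = [
    {"id": "ocid1.instance.oc1..example-a",
     "platformConfig": {"type": "INTEL_VM", "isSecureBootEnabled": True,
                        "isTrustedPlatformModuleEnabled": True,
                        "isMeasuredBootEnabled": True}},
    {"id": "ocid1.instance.oc1..example-b",
     "platformConfig": {"type": "INTEL_VM", "isSecureBootEnabled": False}},
    {"id": "ocid1.instance.oc1..example-c"},                       # no platform config
    {"id": "ocid1.instance.oc1..example-d",
     "platformConfig": {"type": "AMD_VM", "isSecureBootEnabled": "true"}},  # string, not bool
]


if __name__ == "__main__":
    for instance_id, status in audit_instances(SAMPLE_INSTANCES).items():
        print(f"{instance_id}: {status}")
```

The strict identity comparison is the point worth keeping when porting this to another language or to a query engine: a check written as "isSecureBootEnabled is truthy" would mark the string "true" as COMPLIANT, and a check written as "not equal to true" would mark an instance with no platform data as INCOMPLIANT, producing noise on shapes where Secure Boot is not offered at all.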


Remediation

Recreate the Instance with Secure Boot Enabled

Existing OCI compute instances cannot be converted in place to Shielded instances with Secure Boot enabled. To remediate this finding, replace the affected instance with a new compatible Shielded instance that has Secure Boot enabled at launch.

Before remediation, review workload compatibility and availability requirements:

  • Secure Boot is not available for every instance shape or operating system image.
  • Secure Boot can prevent startup if the image, bootloader, kernel modules, or drivers are not compatible with Secure Boot verification.
  • Shielded instances with Secure Boot do not support live migration because the hardware TPM is not migratable.
  • During OCI infrastructure maintenance, an instance that cannot live migrate might experience an outage instead of being moved to a healthy host with minimal disruption.

From Oracle Cloud Console
  1. Identify the affected instance, its image, shape, boot volume, attached block volumes, VNICs, network configuration, metadata, tags, and application dependencies.


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Oracle v3.1.0 → 💼 3.2 Ensure Secure Boot is enabled on Compute Instance - Level 2 (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Threat Protection | 33 | no data