🧠 Oracle IAAS Security List allows unrestricted SSH traffic - prod.logic.yaml🟢

Contextual name: 🧠 prod.logic.yaml🟢
ID: /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml
Tags:
- 🟢 Logic test success
- 🟢 Logic with extracts
- 🟢 Logic with test data

Uses

📗 Oracle IAAS Security List
🔌 Oracle IAAS Security List Rule - object.extracts.yaml
🧪 test-data.json

Test Results 🟢

Generated at: 2026-05-02T12:07:25.701480239Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	test1	✔️ `199`	✔️ `CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT)`	✔️ `null`
🟢	test2	✔️ `199`	✔️ `CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT)`	✔️ `null`
🟢	test3	✔️ `199`	✔️ `CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT)`	✔️ `null`
🟢	test4	✔️ `200`	✔️ `otherwise`	✔️ `null`
🟢	test5	✔️ `200`	✔️ `otherwise`	✔️ `null`
🟢	test6	✔️ `200`	✔️ `otherwise`	✔️ `null`
🟢	test7	✔️ `199`	✔️ `CA10O1__Oracle_IAAS_Security_List_Rules1__r.has(INCOMPLIANT)`	✔️ `null`
🟢	test8	✔️ `200`	✔️ `otherwise`	✔️ `null`

Generation Bundle

	File	MD5
Open	`/ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/policy.yaml`	`89E8F9CFADE6B4432FB1EE9367B798E2`
Open	`/ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml`	`414140FCE9136A090E0FDE457C2D95FE`
Open	`/ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/test-data.json`	`072055DC822029A234D695D8AB5F53A9`
Open	`/types/CA10O1__CaOracleIaasSecurityListRule__c/object.extracts.yaml`	`F2549B6EBE1B78E0D2D7892372FD075A`

Available Commands

repo-manager policies generate FULL /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/oracle/compute/security-list-allows-unrestricted-ssh-traffic/prod.logic.yaml

Content

Open File

---
inputType: "CA10O1__CaOracleIaasSecurityList__c"
testData:
  - file: "test-data.json"
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "The security list has ingress rules that allow unrestricted SSH access."
    remediationMessage: "Remove public SSH ingress or restrict it to approved source CIDRs."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10O1__Oracle_IAAS_Security_List_Rules1__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "The security list does not allow unrestricted SSH access."
relatedLists:
  - relationshipName: "CA10O1__Oracle_IAAS_Security_List_Rules1__r"
    importExtracts:
      - file: "/types/CA10O1__CaOracleIaasSecurityListRule__c/object.extracts.yaml"
    conditions:
      - status: "INAPPLICABLE"
        currentStateMessage: "This is not an ingress rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10O1__direction__c"
            right:
              TEXT: "Ingress"
      - status: "INAPPLICABLE"
        currentStateMessage: "This ingress rule is not sourced from the internet."
        check:
          AND:
            args:
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10O1__source__c"
                  right:
                    TEXT: "0.0.0.0/0"
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10O1__source__c"
                  right:
                    TEXT: "::/0"
      - status: "INAPPLICABLE"
        currentStateMessage: "This ingress rule does not use ALL or TCP protocol."
        check:
          NOT:
            arg:
              CONTAINS:
                arg:
                  SET:
                    itemType: "TEXT"
                    items:
                      - "ALL"
                      - "TCP"
                search:
                  EXTRACT: "CA10O1__protocol__c"
      - status: "INCOMPLIANT"
        currentStateMessage: "This ingress rule allows SSH access from the internet."
        remediationMessage: "Remove this rule or restrict the source CIDR to approved administrative ranges."
        check:
          OR:
            args:
              - AND:
                  args:
                    - IS_EMPTY:
                        arg:
                          EXTRACT: "CA10O1__destinationPortMin__c"
                    - IS_EMPTY:
                        arg:
                          EXTRACT: "CA10O1__destinationPortMax__c"
              - AND:
                  args:
                    - LESS_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10O1__destinationPortMin__c"
                        right:
                          NUMBER: 22.0
                    - GREATER_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10O1__destinationPortMax__c"
                        right:
                          NUMBER: 22.0
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This ingress rule does not allow unrestricted SSH access."

Uses​

Test Results 🟢​

Generation Bundle​

Available Commands​

Content​

Uses

Test Results 🟢

Generation Bundle

Available Commands

Content