π§ Oracle IAAS Network Security Group allows unrestricted SSH traffic - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π Oracle IAAS Network Security Group
- π Oracle IAAS Network Security Group Rule - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2026-05-02T12:07:27.786526580Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 199 | βοΈ CA10O1__Oracle_IAAS_Network_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test2 | βοΈ 200 | βοΈ otherwise | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/policy.yaml | D114DC33F52328B7E9542E7E356BB340 |
| Open | /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml | 83C134E0E3154254C0313E86EE19039E |
| Open | /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/test-data.json | 9D1983BFCDFD7E2B5EAD0C4CB01677E3 |
| Open | /types/CA10O1__CaOracleIaasNetworkSecurityGroupRule__c/object.extracts.yaml | 11138716137450A863FB5835E1C9375B |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic/prod.logic.yaml
Contentβ
---
inputType: "CA10O1__CaOracleIaasNetworkSecurityGroup__c"
testData:
- file: "test-data.json"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "The network security group has ingress rules that allow unrestricted SSH access."
remediationMessage: "Remove public SSH ingress or restrict it to approved source CIDRs."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10O1__Oracle_IAAS_Network_Security_Group_Rules__r"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The network security group does not allow unrestricted SSH access."
relatedLists:
- relationshipName: "CA10O1__Oracle_IAAS_Network_Security_Group_Rules__r"
importExtracts:
- file: "/types/CA10O1__CaOracleIaasNetworkSecurityGroupRule__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not an ingress rule."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10O1__direction__c"
right:
TEXT: "INGRESS"
- status: "INAPPLICABLE"
currentStateMessage: "This ingress rule is not sourced from the internet."
check:
AND:
args:
- NOT_EQUAL:
left:
EXTRACT: "CA10O1__source__c"
right:
TEXT: "0.0.0.0/0"
- NOT_EQUAL:
left:
EXTRACT: "CA10O1__source__c"
right:
TEXT: "::/0"
- status: "INAPPLICABLE"
currentStateMessage: "This ingress rule does not use ALL or TCP protocol."
check:
NOT:
arg:
CONTAINS:
arg:
SET:
itemType: "TEXT"
items:
- "ALL"
- "TCP"
search:
EXTRACT: "CA10O1__protocol__c"
- status: "INCOMPLIANT"
currentStateMessage: "This ingress rule allows SSH access from the internet."
remediationMessage: "Remove this rule or restrict the source CIDR to approved administrative ranges."
check:
OR:
args:
- AND:
args:
- IS_EMPTY:
arg:
EXTRACT: "CA10O1__destinationPortMin__c"
- IS_EMPTY:
arg:
EXTRACT: "CA10O1__destinationPortMax__c"
- AND:
args:
- LESS_THAN_EQUAL:
left:
EXTRACT: "CA10O1__destinationPortMin__c"
right:
NUMBER: 22.0
- GREATER_THAN_EQUAL:
left:
EXTRACT: "CA10O1__destinationPortMax__c"
right:
NUMBER: 22.0
otherwise:
status: "COMPLIANT"
currentStateMessage: "This ingress rule does not allow unrestricted SSH access."