End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Restrict Traffic for Default Security Lists

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: OCI-Networking-006

Ensure that the default security lists in your Oracle Cloud Infrastructure (OCI) Virtual Cloud Networks (VCNs) restrict all ingress and egress network traffic, so that OCI users must create custom security lists that follow the Principle of Least Privilege (POLP) instead of relying on the default security list that every VCN provides.

Security

In Oracle Cloud Infrastructure (OCI), a default security list is created together with each Virtual Cloud Network (VCN). A subnet uses its VCN's default security list unless other security lists are specified for it, and compute instances are commonly launched into such subnets, so a default security list that allows unrestricted access increases the exposure of those instances to malicious activity such as exploitation of listening services, Denial-of-Service (DoS) attacks, and brute-force attacks against remote-access ports.


Audit

To determine if your default security lists allow unrestricted ingress or egress traffic (the example output below shows an inbound rule that opens TCP port 22 (SSH) to the world), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) created for the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to examine, listed in the Name column.

06 Select the Security tab and click on the name (link) of the default security list created for your VCN, listed in the Security Lists section. The default security list has the following name: Default Security List for <vcn-name>, where <vcn-name> is the name of the selected Virtual Cloud Network (VCN).

07 Select the Security rules tab and perform the following actions:

  1. Check the Ingress Rules list for any inbound rules with the Source attribute set to 0.0.0.0/0 and IP Protocol set to any protocol (including All Protocols) except ICMP. If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has ingress rules that allow unrestricted access.
  2. Check the Egress Rules list for any outbound rules with the Destination attribute set to 0.0.0.0/0 and IP Protocol set to any protocol (including All Protocols) except ICMP. If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has egress rules that allow unrestricted access.

08 Repeat steps no. 5 - 7 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run network vcn list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the name of each Virtual Cloud Network (VCN) available in the selected OCI compartment:

oci network vcn list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."display-name"'

04 The command output should return the requested VCN identifiers (names):

[
	"cc-project5-vcn",
	"cc-production-vcn"
]

05 Run network security-list list command (Windows/macOS/Linux) with the name of the default security list as the identifier parameter, to list the ingress rules configured for the specified security list. Use the --display-name parameter to specify the name of the default security list. The default security list has the following name: Default Security List for <vcn-name>, where <vcn-name> is the name of the Virtual Cloud Network (VCN):

oci network security-list list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'Default Security List for cc-project5-vcn'
	--query 'data[]."ingress-security-rules"'

06 The command output should return the requested ingress security rules:

[
	[
		{
			"description": null,
			"icmp-options": null,
			"is-stateless": false,
			"protocol": "6",
			"source": "0.0.0.0/0",
			"source-type": "CIDR_BLOCK",
			"tcp-options": {
				"destination-port-range": {
					"max": 22,
					"min": 22
				},
				"source-port-range": null
			},
			"udp-options": null
		},
		{
			"description": null,
			"icmp-options": {
				"code": null,
				"type": 3
			},
			"is-stateless": false,
			"protocol": "1",
			"source": "10.0.0.0/16",
			"source-type": "CIDR_BLOCK",
			"tcp-options": null,
			"udp-options": null
		}
	]
]

Check each inbound rule returned by the network security-list list command output for a "source" attribute set to "0.0.0.0/0" and "protocol" set to "all" or any protocol number except "1" (ICMP). If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has ingress rules that allow unrestricted access. In the example output above, the first rule (protocol "6", i.e. TCP, destination port 22, source "0.0.0.0/0") matches, so this default security list is non-compliant.

07 Run network security-list list command (Windows/macOS/Linux) with the name of the default security list as the identifier parameter, to list the egress rules configured for the specified security list. Use the --display-name parameter to specify the name of the default security list:

oci network security-list list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'Default Security List for cc-project5-vcn'
	--query 'data[]."egress-security-rules"'

08 The command output should return the requested egress security rules:

[
	[
		{
			"description": null,
			"destination": "0.0.0.0/0",
			"destination-type": "CIDR_BLOCK",
			"icmp-options": null,
			"is-stateless": false,
			"protocol": "all",
			"tcp-options": null,
			"udp-options": null
		}
	]
]

Check each outbound rule returned by the network security-list list command output for a "destination" attribute set to "0.0.0.0/0" and "protocol" set to "all" or any protocol number except "1" (ICMP). If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has egress rules that allow unrestricted access. In the example output above, the single rule (protocol "all", destination "0.0.0.0/0") matches, so this default security list is non-compliant.

09 Repeat steps no. 5 - 8 for each Virtual Cloud Network created in the selected OCI compartment.

10 Repeat steps no. 3 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
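The audit steps above apply one criterion to every rule of every default security list: a world-open source or destination combined with any protocol other than ICMP. The script below is an added example (not part of the original page or of Trend Micro's tooling) that applies that criterion offline to the JSON that `oci network security-list list --output json` prints, so the whole compartment can be checked in one pass instead of one `--display-name` query per VCN. The sample security list embedded in it is constructed for this example and mirrors the rules shown on this page; the OCID values in it are placeholders. It goes slightly beyond the page's wording by also treating the IPv6 wildcard `::/0` as unrestricted, which is how OCI represents an IPv6 rule open to the world.

```python
"""Offline checker for OCI default security lists.

Reads the JSON that `oci network security-list list ... --output json` returns
(the object with a "data" array) and reports every rule in a default security
list that is open to the world and not ICMP. Example code, not OCI tooling.
"""
import ipaddress
import json
import sys

# Constructed sample of `oci network security-list list` output (placeholder OCIDs).
SAMPLE_LIST_OUTPUT = json.loads("""
{
  "data": [
    {
      "display-name": "Default Security List for cc-project5-vcn",
      "id": "ocid1.securitylist.oc1.ap-sydney-1.exampleplaceholder",
      "vcn-id": "ocid1.vcn.oc1.ap-sydney-1.exampleplaceholder",
      "ingress-security-rules": [
        {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
         "is-stateless": false,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"protocol": "1", "source": "10.0.0.0/16", "source-type": "CIDR_BLOCK",
         "is-stateless": false, "icmp-options": {"type": 3, "code": null}},
        {"protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
         "is-stateless": false, "icmp-options": {"type": 3, "code": 4}}
      ],
      "egress-security-rules": [
        {"protocol": "all", "destination": "0.0.0.0/0",
         "destination-type": "CIDR_BLOCK", "is-stateless": false}
      ]
    }
  ]
}
""")

ICMP = "1"  # OCI encodes IP protocol numbers as strings; "all" means any protocol


def is_unrestricted_cidr(cidr):
    """True for a prefix that covers the whole address space (0.0.0.0/0 or ::/0)."""
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # OCI service network labels are not CIDRs and are not world-open
    return network.prefixlen == 0


def rule_is_open(rule, direction):
    """The page's criterion: world-open endpoint and any protocol except ICMP."""
    key = "source" if direction == "ingress" else "destination"
    if rule.get(f"{key}-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # SERVICE_CIDR_BLOCK endpoints point at Oracle services, not the internet
    return is_unrestricted_cidr(rule.get(key, "")) and rule.get("protocol") != ICMP


def find_open_rules(list_output, name_prefix="Default Security List for "):
    """Return one finding per open rule across all default security lists in the output."""
    findings = []
    for security_list in list_output["data"]:
        if not security_list["display-name"].startswith(name_prefix):
            continue  # custom security lists are out of scope for this rule
        for direction in ("ingress", "egress"):
            rules = security_list.get(f"{direction}-security-rules") or []
            for index, rule in enumerate(rules):
                if rule_is_open(rule, direction):
                    findings.append({
                        "security-list-id": security_list["id"],
                        "direction": direction,
                        "index": index,
                        "protocol": rule["protocol"],
                        "cidr": rule.get("source") or rule.get("destination"),
                    })
    return findings


if __name__ == "__main__":
    # Pipe real CLI output in; with no stdin attached, the constructed sample is used.
    data = SAMPLE_LIST_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    results = find_open_rules(data)
    for finding in results:
        print(f"{finding['security-list-id']}: {finding['direction']} rule "
              f"#{finding['index']} allows {finding['cidr']} (protocol {finding['protocol']})")
    sys.exit(1 if results else 0)
```

Usage: `oci network security-list list --compartment-id <compartment-ocid> --all --output json | python3 check_default_sl.py`; the non-zero exit status makes the check usable as a gate in a pipeline. Note that the ICMP rule from 0.0.0.0/0 in the sample (type 3, code 4, which OCI ships in every new default security list for path MTU discovery) is deliberately not reported, matching the ICMP exemption in the audit steps above.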

Remediation / Resolution

To update the ingress and egress configuration for your default security lists in order to restrict network access, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) created for the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to access, listed in the Name column.

06 Select the Security tab and click on the name (link) of the default security list created for your VCN, listed in the Security Lists section. The default security list has the following name: Default Security List for <vcn-name>, where <vcn-name> is the name of the selected Virtual Cloud Network (VCN).

07 Select the Security rules tab and perform the following actions to change the traffic source/destination for the inbound/outbound rules that allows unrestricted access:

  1. For ingress rules:
    1. Select the rule that you want to modify, choose Actions, and select Edit.
    2. Replace 0.0.0.0/0 in the Source CIDR box with an authorized IP address or IP address range.
    3. Choose Save changes to apply the configuration changes.
  2. For egress rules:
    1. Select the rule that you want to modify, choose Actions, and select Edit.
    2. Replace 0.0.0.0/0 in the Destination CIDR box with an authorized IP address or IP address range.
    3. Choose Save changes to apply the configuration changes.

08 To remove entirely the ingress/egress rule that allows unrestricted access, perform the following actions:

  1. Select the ingress/egress rule that you want to delete, choose Actions, and choose Remove.
  2. In the confirmation box choose Remove to confirm the rule removal.

09 Repeat steps no. 5 - 8 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run network security-list list command (Windows/macOS/Linux) with custom output filters to describe the resource ID for the default security list:

oci network security-list list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'Default Security List for cc-project5-vcn'
	--query 'data[]."id"'

02 The command output should return the ID (OCID) of the requested default security list:

[
	"ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run network security-list update command (OSX/Linux/UNIX) with the ID of the default security list that you want to configure as the identifier parameter, to change the traffic source for the ingress rule that allows unrestricted access (i.e., 0.0.0.0/0). For "source", you can provide one or more authorized IP addresses and/or IP address ranges using CIDR notation (e.g., 10.0.0.15/32 or 10.0.0.0/16). IMPORTANT: This command overwrites the existing ingress rules. Include every ingress rule that must remain (for example the ICMP rules) in the --ingress-security-rules parameter value, and keep "isStateless" set to false so that the rule stays stateful, as the default rule was, and SSH return traffic is allowed without a matching egress rule:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--ingress-security-rules '[{"source": "10.0.0.15/32", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 22, "min": 22}}}]'
	--query 'data."ingress-security-rules"'

04 The command output should return the ingress rules configured for the modified security list:

[
	{
		"description": null,
		"icmp-options": null,
		"is-stateless": false,
		"protocol": "6",
		"source": "10.0.0.15/32",
		"source-type": "CIDR_BLOCK",
		"tcp-options": {
			"destination-port-range": {
				"max": 22,
				"min": 22
			},
			"source-port-range": null
		},
		"udp-options": null
	}
]

05 Run network security-list update command (OSX/Linux/UNIX) with the ID of the default security list that you want to configure as the identifier parameter, to change the traffic destination for the egress rule that allows unrestricted access. For "destination", you can provide one or more authorized IP addresses and/or IP address ranges using CIDR notation (e.g., 10.0.0.15/32 or 10.0.0.0/16). IMPORTANT: This command overwrites the existing egress rules. Ensure that you include all egress rules that must remain in the --egress-security-rules parameter value:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--egress-security-rules '[{"destination": "10.0.0.15/32", "protocol": "all", "isStateless": false}]'
	--query 'data."egress-security-rules"'

06 The command output should return the egress rules configured for the modified security list:

[
	{
		"description": null,
		"destination": "10.0.0.15/32",
		"destination-type": "CIDR_BLOCK",
		"icmp-options": null,
		"is-stateless": false,
		"protocol": "all",
		"tcp-options": null,
		"udp-options": null
	}
]

07 To remove entirely the ingress rule that allows unrestricted access, delete the non-compliant rule from the JSON configuration file that defines the security list inbound rules (i.e., cc-new-ingress-rules.json), pass the file with the --ingress-security-rules parameter, and run network security-list update command (OSX/Linux/UNIX) with the ID of the default security list that you want to update as the identifier parameter:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--ingress-security-rules file://cc-new-ingress-rules.json
	--query 'data."ingress-security-rules"'

08 The command output should return the ingress rules available for the modified security list:

[
	{
		"description": null,
		"icmp-options": null,
		"is-stateless": true,
		"protocol": "6",
		"source": "10.0.0.0/16",
		"source-type": "CIDR_BLOCK",
		"tcp-options": null,
		"udp-options": null
	}
]

09 To remove the egress rule that allows unrestricted access, delete the non-compliant rule from the JSON configuration file that defines the security list outbound rules (i.e., cc-new-egress-rules.json), pass the file with the --egress-security-rules parameter, and run network security-list update command (OSX/Linux/UNIX) with the ID of the default security list that you want to update as the identifier parameter:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--egress-security-rules file://cc-new-egress-rules.json
	--query 'data."egress-security-rules"'

10 The command output should return the egress rules available for the modified security list:

[
	{
		"description": null,
		"destination": "10.0.0.0/16",
		"destination-type": "CIDR_BLOCK",
		"icmp-options": null,
		"is-stateless": false,
		"protocol": "all",
		"tcp-options": null,
		"udp-options": null
	}
]

11 Repeat steps no. 1 - 10 for each Virtual Cloud Network created in the selected OCI compartment.

12 Repeat steps no. 1 – 11 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
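Because network security-list update replaces the whole ingress or egress rule set, the safest way to apply the CLI remediation above is to start from the rules the list command returned, narrow or drop only the offending ones, and write the result to the JSON files the update command consumes. The script below is an added example (not part of the original page or of Trend Micro's tooling) that does exactly that: it keeps every compliant rule unchanged, replaces the world-open source or destination with an authorized CIDR (or drops the rule when no replacement is given), and converts the kebab-case keys of the list output (for example "is-stateless", "tcp-options") into the camelCase keys ("isStateless", "tcpOptions") that the --ingress-security-rules and --egress-security-rules parameters expect, as used in the commands above. The sample rules embedded in it are constructed for this example and mirror the rules shown on this page; the file names cc-new-ingress-rules.json and cc-new-egress-rules.json are the ones used in steps 07 and 09.

```python
"""Build the rule files for `oci network security-list update` from list output.

Example code, not OCI tooling. Takes the ingress/egress rule arrays exactly as
`oci network security-list list` returns them, fixes the world-open rules, and
emits camelCase JSON suitable for --ingress-security-rules file://... and
--egress-security-rules file://...
"""
import json
import sys

# Constructed sample: rules of a default security list as returned (kebab-case,
# with nulls) by `oci network security-list list`.
SAMPLE_INGRESS = [
    {"description": None, "icmp-options": None, "is-stateless": False, "protocol": "6",
     "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
     "tcp-options": {"destination-port-range": {"max": 22, "min": 22},
                     "source-port-range": None},
     "udp-options": None},
    {"description": None, "icmp-options": {"code": None, "type": 3}, "is-stateless": False,
     "protocol": "1", "source": "10.0.0.0/16", "source-type": "CIDR_BLOCK",
     "tcp-options": None, "udp-options": None},
    {"description": None, "icmp-options": {"code": 4, "type": 3}, "is-stateless": False,
     "protocol": "1", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
     "tcp-options": None, "udp-options": None},
]
SAMPLE_EGRESS = [
    {"description": None, "destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK",
     "icmp-options": None, "is-stateless": False, "protocol": "all",
     "tcp-options": None, "udp-options": None},
]

WORLD_OPEN = ("0.0.0.0/0", "::/0")  # IPv4 and IPv6 "anywhere" prefixes
ICMP = "1"


def kebab_to_camel(key):
    """'destination-port-range' -> 'destinationPortRange'."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)


def to_cli_input(value):
    """Recursively convert list output into the camelCase shape the update command accepts;
    null fields are dropped rather than sent back."""
    if isinstance(value, dict):
        return {kebab_to_camel(k): to_cli_input(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [to_cli_input(v) for v in value]
    return value


def rule_is_open(rule, direction):
    """The page's criterion: world-open endpoint and any protocol except ICMP."""
    key = "source" if direction == "ingress" else "destination"
    return rule.get(key) in WORLD_OPEN and rule.get("protocol") != ICMP


def harden_rules(rules, direction, replacement_cidr=None):
    """Narrow open rules to replacement_cidr (steps 03/05) or drop them when it is
    None (steps 07/09); every compliant rule is carried over untouched."""
    key = "source" if direction == "ingress" else "destination"
    hardened = []
    for rule in rules:
        if rule_is_open(rule, direction):
            if replacement_cidr is None:
                continue
            rule = {**rule, key: replacement_cidr}
        hardened.append(rule)
    return to_cli_input(hardened)


def write_rule_files(ingress, egress, ingress_path="cc-new-ingress-rules.json",
                     egress_path="cc-new-egress-rules.json"):
    """Write the two files referenced by file:// in the update commands above."""
    for path, rules in ((ingress_path, ingress), (egress_path, egress)):
        with open(path, "w", encoding="utf-8") as handle:
            json.dump(rules, handle, indent=2)


if __name__ == "__main__":
    # Optional argument: the authorized CIDR; omit it to drop the open rules instead.
    authorized = sys.argv[1] if len(sys.argv) > 1 else None
    write_rule_files(harden_rules(SAMPLE_INGRESS, "ingress", authorized),
                     harden_rules(SAMPLE_EGRESS, "egress", authorized))
```

After generating the files, apply both rule sets in a single call so the list is never left half-updated: oci network security-list update --security-list-id <security-list-ocid> --ingress-security-rules file://cc-new-ingress-rules.json --egress-security-rules file://cc-new-egress-rules.json. The ICMP rule from 0.0.0.0/0 is carried over unchanged, matching the ICMP exemption in the audit criteria.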


Publication date Mar 12, 2025