oci_adm_knowledge_baseoci_adm_vulnerability_auditoci_ai_anomaly_detection_ai_private_endpointoci_ai_anomaly_detection_data_assetoci_ai_anomaly_detection_modeloci_ai_anomaly_detection_projectoci_analytics_instanceoci_apigateway_apioci_application_migration_migrationoci_application_migration_sourceoci_artifacts_container_imageoci_artifacts_container_image_signatureoci_artifacts_container_repositoryoci_artifacts_generic_artifactoci_artifacts_repositoryoci_autoscaling_auto_scaling_configurationoci_autoscaling_auto_scaling_policyoci_bastion_bastionoci_bastion_sessionoci_bds_bds_instanceoci_budget_alert_ruleoci_budget_budgetoci_certificates_authority_bundleoci_certificates_management_associationoci_certificates_management_ca_bundleoci_certificates_management_certificateoci_certificates_management_certificate_authorityoci_certificates_management_certificate_authority_versionoci_certificates_management_certificate_versionoci_cloud_guard_configurationoci_cloud_guard_detector_recipeoci_cloud_guard_managed_listoci_cloud_guard_responder_recipeoci_cloud_guard_targetoci_container_instances_containeroci_container_instances_container_instanceoci_containerengine_clusteroci_core_block_volume_replicaoci_core_boot_volumeoci_core_boot_volume_attachmentoci_core_boot_volume_backupoci_core_boot_volume_metric_read_opsoci_core_boot_volume_metric_read_ops_dailyoci_core_boot_volume_metric_read_ops_hourlyoci_core_boot_volume_metric_write_opsoci_core_boot_volume_metric_write_ops_dailyoci_core_boot_volume_metric_write_ops_hourlyoci_core_boot_volume_replicaoci_core_cluster_networkoci_core_dhcp_optionsoci_core_drgoci_core_imageoci_core_image_customoci_core_instanceoci_core_instance_configurationoci_core_instance_metric_cpu_utilizationoci_core_instance_metric_cpu_utilization_dailyoci_core_instance_metric_cpu_utilization_hourlyoci_core_internet_gatewayoci_core_load_balanceroci_core_local_peering_gatewayoci_core_nat_gatewayoci_core_network_load_balanceroci_core_network_security_groupoci_core_public_ipoci_core_public_ip_pooloci_core_route_tableoci_core_security_listoci_core_service_gatewayoci_core_subnetoci_core_vcnoci_core_vnic_attachmentoci_core_volumeoci_core_volume_attachmentoci_core_volume_backupoci_core_volume_backup_policyoci_core_volume_default_backup_policyoci_core_volume_groupoci_database_autonomous_databaseoci_database_autonomous_db_metric_cpu_utilizationoci_database_autonomous_db_metric_cpu_utilization_dailyoci_database_autonomous_db_metric_cpu_utilization_hourlyoci_database_autonomous_db_metric_storage_utilizationoci_database_autonomous_db_metric_storage_utilization_dailyoci_database_autonomous_db_metric_storage_utilization_hourlyoci_database_cloud_vm_clusteroci_database_dboci_database_db_homeoci_database_db_systemoci_database_exadata_infrastructureoci_database_pluggable_databaseoci_database_software_imageoci_devops_projectoci_devops_repositoryoci_dns_rrsetoci_dns_tsig_keyoci_dns_zoneoci_events_ruleoci_file_storage_file_systemoci_file_storage_mount_targetoci_file_storage_snapshotoci_functions_applicationoci_functions_functionoci_identity_api_keyoci_identity_auth_tokenoci_identity_authentication_policyoci_identity_availability_domainoci_identity_compartmentoci_identity_customer_secret_keyoci_identity_db_credentialoci_identity_domainoci_identity_dynamic_groupoci_identity_groupoci_identity_network_sourceoci_identity_policyoci_identity_tag_defaultoci_identity_tag_namespaceoci_identity_tenancyoci_identity_useroci_kms_keyoci_kms_key_versionoci_kms_vaultoci_logging_logoci_logging_log_groupoci_logging_searchoci_mysql_backupoci_mysql_channeloci_mysql_configurationoci_mysql_configuration_customoci_mysql_db_systemoci_mysql_db_system_metric_connectionsoci_mysql_db_system_metric_connections_dailyoci_mysql_db_system_metric_connections_hourlyoci_mysql_db_system_metric_cpu_utilizationoci_mysql_db_system_metric_cpu_utilization_dailyoci_mysql_db_system_metric_cpu_utilization_hourlyoci_mysql_db_system_metric_memory_utilizationoci_mysql_db_system_metric_memory_utilization_dailyoci_mysql_heat_wave_clusteroci_network_firewall_firewalloci_network_firewall_policyoci_nosql_tableoci_nosql_table_metric_read_throttle_countoci_nosql_table_metric_read_throttle_count_dailyoci_nosql_table_metric_read_throttle_count_hourlyoci_nosql_table_metric_storage_utilizationoci_nosql_table_metric_storage_utilization_dailyoci_nosql_table_metric_storage_utilization_hourlyoci_nosql_table_metric_write_throttle_countoci_nosql_table_metric_write_throttle_count_dailyoci_nosql_table_metric_write_throttle_count_hourlyoci_objectstorage_bucketoci_objectstorage_objectoci_ons_notification_topicoci_ons_subscriptionoci_queue_queueoci_regionoci_resource_searchoci_resourcemanager_stackoci_streaming_streamoci_vault_secret
Table: oci_core_network_security_group - Query OCI Core Network Security Groups using SQL
A Network Security Group in OCI Core service is a virtual firewall for your virtual network resources. It provides inbound and outbound security rules that specify the type of traffic and the ports on which the traffic is allowed. Network Security Groups are associated with a Virtual Cloud Network (VCN) and can be associated with specific subnets or a specific set of Compute instances.
Table Usage Guide
The oci_core_network_security_group table provides insights into the Network Security Groups within OCI Core service. As a security analyst, you can explore group-specific details through this table, including security rules, associated resources, and other metadata. Leverage this table to identify potential security risks, such as overly permissive security rules and to ensure compliance with your organization's security policies.
Examples
Basic info
Explore which network security groups are active within your system and when they were created. This can help maintain security standards and identify any potentially unauthorized or outdated groups.
select display_name, id, vcn_id, lifecycle_state as state, time_createdfrom oci_core_network_security_group;select display_name, id, vcn_id, lifecycle_state as state, time_createdfrom oci_core_network_security_group;List NSGs that are not available
Discover the segments that are not currently available in your network security groups. This is useful to assess the elements within your network that might be causing issues due to their unavailability.
select display_name, id, lifecycle_state as statefrom oci_core_network_security_groupwhere lifecycle_state <> 'AVAILABLE';select display_name, id, lifecycle_state as statefrom oci_core_network_security_groupwhere lifecycle_state <> 'AVAILABLE';Count the number of rules per NSG
- "Explore the distribution of rules across different Network Security Groups (NSG) in your environment."
- "Identify Network Security Groups (NSGs) in your environment that have unrestricted inbound access from the internet."
- "Uncover Network Security Groups (NSGs) in your environment that have unrestricted SSH and RDP access from the internet.
select display_name, id, jsonb_array_length(rules) as rules_countfrom oci_core_network_security_group;select display_name, id, json_array_length(rules) as rules_countfrom oci_core_network_security_group;List NSGs whose inbound access is open to the internet
select display_name, id, r ->> 'direction' as direction, r ->> 'sourceType' as source_type, r ->> 'source' as sourcefrom oci_core_network_security_group, jsonb_array_elements(rules) as rwhere r ->> 'direction' = 'INGRESS' and r ->> 'sourceType' = 'CIDR_BLOCK' and r ->> 'source' = '0.0.0.0/0'select display_name, id, json_extract(r.value, '$.direction') as direction, json_extract(r.value, '$.sourceType') as source_type, json_extract(r.value, '$.source') as sourcefrom oci_core_network_security_group, json_each(rules) as rwhere json_extract(r.value, '$.direction') = 'INGRESS' and json_extract(r.value, '$.sourceType') = 'CIDR_BLOCK' and json_extract(r.value, '$.source') = '0.0.0.0/0'List NSG whose SSH and RDP access is not restricted from the internet
select display_name, id, r ->> 'direction' as direction, r ->> 'sourceType' as source_type, r ->> 'source' as source, r ->> 'protocol' as protocol, r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max' as min_port_range, r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min' as max_port_rangefrom oci_core_network_security_group, jsonb_array_elements(rules) as rwhere r ->> 'direction' = 'INGRESS' and r ->> 'sourceType' = 'CIDR_BLOCK' and r ->> 'source' = '0.0.0.0/0' and ( (r ->> 'protocol' = 'all') or ( (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 22 and (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 22 ) or ( (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 3389 and (r -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 3389 ) );select display_name, id, json_extract(r.value, '$.direction') as direction, json_extract(r.value, '$.sourceType') as source_type, json_extract(r.value, '$.source') as source, json_extract(r.value, '$.protocol') as protocol, json_extract(r.value, '$.tcpOptions.destinationPortRange.max') as min_port_range, json_extract(r.value, '$.tcpOptions.destinationPortRange.min') as max_port_rangefrom oci_core_network_security_group, json_each(rules) as rwhere json_extract(r.value, '$.direction') = 'INGRESS' and json_extract(r.value, '$.sourceType') = 'CIDR_BLOCK' and json_extract(r.value, '$.source') = '0.0.0.0/0' and ( (json_extract(r.value, '$.protocol') = 'all') or ( cast( json_extract(r.value, '$.tcpOptions.destinationPortRange.min') as integer ) <= 22 and cast( json_extract(r.value, '$.tcpOptions.destinationPortRange.max') as integer ) >= 22 ) or ( cast( json_extract(r.value, '$.tcpOptions.destinationPortRange.min') as integer ) <= 3389 and cast( json_extract(r.value, '$.tcpOptions.destinationPortRange.max') as integer ) >= 3389 ) );Count the number of NSGs per VCN
Explore which Virtual Cloud Networks (VCNs) have the most Network Security Groups (NSGs) to understand your cloud network's security distribution. This can help in assessing the security coverage and identifying areas that might need additional security measures.
select vcn_id, count(id) as no_of_nsgfrom oci_core_network_security_groupgroup by vcn_id;select vcn_id, count(id) as no_of_nsgfrom oci_core_network_security_groupgroup by vcn_id;Query examples
- compute_instance_security_groups
- oci_vcn_security_group_count
- oci_vcn_security_group_unrestricted_ingress_rdp_count
- oci_vcn_security_group_unrestricted_ingress_ssh_count
- oci_vcn_security_groups_by_compartment
- oci_vcn_security_groups_by_region
- oci_vcn_security_groups_by_tenancy
- oci_vcn_security_groups_by_vcn
- vcn_attached_nsg_count
- vcn_network_security_group_assoc
- vcn_network_security_group_egress_rule
- vcn_network_security_group_egress_rules_count
- vcn_network_security_group_ingress_rdp
- vcn_network_security_group_ingress_rule
- vcn_network_security_group_ingress_rules_count
- vcn_network_security_group_ingress_ssh
- vcn_network_security_group_input
- vcn_network_security_group_overview
- vcn_network_security_group_tag
- vcn_network_security_groups_for_vcn_vcn
- vcn_security_group
- vcn_vcns_for_vcn_network_security_group
Control examples
- CIS v1.1.0 > 2 Networking > 2.3 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22
- CIS v1.1.0 > 2 Networking > 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389
- CIS v1.2.0 > 2 Networking > 2.3 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22
- CIS v1.2.0 > 2 Networking > 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389
- CIS v2.0.0 > 2 Networking > 2.3 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22
- CIS v2.0.0 > 2 Networking > 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389
Schema for oci_core_network_security_group
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| compartment_id | text | = | The OCID of the compartment in Tenant in which the resource is located. |
| defined_tags | jsonb | Defined tags for resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. | |
| display_name | text | = | A user-friendly name. Does not have to be unique. |
| freeform_tags | jsonb | Free-form tags for resource. This tags can be applied by any user with permissions on the resource. | |
| id | text | = | The OCID of the network security group. |
| lifecycle_state | text | = | The network security group's current state. |
| region | text | The OCI region in which the resource is located. | |
| rules | jsonb | Lists of security rules in the specified network security group. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| tags | jsonb | A map of tags for the resource. | |
| tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the Tenant in which the resource is located. |
| tenant_name | text | The name of the Tenant in which the resource is located. | |
| time_created | timestamp with time zone | The date and time the network security group was created. | |
| title | text | Title of the resource. | |
| vcn_id | text | = | The OCID of the network security group's VCN. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ociYou can pass the configuration to the command with the --config argument:
steampipe_export_oci --config '<your_config>' oci_core_network_security_group