steampipe plugin install oci

Table: oci_core_security_list - Query OCI Core Services Security Lists using SQL

A Security List in OCI Core Services is a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out. Each rule can have a type, destination, protocol, and source. Security Lists are stateful, meaning their rules apply to both incoming and outgoing traffic.

Table Usage Guide

The oci_core_security_list table provides insights into Security Lists within OCI Core Services. As a network administrator, you can examine the details of these lists, including the types of traffic they allow and their rules. This table is a valuable tool for understanding and managing the flow of traffic in and out of your instances.

Examples

Basic info

Assess the elements within your network by identifying the lifecycle state and creation time of security lists in Oracle Cloud Infrastructure. This helps pinpoint specific locations where security measures are active, aiding in overall network management and security.

select
display_name,
id,
lifecycle_state,
time_created,
vcn_id
from
oci_core_security_list;
select
display_name,
id,
lifecycle_state,
time_created,
vcn_id
from
oci_core_security_list;

Get egress security rules for each security list

Uncover the details of egress security rules for each security list to understand their settings and configurations. This can be used to assess the elements within each list, providing insights into the security protocols and options in place.

select
display_name,
p ->> 'destination' as destination,
p ->> 'destinationType' as destination_type,
p ->> 'icmpOptions' as icmp_options,
p ->> 'isStateless' as is_stateless,
p ->> 'protocol' as protocol,
p ->> 'tcpOptions' as tcp_options,
p ->> 'udpOptions' as udp_options
from
oci_core_security_list,
jsonb_array_elements(egress_security_rules) as p;
select
display_name,
json_extract(p.value, '$.destination') as destination,
json_extract(p.value, '$.destinationType') as destination_type,
json_extract(p.value, '$.icmpOptions') as icmp_options,
json_extract(p.value, '$.isStateless') as is_stateless,
json_extract(p.value, '$.protocol') as protocol,
json_extract(p.value, '$.tcpOptions') as tcp_options,
json_extract(p.value, '$.udpOptions') as udp_options
from
oci_core_security_list,
json_each(egress_security_rules) as p;

Get ingress security rules for each security list

Determine the areas in which your system's security could be improved by analyzing the ingress security rules for each security list. This allows you to identify potential vulnerabilities and take necessary action to enhance your system's security.

select
display_name,
p ->> 'description' as description,
p ->> 'icmpOptions' as icmp_options,
p ->> 'isStateless' as is_stateless,
p ->> 'protocol' as protocol,
p ->> 'source' as source,
p ->> 'sourceType' as source_type,
p ->> 'tcpOptions' as tcp_options,
p ->> 'udpOptions' as udp_options
from
oci_core_security_list,
jsonb_array_elements(ingress_security_rules) as p;
select
display_name,
json_extract(p.value, '$.description') as description,
json_extract(p.value, '$.icmpOptions') as icmp_options,
json_extract(p.value, '$.isStateless') as is_stateless,
json_extract(p.value, '$.protocol') as protocol,
json_extract(p.value, '$.source') as source,
json_extract(p.value, '$.sourceType') as source_type,
json_extract(p.value, '$.tcpOptions') as tcp_options,
json_extract(p.value, '$.udpOptions') as udp_options
from
oci_core_security_list,
json_each(ingress_security_rules) as p;

List security lists that do not restrict SSH and RDP access from the internet

Identify instances where the security lists are not restricting SSH and RDP access from the internet, which could potentially expose your network to security risks.

select
display_name,
p ->> 'description' as description,
p ->> 'icmpOptions' as icmp_options,
p ->> 'isStateless' as is_stateless,
p ->> 'protocol' as protocol,
p ->> 'source' as source,
p ->> 'sourceType' as source_type,
p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max' as min_port_range,
p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min' as max_port_range,
p ->> 'udpOptions' as udp_options
from
oci_core_security_list,
jsonb_array_elements(ingress_security_rules) as p
where
p ->> 'source' = '0.0.0.0/0'
and (
(
p ->> 'protocol' = 'all'
and (p -> 'tcpOptions' -> 'destinationPortRange' -> 'min') is null
)
or (
(p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 22
and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 22
)
or (
(p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 3389
and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 3389
)
);
select
display_name,
json_extract(p.value, '$.description') as description,
json_extract(p.value, '$.icmpOptions') as icmp_options,
json_extract(p.value, '$.isStateless') as is_stateless,
json_extract(p.value, '$.protocol') as protocol,
json_extract(p.value, '$.source') as source,
json_extract(p.value, '$.sourceType') as source_type,
json_extract(p.value, '$.tcpOptions.destinationPortRange.max') as min_port_range,
json_extract(p.value, '$.tcpOptions.destinationPortRange.min') as max_port_range,
json_extract(p.value, '$.udpOptions') as udp_options
from
oci_core_security_list,
json_each(ingress_security_rules) as p
where
json_extract(p.value, '$.source') = '0.0.0.0/0'
and (
(
json_extract(p.value, '$.protocol') = 'all'
and json_extract(p.value, '$.tcpOptions.destinationPortRange.min') is null
)
or (
json_extract(p.value, '$.tcpOptions.destinationPortRange.min') <= 22
and json_extract(p.value, '$.tcpOptions.destinationPortRange.max') >= 22
)
or (
json_extract(p.value, '$.tcpOptions.destinationPortRange.min') <= 3389
and json_extract(p.value, '$.tcpOptions.destinationPortRange.max') >= 3389
)
);

List default security lists

Explore the default security lists within your system to understand their unique identifiers and names. This is useful in assessing the existing security configurations and identifying any potential areas of concern.

select
display_name,
id
from
oci_core_security_list
where
display_name like '%Default Security%';
select
display_name,
id
from
oci_core_security_list
where
display_name like '%Default Security%';

Schema for oci_core_security_list

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
compartment_idtext=The OCID of the compartment in Tenant in which the resource is located.
defined_tagsjsonbDefined tags for resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources.
display_nametext=A user-friendly name. Does not have to be unique, and it's changeable.
egress_security_rulesjsonbRules for allowing egress IP packets.
freeform_tagsjsonbFree-form tags for resource. This tags can be applied by any user with permissions on the resource.
idtext=The security list's Oracle Cloud ID (OCID).
ingress_security_rulesjsonbRules for allowing ingress IP packets.
lifecycle_statetext=The security list's current state.
regiontextThe OCI region in which the resource is located.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
tagsjsonbA map of tags for the resource.
tenant_idtext=, !=, ~~, ~~*, !~~, !~~*The OCID of the Tenant in which the resource is located.
tenant_nametextThe name of the Tenant in which the resource is located.
time_createdtimestamp with time zoneThe date and time the security list was created.
titletextTitle of the resource.
vcn_idtext=The OCID of the VCN the security list belongs to.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci

You can pass the configuration to the command with the --config argument:

steampipe_export_oci --config '<your_config>' oci_core_security_list