Table: oci_core_security_list - Query OCI Core Services Security Lists using SQL
A Security List in OCI Core Services is a virtual firewall attached to a subnet: its ingress and egress rules specify the traffic allowed in and out of every VNIC in that subnet. An ingress rule names a source (a CIDR block or an OCI service CIDR) and a protocol; an egress rule names a destination and a protocol; TCP, UDP and ICMP rules can be narrowed further with port ranges or ICMP type and code. Rules are stateful by default, meaning the response traffic for a connection allowed by one rule is permitted without a matching rule in the other direction. A rule marked isStateless has no connection tracking, so the return path needs its own explicit rule.
Table Usage Guide
The oci_core_security_list table provides insights into Security Lists within OCI Core Services. As a network administrator, you can examine the details of these lists, including the types of traffic they allow and their rules. This table is a valuable tool for understanding and managing the flow of traffic in and out of your instances.
Examples
Basic info
List every security list with its lifecycle state, creation time and owning VCN. This is the inventory to start from before reviewing individual rules, and the query is identical in PostgreSQL and SQLite.
```sql
select
  display_name,
  id,
  lifecycle_state,
  time_created,
  vcn_id
from
  oci_core_security_list;
```
Get egress security rules for each security list
Expand the egress rules of each security list into one row per rule, showing the destination, protocol and any port or ICMP restrictions. This is the view to use when checking whether instances in a subnet can reach arbitrary internet destinations.
PostgreSQL:

```sql
select
  display_name,
  p ->> 'destination' as destination,
  p ->> 'destinationType' as destination_type,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'tcpOptions' as tcp_options,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(egress_security_rules) as p;
```

SQLite:

```sql
select
  display_name,
  json_extract(p.value, '$.destination') as destination,
  json_extract(p.value, '$.destinationType') as destination_type,
  json_extract(p.value, '$.icmpOptions') as icmp_options,
  json_extract(p.value, '$.isStateless') as is_stateless,
  json_extract(p.value, '$.protocol') as protocol,
  json_extract(p.value, '$.tcpOptions') as tcp_options,
  json_extract(p.value, '$.udpOptions') as udp_options
from
  oci_core_security_list,
  json_each(egress_security_rules) as p;
```
Get ingress security rules for each security list
Expand the ingress rules of each security list into one row per rule. Sources of 0.0.0.0/0 or ::/0, protocol 'all', and TCP or UDP rules without a destinationPortRange (which admit every port) are the entries that usually need attention.
PostgreSQL:

```sql
select
  display_name,
  p ->> 'description' as description,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'source' as source,
  p ->> 'sourceType' as source_type,
  p ->> 'tcpOptions' as tcp_options,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(ingress_security_rules) as p;
```

SQLite:

```sql
select
  display_name,
  json_extract(p.value, '$.description') as description,
  json_extract(p.value, '$.icmpOptions') as icmp_options,
  json_extract(p.value, '$.isStateless') as is_stateless,
  json_extract(p.value, '$.protocol') as protocol,
  json_extract(p.value, '$.source') as source,
  json_extract(p.value, '$.sourceType') as source_type,
  json_extract(p.value, '$.tcpOptions') as tcp_options,
  json_extract(p.value, '$.udpOptions') as udp_options
from
  oci_core_security_list,
  json_each(ingress_security_rules) as p;
```
List security lists that do not restrict SSH and RDP access from the internet
Identify ingress rules that admit SSH (TCP 22) or RDP (TCP 3389) from the whole IPv4 internet. A rule is flagged when its source is 0.0.0.0/0 and it allows all protocols, allows TCP with no destinationPortRange (every TCP port), or allows a TCP port range that contains 22 or 3389. The check does not cover the IPv6 wildcard ::/0 or very broad ranges such as a /8, so review those separately.
PostgreSQL:

```sql
select
  display_name,
  p ->> 'description' as description,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'source' as source,
  p ->> 'sourceType' as source_type,
  -- min and max were swapped in the original aliases
  p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min' as min_port_range,
  p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max' as max_port_range,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(ingress_security_rules) as p
where
  p ->> 'source' = '0.0.0.0/0'
  and (
    -- all protocols: no port restriction is possible
    p ->> 'protocol' = 'all'
    -- TCP (IANA protocol 6) with no destination range means every TCP port
    or (
      p ->> 'protocol' = '6'
      and p -> 'tcpOptions' -> 'destinationPortRange' is null
    )
    -- explicit TCP range that contains 22
    or (
      (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 22
      and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 22
    )
    -- explicit TCP range that contains 3389
    or (
      (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer <= 3389
      and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer >= 3389
    )
  );
```

SQLite:

```sql
select
  display_name,
  json_extract(p.value, '$.description') as description,
  json_extract(p.value, '$.icmpOptions') as icmp_options,
  json_extract(p.value, '$.isStateless') as is_stateless,
  json_extract(p.value, '$.protocol') as protocol,
  json_extract(p.value, '$.source') as source,
  json_extract(p.value, '$.sourceType') as source_type,
  -- min and max were swapped in the original aliases
  json_extract(p.value, '$.tcpOptions.destinationPortRange.min') as min_port_range,
  json_extract(p.value, '$.tcpOptions.destinationPortRange.max') as max_port_range,
  json_extract(p.value, '$.udpOptions') as udp_options
from
  oci_core_security_list,
  json_each(ingress_security_rules) as p
where
  json_extract(p.value, '$.source') = '0.0.0.0/0'
  and (
    -- all protocols: no port restriction is possible
    json_extract(p.value, '$.protocol') = 'all'
    -- TCP (IANA protocol 6) with no destination range means every TCP port
    or (
      json_extract(p.value, '$.protocol') = '6'
      and json_extract(p.value, '$.tcpOptions.destinationPortRange') is null
    )
    -- explicit TCP range that contains 22
    or (
      json_extract(p.value, '$.tcpOptions.destinationPortRange.min') <= 22
      and json_extract(p.value, '$.tcpOptions.destinationPortRange.max') >= 22
    )
    -- explicit TCP range that contains 3389
    or (
      json_extract(p.value, '$.tcpOptions.destinationPortRange.min') <= 3389
      and json_extract(p.value, '$.tcpOptions.destinationPortRange.max') >= 3389
    )
  );
```
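The two hard-coded ports above generalize to any list of sensitive ports. The query below is an added example, not one of the page's own: it flags ingress rules reachable from the whole internet over IPv4 (0.0.0.0/0) or IPv6 (::/0) that cover any port in a supplied list, counting the all-protocol and unrestricted-TCP cases as well as explicit ranges, and reports whether each rule is stateless. It is written for the PostgreSQL dialect. The join to oci_core_subnet through a security_list_ids jsonb column is an assumption about that table's schema, included only to show which subnets carry the exposed list; drop the left join if that column is not present in your plugin version.

```sql
-- Added example (not from the page): ingress rules open to the whole internet
-- that reach any of a set of sensitive TCP ports, plus the subnets using them.
with sensitive_ports(port, service) as (
  -- constructed sample list; extend as needed
  values (22, 'ssh'), (3389, 'rdp'), (3306, 'mysql'), (1521, 'oracle-db')
),
open_rules as (
  select
    sl.id,
    sl.display_name,
    sl.vcn_id,
    p ->> 'source' as source,
    p ->> 'protocol' as protocol,
    (p ->> 'isStateless') :: boolean as is_stateless,
    (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min') :: integer as port_min,
    (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max') :: integer as port_max
  from
    oci_core_security_list as sl,
    jsonb_array_elements(sl.ingress_security_rules) as p
  where
    p ->> 'sourceType' = 'CIDR_BLOCK'
    and p ->> 'source' in ('0.0.0.0/0', '::/0')
)
select
  r.display_name,
  r.vcn_id,
  r.source,
  r.is_stateless,
  sp.service,
  sp.port,
  case
    when r.protocol = 'all' then 'all protocols'
    when r.protocol = '6' and r.port_min is null then 'all tcp ports'
    else format('tcp %s-%s', r.port_min, r.port_max)
  end as exposure,
  s.display_name as subnet_name  -- assumption: oci_core_subnet.security_list_ids exists
from
  open_rules as r
  join sensitive_ports as sp
    on r.protocol = 'all'
    or (r.protocol = '6' and r.port_min is null)
    or (r.protocol = '6' and sp.port between r.port_min and r.port_max)
  left join oci_core_subnet as s
    on s.security_list_ids ? r.id
order by
  r.display_name,
  sp.port;
```

A list that is not attached to any subnet still appears, with a null subnet_name; that is worth knowing, but the rows with a subnet are the ones that expose running instances. Stateless rules that match are doubly suspicious, since they are usually paired with an equally broad egress rule to let replies out.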
List default security lists
Every VCN is created with a default security list, and CIS 2.5 expects it to allow nothing but ICMP. List them by name so their rules can be reviewed. The match is on display name, so a default list that has been renamed will not appear; the query is identical in PostgreSQL and SQLite.
```sql
select
  display_name,
  id
from
  oci_core_security_list
where
  display_name like '%Default Security%';
```
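The control examples below include CIS 2.5 (the default security list of every VCN restricts all traffic except ICMP), but the page gives no query for it. The following is an added example, not the page's or the compliance mod's own code, implementing one reading of that control: for each list named as an OCI default, report every ingress and egress rule whose protocol is neither ICMP ("1") nor ICMPv6 ("58"), with a per-list count. The rule shape comes from the egress and ingress queries above; treating "restricts all traffic except ICMP" as "no non-ICMP rules in either direction" is an assumption. Written for the PostgreSQL dialect.

```sql
-- Added example (not from the page): default security lists that allow
-- anything other than ICMP ("1") or ICMPv6 ("58"), one row per offending rule.
with default_rules as (
  select
    sl.id,
    sl.display_name,
    sl.vcn_id,
    'ingress' as direction,
    p ->> 'protocol' as protocol,
    p ->> 'source' as peer,
    (p ->> 'isStateless') :: boolean as is_stateless
  from
    oci_core_security_list as sl,
    jsonb_array_elements(sl.ingress_security_rules) as p
  where
    -- OCI names the list it creates with each VCN "Default Security List for <vcn>"
    sl.display_name like 'Default Security List for %'
  union all
  select
    sl.id,
    sl.display_name,
    sl.vcn_id,
    'egress',
    p ->> 'protocol',
    p ->> 'destination',
    (p ->> 'isStateless') :: boolean
  from
    oci_core_security_list as sl,
    jsonb_array_elements(sl.egress_security_rules) as p
  where
    sl.display_name like 'Default Security List for %'
)
select
  display_name,
  vcn_id,
  direction,
  protocol,
  peer,
  is_stateless,
  -- how many non-ICMP rules this list has in total
  count(*) over (partition by id) as non_icmp_rule_count
from
  default_rules
where
  protocol not in ('1', '58')
order by
  display_name,
  direction;
```

A default list that returns no rows passes this reading of the control; a freshly created VCN fails it, because OCI seeds the default list with a TCP 22 ingress rule and an all-protocol egress rule alongside the ICMP entries.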
Query examples
- oci_vcn_security_list_by_compartment
- oci_vcn_security_list_by_region
- oci_vcn_security_list_by_tenancy
- oci_vcn_security_list_by_vcn
- oci_vcn_security_list_count
- oci_vcn_security_list_unrestricted_ingress_rdp_count
- oci_vcn_security_list_unrestricted_ingress_ssh_count
- vcn_attached_sl_count
- vcn_network_security_list_egress_rule
- vcn_network_security_list_ingress_rule
- vcn_nsl_egress_rule_sankey
- vcn_nsl_ingress_rule_sankey
- vcn_security_list
- vcn_security_list_ingress_rdp
- vcn_security_list_ingress_ssh
- vcn_security_list_input
- vcn_security_list_overview
- vcn_security_list_tag
- vcn_security_lists_for_vcn_vcn
- vcn_vcns_for_vcn_security_list
Control examples
- CIS v1.1.0 > 2 Networking > 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
- CIS v1.1.0 > 2 Networking > 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
- CIS v1.1.0 > 2 Networking > 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP
- CIS v1.2.0 > 2 Networking > 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
- CIS v1.2.0 > 2 Networking > 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
- CIS v1.2.0 > 2 Networking > 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP
- CIS v2.0.0 > 2 Networking > 2.1 Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
- CIS v2.0.0 > 2 Networking > 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
- CIS v2.0.0 > 2 Networking > 2.5 Ensure the default security list of every VCN restricts all traffic except ICMP
Schema for oci_core_security_list
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
compartment_id | text | = | The OCID of the compartment in the tenant in which the resource is located. |
defined_tags | jsonb | | Defined tags for the resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. |
display_name | text | = | A user-friendly name. Does not have to be unique, and it's changeable. |
egress_security_rules | jsonb | | Rules for allowing egress IP packets. |
freeform_tags | jsonb | | Free-form tags for the resource. These tags can be applied by any user with permissions on the resource. |
id | text | = | The security list's Oracle Cloud ID (OCID). |
ingress_security_rules | jsonb | | Rules for allowing ingress IP packets. |
lifecycle_state | text | = | The security list's current state. |
region | text | | The OCI region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the tenant in which the resource is located. |
tenant_name | text | | The name of the tenant in which the resource is located. |
time_created | timestamp with time zone | | The date and time the security list was created. |
title | text | | Title of the resource. |
vcn_id | text | = | The OCID of the VCN the security list belongs to. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci
You can pass the configuration to the command with the --config argument:
steampipe_export_oci --config '<your_config>' oci_core_security_list