turbot/oci

steampipe plugin install oci

Table: oci_core_security_list

Security lists act as virtual firewalls for your Compute instances and other kinds of resources. A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with.

Examples

Basic info

```sql
select
  display_name,
  id,
  lifecycle_state,
  time_created,
  vcn_id
from
  oci_core_security_list;
```

Get egress security rules for each security list

```sql
select
  display_name,
  p ->> 'destination' as destination,
  p ->> 'destinationType' as destination_type,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'tcpOptions' as tcp_options,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(egress_security_rules) as p;
```

Get ingress security rules for each security list

```sql
select
  display_name,
  p ->> 'description' as description,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'source' as source,
  p ->> 'sourceType' as source_type,
  p ->> 'tcpOptions' as tcp_options,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(ingress_security_rules) as p;
```

List security lists that do not restrict SSH and RDP access from the internet

```sql
select
  display_name,
  p ->> 'description' as description,
  p ->> 'icmpOptions' as icmp_options,
  p ->> 'isStateless' as is_stateless,
  p ->> 'protocol' as protocol,
  p ->> 'source' as source,
  p ->> 'sourceType' as source_type,
  p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min' as min_port_range,
  p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max' as max_port_range,
  p ->> 'udpOptions' as udp_options
from
  oci_core_security_list,
  jsonb_array_elements(ingress_security_rules) as p
where
  p ->> 'source' = '0.0.0.0/0'
  and (
    (
      -- 'all' opens every protocol and port; a TCP ('6') rule with no
      -- destinationPortRange opens every TCP port, so both cases match here
      p ->> 'protocol' in ('all', '6')
      and (p -> 'tcpOptions' -> 'destinationPortRange' -> 'min') is null
    )
    or (
      (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 22
      and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 22
    )
    or (
      (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer <= 3389
      and (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer >= 3389
    )
  );
```
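The SSH/RDP query above hard-codes two TCP ports and only the IPv4 any-source CIDR. The following query is an added example, not part of the Steampipe documentation, that generalises the same check to a configurable list of ports over both TCP and UDP, treats a TCP or UDP rule with no `destinationPortRange` as opening every port, and also matches the IPv6 any-source CIDR `::/0`. It uses only columns documented on this page; the port list in `sensitive_ports` is a constructed sample.

```sql
-- Added example: flag ingress rules that expose selected ports to the internet.
-- OCI encodes protocol as '6' (TCP), '17' (UDP), '1' (ICMP) or 'all'.
with sensitive_ports(port, label) as (
  -- constructed sample list; extend to match your own policy
  values (22, 'SSH'), (3389, 'RDP'), (445, 'SMB'), (3306, 'MySQL')
),
rules as (
  select
    s.display_name,
    s.id as security_list_id,
    s.region,
    p ->> 'source' as source,
    p ->> 'protocol' as protocol,
    (p ->> 'isStateless')::boolean as is_stateless,
    (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'min')::integer as tcp_min,
    (p -> 'tcpOptions' -> 'destinationPortRange' ->> 'max')::integer as tcp_max,
    (p -> 'udpOptions' -> 'destinationPortRange' ->> 'min')::integer as udp_min,
    (p -> 'udpOptions' -> 'destinationPortRange' ->> 'max')::integer as udp_max
  from
    oci_core_security_list as s,
    jsonb_array_elements(s.ingress_security_rules) as p
  where
    p ->> 'sourceType' = 'CIDR_BLOCK'
    and p ->> 'source' in ('0.0.0.0/0', '::/0')
)
select
  r.display_name,
  r.security_list_id,
  r.region,
  r.source,
  r.protocol,
  r.is_stateless,
  sp.port,
  sp.label
from
  rules as r
  cross join sensitive_ports as sp
where
  -- 'all' opens every protocol and every port
  r.protocol = 'all'
  -- TCP: a missing port range means all TCP ports
  or (r.protocol = '6' and (r.tcp_min is null or sp.port between r.tcp_min and r.tcp_max))
  -- UDP: same rule for udpOptions
  or (r.protocol = '17' and (r.udp_min is null or sp.port between r.udp_min and r.udp_max))
order by
  r.display_name, sp.port;
```

Each row is one (rule, port) pair, so a single `protocol = 'all'` rule appears once per port in the list; the `is_stateless` column is kept because stateless rules need a matching egress rule and are worth reviewing separately.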

List default security lists

```sql
select
  display_name,
  id
from
  oci_core_security_list
where
  display_name like '%Default Security%';
```

.inspect oci_core_security_list

A security list is a virtual firewall for an instance, with ingress and egress rules that specify the types of traffic allowed in and out.

| Name | Type | Description |
|---|---|---|
| compartment_id | text | The OCID of the compartment in the tenant in which the resource is located. |
| defined_tags | jsonb | Defined tags for the resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. |
| display_name | text | A user-friendly name. Does not have to be unique, and it's changeable. |
| egress_security_rules | jsonb | Rules for allowing egress IP packets. |
| freeform_tags | jsonb | Free-form tags for the resource. These tags can be applied by any user with permissions on the resource. |
| id | text | The security list's Oracle Cloud ID (OCID). |
| ingress_security_rules | jsonb | Rules for allowing ingress IP packets. |
| lifecycle_state | text | The security list's current state. |
| region | text | The OCI region in which the resource is located. |
| tags | jsonb | A map of tags for the resource. |
| tenant_id | text | The OCID of the tenant in which the resource is located. |
| time_created | timestamp without time zone | The date and time the security list was created. |
| title | text | Title of the resource. |
| vcn_id | text | The OCID of the VCN the security list belongs to. |