diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index f49882db87..6dbc427707 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -27,6 +27,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Oracle Cloud Integration service metadata to new format [(#9376)](https://github.com/prowler-cloud/prowler/pull/9376)
 - Update Oracle Cloud KMS service metadata to new format [(#9377)](https://github.com/prowler-cloud/prowler/pull/9377)
 - Update Oracle Cloud Network service metadata to new format [(#9378)](https://github.com/prowler-cloud/prowler/pull/9378)
+- Update Oracle Cloud Object Storage service metadata to new format [(#9379)](https://github.com/prowler-cloud/prowler/pull/9379)
 
 ---
 
diff --git a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json
index b811ea9e3a..d05762f073 100644
--- a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json
+++ b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json
@@ -1,35 +1,34 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "objectstorage_bucket_encrypted_with_cmk",
- "CheckTitle": "Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK)",
- "CheckType": [
- "Software and Configuration Checks",
- "Industry and Regulatory Standards",
- "CIS OCI Foundations Benchmark"
- ],
+ "CheckTitle": "Object Storage bucket is encrypted with a Customer Managed Key (CMK)",
+ "CheckType": [],
 "ServiceName": "objectstorage",
 "SubServiceName": "",
- "ResourceIdTemplate": "oci:objectstorage:bucket",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "OciBucket",
+ "ResourceType": "Bucket",
 "ResourceGroup": "storage",
- "Description": "Object Storage buckets should be encrypted with Customer Managed Keys.",
- "Risk": "Not meeting this storage security requirement increases data security risk.",
- "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
+ "Description": "**OCI Object Storage buckets** use **customer-managed encryption keys** (`CMEK`) for server-side encryption, with an associated KMS key configured on the bucket.",
+ "Risk": "Without `CMEK`, encryption relies on provider-managed keys, reducing control over **confidentiality** and key lifecycle. You cannot strictly limit key usage, enforce custom rotation, or revoke keys for crypto-erasure, increasing exposure to unauthorized decryption, data exfiltration, and auditability gaps.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/oci/OCI-ObjectStorage/buckets-encrypted-with-cmks.html",
+ "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "oci os bucket update --namespace-name --bucket-name --kms-key-id ",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/buckets-encrypted-with-cmks.html",
- "Terraform": ""
+ "Other": "1. Sign in to the OCI Console\n2. Go to Storage > Object Storage & Archive Storage > Buckets\n3. Open the target bucket\n4. Click Edit bucket\n5. Under Encryption, select Customer-managed key and choose the desired Vault key\n6. Click Save",
+ "Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"\" {\n compartment_id = \"\"\n name = \"\"\n namespace = \"\"\n\n kms_key_id = \"\" # Critical: sets the Customer Managed Key to encrypt the bucket\n}\n```"
 },
 "Recommendation": {
- "Text": "Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK)",
- "Url": "https://hub.prowler.com/check/oci/objectstorage_bucket_encrypted_with_cmk"
+ "Text": "Encrypt buckets with `CMEK`. Apply **least privilege** to key usage, enforce **separation of duties** between key and storage admins, mandate regular rotation, and monitor key access. Use **defense in depth** so encryption complements strict IAM and network controls rather than replacing them.",
+ "Url": "https://hub.prowler.com/check/objectstorage_bucket_encrypted_with_cmk"
 }
 },
 "Categories": [
- "storage",
 "encryption"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json
index fdad66b3c1..348e5a0022 100644
--- a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json
+++ b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json
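Review bot: The new CheckTitle keeps the OCI term "Customer Managed Key (CMK)" while the new Description, Risk and Recommendation in the same hunk switch to `CMEK`, so a single check now uses two names for one control; OCI's own documentation and the Vault service use "customer-managed key", so I would align the three prose fields to that, e.g. `"Risk": "Without a customer-managed key (CMK), encryption relies on Oracle-managed keys, reducing control over **confidentiality** and key lifecycle. ..."`. The Description would also be clearer if it named the evaluated attribute — that the bucket has a Vault key attached via `kms_key_id` — since that is exactly what the CLI `--kms-key-id` and the Terraform `kms_key_id` remediations set. The empty values in the CLI (`--kms-key-id ` with nothing after it) and in the Terraform snippet (`kms_key_id = \"\"`) look like angle-bracket placeholders stripped during rendering; if the committed file really contains empty strings, the CLI line is unparsable and the Terraform snippet applies no key, so please confirm they read as `<placeholder>` in the file.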
@@ -1,27 +1,31 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "objectstorage_bucket_logging_enabled",
- "CheckTitle": "Ensure write level Object Storage logging is enabled for all buckets",
+ "CheckTitle": "Object Storage bucket has write-level logging enabled",
 "CheckType": [],
 "ServiceName": "objectstorage",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "OciObjectStorageBucket",
+ "ResourceType": "Bucket",
 "ResourceGroup": "storage",
- "Description": "Write-level logging for Object Storage buckets provides an audit trail of all write operations (PUT, POST, DELETE) performed on buckets, enabling security monitoring and compliance requirements.",
- "Risk": "Without write-level logging, unauthorized or malicious modifications to Object Storage data cannot be detected or investigated.",
- "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/loggingoverview.htm",
+ "Description": "**OCI Object Storage buckets** have service logs for **write access events** enabled.\n\nThe evaluation identifies buckets with an active `write` logging category scoped to the bucket and region; only `read` logging does not satisfy this condition.",
+ "Risk": "Without **write logging**, unauthorized or accidental overwrites and deletions can go **undetected**, degrading **data integrity** and **availability**.\n\nMissing audit evidence weakens **non-repudiation**, impedes incident response, and allows covert tampering without reliable forensic reconstruction.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/oci/OCI-ObjectStorage/enable-write-level-logging.html",
+ "https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/loggingoverview.htm"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "oci logging log create --log-group-id --display-name 'ObjectStorage-Write-Logs' --log-type SERVICE --configuration '{\"compartmentId\":\"\",\"source\":{\"service\":\"objectstorage\",\"resource\":\"\",\"category\":\"write\",\"sourceType\":\"OCISERVICE\"}}'",
+ "CLI": "oci logging log create --log-group-id --display-name ObjectStorage-Write-Logs --log-type SERVICE --configuration '{\"compartmentId\":\"\",\"source\":{\"service\":\"objectstorage\",\"resource\":\"\",\"category\":\"write\",\"sourceType\":\"OCISERVICE\"}}'",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-write-level-logging.html",
- "Terraform": "resource \"oci_logging_log\" \"objectstorage_write_log\" {\n display_name = \"ObjectStorage-Write-Logs\"\n log_group_id = oci_logging_log_group.log_group.id\n log_type = \"SERVICE\"\n configuration {\n source {\n category = \"write\"\n resource = oci_objectstorage_bucket.bucket.name\n service = \"objectstorage\"\n source_type = \"OCISERVICE\"\n }\n compartment_id = var.compartment_id\n }\n is_enabled = true\n}"
+ "Other": "1. In the OCI Console, select the target region and go to Observability & Management > Logging > Log groups\n2. Open an existing log group or click Create log group\n3. Click Create log\n4. Type: Service\n5. Service: Object Storage\n6. Category: write\n7. Resource: select the target bucket (bucket name must match)\n8. Ensure Enabled is checked\n9. Click Create",
+ "Terraform": "```hcl\nresource \"oci_logging_log\" \"\" {\n display_name = \"ObjectStorage-Write-Logs\"\n log_group_id = \"\"\n log_type = \"SERVICE\"\n\n configuration {\n compartment_id = \"\"\n source {\n service = \"objectstorage\" # Critical: Service must be Object Storage\n category = \"write\" # Critical: Enable write-level logging\n resource = \"\" # Critical: Bucket name must match the target bucket\n source_type = \"OCISERVICE\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Enable write-level logging for all Object Storage buckets to maintain audit trails of data modifications.",
- "Url": "https://docs.prowler.com/checks/oci/oci-logging/objectstorage_bucket_logging_enabled"
+ "Text": "Enable `write` service logs on all buckets and route them to a centralized log group for monitoring.\n\nApply **least privilege** to log data, enforce retention and immutability, and alert on anomalous write activity. Use **defense in depth** so bucket changes are accountable and swiftly detected.",
+ "Url": "https://hub.prowler.com/check/objectstorage_bucket_logging_enabled"
 }
 },
 "Categories": [
diff --git a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json
index 59e6a10355..d49bc714d4 100644
--- a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json
+++ b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json
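Review bot: The rewritten Terraform snippet drops the `is_enabled = true` that the removed snippet carried, while the console steps added in the same hunk (step 8, "Ensure Enabled is checked") and the new Description ("an active `write` logging category") both make an enabled log the pass condition, so a user who copies the new snippet may end with a log that exists but does not satisfy the check. I would restore it inside the `oci_logging_log` resource, next to the other flagged attributes: `is_enabled = true # Critical: a disabled log does not satisfy the check`. The omission is easy to miss in review because the old value was a raw string and the new one is a fenced ```hcl block, so the two do not line up in the diff.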
@@ -1,36 +1,35 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "objectstorage_bucket_not_publicly_accessible",
- "CheckTitle": "Ensure no Object Storage buckets are publicly visible",
- "CheckType": [
- "Software and Configuration Checks",
- "Industry and Regulatory Standards",
- "CIS OCI Foundations Benchmark"
- ],
+ "CheckTitle": "Object Storage bucket is not publicly accessible",
+ "CheckType": [],
 "ServiceName": "objectstorage",
 "SubServiceName": "",
- "ResourceIdTemplate": "oci:objectstorage:bucket",
+ "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "OciObjectStorageBucket",
+ "ResourceType": "Bucket",
 "ResourceGroup": "storage",
- "Description": "Ensure no Object Storage buckets are publicly visible. Public access to Object Storage buckets can lead to unauthorized data access or data leakage.",
- "Risk": "Publicly accessible Object Storage buckets can expose sensitive data to unauthorized users on the internet.",
- "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm",
+ "Description": "**OCI Object Storage buckets** are assessed for **public accessibility**. Buckets configured as `NoPublicAccess` deny anonymous reads; any other public access setting indicates bucket contents may be reachable without authentication.",
+ "Risk": "**Public buckets** enable unauthenticated downloads and content listing, compromising **confidentiality** and exposing metadata. Hotlinking can drive unexpected **egress costs** and degrade **availability** through bandwidth exhaustion and service abuse.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/oci/OCI-ObjectStorage/publicly-accessible-buckets.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "oci os bucket update --namespace --bucket-name --public-access-type NoPublicAccess",
+ "CLI": "oci os bucket update --namespace-name --bucket-name --public-access-type NoPublicAccess",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/publicly-accessible-buckets.html",
- "Terraform": ""
+ "Other": "1. Sign in to the OCI Console\n2. Go to Object Storage > Buckets and open \n3. Click Edit (Bucket details)\n4. Set Public access type to \"No public access\"\n5. Click Save",
+ "Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"\" {\n compartment_id = \"\"\n name = \"\"\n namespace = \"\"\n public_access_type = \"NoPublicAccess\" # Critical: makes the bucket private\n}\n```"
 },
 "Recommendation": {
- "Text": "Update the bucket's public access type to 'NoPublicAccess' to prevent unauthorized access.",
- "Url": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm"
+ "Text": "Keep buckets **private** (`NoPublicAccess`) under the **least privilege** principle. For external sharing, use **pre-authenticated requests** or signed URLs with scoped permissions and expiry. Restrict access via IAM policies, enforce guardrails (*e.g.*, Security Zones), and regularly review bucket visibility.",
+ "Url": "https://hub.prowler.com/check/objectstorage_bucket_not_publicly_accessible"
 }
 },
 "Categories": [
- "internet-exposed",
- "encryption"
+ "internet-exposed"
 ],
 "DependsOn": [],
 "RelatedTo": [],
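Review bot: The new Risk text states that public buckets enable "content listing", but of the two non-private public access types that the Description fails (`ObjectRead` and `ObjectReadWithoutList`), only `ObjectRead` permits anonymous listing; `ObjectReadWithoutList` allows anonymous reads of known object names but not enumeration. Since the finding fires for both settings, the Risk should not overstate the listing exposure, e.g. `"Risk": "**Public buckets** enable unauthenticated downloads (and, with `ObjectRead`, anonymous content listing), compromising **confidentiality** and exposing metadata. ..."`. The Description's "any other public access setting" could likewise name the two values so a reader knows which configurations produce a FAIL without consulting the provider docs.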
diff --git a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json
index 1295f9cfd9..5418e08375 100644
--- a/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json
+++ b/prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json
@@ -1,36 +1,35 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "objectstorage_bucket_versioning_enabled",
- "CheckTitle": "Ensure Versioning is Enabled for Object Storage Buckets",
- "CheckType": [
- "Software and Configuration Checks",
- "Industry and Regulatory Standards",
- "CIS OCI Foundations Benchmark"
- ],
+ "CheckTitle": "Object Storage bucket has versioning enabled",
+ "CheckType": [],
 "ServiceName": "objectstorage",
 "SubServiceName": "",
- "ResourceIdTemplate": "oci:objectstorage:bucket",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "OciBucket",
+ "ResourceType": "Bucket",
 "ResourceGroup": "storage",
- "Description": "Object Storage buckets should have versioning enabled.",
- "Risk": "Not meeting this storage security requirement increases data security risk.",
- "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
+ "Description": "**OCI Object Storage buckets** are assessed for **versioning** being set to `Enabled`, indicating prior object versions are retained when updates or deletions occur.",
+ "Risk": "**No versioning** lets overwrites or deletions permanently remove data, harming **availability** and **integrity**. Malicious or accidental actions, automated jobs, or malware can wipe or corrupt objects without rollback, enabling **ransomware-style** encryption and large-scale data loss.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.oracle.com/en-us/iaas/Content/Object/home.htm",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/oci/OCI-ObjectStorage/enable-versioning.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "oci os bucket update --namespace-name --bucket-name --versioning Enabled",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-ObjectStorage/enable-versioning.html",
- "Terraform": ""
+ "Other": "1. Sign in to the OCI Console\n2. Go to Storage > Buckets and open the target bucket\n3. In Bucket details, find Versioning and click Edit\n4. Select Enabled and click Save",
+ "Terraform": "```hcl\nresource \"oci_objectstorage_bucket\" \"\" {\n compartment_id = \"\"\n name = \"\"\n namespace = \"\"\n versioning = \"Enabled\" # Critical: enables bucket versioning to pass the check\n}\n```"
 },
 "Recommendation": {
- "Text": "Ensure Versioning is Enabled for Object Storage Buckets",
- "Url": "https://hub.prowler.com/check/oci/objectstorage_bucket_versioning_enabled"
+ "Text": "Enable **bucket versioning** (`Enabled`) for data that needs recovery. Apply **least privilege** to delete and overwrite actions, use **retention rules** or legal holds for critical data, and add **lifecycle policies** to manage older versions-providing **defense in depth** against destructive changes.",
+ "Url": "https://hub.prowler.com/check/objectstorage_bucket_versioning_enabled"
 }
 },
 "Categories": [
- "storage",
- "encryption"
+ "resilience"
 ],
 "DependsOn": [],
 "RelatedTo": [],
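Review bot: The new Recommendation string has a garbled phrase, `older versions-providing **defense in depth**`, where a dash or comma was lost in editing; `older versions, providing **defense in depth**` reads correctly. Beyond the typo, the Risk text promises rollback against ransomware-style overwrites, but versioning on its own does not stop a principal holding delete permissions from removing prior versions; the Recommendation already points to retention rules and least privilege on delete actions, so the Description could add one sentence stating that versioning must be paired with those controls to deliver the protection the Risk describes. The CLI and Terraform values show empty placeholders here as in the other three hunks, which I take to be rendering that stripped angle-bracket tokens rather than the committed content.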