diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 81f13e5bbe..53410dad24 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -22,6 +22,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update GitHub Repository service metadata to new format [(#9659)](https://github.com/prowler-cloud/prowler/pull/9659) - Update GitHub Organization service metadata to new format [(#10273)](https://github.com/prowler-cloud/prowler/pull/10273) - Update Oracle Cloud Compute Engine service metadata to new format [(#9371)](https://github.com/prowler-cloud/prowler/pull/9371) +- Update Oracle Cloud Database service metadata to new format [(#9372)](https://github.com/prowler-cloud/prowler/pull/9372) --- diff --git a/prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json b/prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json index 0531977bb2..07f8fbdbdd 100644 --- a/prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +++ b/prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json 
@@ -1,35 +1,36 @@
 {
 "Provider": "oraclecloud",
 "CheckID": "database_autonomous_database_access_restricted",
- "CheckTitle": "Ensure Oracle Autonomous Shared Database (ADB) access is restricted or deployed within a VCN",
- "CheckType": [
- "Software and Configuration Checks",
- "Industry and Regulatory Standards",
- "CIS OCI Foundations Benchmark"
- ],
+ "CheckTitle": "Autonomous Shared Database (ADB) is deployed within a VCN or restricts public access with whitelisted IPs excluding 0.0.0.0/0",
+ "CheckType": [],
 "ServiceName": "database",
 "SubServiceName": "",
- "ResourceIdTemplate": "oci:database:autonomousdatabase",
+ "ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AutonomousDatabase",
 "ResourceGroup": "database",
- "Description": "Autonomous Shared Database instances should either have IP whitelisting configured or be deployed within a VCN to restrict network access and improve security posture.",
- "Risk": "Public or unrestricted Autonomous Database access increases the attack surface and risk of unauthorized access.",
- "RelatedUrl": "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/autonomous-private-endpoints.html",
+ "Description": "**OCI Autonomous Database (shared)** network exposure is evaluated: instances are treated as restricted when using a **VCN private endpoint** or when **ACLs** allow only specified IPs/VCNs. 
It identifies configurations with no ACL and no VCN, or ACLs permitting `0.0.0.0/0`.",
+ "Risk": "With **open access**, attackers can probe endpoints, brute-force credentials, or abuse leaked wallets to connect.\n\nImpact:\n- Confidentiality: unauthorized queries and data exfiltration\n- Integrity: malicious changes\n- Availability: heavy queries or scans causing service disruption",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/autonomous-private-endpoints.html",
+ "https://www.oracle.com/cloud/networking/private-endpoint/supported-services/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "oci db autonomous-database create-private-endpoint --autonomous-database-id --subnet-id ",
+ "CLI": "oci db autonomous-database update --autonomous-database-id --is-access-control-enabled true --whitelisted-ips '[\"\"]'",
 "NativeIaC": "",
- "Other": "1. Navigate to Autonomous Database\n2. Select the database instance\n3. Click 'More Actions' → 'Update'\n4. Under Network Access, select 'Private endpoint access only'\n5. Configure VCN and subnet for private endpoint\n6. Alternatively, configure Access Control List (ACL) with specific IP addresses",
- "Terraform": "resource \"oci_database_autonomous_database\" \"adb\" {\n compartment_id = var.compartment_id\n db_name = \"MyADB\"\n display_name = \"My Autonomous Database\"\n is_free_tier = false\n db_workload = \"OLTP\"\n whitelisted_ips = [\"10.0.0.0/24\"]\n nsg_ids = [oci_core_network_security_group.adb_nsg.id]\n subnet_id = oci_core_subnet.private_subnet.id\n}"
+ "Other": "1. In OCI Console, go to Autonomous Database and select the instance\n2. Click More Actions > Update\n3. Under Network Access, enable Access control list (ACL)\n4. Add an allowed IP/CIDR (exclude 0.0.0.0/0) and remove any 0.0.0.0/0 entry\n5. 
Click Save",
+ "Terraform": "```hcl\nresource \"oci_database_autonomous_database\" \"\" {\n is_access_control_enabled = true # Critical: enable ACLs to restrict public access\n whitelisted_ips = [\"\"] # Critical: allow only specific IP/CIDR; do not use 0.0.0.0/0\n}\n```"
 },
 "Recommendation": {
- "Text": "Deploy Autonomous Databases within a VCN using private endpoints or configure strict IP whitelisting to restrict access.",
- "Url": "https://hub.prowler.com/check/oci/database_autonomous_database_access_restricted"
+ "Text": "Prefer **VCN private endpoints** to eliminate internet exposure. If public access is required, enforce **least privilege** by limiting ACLs to specific CIDRs or VCNs; never use `0.0.0.0/0`.\n\nAdd **defense in depth** with NSGs and private connectivity (VPN/peering), monitor access, and rotate client wallets regularly.",
+ "Url": "https://hub.prowler.com/check/database_autonomous_database_access_restricted"
 }
 },
 "Categories": [
- "network-security"
+ "internet-exposed",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
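Review bot: The new Recommendation.Text says to prefer VCN private endpoints, yet the rewritten Remediation block (CLI, Other, Terraform) documents only the ACL/whitelist path — the `create-private-endpoint` CLI and the `subnet_id`/`nsg_ids` Terraform attributes from the old side are gone, so the remediation the metadata itself calls preferred is no longer actionable from it. Suggest appending to Other a step such as `6. Alternatively, under Network Access select 'Private endpoint access only' and choose a VCN and subnet`, and adding to the Terraform snippet a commented `subnet_id = "<subnet-ocid>" # Alternative: private endpoint, removes public exposure entirely` line (placeholder to be filled by the reader). The CLI example's `--whitelisted-ips '[\"\"]'` and the bare `--autonomous-database-id` look like they lost their placeholder values; if that is in the JSON rather than an artifact of rendering, a reader cannot tell what to substitute. Also worth confirming that Recommendation.Url dropping the `oci/` path segment (`/check/oci/...` → `/check/...`) is intentional, since the old URL used the provider-scoped path.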