Merge remote-tracking branch 'origin/master' into fix/oraclecloud-idp-group-mapping-events-10411

- Accept current and legacy OCI IdP group mapping event names\n- Add regression coverage for both event name variants\n- Align check metadata and CIS 3.1 guidance with current names

prowler/CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Azure MySQL flexible server checks now compare configuration values case-insensitively to avoid false negatives when Azure returns lowercase values [(#10396)](https://github.com/prowler-cloud/prowler/pull/10396)
 - Azure `vm_backup_enabled` and `vm_sufficient_daily_backup_retention_period` checks now compare VM names case-insensitively to avoid false negatives when Azure stores backup item names in a different case [(#10395)](https://github.com/prowler-cloud/prowler/pull/10395)
 - `entra_non_privileged_user_has_mfa` skips disabled users to avoid false positives [(#10426)](https://github.com/prowler-cloud/prowler/pull/10426)
+- Oracle Cloud `events_rule_idp_group_mapping_changes` now recognizes the CIS 3.1 `add/remove` event names to avoid false positives [(#10411)](https://github.com/prowler-cloud/prowler/issues/10411)
 
 ---
 

prowler/compliance/oraclecloud/cis_3.1_oraclecloud.json

@@ -662,8 +662,8 @@
           "Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Provider Group Mappings are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.",
           "RationaleStatement": "IAM Policies govern access to all resources within an OCI Tenancy. IAM Policies use OCI Groups for assigning the privileges. Identity Provider Groups could be mapped to OCI Groups to assign privileges to federated users in OCI. Monitoring and alerting on changes to Identity Provider Group mappings will help in identifying changes to the security posture.",
           "ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
-          "RemediationProcedure": "**From Console:**1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)2. Select the `compartment` that should host the rule3. Click `Create Rule`4. Provide a `Display Name` and `Description`5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Idp Group Mapping – Create`, `Idp Group Mapping – Delete` and `Idp Group Mapping – Update`6. In the `Actions` section select `Notifications` as Action Type7. Select the `Compartment` that hosts the Topic to be used.8. Select the `Topic` to be used9. Optionally add Tags to the Rule10. Click `Create Rule`**From CLI:**1. Find the `topic-id` of the topic the Event Rule should use for sending notifications by using the topic `name` and `Compartment OCID````oci ons topic list --compartment-id <compartment-ocid> --all --query data [?name=='<topic-name>'].{name:name,topic_id:\\topic-id\\} --output table```2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.```{ actions: { actions: [ { actionType: ONS, isEnabled: true, topicId: <topic-id> }] }, condition:{\\eventType\\:[\\com.oraclecloud.identitycontrolplane.addidpgroupmapping\\,\\com.oraclecloud.identitycontrolplane.removeidpgroupmapping\\,\\com.oraclecloud.identitycontrolplane.updateidpgroupmapping\\],\\data\\:{}}, displayName: <display-name>, description: <description>, isEnabled: true, compartmentId: <compartment-ocid>}```3. Create the actual event rule```oci events rule create --from-json file://event_rule.json```4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
-          "AuditProcedure": "**From Console:**1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)2. Select the `Compartment` that hosts the rules3. Find and click the `Rule` that handles `Idp Group Mapping` Changes (if any)4. Ensure the `Rule` is `ACTIVE`5. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Identity` and Event Types: `Idp Group Mapping – Create`, `Idp Group Mapping – Delete` and `Idp Group Mapping – Update`6. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.**From CLI:** 1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID```oci events rule list --compartment-id <compartment-ocid> --query data [?\\display-name\\=='<displa-name>'].{id:id} --output table```2. List the details of a specific Event Rule based on the OCID of the rule.```oci events rule get --rule-id <rule-id>```3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:```com.oraclecloud.identitycontrolplane.addidpgroupmappingcom.oraclecloud.identitycontrolplane.removeidpgroupmappingcom.oraclecloud.identitycontrolplane.updateidpgroupmapping```4. Verify the value of the `is-enabled` attribute is `true`5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`6. Verify the correct topic is used by checking the topic name```oci ons topic get --topic-id <topic-id> --query data.{name:name} --output table```",
+          "RemediationProcedure": "**From Console:**1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)2. Select the `compartment` that should host the rule3. Click `Create Rule`4. Provide a `Display Name` and `Description`5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Idp Group Mapping – Add`, `Idp Group Mapping – Remove` and `Idp Group Mapping – Update`6. In the `Actions` section select `Notifications` as Action Type7. Select the `Compartment` that hosts the Topic to be used.8. Select the `Topic` to be used9. Optionally add Tags to the Rule10. Click `Create Rule`**From CLI:**1. Find the `topic-id` of the topic the Event Rule should use for sending notifications by using the topic `name` and `Compartment OCID````oci ons topic list --compartment-id <compartment-ocid> --all --query data [?name=='<topic-name>'].{name:name,topic_id:\\topic-id\\} --output table```2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.```{ actions: { actions: [ { actionType: ONS, isEnabled: true, topicId: <topic-id> }] }, condition:{\\eventType\\:[\\com.oraclecloud.identitycontrolplane.addidpgroupmapping\\,\\com.oraclecloud.identitycontrolplane.removeidpgroupmapping\\,\\com.oraclecloud.identitycontrolplane.updateidpgroupmapping\\],\\data\\:{}}, displayName: <display-name>, description: <description>, isEnabled: true, compartmentId: <compartment-ocid>}```3. Create the actual event rule```oci events rule create --from-json file://event_rule.json```4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
+          "AuditProcedure": "**From Console:**1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)2. Select the `Compartment` that hosts the rules3. Find and click the `Rule` that handles `Idp Group Mapping` Changes (if any)4. Ensure the `Rule` is `ACTIVE`5. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Identity` and Event Types: `Idp Group Mapping – Add`, `Idp Group Mapping – Remove` and `Idp Group Mapping – Update`6. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.**From CLI:** 1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID```oci events rule list --compartment-id <compartment-ocid> --query data [?\\display-name\\=='<displa-name>'].{id:id} --output table```2. List the details of a specific Event Rule based on the OCID of the rule.```oci events rule get --rule-id <rule-id>```3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:```com.oraclecloud.identitycontrolplane.addidpgroupmappingcom.oraclecloud.identitycontrolplane.removeidpgroupmappingcom.oraclecloud.identitycontrolplane.updateidpgroupmapping```4. Verify the value of the `is-enabled` attribute is `true`5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`6. Verify the correct topic is used by checking the topic name```oci ons topic get --topic-id <topic-id> --query data.{name:name} --output table```",
           "AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
           "References": ""
         }

prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json

@@ -9,7 +9,7 @@
   "Severity": "high",
   "ResourceType": "EventRule",
   "ResourceGroup": "messaging",
-  "Description": "**OCI Events rules** monitor **IdP group mapping changes** with **notification actions** for `com.oraclecloud.identitycontrolplane.createidpgroupmapping`, `com.oraclecloud.identitycontrolplane.deleteidpgroupmapping`, and `com.oraclecloud.identitycontrolplane.updateidpgroupmapping`.",
+  "Description": "**OCI Events rules** monitor **IdP group mapping changes** with **notification actions** for `com.oraclecloud.identitycontrolplane.addidpgroupmapping`, `com.oraclecloud.identitycontrolplane.removeidpgroupmapping`, and `com.oraclecloud.identitycontrolplane.updateidpgroupmapping`.",
   "Risk": "Without **alerts** on IdP group mapping changes, federated users can gain unauthorized group memberships unnoticed, enabling **privilege escalation** and broader access to OCI resources. This undermines **confidentiality** and **integrity**, and may affect **availability** through misuse of elevated permissions.",
   "RelatedUrl": "",
   "AdditionalURLs": [
@@ -18,13 +18,13 @@
   ],
   "Remediation": {
     "Code": {
-      "CLI": "oci events rule create --compartment-id <COMPARTMENT_OCID> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<TOPIC_OCID>\"}]}'",
+      "CLI": "oci events rule create --compartment-id <COMPARTMENT_OCID> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.addidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.removeidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<TOPIC_OCID>\"}]}'",
       "NativeIaC": "",
-      "Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule\n3. Condition: add Event types:\n   - com.oraclecloud.identitycontrolplane.createidpgroupmapping\n   - com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\n   - com.oraclecloud.identitycontrolplane.updateidpgroupmapping\n4. Actions: Add action > Notifications (ONS) and select the target Topic\n5. Ensure Rule is Enabled and click Create",
-      "Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n  compartment_id = \"<example_resource_id>\"\n  display_name   = \"<example_resource_name>\"\n  is_enabled     = true\n\n  condition = jsonencode({\n    eventType = [\n      \"com.oraclecloud.identitycontrolplane.createidpgroupmapping\", # critical: monitor IdP group mapping create\n      \"com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\", # critical: monitor IdP group mapping delete\n      \"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\"  # critical: monitor IdP group mapping update\n    ]\n  })\n\n  actions {\n    actions {\n      action_type = \"ONS\"                       # critical: adds notification action\n      topic_id    = \"<example_resource_id>\"     # critical: ONS topic to notify\n      is_enabled  = true\n    }\n  }\n}\n```"
+      "Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule\n3. Condition: add Event types:\n   - com.oraclecloud.identitycontrolplane.addidpgroupmapping\n   - com.oraclecloud.identitycontrolplane.removeidpgroupmapping\n   - com.oraclecloud.identitycontrolplane.updateidpgroupmapping\n4. Actions: Add action > Notifications (ONS) and select the target Topic\n5. Ensure Rule is Enabled and click Create",
+      "Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n  compartment_id = \"<example_resource_id>\"\n  display_name   = \"<example_resource_name>\"\n  is_enabled     = true\n\n  condition = jsonencode({\n    eventType = [\n      \"com.oraclecloud.identitycontrolplane.addidpgroupmapping\", # critical: monitor IdP group mapping add\n      \"com.oraclecloud.identitycontrolplane.removeidpgroupmapping\", # critical: monitor IdP group mapping remove\n      \"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\"  # critical: monitor IdP group mapping update\n    ]\n  })\n\n  actions {\n    actions {\n      action_type = \"ONS\"                       # critical: adds notification action\n      topic_id    = \"<example_resource_id>\"     # critical: ONS topic to notify\n      is_enabled  = true\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Define **Events rules** for IdP group mapping changes (`com.oraclecloud.identitycontrolplane.createidpgroupmapping`, `...deleteidpgroupmapping`, `...updateidpgroupmapping`) and route notifications to monitored channels via **OCI Notifications**. Apply **least privilege** and **separation of duties**, and integrate alerts with a SIEM for **defense in depth**.",
+      "Text": "Define **Events rules** for IdP group mapping changes (`com.oraclecloud.identitycontrolplane.addidpgroupmapping`, `...removeidpgroupmapping`, `...updateidpgroupmapping`) and route notifications to monitored channels via **OCI Notifications**. Apply **least privilege** and **separation of duties**, and integrate alerts with a SIEM for **defense in depth**.",
       "Url": "https://hub.prowler.com/check/events_rule_idp_group_mapping_changes"
     }
   },

prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.py

@@ -15,17 +15,33 @@ class events_rule_idp_group_mapping_changes(Check):
         """Execute the events_rule_idp_group_mapping_changes check."""
         findings = []
 
-        # Required event types for IdP group mapping changes
-        required_event_types = [
+        # OCI CIS 3.1 renamed create/delete to add/remove. Accept both to keep
+        # compatibility with rules that still use the legacy event names.
+        current_required_event_types = [
+            "com.oraclecloud.identitycontrolplane.addidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.removeidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.updateidpgroupmapping",
+        ]
+        legacy_required_event_types = [
             "com.oraclecloud.identitycontrolplane.createidpgroupmapping",
             "com.oraclecloud.identitycontrolplane.deleteidpgroupmapping",
             "com.oraclecloud.identitycontrolplane.updateidpgroupmapping",
         ]
 
         # Filter rules that monitor IdP group mapping changes
-        matching_rules = filter_rules_by_event_types(
-            events_client.rules, required_event_types
-        )
+        matching_rules = []
+        seen_rule_ids = set()
+        for required_event_types in (
+            current_required_event_types,
+            legacy_required_event_types,
+        ):
+            for rule, condition in filter_rules_by_event_types(
+                events_client.rules, required_event_types
+            ):
+                rule_id = getattr(rule, "id", None) or id(rule)
+                if rule_id not in seen_rule_ids:
+                    matching_rules.append((rule, condition))
+                    seen_rule_ids.add(rule_id)
 
         # Create findings for each matching rule
         for rule, _ in matching_rules:

tests/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes_test.py

@@ -9,6 +9,102 @@ from tests.providers.oraclecloud.oci_fixtures import (
 
 
 class Test_events_rule_idp_group_mapping_changes:
+    def test_current_cis_3_1_event_types_pass(self):
+        """events_rule_idp_group_mapping_changes: current CIS 3.1 event types should pass."""
+        events_client = mock.MagicMock()
+        events_client.audited_compartments = {OCI_COMPARTMENT_ID: mock.MagicMock()}
+        events_client.audited_tenancy = OCI_TENANCY_ID
+
+        rule = mock.MagicMock()
+        rule.id = "ocid1.eventrule.oc1.iad.aaaaaaaexample"
+        rule.name = "idp-group-mapping-events"
+        rule.region = OCI_REGION
+        rule.compartment_id = OCI_COMPARTMENT_ID
+        rule.lifecycle_state = "ACTIVE"
+        rule.is_enabled = True
+        rule.condition = """
+        {
+          "eventType": [
+            "com.oraclecloud.identitycontrolplane.addidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.removeidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.updateidpgroupmapping"
+          ]
+        }
+        """
+        rule.actions = [{"action_type": "ONS", "is_enabled": True}]
+
+        events_client.rules = [rule]
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_oraclecloud_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.oraclecloud.services.events.events_rule_idp_group_mapping_changes.events_rule_idp_group_mapping_changes.events_client",
+                new=events_client,
+            ),
+        ):
+            from prowler.providers.oraclecloud.services.events.events_rule_idp_group_mapping_changes.events_rule_idp_group_mapping_changes import (
+                events_rule_idp_group_mapping_changes,
+            )
+
+            check = events_rule_idp_group_mapping_changes()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].resource_id == rule.id
+            assert result[0].resource_name == rule.name
+
+    def test_legacy_event_types_still_pass(self):
+        """events_rule_idp_group_mapping_changes: legacy event types remain supported."""
+        events_client = mock.MagicMock()
+        events_client.audited_compartments = {OCI_COMPARTMENT_ID: mock.MagicMock()}
+        events_client.audited_tenancy = OCI_TENANCY_ID
+
+        rule = mock.MagicMock()
+        rule.id = "ocid1.eventrule.oc1.iad.bbbbbbbexample"
+        rule.name = "legacy-idp-group-mapping-events"
+        rule.region = OCI_REGION
+        rule.compartment_id = OCI_COMPARTMENT_ID
+        rule.lifecycle_state = "ACTIVE"
+        rule.is_enabled = True
+        rule.condition = """
+        {
+          "eventType": [
+            "com.oraclecloud.identitycontrolplane.createidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.deleteidpgroupmapping",
+            "com.oraclecloud.identitycontrolplane.updateidpgroupmapping"
+          ]
+        }
+        """
+        rule.actions = [{"action_type": "ONS", "is_enabled": True}]
+
+        events_client.rules = [rule]
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_oraclecloud_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.oraclecloud.services.events.events_rule_idp_group_mapping_changes.events_rule_idp_group_mapping_changes.events_client",
+                new=events_client,
+            ),
+        ):
+            from prowler.providers.oraclecloud.services.events.events_rule_idp_group_mapping_changes.events_rule_idp_group_mapping_changes import (
+                events_rule_idp_group_mapping_changes,
+            )
+
+            check = events_rule_idp_group_mapping_changes()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert result[0].resource_id == rule.id
+            assert result[0].resource_name == rule.name
+
     def test_no_resources(self):
         """events_rule_idp_group_mapping_changes: No resources to check"""
         events_client = mock.MagicMock()