chore: add oraclecloud/compute metadata update to changelog

prowler/CHANGELOG.md

@@ -83,6 +83,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
 - Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
 - Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
+- Update oraclecloud Compute Engine service metadata to new format [(#9371)](https://github.com/prowler-cloud/prowler/pull/9371)
+
 
 ### Fixed
 - Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)

prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json

@@ -1,34 +1,36 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "compute_instance_in_transit_encryption_enabled",
-  "CheckTitle": "Ensure In-transit Encryption is enabled on Compute Instance",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Compute instance has in-transit encryption enabled",
+  "CheckType": [],
   "ServiceName": "compute",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:compute:instance",
+  "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "OciComputeInstance",
-  "Description": "In-transit encryption protects data as it moves between the compute instance and block volumes. This is implemented through the Oracle Cloud Agent management plugin which enables encryption for block volume attachments.",
-  "Risk": "Without in-transit encryption, data moving between compute instances and block volumes could be intercepted or tampered with during transmission.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/blockvolumeencryption.htm",
+  "ResourceType": "Instance",
+  "Description": "**OCI compute instances** are evaluated for **in-transit encryption** on paravirtualized block or boot volume attachments, confirming that data exchanged between the instance and attached volumes is encrypted during transfer.",
+  "Risk": "Without **in-transit encryption**, volume traffic can be inspected or altered on internal paths. A threat actor or compromised host could read sensitive data, inject corrupted blocks, or replay writes, undermining **confidentiality** and **integrity**, and risking **availability** through data corruption.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://github.com/hitrov/oci-arm-host-capacity/issues/20",
+    "https://skrajend.blogspot.com/2019/02/in-transit-encryption-for-boot-and.html",
+    "https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/blockvolumeencryption.htm",
+    "https://www.pulumi.com/registry/packages/oci/api-docs/core/volumeattachment/",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enable-encryption-in-transit.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci compute instance update --instance-id <instance-ocid> --agent-config '{\"isManagementDisabled\": false}'",
+      "CLI": "oci compute boot-volume-attachment update --boot-volume-attachment-id <boot-volume-attachment-ocid> --is-pv-encryption-in-transit-enabled true",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enable-encryption-in-transit.html",
-      "Terraform": "resource \"oci_core_instance\" \"example\" {\n  # ... other configuration ...\n  agent_config {\n    is_management_disabled = false\n  }\n}"
+      "Other": "1. In the OCI Console, go to Compute > Instances and open the target instance\n2. Under Resources, click the boot volume attachment, choose Edit, enable \"Use in-transit encryption\", and Save\n3. For each attached block volume (paravirtualized), open the attachment (More actions > Edit), enable \"Use in-transit encryption\", and Save\n4. If Edit isn't available for an attachment, detach it and reattach it with \"Use in-transit encryption\" checked",
+      "Terraform": "```hcl\nresource \"oci_core_instance\" \"<example_resource_name>\" {\n  # ... other required configuration ...\n  launch_options {\n    is_pv_encryption_in_transit_enabled = true  # Critical: enables in-transit encryption for paravirtualized attachments\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable the Oracle Cloud Agent management plugin on all compute instances to enable in-transit encryption for block volume attachments.",
-      "Url": "https://hub.prowler.com/check/oci/compute_instance_in_transit_encryption_enabled"
+      "Text": "Enable **in-transit encryption** for all paravirtualized volume attachments and make it standard in golden images and IaC. Apply **defense in depth** with **customer-managed keys** and regular rotation. Periodically verify attachments and remediate drift so no instance communicates with volumes over unencrypted channels.",
+      "Url": "https://hub.prowler.com/check/compute_instance_in_transit_encryption_enabled"
     }
   },
   "Categories": [
-    "compute",
     "encryption"
   ],
   "DependsOn": [],

prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json

@@ -1,35 +1,35 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "compute_instance_legacy_metadata_endpoint_disabled",
-  "CheckTitle": "Ensure Compute Instance Legacy Metadata service endpoint is disabled",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Compute instance legacy metadata service endpoint is disabled",
+  "CheckType": [],
   "ServiceName": "compute",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:compute:instance",
-  "Severity": "medium",
-  "ResourceType": "OciComputeInstance",
-  "Description": "The legacy Instance Metadata Service (IMDS) v1 endpoints do not use session authentication. Disabling the legacy endpoints helps prevent unauthorized access to instance metadata.",
-  "Risk": "If legacy metadata endpoints are enabled, attackers who gain access to the instance may be able to access instance metadata without authentication, potentially exposing sensitive information.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "Instance",
+  "Description": "**OCI compute instance metadata service** is configured so legacy **IMDS v1** endpoints are disabled, requiring session-authorized **IMDS v2** requests for metadata access",
+  "Risk": "Enabled **IMDS v1** permits unauthenticated metadata reads via local access or **SSRF**, compromising **confidentiality** of instance credentials, SSH keys, and custom data. Stolen tokens enable cloud API abuse, driving **privilege escalation**, **lateral movement**, and unauthorized changes that impact **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enforce-imds-v2.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "oci compute instance update --instance-id <instance-ocid> --instance-options '{\"areLegacyImdsEndpointsDisabled\": true}'",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enforce-imds-v2.html",
-      "Terraform": "resource \"oci_core_instance\" \"example\" {\n  # ... other configuration ...\n  instance_options {\n    are_legacy_imds_endpoints_disabled = true\n  }\n}"
+      "Other": "1. In the OCI Console, go to Compute > Instances\n2. Select <example_resource_name>\n3. In Instance Details, next to Instance metadata service, click Edit\n4. Set Allowed IMDS version to Version 2 only\n5. Click Save changes",
+      "Terraform": "```hcl\nresource \"oci_core_instance\" \"<example_resource_name>\" {\n  instance_options {\n    are_legacy_imds_endpoints_disabled = true  # Critical: disables IMDSv1, allowing only IMDSv2\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Disable legacy metadata service endpoints on all compute instances to enforce session-based authentication.",
-      "Url": "https://hub.prowler.com/check/oci/compute_instance_legacy_metadata_endpoint_disabled"
+      "Text": "Disable **IMDS v1** and require **IMDS v2** across all instances. Migrate applications to session-authorized requests and confirm image support. Enforce **least privilege** for instance principals, restrict untrusted processes from reaching `169.254.169.254`, and monitor metadata access to provide **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/compute_instance_legacy_metadata_endpoint_disabled"
     }
   },
   "Categories": [
-    "compute",
-    "security-configuration"
+    "secrets",
+    "identity-access"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json

@@ -1,35 +1,34 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "compute_instance_secure_boot_enabled",
-  "CheckTitle": "Ensure Secure Boot is enabled on Compute Instance",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Compute instance has Secure Boot enabled",
+  "CheckType": [],
   "ServiceName": "compute",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:compute:instance",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "OciComputeInstance",
-  "Description": "Secure Boot helps ensure that the instance boots using only software that is trusted by the platform firmware. This prevents rootkits and bootkits from loading during the boot process.",
-  "Risk": "Without Secure Boot enabled, instances are vulnerable to boot-level malware that can compromise the entire system before the operating system loads.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm",
+  "ResourceType": "Instance",
+  "Description": "**OCI compute instances** have **UEFI Secure Boot** enabled so the platform firmware loads only trusted, signed bootloaders, kernels, and drivers at startup.",
+  "Risk": "Without **Secure Boot**, unsigned or tampered boot code can run before the OS, enabling **bootkits/rootkits** to gain kernel-level persistence, bypass monitoring, alter logs, and exfiltrate secrets, eroding **integrity** and **confidentiality**, and risking **availability** through destructive changes or ransom staging.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enable-secure-boot.html",
+    "https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci compute instance update --instance-id <instance-ocid> --platform-config '{\"isSecureBootEnabled\": true}'",
+      "CLI": "",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Compute/enable-secure-boot.html",
-      "Terraform": "resource \"oci_core_instance\" \"example\" {\n  # ... other configuration ...\n  platform_config {\n    type = \"AMD_MILAN_BM\" # or appropriate platform\n    is_secure_boot_enabled = true\n  }\n}"
+      "Other": "1. In the OCI Console, go to Compute > Instances\n2. Click Create instance\n3. Choose an image and shape that support Shielded instance\n4. In the Security section, click Edit under Shielded instance and enable Secure Boot\n5. Click Create\n6. To remove the failing resource, select the original non-shielded instance > More actions > Terminate",
+      "Terraform": "```hcl\nresource \"oci_core_instance\" \"example\" {\n  # ... other required configuration ...\n\n  platform_config {\n    type                   = \"AMD_VM\"\n    is_secure_boot_enabled = true # Critical: enable Secure Boot to pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable Secure Boot on all compute instances to protect against boot-level malware and ensure system integrity.",
-      "Url": "https://hub.prowler.com/check/oci/compute_instance_secure_boot_enabled"
+      "Text": "Enable **Secure Boot** across instances and prefer **shielded instances**. Pair with **TPM** and **Measured Boot** where supported for defense in depth. Permit only trusted, signed kernels and drivers, and manage updates via hardened golden images and code signing. *On Windows VMs, use Secure Boot with TPM and Measured Boot.*",
+      "Url": "https://hub.prowler.com/check/compute_instance_secure_boot_enabled"
     }
   },
   "Categories": [
-    "compute",
-    "security-configuration"
+    "node-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],