Releases: oci-landing-zones/oci-cis-landingzone-quickstart
v2.6.4
September 18, 2023 Release Notes - 2.6.4
- CIS Compliance Script Adds Identity Domains
- Updates to the CIS Compliance Script
- Workload Expansion Terraform for Quick Start
CIS Compliance Script Adds Identity Domains
The CIS compliance checking script now collects the password policy of Identity Domains. This allows the script to assess CIS recommendation 1.5 Ensure IAM password policy expires passwords within 365 days and recommendation 1.6 Ensure IAM password policy prevents password reuse.
Updates to the CIS Compliance Script
- Updates:
- Improved navigation for CIS Summary Report HTML
- Added error_report.csv for errors when collecting OCI resources
- Fixes:
- Improved OCI logging error handling
- Fixed compliance for Storage Admin policies for CIS recommendation 1.14 Ensure storage service-level admins cannot delete resources they manage
Workload Expansion Terraform for Quick Start
The Terraform code in this folder extends an existing CIS Landing Zone deployment. It does this by adding one or more workload compartments in the AppDev compartment and, optionally, the associated OCI IAM groups, dynamic groups, and OCI IAM policies to manage OCI resources in the workload compartment. For more information, see the readme.md.
Release 2.6.3
September 4, 2023 Release Notes - 2.6.3
- Fixes to the CIS Compliance Script
- Updates to the CIS Compliance Script
- Updates to Terraform Template
Fixes to the CIS Compliance Script
Fixes:
- Index out of range exception in OBP checks for subnets and buckets in some exceptional cases.
- No budget returned if script executed from non-home region in Cloud Shell. Budgets are now returned in all cases.
Updates to the CIS Compliance Script
Updates:
- Event types added to remediation in HTML report for check 3.13.
- All OCI groups are now returned in raw output, including groups with no users.
- Databases in "UNAVAILABLE" state are no longer returned in check 2.8.
Updates to Terraform Template
Updates:
- Existing groups can now have spaces in their names. Useful when referring to synchronized groups from external identity providers, where spaces are allowed in group names.
- Variables for existing groups (existing_xxxxx_admin_group_name) can be assigned multiple groups. Feature only available through Terraform CLI. Not available in OCI Resource Manager.
- network_admin_email_endpoints and security_admin_email_endpoints variables now enforce non-emptiness in Terraform CLI.
v2.6.2
August 8, 2023 Release Notes - 2.6.2
Updates to the CIS Compliance Script
Updates:
- Added Service Connector Hub ID and Name to OBP Best practices for VCN Flow Logs and Object Storage Buckets
- Alert users when cis_reports.py is not run in the home region, which can affect budget collection
Fixes to the CIS Compliance Script
Fixes:
- Updated the CIS 2.8 check to exclude ADB-S instances that are in a VCN but not attached to a Network Security Group. Closes issue #105
- Cleaned up 1900+ Flake8 warnings
Updates to the Readme
Updates:
- Removed team section
- Added the CIS Terraform Modules Section
v2.6.1
July 26, 2023 Release Notes - 2.6.1
Updates to Terraform Template
Fixes:
- Fixed a defect where missing exainfra admin group name in grants was causing policies creation to fail.
Updates:
- Set Terraform version upper bound to < 1.3.0 in provider.tf.
Documentation Updates
Updates:
- Added link to CIS Landing Zone Quick Start Live Lab in README.md.
Fixes to the CIS Compliance Script
Fixes:
- CIS check 2.8 now skips autonomous databases in the UNAVAILABLE state
v2.6.0
July 14, 2023 Release Notes - 2.6.0
Updates to Terraform Template
Updates:
- IAM resources, including compartments, groups, dynamic groups and policies, are now managed with new remote modules, available in https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam. The old local IAM modules are still kept in this repository.
- IAM policies can now be created based on metadata associated to compartments. This is an alternative way of managing policies, enabled by the new IAM policy module. In this approach, the grants to resources belonging to a specific compartment are combined into a single policy that is attached to the compartment itself. This differs from the existing approach, where grants are combined per grantee and attached to the enclosing compartment. This alternative way is enabled by the Enable template policies? checkbox (if using OCI Resource Manager) or by the enable_template_policies variable (if using Terraform CLI). The existing approach of deploying policies remains the default.
- Some policy grants have been updated, allowing admin groups to manage keys in their own compartments using the OCI Vault in the Security compartment and to deploy private endpoints in the Network compartment. Additionally, some grants have been consolidated into a single grant with a comma-separated list of group principals. Service policies have been consolidated into a single policy with the new name ${var.service_label}-services-policy.
- Deploying with an enclosing compartment becomes the default. Users who deploy without an enclosing compartment should unset Use an enclosing compartment? checkbox (if using OCI Resource Manager) or set use_enclosing_compartment variable to false (if using Terraform CLI).
- Quick Start release number added to cis-landing-zone freeform tag.
- Application Information tab is now enabled in OCI Resource Manager, displaying basic information about the stack and the outputs of the latest Terraform apply.
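The two policy layouts described above (grants combined per grantee and attached to the enclosing compartment, versus grants combined per target compartment and attached to that compartment) and the consolidation of grants into a comma-separated list of group principals can be compared side by side in the following Python sketch. This is an added example, not code from the Landing Zone or its IAM modules; the group and compartment names, the enclosing compartment name "lz-top-cmp" and the "<label>-<x>-policy" naming pattern are assumptions made for the illustration.

```python
"""Two ways of shaping OCI IAM policies from the same set of grants.

Added illustration, not code from the Landing Zone Terraform modules. The
group names, compartment names, enclosing compartment "lz-top-cmp" and the
"<label>-<x>-policy" naming pattern are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Grant:
    group: str        # OCI IAM group being granted access
    verb: str         # inspect | read | use | manage
    resource: str     # e.g. "virtual-network-family"
    compartment: str  # name of the compartment the grant targets


def statement(groups: List[str], verb: str, resource: str, compartment: str) -> str:
    """Render one OCI policy statement; several groups become a comma-separated principal list."""
    return f"Allow group {', '.join(groups)} to {verb} {resource} in compartment {compartment}"


def consolidate(grants: List[Grant]) -> List[str]:
    """Merge grants that differ only in grantee into a single statement."""
    merged: Dict[tuple, set] = defaultdict(set)
    for g in grants:
        merged[(g.verb, g.resource, g.compartment)].add(g.group)
    return [statement(sorted(groups), verb, res, comp)
            for (verb, res, comp), groups in sorted(merged.items())]


def policies_per_grantee(grants: List[Grant], enclosing: str, label: str) -> Dict[str, dict]:
    """Default approach: grants are combined per grantee and the policy is attached
    to the enclosing compartment, so one policy reaches several child compartments."""
    by_group: Dict[str, List[Grant]] = defaultdict(list)
    for g in grants:
        by_group[g.group].append(g)
    return {f"{label}-{group}-policy": {"attached_to": enclosing, "statements": consolidate(gs)}
            for group, gs in by_group.items()}


def policies_per_compartment(grants: List[Grant], label: str) -> Dict[str, dict]:
    """Template approach: grants targeting a compartment are combined into one policy
    attached to that compartment itself, so the policy lives with the resources it governs."""
    by_comp: Dict[str, List[Grant]] = defaultdict(list)
    for g in grants:
        by_comp[g.compartment].append(g)
    return {f"{label}-{comp}-policy": {"attached_to": comp, "statements": consolidate(gs)}
            for comp, gs in by_comp.items()}


# Constructed sample grants (assumed names), including the cross-compartment
# grants that let workload admins use Vault keys in security and deploy private
# endpoints in network.
SAMPLE_GRANTS = [
    Grant("network-admin", "manage", "virtual-network-family", "network"),
    Grant("security-admin", "manage", "vaults", "security"),
    Grant("appdev-admin", "manage", "instance-family", "appdev"),
    Grant("appdev-admin", "use", "virtual-network-family", "network"),
    Grant("appdev-admin", "use", "vaults", "security"),
    Grant("database-admin", "use", "virtual-network-family", "network"),
    Grant("database-admin", "use", "vaults", "security"),
]


if __name__ == "__main__":
    for name, pol in sorted(policies_per_compartment(SAMPLE_GRANTS, "lz").items()):
        print(f"{name} (attached to {pol['attached_to']})")
        for s in pol["statements"]:
            print("   ", s)
```

With the per-compartment layout, the network policy carries both the network admin's manage grant and a single consolidated "Allow group appdev-admin, database-admin to use ..." statement, which is the shape described for the consolidated grants; the per-grantee layout instead yields one policy per admin group, all attached to the enclosing compartment.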
Release 2.5.12
June 29, 2023 Release Notes - 2.5.12
Fixes to the CIS Compliance Script
Fixes:
- Fixed a logic issue for Security Lists and Network Security Groups with source ports but no destination ports
- Removed Deeplink from Exception handling when reading object storage buckets
- OBP check for budgets now verifies that there is a budget with an alert for the root compartment
v2.5.11
June 20, 2023 Release Notes - 2.5.11
- Performance update to the CIS Compliance Script
- Summary Data update to the CIS Compliance Script
- Fixes to the CIS Compliance Script
Performance update to the CIS Compliance Script
Migrated the querying of resources to Resource Search (the Search service in the OCI API). By using Resource Search, per-compartment iteration for listing items is avoided; only items that require more detail than Resource Search returns are queried compartment by compartment. This migration reduces script execution time roughly eightfold.
Summary Data update to the CIS Compliance Script
The CIS Summary report CSV adds two new columns: Compliant Items, the number of resources that are aligned with that recommendation, and Total, the total number of that resource type in the tenancy. The Total column is also in the screen output.
Fixes to the CIS Compliance Script
Fixes
- Updated the CIS checks 2.1, 2.2, 2.3, and 2.4 to detect Security Lists and Network Security Groups that allow ingress access to ports 22 or 3389 by allowing all protocols, all ports, or port ranges that include those ports.
- Updated CIS Check 2.5 to only look at Default Security Lists.
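To make the fix for checks 2.1 to 2.4 concrete, here is an added Python example (not code from cis_reports.py) that evaluates constructed Security List and NSG ingress rules against ports 22 and 3389, treating protocol "all", TCP with no destination port range, and TCP port ranges that contain the port as exposures. It also derives the Compliant Items / Total counts that the Summary Data update adds to the CSV. The rule dictionaries are constructed to resemble the fields of the OCI SDK's IngressSecurityRule / SecurityRule objects (protocol as the IANA number string, "all" for all protocols, tcp_options.destination_port_range with min and max); that shape is an assumption for the example, not a captured API response.

```python
"""Detect ingress rules that expose SSH (22) or RDP (3389) to 0.0.0.0/0.

Added example; not code from cis_reports.py. The rule dictionaries are
constructed to mimic OCI SDK IngressSecurityRule / SecurityRule fields:
protocol is the IANA number as a string ("6" = TCP) or "all"; tcp_options
may be None (all TCP ports) or carry destination_port_range {min, max}.
"""
from typing import Dict, List

IANA_TCP = "6"
INTERNET = "0.0.0.0/0"

# (resource type, port) -> CIS OCI Foundations recommendation number
CHECKS = {
    ("SecurityList", 22): "2.1",
    ("SecurityList", 3389): "2.2",
    ("NSG", 22): "2.3",
    ("NSG", 3389): "2.4",
}


def rule_exposes_port(rule: dict, port: int) -> bool:
    """True if an ingress rule from 0.0.0.0/0 can reach `port` over TCP.

    Covers the three cases a naive "port == 22" comparison misses:
    protocol "all", TCP with no port range (every port), and TCP ranges.
    """
    if rule.get("source") != INTERNET:
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True                      # all protocols includes TCP/22 and TCP/3389
    if proto != IANA_TCP:
        return False                     # UDP, ICMP etc. cannot carry SSH/RDP
    tcp = rule.get("tcp_options") or {}
    rng = tcp.get("destination_port_range")
    if rng is None:
        return True                      # TCP with no range means all TCP ports
    return rng["min"] <= port <= rng["max"]


def evaluate(resources: List[dict]) -> Dict[str, dict]:
    """Evaluate resources against 2.1-2.4.

    Returns, per recommendation, the Compliant Items and Total counts used by
    the summary report plus the names of the non-compliant resources.
    """
    results = {rec: {"compliant": 0, "total": 0, "noncompliant": []} for rec in CHECKS.values()}
    for res in resources:
        for (rtype, port), rec in CHECKS.items():
            if res["type"] != rtype:
                continue
            results[rec]["total"] += 1
            if any(rule_exposes_port(r, port) for r in res["ingress_rules"]):
                results[rec]["noncompliant"].append(res["name"])
            else:
                results[rec]["compliant"] += 1
    return results


def tcp(src: str, lo: int = None, hi: int = None) -> dict:
    """Build a constructed TCP rule; lo=None means 'all destination ports'."""
    if lo is not None and hi is None:
        hi = lo
    opts = None if lo is None else {"destination_port_range": {"min": lo, "max": hi}}
    return {"source": src, "protocol": IANA_TCP, "tcp_options": opts}


# Constructed sample inventory (assumed names).
SAMPLE_RESOURCES = [
    {"name": "sl-public-web", "type": "SecurityList",
     "ingress_rules": [tcp(INTERNET, 80), tcp(INTERNET, 443)]},
    {"name": "sl-bastion", "type": "SecurityList",
     "ingress_rules": [tcp(INTERNET, 22)]},
    {"name": "sl-all-open", "type": "SecurityList",
     "ingress_rules": [{"source": INTERNET, "protocol": "all"}]},
    {"name": "nsg-range", "type": "NSG",
     "ingress_rules": [tcp(INTERNET, 3000, 4000)]},      # range contains 3389
    {"name": "nsg-internal", "type": "NSG",
     "ingress_rules": [tcp("10.0.0.0/8")]},             # all ports, but not from the internet
    {"name": "nsg-tcp-any", "type": "NSG",
     "ingress_rules": [tcp(INTERNET)]},                 # TCP, no port range
]


if __name__ == "__main__":
    for rec, r in sorted(evaluate(SAMPLE_RESOURCES).items()):
        print(f"{rec}: {r['compliant']}/{r['total']} compliant; non-compliant: {r['noncompliant']}")
```

Run stand-alone, the script reports sl-all-open under both 2.1 and 2.2, nsg-range only under 2.4 (3389 falls inside 3000-4000 while 22 does not), and nsg-tcp-any under both NSG checks, while the rule from 10.0.0.0/8 never counts because the checks are scoped to 0.0.0.0/0.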
v2.5.10
May 12, 2023 Release Notes - 2.5.10
Support for Security Tokens in the CIS Compliance Script
New:
- Added support for Security Tokens for script authentication, courtesy of Dave Knot (dns-prefetch). For a usage example, go to compliance-script.md and review the "Executing on a local machine via Security Token (oci session authenticate)" example. For more information on security tokens: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm
Terraform Template Updates
Fixes:
- Security rule added for ICMP in Exadata CS security lists, allowing for the initiation of ICMP requests to hosts in the VCN. Changes in net_exacs_vcns.tf.
- VSS targets are now created when the Landing Zone is extended to a new region. Changes in vss.tf.
v2.5.9
April 26, 2023 Release Notes - 2.5.9
Terraform Template Updates
Updates:
- Security Zone is enabled only if an enclosing compartment is used. Changes in security_zones.tf.
- Network event types updated for local peering gateway and service gateway: only event types ending with ".end" are captured. Changes in mon_notifications.tf.
v2.5.8
April 17, 2023 Release Notes - 2.5.8
CIS Compliance Script Updates
Updates:
- Updated CIS rule 1.7 to exclude OCI IAM local users that are service accounts. A service account is an OCI IAM local user that does not have the Local Password user capability.
- Support validated on OCI SDK 2.97.0.
Fixes:
- Improved error handling for Event Rules with no conditions.
Terraform Template Updates
- Compartment level service policies no longer created when extending Landing Zone to new region.
- VSS and Vault resources now dependent on service policies.