prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl
- dashboard/assets/markdown-styles.css +34 -0
- dashboard/compliance/c5_aws.py +43 -0
- dashboard/compliance/ccc_aws.py +36 -0
- dashboard/compliance/ccc_azure.py +36 -0
- dashboard/compliance/ccc_gcp.py +36 -0
- dashboard/compliance/cis_3_0_oci.py +41 -0
- dashboard/pages/overview.py +66 -16
- prowler/CHANGELOG.md +60 -0
- prowler/__main__.py +128 -14
- prowler/compliance/aws/aws_account_security_onboarding_aws.json +1 -0
- prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json +1 -0
- prowler/compliance/aws/aws_foundational_security_best_practices_aws.json +2 -1
- prowler/compliance/aws/aws_foundational_technical_review_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_reliability_pillar_aws.json +1 -0
- prowler/compliance/aws/aws_well_architected_framework_security_pillar_aws.json +1 -0
- prowler/compliance/aws/c5_aws.json +10744 -0
- prowler/compliance/aws/ccc_aws.json +6206 -0
- prowler/compliance/aws/cis_1.4_aws.json +1 -0
- prowler/compliance/aws/cis_1.5_aws.json +1 -0
- prowler/compliance/aws/cis_2.0_aws.json +1 -0
- prowler/compliance/aws/cis_3.0_aws.json +1 -0
- prowler/compliance/aws/cis_4.0_aws.json +1 -0
- prowler/compliance/aws/cis_5.0_aws.json +1 -0
- prowler/compliance/aws/cisa_aws.json +1 -0
- prowler/compliance/aws/ens_rd2022_aws.json +1 -0
- prowler/compliance/aws/fedramp_low_revision_4_aws.json +1 -0
- prowler/compliance/aws/fedramp_moderate_revision_4_aws.json +1 -0
- prowler/compliance/aws/ffiec_aws.json +1 -0
- prowler/compliance/aws/gdpr_aws.json +1 -0
- prowler/compliance/aws/gxp_21_cfr_part_11_aws.json +1 -0
- prowler/compliance/aws/gxp_eu_annex_11_aws.json +1 -0
- prowler/compliance/aws/hipaa_aws.json +1 -0
- prowler/compliance/aws/iso27001_2013_aws.json +1 -0
- prowler/compliance/aws/iso27001_2022_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_aws.json +1 -0
- prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json +1 -0
- prowler/compliance/aws/mitre_attack_aws.json +287 -11
- prowler/compliance/aws/nis2_aws.json +1 -0
- prowler/compliance/aws/nist_800_171_revision_2_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_4_aws.json +1 -0
- prowler/compliance/aws/nist_800_53_revision_5_aws.json +1 -0
- prowler/compliance/aws/nist_csf_1.1_aws.json +1 -0
- prowler/compliance/aws/pci_3.2.1_aws.json +2 -1
- prowler/compliance/aws/pci_4.0_aws.json +1 -0
- prowler/compliance/aws/prowler_threatscore_aws.json +1 -0
- prowler/compliance/aws/rbi_cyber_security_framework_aws.json +1 -0
- prowler/compliance/aws/soc2_aws.json +1 -0
- prowler/compliance/azure/ccc_azure.json +6147 -0
- prowler/compliance/azure/cis_2.0_azure.json +1 -0
- prowler/compliance/azure/cis_2.1_azure.json +1 -0
- prowler/compliance/azure/cis_3.0_azure.json +1 -0
- prowler/compliance/azure/cis_4.0_azure.json +1 -0
- prowler/compliance/azure/ens_rd2022_azure.json +1 -0
- prowler/compliance/azure/iso27001_2022_azure.json +1 -0
- prowler/compliance/azure/mitre_attack_azure.json +131 -5
- prowler/compliance/azure/nis2_azure.json +1 -0
- prowler/compliance/azure/pci_4.0_azure.json +1 -0
- prowler/compliance/azure/prowler_threatscore_azure.json +1 -0
- prowler/compliance/azure/soc2_azure.json +1 -0
- prowler/compliance/gcp/ccc_gcp.json +6077 -0
- prowler/compliance/gcp/cis_2.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_3.0_gcp.json +1 -0
- prowler/compliance/gcp/cis_4.0_gcp.json +1 -0
- prowler/compliance/gcp/ens_rd2022_gcp.json +1 -0
- prowler/compliance/gcp/iso27001_2022_gcp.json +1 -0
- prowler/compliance/gcp/mitre_attack_gcp.json +287 -11
- prowler/compliance/gcp/nis2_gcp.json +1 -0
- prowler/compliance/gcp/pci_4.0_gcp.json +1 -0
- prowler/compliance/gcp/prowler_threatscore_gcp.json +1 -0
- prowler/compliance/gcp/soc2_gcp.json +1 -0
- prowler/compliance/github/cis_1.0_github.json +1 -0
- prowler/compliance/kubernetes/cis_1.10_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.11_kubernetes.json +1 -0
- prowler/compliance/kubernetes/cis_1.8_kubernetes.json +1 -0
- prowler/compliance/kubernetes/iso27001_2022_kubernetes.json +1 -0
- prowler/compliance/kubernetes/pci_4.0_kubernetes.json +1 -0
- prowler/compliance/llm/__init__.py +0 -0
- prowler/compliance/m365/cis_4.0_m365.json +1 -0
- prowler/compliance/m365/iso27001_2022_m365.json +1 -0
- prowler/compliance/m365/prowler_threatscore_m365.json +1 -0
- prowler/compliance/nhn/iso27001_2022_nhn.json +1 -0
- prowler/compliance/oci/__init__.py +0 -0
- prowler/compliance/oci/cis_3.0_oci.json +1141 -0
- prowler/config/config.py +5 -1
- prowler/config/llm_config.yaml +175015 -0
- prowler/config/oraclecloud_mutelist_example.yaml +61 -0
- prowler/lib/check/check.py +9 -1
- prowler/lib/check/compliance.py +1 -0
- prowler/lib/check/compliance_models.py +33 -3
- prowler/lib/check/models.py +96 -8
- prowler/lib/check/utils.py +8 -2
- prowler/lib/cli/parser.py +6 -4
- prowler/lib/outputs/compliance/aws_well_architected/aws_well_architected.py +4 -0
- prowler/lib/outputs/compliance/aws_well_architected/models.py +2 -0
- prowler/lib/outputs/compliance/c5/__init__.py +0 -0
- prowler/lib/outputs/compliance/c5/c5.py +98 -0
- prowler/lib/outputs/compliance/c5/c5_aws.py +92 -0
- prowler/lib/outputs/compliance/c5/models.py +30 -0
- prowler/lib/outputs/compliance/ccc/__init__.py +0 -0
- prowler/lib/outputs/compliance/ccc/ccc_aws.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_azure.py +95 -0
- prowler/lib/outputs/compliance/ccc/ccc_gcp.py +95 -0
- prowler/lib/outputs/compliance/ccc/models.py +90 -0
- prowler/lib/outputs/compliance/cis/cis_aws.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_azure.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_gcp.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_github.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_m365.py +4 -0
- prowler/lib/outputs/compliance/cis/cis_oci.py +106 -0
- prowler/lib/outputs/compliance/cis/models.py +56 -0
- prowler/lib/outputs/compliance/compliance.py +10 -0
- prowler/lib/outputs/compliance/compliance_output.py +4 -1
- prowler/lib/outputs/compliance/ens/ens_aws.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_azure.py +4 -0
- prowler/lib/outputs/compliance/ens/ens_gcp.py +4 -0
- prowler/lib/outputs/compliance/ens/models.py +6 -0
- prowler/lib/outputs/compliance/generic/generic.py +4 -0
- prowler/lib/outputs/compliance/generic/models.py +2 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_aws.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_azure.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_gcp.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_kubernetes.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_m365.py +4 -0
- prowler/lib/outputs/compliance/iso27001/iso27001_nhn.py +4 -0
- prowler/lib/outputs/compliance/iso27001/models.py +12 -0
- prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp_aws.py +4 -0
- prowler/lib/outputs/compliance/kisa_ismsp/models.py +2 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_aws.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_azure.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/mitre_attack_gcp.py +4 -0
- prowler/lib/outputs/compliance/mitre_attack/models.py +6 -0
- prowler/lib/outputs/compliance/prowler_threatscore/models.py +8 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py +46 -4
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_aws.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_azure.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_gcp.py +4 -0
- prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore_m365.py +4 -0
- prowler/lib/outputs/csv/csv.py +3 -0
- prowler/lib/outputs/finding.py +22 -0
- prowler/lib/outputs/html/html.py +192 -7
- prowler/lib/outputs/jira/jira.py +284 -47
- prowler/lib/outputs/ocsf/ocsf.py +1 -4
- prowler/lib/outputs/outputs.py +6 -0
- prowler/lib/outputs/summary_table.py +10 -0
- prowler/providers/aws/aws_regions_by_service.json +221 -44
- prowler/providers/aws/lib/quick_inventory/quick_inventory.py +3 -0
- prowler/providers/aws/lib/security_hub/security_hub.py +12 -2
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled/accessanalyzer_enabled.metadata.json +27 -13
- prowler/providers/aws/services/accessanalyzer/accessanalyzer_enabled_without_findings/accessanalyzer_enabled_without_findings.metadata.json +32 -13
- prowler/providers/aws/services/account/account_maintain_current_contact_details/account_maintain_current_contact_details.metadata.json +23 -11
- prowler/providers/aws/services/account/account_maintain_different_contact_details_to_security_billing_and_operations/account_maintain_different_contact_details_to_security_billing_and_operations.metadata.json +24 -12
- prowler/providers/aws/services/account/account_security_contact_information_is_registered/account_security_contact_information_is_registered.metadata.json +19 -11
- prowler/providers/aws/services/account/account_security_questions_are_registered_in_the_aws_account/account_security_questions_are_registered_in_the_aws_account.metadata.json +14 -10
- prowler/providers/aws/services/acm/acm_certificates_expiration_check/acm_certificates_expiration_check.metadata.json +17 -9
- prowler/providers/aws/services/acm/acm_certificates_transparency_logs_enabled/acm_certificates_transparency_logs_enabled.metadata.json +16 -12
- prowler/providers/aws/services/acm/acm_certificates_with_secure_key_algorithms/acm_certificates_with_secure_key_algorithms.metadata.json +21 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json +23 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.metadata.json +22 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json +26 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json +30 -19
- prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json +24 -16
- prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json +31 -18
- prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.metadata.json +20 -12
- prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json +24 -18
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json +18 -12
- prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appstream/appstream_fleet_default_internet_access_disabled/appstream_fleet_default_internet_access_disabled.metadata.json +23 -15
- prowler/providers/aws/services/appstream/appstream_fleet_maximum_session_duration/appstream_fleet_maximum_session_duration.metadata.json +15 -12
- prowler/providers/aws/services/appstream/appstream_fleet_session_disconnect_timeout/appstream_fleet_session_disconnect_timeout.metadata.json +17 -14
- prowler/providers/aws/services/appstream/appstream_fleet_session_idle_disconnect_timeout/appstream_fleet_session_idle_disconnect_timeout.metadata.json +20 -15
- prowler/providers/aws/services/appsync/appsync_field_level_logging_enabled/appsync_field_level_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/appsync/appsync_graphql_api_no_api_key_authentication/appsync_graphql_api_no_api_key_authentication.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_encryption/athena_workgroup_encryption.metadata.json +24 -12
- prowler/providers/aws/services/athena/athena_workgroup_enforce_configuration/athena_workgroup_enforce_configuration.metadata.json +20 -13
- prowler/providers/aws/services/athena/athena_workgroup_logging_enabled/athena_workgroup_logging_enabled.metadata.json +21 -12
- prowler/providers/aws/services/autoscaling/autoscaling_find_secrets_ec2_launch_configuration/autoscaling_find_secrets_ec2_launch_configuration.metadata.json +15 -10
- prowler/providers/aws/services/autoscaling/autoscaling_group_capacity_rebalance_enabled/autoscaling_group_capacity_rebalance_enabled.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_elb_health_check_enabled/autoscaling_group_elb_health_check_enabled.metadata.json +20 -12
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_no_public_ip/autoscaling_group_launch_configuration_no_public_ip.metadata.json +20 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_launch_configuration_requires_imdsv2/autoscaling_group_launch_configuration_requires_imdsv2.metadata.json +26 -14
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_az/autoscaling_group_multiple_az.metadata.json +22 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json +21 -13
- prowler/providers/aws/services/autoscaling/autoscaling_group_using_ec2_launch_template/autoscaling_group_using_ec2_launch_template.metadata.json +19 -12
- prowler/providers/aws/services/autoscaling/autoscaling_service.py +1 -1
- prowler/providers/aws/services/awslambda/awslambda_function_inside_vpc/awslambda_function_inside_vpc.metadata.json +26 -13
- prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.metadata.json +20 -13
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_code/awslambda_function_no_secrets_in_code.metadata.json +18 -9
- prowler/providers/aws/services/awslambda/awslambda_function_no_secrets_in_variables/awslambda_function_no_secrets_in_variables.metadata.json +20 -12
- prowler/providers/aws/services/awslambda/awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json +21 -12
- prowler/providers/aws/services/awslambda/awslambda_function_url_cors_policy/awslambda_function_url_cors_policy.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json +22 -12
- prowler/providers/aws/services/awslambda/awslambda_function_using_supported_runtimes/awslambda_function_using_supported_runtimes.metadata.json +24 -13
- prowler/providers/aws/services/awslambda/awslambda_function_vpc_multi_az/awslambda_function_vpc_multi_az.metadata.json +23 -13
- prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.metadata.json +22 -15
- prowler/providers/aws/services/backup/backup_recovery_point_encrypted/backup_recovery_point_encrypted.metadata.json +21 -12
- prowler/providers/aws/services/backup/backup_reportplans_exist/backup_reportplans_exist.metadata.json +19 -15
- prowler/providers/aws/services/backup/backup_vaults_encrypted/backup_vaults_encrypted.metadata.json +24 -13
- prowler/providers/aws/services/backup/backup_vaults_exist/backup_vaults_exist.metadata.json +19 -15
- prowler/providers/aws/services/cloudformation/cloudformation_stack_cdktoolkit_bootstrap_version/cloudformation_stack_cdktoolkit_bootstrap_version.metadata.json +24 -13
- prowler/providers/aws/services/cloudformation/cloudformation_stack_outputs_find_secrets/cloudformation_stack_outputs_find_secrets.metadata.json +22 -12
- prowler/providers/aws/services/cloudformation/cloudformation_stacks_termination_protection_enabled/cloudformation_stacks_termination_protection_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_custom_ssl_certificate/cloudfront_distributions_custom_ssl_certificate.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_default_root_object/cloudfront_distributions_default_root_object.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_field_level_encryption_enabled/cloudfront_distributions_field_level_encryption_enabled.metadata.json +19 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_geo_restrictions_enabled/cloudfront_distributions_geo_restrictions_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_enabled/cloudfront_distributions_https_enabled.metadata.json +21 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_https_sni_enabled/cloudfront_distributions_https_sni_enabled.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_logging_enabled/cloudfront_distributions_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_multiple_origin_failover_configured/cloudfront_distributions_multiple_origin_failover_configured.metadata.json +21 -16
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.metadata.json +27 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_access_control/cloudfront_distributions_s3_origin_access_control.metadata.json +24 -14
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json +18 -11
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_deprecated_ssl_protocols/cloudfront_distributions_using_deprecated_ssl_protocols.metadata.json +20 -12
- prowler/providers/aws/services/cloudfront/cloudfront_distributions_using_waf/cloudfront_distributions_using_waf.metadata.json +21 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_bucket_requires_mfa_delete/cloudtrail_bucket_requires_mfa_delete.metadata.json +16 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_cloudwatch_logging_enabled/cloudtrail_cloudwatch_logging_enabled.metadata.json +19 -15
- prowler/providers/aws/services/cloudtrail/cloudtrail_insights_exist/cloudtrail_insights_exist.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_kms_encryption_enabled/cloudtrail_kms_encryption_enabled.metadata.json +19 -14
- prowler/providers/aws/services/cloudtrail/cloudtrail_log_file_validation_enabled/cloudtrail_log_file_validation_enabled.metadata.json +20 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_access_logging_enabled/cloudtrail_logs_s3_bucket_access_logging_enabled.metadata.json +18 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_logs_s3_bucket_is_not_publicly_accessible/cloudtrail_logs_s3_bucket_is_not_publicly_accessible.metadata.json +24 -16
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled/cloudtrail_multi_region_enabled.metadata.json +17 -13
- prowler/providers/aws/services/cloudtrail/cloudtrail_multi_region_enabled_logging_management_events/cloudtrail_multi_region_enabled_logging_management_events.metadata.json +19 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_read_enabled/cloudtrail_s3_dataevents_read_enabled.metadata.json +22 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_s3_dataevents_write_enabled/cloudtrail_s3_dataevents_write_enabled.metadata.json +21 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_enumeration/cloudtrail_threat_detection_enumeration.metadata.json +22 -11
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_llm_jacking/cloudtrail_threat_detection_llm_jacking.metadata.json +25 -12
- prowler/providers/aws/services/cloudtrail/cloudtrail_threat_detection_privilege_escalation/cloudtrail_threat_detection_privilege_escalation.metadata.json +18 -10
- prowler/providers/aws/services/config/config_recorder_all_regions_enabled/config_recorder_all_regions_enabled.metadata.json +20 -12
- prowler/providers/aws/services/config/config_recorder_using_aws_service_role/config_recorder_using_aws_service_role.metadata.json +20 -13
- prowler/providers/aws/services/directoryservice/directoryservice_directory_log_forwarding_enabled/directoryservice_directory_log_forwarding_enabled.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_monitor_notifications/directoryservice_directory_monitor_notifications.metadata.json +19 -11
- prowler/providers/aws/services/directoryservice/directoryservice_directory_snapshots_limit/directoryservice_directory_snapshots_limit.metadata.json +19 -10
- prowler/providers/aws/services/directoryservice/directoryservice_ldap_certificate_expiration/directoryservice_ldap_certificate_expiration.metadata.json +20 -11
- prowler/providers/aws/services/directoryservice/directoryservice_radius_server_security_protocol/directoryservice_radius_server_security_protocol.metadata.json +23 -12
- prowler/providers/aws/services/directoryservice/directoryservice_supported_mfa_radius_enabled/directoryservice_supported_mfa_radius_enabled.metadata.json +23 -12
- prowler/providers/aws/services/dlm/dlm_ebs_snapshot_lifecycle_policy_exists/dlm_ebs_snapshot_lifecycle_policy_exists.metadata.json +19 -13
- prowler/providers/aws/services/dms/dms_endpoint_mongodb_authentication_enabled/dms_endpoint_mongodb_authentication_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_endpoint_neptune_iam_authorization_enabled/dms_endpoint_neptune_iam_authorization_enabled.metadata.json +19 -12
- prowler/providers/aws/services/dms/dms_endpoint_redis_in_transit_encryption_enabled/dms_endpoint_redis_in_transit_encryption_enabled.metadata.json +23 -13
- prowler/providers/aws/services/dms/dms_endpoint_ssl_enabled/dms_endpoint_ssl_enabled.metadata.json +27 -19
- prowler/providers/aws/services/dms/dms_instance_minor_version_upgrade_enabled/dms_instance_minor_version_upgrade_enabled.metadata.json +22 -12
- prowler/providers/aws/services/dms/dms_instance_multi_az_enabled/dms_instance_multi_az_enabled.metadata.json +20 -13
- prowler/providers/aws/services/dms/dms_instance_no_public_access/dms_instance_no_public_access.metadata.json +22 -11
- prowler/providers/aws/services/dms/dms_replication_task_source_logging_enabled/dms_replication_task_source_logging_enabled.metadata.json +21 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.metadata.json +22 -13
- prowler/providers/aws/services/dms/dms_replication_task_target_logging_enabled/dms_replication_task_target_logging_enabled.py +39 -37
- prowler/providers/aws/services/dms/dms_service.py +0 -1
- prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.py +11 -10
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/__init__.py +0 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.metadata.json +30 -0
- prowler/providers/aws/services/ec2/ec2_instance_with_outdated_ami/ec2_instance_with_outdated_ami.py +52 -0
- prowler/providers/aws/services/ec2/ec2_service.py +26 -14
- prowler/providers/aws/services/efs/efs_access_point_enforce_root_directory/efs_access_point_enforce_root_directory.metadata.json +19 -13
- prowler/providers/aws/services/efs/efs_access_point_enforce_user_identity/efs_access_point_enforce_user_identity.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_encryption_at_rest_enabled/efs_encryption_at_rest_enabled.metadata.json +23 -13
- prowler/providers/aws/services/efs/efs_have_backup_enabled/efs_have_backup_enabled.metadata.json +20 -14
- prowler/providers/aws/services/efs/efs_mount_target_not_publicly_accessible/efs_mount_target_not_publicly_accessible.metadata.json +18 -12
- prowler/providers/aws/services/efs/efs_multi_az_enabled/efs_multi_az_enabled.metadata.json +21 -13
- prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.metadata.json +17 -13
- prowler/providers/aws/services/eks/eks_cluster_uses_a_supported_version/eks_cluster_uses_a_supported_version.py +4 -0
- prowler/providers/aws/services/elb/elb_ssl_listeners_use_acm_certificate/elb_ssl_listeners_use_acm_certificate.py +8 -2
- prowler/providers/aws/services/neptune/neptune_cluster_backup_enabled/neptune_cluster_backup_enabled.metadata.json +23 -13
- prowler/providers/aws/services/neptune/neptune_cluster_copy_tags_to_snapshots/neptune_cluster_copy_tags_to_snapshots.metadata.json +18 -14
- prowler/providers/aws/services/neptune/neptune_cluster_deletion_protection/neptune_cluster_deletion_protection.metadata.json +23 -14
- prowler/providers/aws/services/neptune/neptune_cluster_iam_authentication_enabled/neptune_cluster_iam_authentication_enabled.metadata.json +25 -13
- prowler/providers/aws/services/neptune/neptune_cluster_integration_cloudwatch_logs/neptune_cluster_integration_cloudwatch_logs.metadata.json +22 -14
- prowler/providers/aws/services/neptune/neptune_cluster_multi_az/neptune_cluster_multi_az.metadata.json +20 -12
- prowler/providers/aws/services/neptune/neptune_cluster_public_snapshot/neptune_cluster_public_snapshot.metadata.json +18 -10
- prowler/providers/aws/services/neptune/neptune_cluster_snapshot_encrypted/neptune_cluster_snapshot_encrypted.metadata.json +16 -10
- prowler/providers/aws/services/neptune/neptune_cluster_storage_encrypted/neptune_cluster_storage_encrypted.metadata.json +22 -13
- prowler/providers/aws/services/neptune/neptune_cluster_uses_public_subnet/neptune_cluster_uses_public_subnet.metadata.json +20 -12
- prowler/providers/aws/services/rds/rds_service.py +9 -2
- prowler/providers/aws/services/vpc/vpc_service.py +1 -1
- prowler/providers/azure/services/entra/entra_service.py +54 -25
- prowler/providers/common/arguments.py +16 -2
- prowler/providers/common/provider.py +34 -2
- prowler/providers/gcp/services/cloudsql/cloudsql_service.py +3 -3
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/__init__.py +0 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.metadata.json +34 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_lifecycle_management_enabled/cloudstorage_bucket_lifecycle_management_enabled.py +48 -0
- prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py +10 -0
- prowler/providers/gcp/services/compute/compute_project_os_login_enabled/compute_project_os_login_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_audit_logs_enabled/iam_audit_logs_enabled.py +5 -0
- prowler/providers/gcp/services/iam/iam_role_kms_enforce_separation_of_duties/iam_role_kms_enforce_separation_of_duties.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.py +5 -0
- prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.py +5 -0
- prowler/providers/gcp/services/monitoring/monitoring_service.py +30 -2
- prowler/providers/iac/iac_provider.py +1 -1
- prowler/providers/llm/__init__.py +0 -0
- prowler/providers/llm/lib/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/__init__.py +0 -0
- prowler/providers/llm/lib/arguments/arguments.py +13 -0
- prowler/providers/llm/llm_provider.py +518 -0
- prowler/providers/llm/models.py +27 -0
- prowler/providers/m365/exceptions/exceptions.py +0 -55
- prowler/providers/m365/lib/arguments/arguments.py +8 -4
- prowler/providers/m365/lib/powershell/m365_powershell.py +14 -156
- prowler/providers/m365/m365_provider.py +19 -117
- prowler/providers/m365/models.py +0 -3
- prowler/providers/m365/services/admincenter/admincenter_service.py +52 -23
- prowler/providers/m365/services/entra/entra_admin_users_phishing_resistant_mfa_enabled/entra_admin_users_phishing_resistant_mfa_enabled.py +19 -2
- prowler/providers/m365/services/entra/entra_service.py +58 -30
- prowler/providers/m365/services/sharepoint/sharepoint_service.py +24 -3
- prowler/providers/oraclecloud/__init__.py +0 -0
- prowler/providers/oraclecloud/config.py +61 -0
- prowler/providers/oraclecloud/exceptions/__init__.py +0 -0
- prowler/providers/oraclecloud/exceptions/exceptions.py +197 -0
- prowler/providers/oraclecloud/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/arguments/arguments.py +123 -0
- prowler/providers/oraclecloud/lib/mutelist/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/mutelist/mutelist.py +176 -0
- prowler/providers/oraclecloud/lib/service/__init__.py +0 -0
- prowler/providers/oraclecloud/lib/service/service.py +213 -0
- prowler/providers/oraclecloud/models.py +96 -0
- prowler/providers/oraclecloud/oci_provider.py +1038 -0
- prowler/providers/oraclecloud/services/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_client.py +6 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/analytics/analytics_instance_access_restricted/analytics_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/analytics/analytics_service.py +99 -0
- prowler/providers/oraclecloud/services/audit/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_client.py +4 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/audit/audit_log_retention_period_365_days/audit_log_retention_period_365_days.py +46 -0
- prowler/providers/oraclecloud/services/audit/audit_service.py +57 -0
- prowler/providers/oraclecloud/services/blockstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_block_volume_encrypted_with_cmk/blockstorage_block_volume_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_boot_volume_encrypted_with_cmk/blockstorage_boot_volume_encrypted_with_cmk.py +35 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/blockstorage/blockstorage_service.py +182 -0
- prowler/providers/oraclecloud/services/cloudguard/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_client.py +6 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_enabled/cloudguard_enabled.py +39 -0
- prowler/providers/oraclecloud/services/cloudguard/cloudguard_service.py +63 -0
- prowler/providers/oraclecloud/services/compute/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_client.py +4 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_in_transit_encryption_enabled/compute_instance_in_transit_encryption_enabled.py +38 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_legacy_metadata_endpoint_disabled/compute_instance_legacy_metadata_endpoint_disabled.py +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/compute/compute_instance_secure_boot_enabled/compute_instance_secure_boot_enabled.py +39 -0
- prowler/providers/oraclecloud/services/compute/compute_service.py +136 -0
- prowler/providers/oraclecloud/services/database/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/database/database_autonomous_database_access_restricted/database_autonomous_database_access_restricted.py +40 -0
- prowler/providers/oraclecloud/services/database/database_client.py +6 -0
- prowler/providers/oraclecloud/services/database/database_service.py +79 -0
- prowler/providers/oraclecloud/services/events/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_client.py +4 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.py +53 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json +36 -0
- prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.py +90 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_identity_provider_changes/events_rule_identity_provider_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_idp_group_mapping_changes/events_rule_idp_group_mapping_changes.py +67 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.metadata.json +38 -0
- prowler/providers/oraclecloud/services/events/events_rule_local_user_authentication/events_rule_local_user_authentication.py +63 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_gateway_changes/events_rule_network_gateway_changes.py +88 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_network_security_group_changes/events_rule_network_security_group_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_route_table_changes/events_rule_route_table_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_security_list_changes/events_rule_security_list_changes.py +68 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_user_changes/events_rule_user_changes.py +69 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.metadata.json +37 -0
- prowler/providers/oraclecloud/services/events/events_rule_vcn_changes/events_rule_vcn_changes.py +65 -0
- prowler/providers/oraclecloud/services/events/events_service.py +215 -0
- prowler/providers/oraclecloud/services/events/lib/__init__.py +0 -0
- prowler/providers/oraclecloud/services/events/lib/helpers.py +116 -0
- prowler/providers/oraclecloud/services/filestorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_client.py +6 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.metadata.json +36 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_file_system_encrypted_with_cmk/filestorage_file_system_encrypted_with_cmk.py +39 -0
- prowler/providers/oraclecloud/services/filestorage/filestorage_service.py +96 -0
- prowler/providers/oraclecloud/services/identity/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_client.py +4 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_iam_admins_cannot_update_tenancy_admins/identity_iam_admins_cannot_update_tenancy_admins.py +107 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_instance_principal_used/identity_instance_principal_used.py +70 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_no_resources_in_root_compartment/identity_no_resources_in_root_compartment.py +51 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_non_root_compartment_exists/identity_non_root_compartment_exists.py +39 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_expires_within_365_days/identity_password_policy_expires_within_365_days.py +67 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_minimum_length_14/identity_password_policy_minimum_length_14.py +97 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_password_policy_prevents_reuse/identity_password_policy_prevents_reuse.py +77 -0
- prowler/providers/oraclecloud/services/identity/identity_service.py +828 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.metadata.json +32 -0
- prowler/providers/oraclecloud/services/identity/identity_service_level_admins_exist/identity_service_level_admins_exist.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_permissions_limited/identity_tenancy_admin_permissions_limited.py +81 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_tenancy_admin_users_no_api_keys/identity_tenancy_admin_users_no_api_keys.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.metadata.json +37 -0
- prowler/providers/oraclecloud/services/identity/identity_user_api_keys_rotated_90_days/identity_user_api_keys_rotated_90_days.py +73 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_auth_tokens_rotated_90_days/identity_user_auth_tokens_rotated_90_days.py +52 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_customer_secret_keys_rotated_90_days/identity_user_customer_secret_keys_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_db_passwords_rotated_90_days/identity_user_db_passwords_rotated_90_days.py +49 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_mfa_enabled_console_access/identity_user_mfa_enabled_console_access.py +43 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/__init__.py +0 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.metadata.json +36 -0
- prowler/providers/oraclecloud/services/identity/identity_user_valid_email_address/identity_user_valid_email_address.py +38 -0
- prowler/providers/oraclecloud/services/integration/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_client.py +8 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/__init__.py +0 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.metadata.json +36 -0
- prowler/providers/oraclecloud/services/integration/integration_instance_access_restricted/integration_instance_access_restricted.py +48 -0
- prowler/providers/oraclecloud/services/integration/integration_service.py +92 -0
- prowler/providers/oraclecloud/services/kms/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_client.py +4 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/kms/kms_key_rotation_enabled/kms_key_rotation_enabled.py +37 -0
- prowler/providers/oraclecloud/services/kms/kms_service.py +136 -0
- prowler/providers/oraclecloud/services/logging/__init__.py +0 -0
- prowler/providers/oraclecloud/services/logging/logging_client.py +6 -0
- prowler/providers/oraclecloud/services/logging/logging_service.py +189 -0
- prowler/providers/oraclecloud/services/network/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_client.py +4 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_default_security_list_restricts_traffic/network_default_security_list_restricts_traffic.py +99 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_rdp_port/network_security_group_ingress_from_internet_to_rdp_port.py +65 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_group_ingress_from_internet_to_ssh_port/network_security_group_ingress_from_internet_to_ssh_port.py +70 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_rdp_port/network_security_list_ingress_from_internet_to_rdp_port.py +62 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.metadata.json +37 -0
- prowler/providers/oraclecloud/services/network/network_security_list_ingress_from_internet_to_ssh_port/network_security_list_ingress_from_internet_to_ssh_port.py +67 -0
- prowler/providers/oraclecloud/services/network/network_service.py +321 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.metadata.json +36 -0
- prowler/providers/oraclecloud/services/network/network_vcn_subnet_flow_logs_enabled/network_vcn_subnet_flow_logs_enabled.py +66 -0
- prowler/providers/oraclecloud/services/objectstorage/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_encrypted_with_cmk/objectstorage_bucket_encrypted_with_cmk.py +40 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.metadata.json +32 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_logging_enabled/objectstorage_bucket_logging_enabled.py +68 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_not_publicly_accessible/objectstorage_bucket_not_publicly_accessible.py +43 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/__init__.py +0 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.metadata.json +37 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_bucket_versioning_enabled/objectstorage_bucket_versioning_enabled.py +38 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_client.py +6 -0
- prowler/providers/oraclecloud/services/objectstorage/objectstorage_service.py +138 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/METADATA +9 -33
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/RECORD +528 -280
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/LICENSE +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/WHEEL +0 -0
- {prowler_cloud-5.12.3.dist-info → prowler_cloud-5.13.0.dist-info}/entry_points.txt +0 -0
|
@@ -0,0 +1,1141 @@
|
|
|
1
|
+
{
|
|
2
|
+
"Framework": "CIS",
|
|
3
|
+
"Name": "CIS Oracle Cloud Infrastructure Foundations Benchmark v3.0.0",
|
|
4
|
+
"Version": "3.0",
|
|
5
|
+
"Provider": "OCI",
|
|
6
|
+
"Description": "The CIS Oracle Cloud Infrastructure Foundations Benchmark provides prescriptive guidance for configuring security options for Oracle Cloud Infrastructure with an emphasis on foundational, testable, and architecture agnostic settings.",
|
|
7
|
+
"Requirements": [
|
|
8
|
+
{
|
|
9
|
+
"Id": "1.1",
|
|
10
|
+
"Description": "Ensure service level admins are created to manage resources of particular service",
|
|
11
|
+
"Checks": [
|
|
12
|
+
"identity_service_level_admins_exist"
|
|
13
|
+
],
|
|
14
|
+
"Attributes": [
|
|
15
|
+
{
|
|
16
|
+
"Section": "1. Identity and Access Management",
|
|
17
|
+
"Profile": "Level 1",
|
|
18
|
+
"AssessmentStatus": "Manual",
|
|
19
|
+
"Description": "To apply least-privilege security principle, one can create service-level administrators in corresponding groups and assigning specific users to each service-level administrative group in a tenancy. This limits administrative access in a tenancy. \n\nIt means service-level administrators can only manage resources of a specific service.\n\nExample policies for global/tenant level service-administrators\n```\nAllow group VolumeAdmins to manage volume-family in tenancy\nAllow group ComputeAdmins to manage instance-family in tenancy\nAllow group NetworkAdmins to manage virtual-network-family in tenancy\n```\n\n```\nA tenancy with identity domains : An Identity Domain is a container of users, groups, Apps and other security configurations. A tenancy that has Identity Domains available comes seeded with a 'Default' identity domain. \n\nIf a group belongs to a domain different than the default domain, use a domain prefix in the policy statements.\nExample - \nAllow group <identity_domain_name>/<group_name> to <verb> <resource-type> in compartment <compartment_name>\n\nIf you do not include the <identity_domain_name> before the <group_name>, then the policy statement is evaluated as though the group belongs to the default identity domain.\n\n```\nOrganizations have various ways of defining service-administrators. Some may prefer creating service administrators at a tenant level and some per department or per project or even per application environment ( dev/test/production etc.). 
Either approach works so long as the policies are written to limit access given to the service-administrators.\n\n Example policies for compartment level service-administrators \n\n```\nAllow group NonProdComputeAdmins to manage instance-family in compartment dev\nAllow group ProdComputeAdmins to manage instance-family in compartment production\nAllow group A-Admins to manage instance-family in compartment Project-A\nAllow group A-Admins to manage volume-family in compartment Project-A\n```\n\n```\nA tenancy with identity domains : An Identity Domain is a container of users, groups, Apps and other security configurations. A tenancy that has Identity Domains available comes seeded with a 'Default' identity domain. \n\nIf a group belongs to a domain different than the default domain, use a domain prefix in the policy statements.\nExample - \nAllow group <identity_domain_name>/<group_name> to <verb> <resource-type> in compartment <compartment_name>\n\nIf you do not include the <identity_domain_name> before the <group_name>, then the policy statement is evaluated as though the group belongs to the default identity domain.\n\n```",
|
|
20
|
+
"RationaleStatement": "Creating service-level administrators helps in tightly controlling access to Oracle Cloud Infrastructure (OCI) services to implement the least-privileged security principle.",
|
|
21
|
+
"ImpactStatement": "",
|
|
22
|
+
"RemediationProcedure": "Refer to the [policy syntax document](https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm) and create new policies if the audit results indicate that the required policies are missing.\nThis can be done via OCI console or OCI CLI/SDK or API.\n\nCreating a new policy:\n\n***From CLI:***\n\n```\noci iam policy create [OPTIONS]\n```\nCreates a new policy in the specified compartment (either the tenancy or another of your compartments). If you're new to policies, see\n [Getting Started with Policies](https://docs.cloud.oracle.com/Content/Identity/Concepts/policygetstarted.htm) \n\nYou must specify a name for the policy, which must be unique across all policies in your tenancy and cannot be changed.\n\nYou must also specify a description for the policy (although it can be an empty string). It does not have to be unique, and you can change it anytime with UpdatePolicy.\n\nYou must specify one or more policy statements in the statements array.\nFor information about writing policies, see How [Policies Work](https://docs.cloud.oracle.com/Content/Identity/Concepts/policies.htm) and [Common Policies](https://docs.cloud.oracle.com/Content/Identity/Concepts/commonpolicies.htm).",
|
|
23
|
+
"AuditProcedure": "***From CLI:***\n\n1) [Set up OCI CLI](https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm) with an IAM administrator user who has read access to IAM resources such as groups and policies.\n\n2) Run OCI CLI command providing the root_compartment_OCID\nGet the list of groups in a tenancy\n```\noci iam group list --compartment-id <root_compartment_OCID> | grep name\n```\n\n```\nA tenancy with identity domains : The above CLI commands work with the default identity domain only.\nFor IaaS resource management, users and groups created in the default domain are sufficient. \n\n```\n3) Ensure distinct administrative groups are created as per your organization's definition of service-administrators.\n\n4) Verify the appropriate policies are created for the service-administrators groups to have the right access to the corresponding services. Retrieve the policy statements scoped at the tenancy level and/or per compartment. \n```\noci iam policy list --compartment-id <root_compartment_OCID> | grep \"in tenancy\"\n\noci iam policy list --compartment-id <root_compartment_OCID> | grep \"in compartment\"\n```\nThe --compartment-id parameter can be changed to a child compartment to get policies associated with child compartments.\n```\noci iam policy list --compartment-id <child_compartment_OCID> | grep \"in compartment\"\n\n```\nVerify the results to ensure the right policies are created for service-administrators to have the necessary access.",
|
|
24
|
+
"AdditionalInformation": "",
|
|
25
|
+
"References": ""
|
|
26
|
+
}
|
|
27
|
+
]
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"Id": "1.2",
|
|
31
|
+
"Description": "Ensure permissions on all resources are given only to the tenancy administrator group",
|
|
32
|
+
"Checks": [
|
|
33
|
+
"identity_tenancy_admin_permissions_limited"
|
|
34
|
+
],
|
|
35
|
+
"Attributes": [
|
|
36
|
+
{
|
|
37
|
+
"Section": "1. Identity and Access Management",
|
|
38
|
+
"Profile": "Level 1",
|
|
39
|
+
"AssessmentStatus": "Automated",
|
|
40
|
+
"Description": "There is a built-in OCI IAM policy enabling the Administrators group to perform any action within a tenancy. In the OCI IAM console, this policy reads:\n\n```\nAllow group Administrators to manage all-resources in tenancy\n```\n\nAdministrators create more users, groups, and policies to provide appropriate access to other groups.\n\nAdministrators should not allow any-other-group full access to the tenancy by writing a policy like this - \n\n```\nAllow group any-other-group to manage all-resources in tenancy\n```\n\nThe access should be narrowed down to ensure the least-privileged principle is applied.",
|
|
41
|
+
"RationaleStatement": "Permission to manage all resources in a tenancy should be limited to a small number of users in the `Administrators` group for break-glass situations and to set up users/groups/policies when a tenancy is created.\n\nNo group other than `Administrators` in a tenancy should need access to all resources in a tenancy, as this violates the enforcement of the least privilege principle.",
|
|
42
|
+
"ImpactStatement": "",
|
|
43
|
+
"RemediationProcedure": "**From Console:**\n\n1) Login to OCI console.\n2) Go to `Identity` -> `Policies`, In the compartment dropdown, choose the root compartment. Open each policy to view the policy statements. \n2) Remove any policy statement that allows any group other than `Administrators` or any service access to manage all resources in the tenancy. \n\n**From CLI:**\n\nThe policies can also be updated via OCI CLI, SDK and API, with an example of the CLI commands below:\n\n * Delete a policy via the CLI:\n `oci iam policy delete --policy-id <policy-ocid>`\n\n * Update a policy via the CLI:\n `oci iam policy update --policy-id <policy-ocid> --statements <json-array-of-statements>`\n\nNote: You should generally **not** delete the policy that allows the `Administrators` group the ability to manage all resources in the tenancy.",
|
|
44
|
+
"AuditProcedure": "**From CLI:**\n\n1) Run OCI CLI command providing the root compartment OCID to get the list of groups having access to manage all resources in your tenancy. \n\n```\noci iam policy list --compartment-id <root_compartment_OCID> | grep -i \"to manage all-resources in tenancy\" \n```\n2) Verify the results to ensure only the `Administrators` group has access to manage all resources in tenancy.\n\n \"Allow group Administrators to manage all-resources in tenancy\"",
|
|
45
|
+
"AdditionalInformation": "",
|
|
46
|
+
"References": ""
|
|
47
|
+
}
|
|
48
|
+
]
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
"Id": "1.3",
|
|
52
|
+
"Description": "Ensure IAM administrators cannot update tenancy Administrators group",
|
|
53
|
+
"Checks": [
|
|
54
|
+
"identity_iam_admins_cannot_update_tenancy_admins"
|
|
55
|
+
],
|
|
56
|
+
"Attributes": [
|
|
57
|
+
{
|
|
58
|
+
"Section": "1. Identity and Access Management",
|
|
59
|
+
"Profile": "Level 1",
|
|
60
|
+
"AssessmentStatus": "Automated",
|
|
61
|
+
"Description": "Tenancy administrators can create more users, groups, and policies to provide other service administrators access to OCI resources.\n\nFor example, an IAM administrator will need to have access to manage \nresources like compartments, users, groups, dynamic-groups, policies, identity-providers, tenancy tag-namespaces, tag-definitions in the tenancy.\n\nThe policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group.\n\nThe policy statements would look like -\n\n```\nAllow group IAMAdmins to inspect users in tenancy\nAllow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'\nAllow group IAMAdmins to inspect groups in tenancy\nAllow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'\n```\n\n**Note:** You must include separate statements for 'inspect' access, because the target.group.name variable is not used by the ListUsers and ListGroups operations",
|
|
62
|
+
"RationaleStatement": "These policy statements ensure that no other group can manage tenancy administrator users or the membership to the 'Administrators' group thereby gain or remove tenancy administrator access.",
|
|
63
|
+
"ImpactStatement": "",
|
|
64
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. Select `Identity` from Services Menu.\n3. Select `Policies` from Identity Menu.\n4. Click on an individual policy under the Name heading.\n5. Ensure Policy statements look like this -\n\n```\nAllow group IAMAdmins to use users in tenancy where target.group.name != 'Administrators'\nAllow group IAMAdmins to use groups in tenancy where target.group.name != 'Administrators'\n```",
|
|
65
|
+
"AuditProcedure": "**From CLI:**\n\n1) Run the following OCI CLI commands providing the root_compartment_OCID \n\n```\noci iam policy list --compartment-id <root_compartment_OCID> | grep -i \" to use users in tenancy\"\noci iam policy list --compartment-id <root_compartment_OCID> | grep -i \" to use groups in tenancy\"\n```\n2) Verify the results to ensure that the policy statements that grant access to use or manage users or groups in the tenancy have a condition that excludes access to `Administrators` group or to users in the Administrators group.",
|
|
66
|
+
"AdditionalInformation": "",
|
|
67
|
+
"References": ""
|
|
68
|
+
}
|
|
69
|
+
]
|
|
70
|
+
},
|
|
71
|
+
{
|
|
72
|
+
"Id": "1.4",
|
|
73
|
+
"Description": "Ensure IAM password policy requires minimum length of 14 or greater",
|
|
74
|
+
"Checks": [
|
|
75
|
+
"identity_password_policy_minimum_length_14"
|
|
76
|
+
],
|
|
77
|
+
"Attributes": [
|
|
78
|
+
{
|
|
79
|
+
"Section": "1. Identity and Access Management",
|
|
80
|
+
"Profile": "Level 1",
|
|
81
|
+
"AssessmentStatus": "Automated",
|
|
82
|
+
"Description": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a certain length and are composed of certain characters. \n\nIt is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic\ncharacter (Number or “Special Character”).",
|
|
83
|
+
"RationaleStatement": "In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account. In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.\n\nIn general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren’t hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents. \n\nPassword composition requirements are a poor defense against guessing attacks. Forcing users to choose some combination of upper-case, lower-case, numbers, and special characters has a negative impact. It places an extra burden on users and many\nwill use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a “special character” at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.\n\nPasswords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.",
|
|
84
|
+
"ImpactStatement": "",
|
|
85
|
+
"RemediationProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the Compartment the Domain to remediate is in\n1. Click on the Domain to remediate\n1. Click on Settings\n1. Click on Password policy to remediate\n1. Click Edit password rules\n1. Update the `Password length (minimum)` setting to 14 or greater\n6. Under The `Passwords must meet the following character requirements` section, update the number given in `Special (minimum)` setting to `1` or greater\n\nor\n\n Under The `Passwords must meet the following character requirements` section, update the number given in `Numeric (minimum)` setting to `1` or greater\n7. Click `Save changes`",
|
|
86
|
+
"AuditProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the `Compartment` your Domain to review is in\n1. Click on the Domain to review\n1. Click on `Settings`\n1. Click on `Password policy`\n1. Click each Password policy in the domain\n1. Ensure `Password length (minimum)` is greater than or equal to 14\n1. Under The `The following criteria apply to passwords` section, ensure that the number given in `Numeric (minimum)` setting is `1`, or the `Special (minimum)` setting is `1`.\n\nThe following criteria apply to passwords:\n6. Ensure that 1 or more is selected for `Numeric (minimum)` OR `Special (minimum)`\n\n**From Cloud Guard:**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in \"Ensure Cloud Guard is enabled in the root compartment of the tenancy\" Recommendation in the \"Logging and Monitoring\" section. \n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console.\n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find Password policy does not meet complexity requirements in the Detector Rules column.\n6. Select the vertical ellipsis icon and chose `Edit` on the Password policy does not meet complexity requirements row.\n7. In the Edit Detector Rule window, find the Input Setting box and verify/change the Required password length setting to 14.\n8. Click the `Save` button.\n\n**From CLI:**\n1. 
Update the Password policy does not meet complexity requirements Detector Rule in Cloud Guard to generate Problems if IAM password policy isn’t configured to enforce a password length of at least 14 characters with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <insert detector recipe ocid> --detector-rule-id PASSWORD_POLICY_NOT_COMPLEX --details '{\"configurations\":[{ \"configKey\" : \"passwordPolicyMinLength\", \"name\" : \"Required password length\", \"value\" : \"14\", \"dataType\" : null, \"values\" : null }]}'\n```",
|
|
87
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
88
|
+
"References": "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
|
|
89
|
+
}
|
|
90
|
+
]
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"Id": "1.5",
|
|
94
|
+
"Description": "Ensure IAM password policy expires passwords within 365 days",
|
|
95
|
+
"Checks": [
|
|
96
|
+
"identity_password_policy_expires_within_365_days"
|
|
97
|
+
],
|
|
98
|
+
"Attributes": [
|
|
99
|
+
{
|
|
100
|
+
"Section": "1. Identity and Access Management",
|
|
101
|
+
"Profile": "Level 1",
|
|
102
|
+
"AssessmentStatus": "Manual",
|
|
103
|
+
"Description": "IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 365 and are changed immediately based on events.",
|
|
104
|
+
"RationaleStatement": "Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other.10 In these cases, the next password can be predicted based on the previous one (incrementing a number used in the password for example). Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be based on key events including, but not\nlimited to:\n\n1. Indication of compromise\n1. Change of user roles\n1. When a user leaves the organization.\n\nNot only does changing passwords every few weeks or months frustrate the user, it’s been suggested that it does more harm than good, because it could lead to bad practices by the user such as adding a character to the end of their existing password.\n\nIn addition, we also recommend a yearly password change. This is primarily because for all their good intentions users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see this notification, or forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise to mitigate this with minimal user burden.",
|
|
105
|
+
"ImpactStatement": "",
|
|
106
|
+
"RemediationProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the `Compartment` the Domain to remediate is in\n1. Click on the Domain to remediate\n1. Click on `Settings`\n1. Click on `Password policy` to remediate\n1. Click `Edit password rules`\n1. Change `Expires after (days)` to 365",
|
|
107
|
+
"AuditProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the `Compartment` your Domain to review is in\n1. Click on the Domain to review\n1. Click on `Settings`\n1. Click on `Password policy`\n1. Click each Password policy in the domain\n1. Ensure `Expires after (days)` is less than or equal to 365 days",
|
|
108
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
109
|
+
"References": "https://www.cisecurity.org/white-papers/cis-password-policy-guide/"
|
|
110
|
+
}
|
|
111
|
+
]
|
|
112
|
+
},
|
|
113
|
+
{
|
|
114
|
+
"Id": "1.6",
|
|
115
|
+
"Description": "Ensure IAM password policy prevents password reuse",
|
|
116
|
+
"Checks": [
|
|
117
|
+
"identity_password_policy_prevents_reuse"
|
|
118
|
+
],
|
|
119
|
+
"Attributes": [
|
|
120
|
+
{
|
|
121
|
+
"Section": "1. Identity and Access Management",
|
|
122
|
+
"Profile": "Level 1",
|
|
123
|
+
"AssessmentStatus": "Manual",
|
|
124
|
+
"Description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended the password policy prevent the reuse of passwords.",
|
|
125
|
+
"RationaleStatement": "Enforcing password history ensures that passwords are not reused in for a certain period of time by the same user. If a user is not allowed to use last 24 passwords, that window of time is greater. This helps maintain the effectiveness of password security.",
|
|
126
|
+
"ImpactStatement": "",
|
|
127
|
+
"RemediationProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the Compartment the Domain to remediate is in\n1. Click on the Domain to remediate\n1. Click on Settings\n1. Click on Password policy to remediate\n1. Click Edit password rules\n1. Update the number of remembered passwords in `Previous passwords remembered` setting to 24 or greater.",
|
|
128
|
+
"AuditProcedure": "1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the `Compartment` your Domain to review is in\n1. Click on the Domain to review\n1. Click on `Settings`\n1. Click on `Password policy`\n1. Click each Password policy in the domain\n1. Ensure `Previous passwords remembered` is set 24 or greater",
|
|
129
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
130
|
+
"References": ""
|
|
131
|
+
}
|
|
132
|
+
]
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"Id": "1.7",
|
|
136
|
+
"Description": "Ensure MFA is enabled for all users with a console password",
|
|
137
|
+
"Checks": [
|
|
138
|
+
"identity_user_mfa_enabled_console_access"
|
|
139
|
+
],
|
|
140
|
+
"Attributes": [
|
|
141
|
+
{
|
|
142
|
+
"Section": "1. Identity and Access Management",
|
|
143
|
+
"Profile": "Level 1",
|
|
144
|
+
"AssessmentStatus": "Automated",
|
|
145
|
+
"Description": "Multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user’s identity.\n\nWith MFA enabled in the IAM service, when a user signs in to Oracle Cloud Infrastructure, they are prompted for their user name and password, which is the first factor (something that they know). The user is then prompted to provide a verification code from a registered MFA device, which is the second factor (something that they have). The two factors work together, requiring an extra layer of security to verify the user’s identity and complete the sign-in process.\n\nOCI IAM supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).\n\nSee [OCI documentation](https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm) for more details.",
|
|
146
|
+
"RationaleStatement": "Multi factor authentication adds an extra layer of security during the login process and makes it harder for unauthorized users to gain access to OCI resources.",
|
|
147
|
+
"ImpactStatement": "",
|
|
148
|
+
"RemediationProcedure": "Each user must enable MFA for themselves using a device they will have access to every time they sign in. An administrator cannot enable MFA for another user but can enforce MFA by identifying the list of non-complaint users, notifying them or disabling access by resetting the password for non-complaint accounts.\n\n**Disabling access from Console:**\n\n1. Go to [https://cloud.oracle.com/identity/](https://cloud.oracle.com/identity/).\n1. Select `Domains` from Identity menu.\n1. Select the domain\n1. Click `Security`\n1. Click `Sign-on polices` then the `\"Default Sign-on Policy\"`\n1. Under the sign-on rules header, click the three dots on the rule with the highest priority.\n1. Select `Edit sign-on rule`\n1. Make a change to ensure that `allow access` is selected and `prompt for an additional factor` is enabled",
|
|
149
|
+
"AuditProcedure": "**From Console:**\n1. Go to Identity Domains: [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select the `Compartment` your Domain to review is in\n1. Click on the Domain to review\n1. Click on `Security`\n1. Click `Sign-on policies` \n1. Select the sign-on policy to review\n6. Under the sign-on rules header, click the three dots on the rule with the highest priority.\n7. Select `Edit sign-on rule`\n8. Verify that `allow access` is selected and `prompt for an additional factor` is enabled\n\n* This requires users to enable MFA when they next login next however, to determine users have enabled MFA use the below CLI.\n\n**From the CLI:**\n* This CLI command checks which users have enabled MFA for their accounts\n1. Execute the below:\n```\ntenancy_ocid=`oci iam compartment list --raw-output --query \"data[?contains(\\\"compartment-id\\\",'.tenancy.')].\\\"compartment-id\\\" | [0]\"`\nfor id_domain_url in `oci iam domain list --compartment-id $tenancy_ocid --all | jq -r '.data[] | .url'`\ndo\n oci identity-domains users list --endpoint $id_domain_url 2>/dev/null | jq -r '.data.resources[] | select(.\"urn-ietf-params-scim-schemas-oracle-idcs-extension-mfa-user\".\"mfa-status\"!=\"ENROLLED\")' 2>/dev/null | jq -r '.ocid'\n\ndone\nfor region in `oci iam region-subscription list | jq -r '.data[] | .\"region-name\"'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE --all 2>/dev/null | jq -r '.data[] | .id'`\n do\n for id_domain_url in `oci iam domain list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .url'`\n do\n oci identity-domains users list --endpoint $id_domain_url 2>/dev/null | jq -r '.data.resources[] | select(.\"urn-ietf-params-scim-schemas-oracle-idcs-extension-mfa-user\".\"mfa-status\"!=\"ENROLLED\")' 2>/dev/null | jq -r '.ocid'\n done\n done\n done\n```\n2. Ensure no results are returned",
|
|
150
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
151
|
+
"References": "https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm:https://docs.oracle.com/en-us/iaas/Content/Security/Reference/iam_security_topic-IAM_MFA.htm"
|
|
152
|
+
}
|
|
153
|
+
]
|
|
154
|
+
},
|
|
155
|
+
{
|
|
156
|
+
"Id": "1.8",
|
|
157
|
+
"Description": "Ensure user API keys rotate within 90 days",
|
|
158
|
+
"Checks": [
|
|
159
|
+
"identity_user_api_keys_rotated_90_days"
|
|
160
|
+
],
|
|
161
|
+
"Attributes": [
|
|
162
|
+
{
|
|
163
|
+
"Section": "1. Identity and Access Management",
|
|
164
|
+
"Profile": "Level 1",
|
|
165
|
+
"AssessmentStatus": "Automated",
|
|
166
|
+
"Description": "API keys are used by administrators, developers, services and scripts for accessing OCI APIs directly or via SDKs/OCI CLI to search, create, update or delete OCI resources.\n\nThe API key is an RSA key pair. The private key is used for signing the API requests and the public key is associated with a local or synchronized user's profile.",
|
|
167
|
+
"RationaleStatement": "It is important to secure and rotate an API key every 90 days or less as it provides the same level of access that a user it is associated with has.\n\nIn addition to a security engineering best practice, this is also a compliance requirement. For example, PCI-DSS Section 3.6.4 states, \"Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined crypto period(s).\"",
|
|
168
|
+
"ImpactStatement": "",
|
|
169
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Domains` from the Identity menu.\n4. For each domain listed, click on the name and select `Users`.\n5. Click on an individual user under the Name heading.\n6. Click on `API Keys` in the lower left-hand corner of the page.\n7. Delete any API Keys that are older than 90 days under the `Created` column of the API Key table.\n\n**From CLI:**\n\n```\noci iam user api-key delete --user-id _<user_ocid>_ --fingerprint <fingerprint_of_the_key_to_be_deleted>\n```",
|
|
170
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Domains` from the Identity menu.\n4. For each domain listed, click on the name and select `Users`.\n5. Click on an individual user under the Name heading.\n6. Click on `API Keys` in the lower left-hand corner of the page.\n7. Ensure the date of the API key under the `Created` column of the API Key is no more than 90 days old.",
|
|
171
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
172
|
+
"References": ""
|
|
173
|
+
}
|
|
174
|
+
]
|
|
175
|
+
},
|
|
176
|
+
{
|
|
177
|
+
"Id": "1.9",
|
|
178
|
+
"Description": "Ensure user customer secret keys rotate within 90 days",
|
|
179
|
+
"Checks": [
|
|
180
|
+
"identity_user_customer_secret_keys_rotated_90_days"
|
|
181
|
+
],
|
|
182
|
+
"Attributes": [
|
|
183
|
+
{
|
|
184
|
+
"Section": "1. Identity and Access Management",
|
|
185
|
+
"Profile": "Level 1",
|
|
186
|
+
"AssessmentStatus": "Automated",
|
|
187
|
+
"Description": "Object Storage provides an API to enable interoperability with Amazon S3. To use this Amazon S3 Compatibility API, you need to generate the signing key required to authenticate with Amazon S3.\n\nThis special signing key is an Access Key/Secret Key pair. Oracle generates the Customer Secret key to pair with the Access Key.",
|
|
188
|
+
"RationaleStatement": "It is important to rotate customer secret keys at least every 90 days, as they provide the same level of object storage access that the user they are associated with has.",
|
|
189
|
+
"ImpactStatement": "",
|
|
190
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Click on `Customer Secret Keys` in the lower left-hand corner of the page.\n1. Delete any Access Keys with a date older than 90 days under the `Created` column of the Customer Secret Keys.",
|
|
191
|
+
"AuditProcedure": "**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Click on `Customer Secret Keys` in the lower left-hand corner of the page.\n1. Ensure the date of the Customer Secret Key under the `Created` column of the Customer Secret Key is no more than 90 days old.",
|
|
192
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
193
|
+
"References": ""
|
|
194
|
+
}
|
|
195
|
+
]
|
|
196
|
+
},
|
|
197
|
+
{
|
|
198
|
+
"Id": "1.10",
|
|
199
|
+
"Description": "Ensure user auth tokens rotate within 90 days",
|
|
200
|
+
"Checks": [
|
|
201
|
+
"identity_user_auth_tokens_rotated_90_days"
|
|
202
|
+
],
|
|
203
|
+
"Attributes": [
|
|
204
|
+
{
|
|
205
|
+
"Section": "1. Identity and Access Management",
|
|
206
|
+
"Profile": "Level 1",
|
|
207
|
+
"AssessmentStatus": "Automated",
|
|
208
|
+
"Description": "Auth tokens are authentication tokens generated by Oracle. You use auth tokens to authenticate with APIs that do not support the Oracle Cloud Infrastructure signature-based authentication. If the service requires an auth token, the service-specific documentation instructs you to generate one and how to use it.",
|
|
209
|
+
"RationaleStatement": "It is important to secure and rotate an auth token every 90 days or less as it provides the same level of access to APIs that do not support the OCI signature-based authentication as the user associated to it.",
|
|
210
|
+
"ImpactStatement": "",
|
|
211
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Click on `Auth Tokens` in the lower left-hand corner of the page.\n1. Delete any auth token with a date older than 90 days under the `Created` column of the Customer Secret Keys.",
|
|
212
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n5. Click on `Auth Tokens` in the lower left-hand corner of the page.\n1. Ensure the date of the Auth Token under the `Created` column of the Customer Secret Key is no more than 90 days old.",
|
|
213
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
214
|
+
"References": ""
|
|
215
|
+
}
|
|
216
|
+
]
|
|
217
|
+
},
|
|
218
|
+
{
|
|
219
|
+
"Id": "1.11",
|
|
220
|
+
"Description": "Ensure user IAM Database Passwords rotate within 90 days",
|
|
221
|
+
"Checks": [
|
|
222
|
+
"identity_user_db_passwords_rotated_90_days"
|
|
223
|
+
],
|
|
224
|
+
"Attributes": [
|
|
225
|
+
{
|
|
226
|
+
"Section": "1. Identity and Access Management",
|
|
227
|
+
"Profile": "Level 1",
|
|
228
|
+
"AssessmentStatus": "Manual",
|
|
229
|
+
"Description": "Users can create and manage their database password in their IAM user profile and use that password to authenticate to databases in their tenancy. An IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy.\n\nAn IAM database password is a different password than an OCI Console password. Setting an IAM database password allows an authorized IAM user to sign in to one or more Autonomous Databases in their tenancy.",
|
|
230
|
+
"RationaleStatement": "It is important to secure and rotate an IAM Database password 90 days or less as it provides the same access the user would have a using a local database user.",
|
|
231
|
+
"ImpactStatement": "",
|
|
232
|
+
"RemediationProcedure": "#### OCI IAM with Identity Domains\n\n**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Click on `IAM Database Passwords` in the lower left-hand corner of the page.\n1. Delete any Database Passwords with a date older than 90 days under the `Created` column of the Database Passwords.",
|
|
233
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Users` from the Identity menu.\n4. Click on an individual user under the Name heading.\n5. Click on `Database Passwords` in the lower left-hand corner of the page.\n6. Ensure the date of the Database Passwords under the `Created` column of the Database Passwords is no more than 90 days \n**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Click on `Database Passwords` in the lower left-hand corner of the page.\n1. Ensure the date of the Database Passwords under the `Created` column of the Database Password is no more than 90 days old.",
|
|
234
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
235
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/usercredentials.htm#usercredentials_iam_db_pwd"
|
|
236
|
+
}
|
|
237
|
+
]
|
|
238
|
+
},
|
|
239
|
+
{
|
|
240
|
+
"Id": "1.12",
|
|
241
|
+
"Description": "Ensure API keys are not created for tenancy administrator users",
|
|
242
|
+
"Checks": [
|
|
243
|
+
"identity_tenancy_admin_users_no_api_keys"
|
|
244
|
+
],
|
|
245
|
+
"Attributes": [
|
|
246
|
+
{
|
|
247
|
+
"Section": "1. Identity and Access Management",
|
|
248
|
+
"Profile": "Level 1",
|
|
249
|
+
"AssessmentStatus": "Automated",
|
|
250
|
+
"Description": "Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts are used for invoking the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Service-level administrative users with API keys should be used instead.",
|
|
251
|
+
"RationaleStatement": "For performing day-to-day operations tenancy administrator access is not needed.\nService-level administrative users with API keys should be used to apply privileged security principle.",
|
|
252
|
+
"ImpactStatement": "",
|
|
253
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to OCI console.\n2. Select `Identity` from Services menu.\n3. Select `Users` from Identity menu, or select `Domains`, select a domain, and select `Users`.\n4. Select the username of a tenancy administrator user with an API key.\n5. Select `API Keys` from the menu in the lower left-hand corner.\n6. Delete any associated keys from the `API Keys` table.\n7. Repeat steps 3-6 for all tenancy administrator users with an API key.\n\n**From CLI:**\n\n1. For each tenancy administrator user with an API key, execute the following command to retrieve API key details:\n```\noci iam user api-key list --user-id <user_id>\n```\n2. For each API key, execute the following command to delete the key:\n```\noci iam user api-key delete --user-id <user_id> --fingerprint <api_key_fingerprint>\n```\n3. The following message will be displayed:\n```\nAre you sure you want to delete this resource? [y/N]:\n```\n4. Type 'y' and press 'Enter'.",
|
|
254
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console. \n1. Select `Identity & Security` from the Services menu.\n1. Select `Domains` from the Identity menu.\n1. Click on the 'Default' Domain in the (root).\n1. Click on 'Groups'.\n1. Select the 'Administrators' group by clicking on the Name\n1. Click on each local or synchronized `Administrators` member profile\n4. Click on API Keys to verify if a user has an API key associated.",
|
|
255
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
256
|
+
"References": ""
|
|
257
|
+
}
|
|
258
|
+
]
|
|
259
|
+
},
|
|
260
|
+
{
|
|
261
|
+
"Id": "1.13",
|
|
262
|
+
"Description": "Ensure all OCI IAM user accounts have a valid and current email address",
|
|
263
|
+
"Checks": [
|
|
264
|
+
"identity_user_valid_email_address"
|
|
265
|
+
],
|
|
266
|
+
"Attributes": [
|
|
267
|
+
{
|
|
268
|
+
"Section": "1. Identity and Access Management",
|
|
269
|
+
"Profile": "Level 1",
|
|
270
|
+
"AssessmentStatus": "Manual",
|
|
271
|
+
"Description": "All OCI IAM local user accounts have an email address field associated with the account. It is recommended to specify an email address that is valid and current.\n\nIf you have an email address in your user profile, you can use the Forgot Password link on the sign on page to have a temporary password sent to you.",
|
|
272
|
+
"RationaleStatement": "Having a valid and current email address associated with an OCI IAM local user account allows you to tie the account to identity in your organization. It also allows that user to reset their password if it is forgotten or lost.",
|
|
273
|
+
"ImpactStatement": "",
|
|
274
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on each non-complaint user.\n1. Click on `Edit User`.\n1. Enter a valid and current email address in the Email and Recovery Email text boxes.\n1. Click `Save Changes`",
|
|
275
|
+
"AuditProcedure": "**From Console:**\n1. Login to OCI Console.\n1. Select `Identity & Security` from the Services menu.\n1. Select Domains from the Identity menu.\n1. For each domain listed, click on the name and select `Users`.\n1. Click on an individual user under the `Username` heading.\n1. Ensure a valid and current email address is next to Email and Recovery email.",
|
|
276
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
277
|
+
"References": ""
|
|
278
|
+
}
|
|
279
|
+
]
|
|
280
|
+
},
|
|
281
|
+
{
|
|
282
|
+
"Id": "1.14",
|
|
283
|
+
"Description": "Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources",
|
|
284
|
+
"Checks": [
|
|
285
|
+
"identity_instance_principal_used"
|
|
286
|
+
],
|
|
287
|
+
"Attributes": [
|
|
288
|
+
{
|
|
289
|
+
"Section": "1. Identity and Access Management",
|
|
290
|
+
"Profile": "Level 1",
|
|
291
|
+
"AssessmentStatus": "Manual",
|
|
292
|
+
"Description": "OCI instances, OCI database and OCI functions can access other OCI resources either via an OCI API key associated to a user or via Instance Principal. Instance Principal authentication can be achieved by inclusion in a Dynamic Group that has an IAM policy granting it the required access or using an OCI IAM policy that has `request.principal` added to the `where` clause. Access to OCI Resources refers to making API calls to another OCI resource like Object Storage, OCI Vaults, etc.",
|
|
293
|
+
"RationaleStatement": "Instance Principal reduces the risks related to hard-coded credentials. Hard-coded API keys can be shared and require rotation, which can open them up to being compromised. Compromised credentials could allow access to OCI services outside of the expected radius.",
|
|
294
|
+
"ImpactStatement": "For an OCI instance that contains embedded credential audit the scripts and environment variables to ensure that none of them contain OCI API Keys or credentials.",
|
|
295
|
+
"RemediationProcedure": "**From Console (Dynamic Groups):**\n1. Go to [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select a Compartment\n1. Click on the Domain\n1. Click on `Dynamic groups`\n1. Click Create Dynamic Group.\n1. Enter a Name\n1. Enter a Description\n1. Enter Matching Rules to that includes the instances accessing your OCI resources.\n1. Click Create.",
|
|
296
|
+
"AuditProcedure": "**From Console (Dynamic Groups):**\n1. Go to [https://cloud.oracle.com/identity/domains/](https://cloud.oracle.com/identity/domains/)\n1. Select a Compartment\n1. Click on a Domain\n1. Click on `Dynamic groups`\n1. Click on the Dynamic Group\n1. Check if the Matching Rules includes the instances accessing your OCI resources.\n\n**From Console (request.principal):**\n1. Go to [https://cloud.oracle.com/identity/policies](https://cloud.oracle.com/identity/policies)\n1. Select a Compartment\n1. Click on an individual policy under the Name heading.\n1. Ensure Policy statements look like this :\n```\nallow any-user to <verb> <resource> in compartment <compartment-name> where ALL {request.principal.type='<resource_type>', request.principal.id='<resource_ocid>'}\n```\nor\n```\nallow any-user to <verb> <resource> in compartment <compartment-name> where ALL {request.principal.type='<resource_type>', request.principal.compartment.id='<compartment_OCID>'}\n```\n\n**From CLI (request.principal):**\n1. Execute the following for each compartment_OCID: \n```\noci iam policy list --compartment-id <compartment_OCID> | grep request.principal\n```\n1. Ensure that the condition includes the instances accessing your OCI resources",
|
|
297
|
+
"AdditionalInformation": "The Audit Procedure and Remediation Procedure for OCI IAM without Identity Domains can be found in the CIS OCI Foundation Benchmark 2.0.0 under the respective recommendations.",
|
|
298
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm"
|
|
299
|
+
}
|
|
300
|
+
]
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"Id": "1.15",
|
|
304
|
+
"Description": "Ensure storage service-level admins cannot delete resources they manage",
|
|
305
|
+
"Checks": [],
|
|
306
|
+
"Attributes": [
|
|
307
|
+
{
|
|
308
|
+
"Section": "1. Identity and Access Management",
|
|
309
|
+
"Profile": "Level 2",
|
|
310
|
+
"AssessmentStatus": "Manual",
|
|
311
|
+
"Description": "To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means service-level administrators can only manage resources of a specific service but not delete resources for that specific service.\n\nExample policies for global/tenant level for block volume service-administrators:\n```\nAllow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE' \nAllow group VolumeUsers to manage volume-backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE'\n```\n\nExample policies for global/tenant level for file storage system service-administrators:\n```\nAllow group FileUsers to manage file-systems in tenancy where request.permission!='FILE_SYSTEM_DELETE'\nAllow group FileUsers to manage mount-targets in tenancy where request.permission!='MOUNT_TARGET_DELETE'\nAllow group FileUsers to manage export-sets in tenancy where request.permission!='EXPORT_SET_DELETE'\n```\n\nExample policies for global/tenant level for object storage system service-administrators:\n```\nAllow group BucketUsers to manage objects in tenancy where request.permission!='OBJECT_DELETE' \nAllow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_DELETE'\n```",
|
|
312
|
+
"RationaleStatement": "Creating service-level administrators without the ability to delete the resource they are managing helps in tightly controlling access to Oracle Cloud Infrastructure (OCI) services by implementing the separation of duties security principle.",
|
|
313
|
+
"ImpactStatement": "",
|
|
314
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI console.\n2. Go to Identity -> Policies, In the compartment dropdown, choose the compartment. Open each policy to view the policy statements.\n3. Add the appropriate `where` condition to any policy statement that allows the storage service-level to manage the storage service.",
|
|
315
|
+
"AuditProcedure": "**From Console:**\n1. Login to OCI console.\n2. Go to Identity -> Policies, In the compartment dropdown, choose the compartment. \n3. Open each policy to view the policy statements.\n4. Verify the policies to ensure that the policy statements that grant access to storage service-level administrators have a condition that excludes access to delete the service they are the administrator for.\n\n**From CLI:**\n1. Execute the following command:\n```\nfor compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n for policy in `oci iam policy list --compartment-id $compid 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci iam policy list --compartment-id $compid 2>/dev/null | jq -r '.data[] | .id, .name, .statements'` \n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. Verify the policies to ensure that the policy statements that grant access to storage service-level administrators have a condition that excludes access to delete the service they are the administrator for.",
|
|
316
|
+
"AdditionalInformation": "",
|
|
317
|
+
"References": "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-939A5EA1-3057-48E0-9E02-ADAFCB82BA3E:https://docs.oracle.com/en-us/iaas/Content/Identity/policyreference/policyreference.htm:https://docs.oracle.com/en-us/iaas/Content/Block/home.htm:https://docs.oracle.com/en-us/iaas/Content/File/home.htm:https://docs.oracle.com/en-us/iaas/Content/Object/home.htm"
|
|
318
|
+
}
|
|
319
|
+
]
|
|
320
|
+
},
|
|
321
|
+
{
|
|
322
|
+
"Id": "1.16",
|
|
323
|
+
"Description": "Ensure OCI IAM credentials unused for 45 days or more are disabled",
|
|
324
|
+
"Checks": [],
|
|
325
|
+
"Attributes": [
|
|
326
|
+
{
|
|
327
|
+
"Section": "1. Identity and Access Management",
|
|
328
|
+
"Profile": "Level 1",
|
|
329
|
+
"AssessmentStatus": "Automated",
|
|
330
|
+
"Description": "OCI IAM Local users can access OCI resources using different credentials, such as passwords or API keys. It is recommended that credentials that have been unused for 45 days or more be deactivated or removed.",
|
|
331
|
+
"RationaleStatement": "Disabling or removing unnecessary OCI IAM local users will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.",
|
|
332
|
+
"ImpactStatement": "",
|
|
333
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select Domains from the Identity menu.\n4. For each domain listed, click on the name and select `Users`.\n5. Click on an individual user under the `Username` heading.\n6. Click `More action`\n7. Select `Deactivate`\n\n**From CLI:**\n1. Create a input.json:\n```\n{\n \"operations\": [\n { \"op\": \"replace\", \"path\": \"active\",\"value\": false}\n ],\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n \"userId\": \"<user-ocid>\"\n }\n```\n2. Execute the below:\n```\noci identity-domains user patch --from-json file://file.json --endpoint <identity-domain-endpoint>\n```",
|
|
334
|
+
"AuditProcedure": "Perform the following to determine if unused credentials exist:\n\n**From Console:**\n\nFor Passwords:\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Domains` from the `Identity` menu.\n4. For each domain listed, click on the name \n5. Click `Reports`\n6. Under Dormant users report click `View report`\n7. Enter a date 45 days from today’s date in Last Successful Login Date\n8. Check and ensure that `Last Successful Login Date` is greater than 45 days or empty\n\nFor API Keys:\n1. Login to OCI Console.\n2. Select `Observability & Management` from the Services menu.\n3. Select `Search` from `Logging` menu\n4. Click `Show Advanced Mode` in the right corner\n5. Select `Custom` from `Filter by time`\n6. Under `Select regions to search` add regions\n7. Under `Query` enter the following query in the text box:\n```\nsearch \"<tenancy-ocid>/_Audit_Include_Subcompartment\" | data.identity.credentials='<tenancy-ocid>/<user-ocid>/<key-fingerprint>' | summarize count() by data.identity.principalId\n```\n8. Enter a day range \n- Note each query can only be 14 days multiple queries will be required to go 45 days\n9. Click `Search`\n10. Expand the results\n11. If results the count is not zero the user has used their API key during that period\n12. Repeat steps 8 – 11 for the 45-day period\n\n**From CLI:**\n\nFor Passwords:\n1. Execute the below:\n\n```\noci identity-domains users list --all --endpoint <identity-domain-endpoint> --attributes urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User:lastSuccessfulLoginDate --profile Oracle --query '.data.resources[]|.\"user-name\" + \" \" + .\"urn-ietf-params-scim-schemas-oracle-idcs-extension-user-state-user\".\"last-successful-login-date\"'\n```\n\n2. Review the output the that the date is under 45 days, or no date means they have not logged in\n\nFor API Keys: \n1. 
Create the search query text:\n\n```\nexport query=\"search \\\"<tenancy-ocid>/_Audit_Include_Subcompartment\\\" | data.identity.credentials='*<key-finger-print>' | summarize count() by data.identity.principalId\"\n```\n2. Select a day range. Date format is `2024-12-01`\n- Note each query can only be 14 days multiple queries will be required to go 45 days\n3. Execute the below:\n```\n\noci logging-search search-logs --search-query $query --time-start <start-date> --time-end <end-date> --query 'data.results[0].data.count' \nexport query=\"search \\\"<tenancy-ocid>/_Audit_Include_Subcompartment\\\" | data.identity.credentials='*<key-finger-print>' | summarize count() by data.identity.principalId\"\n```\n\n4. If results the count is not zero, the user has used their API key during that period\n5. Repeat steps 2 – 4 for the 45-day period",
|
|
335
|
+
"AdditionalInformation": "This audit should exclude the OCI Administrator, break-glass accounts, and service accounts as these accounts should only be used for day-to-day business and would likely be unused for up to 45 days.",
|
|
336
|
+
"References": ""
|
|
337
|
+
}
|
|
338
|
+
]
|
|
339
|
+
},
|
|
340
|
+
{
|
|
341
|
+
"Id": "1.17",
|
|
342
|
+
"Description": "Ensure there is only one active API Key for any single OCI IAM user",
|
|
343
|
+
"Checks": [],
|
|
344
|
+
"Attributes": [
|
|
345
|
+
{
|
|
346
|
+
"Section": "1. Identity and Access Management",
|
|
347
|
+
"Profile": "Level 1",
|
|
348
|
+
"AssessmentStatus": "Automated",
|
|
349
|
+
"Description": "API Keys are long-term credentials for an OCI IAM user. They can be used to make programmatic requests to the OCI APIs directly or via, OCI SDKs or the OCI CLI.",
|
|
350
|
+
"RationaleStatement": "Having a single API Key for an OCI IAM reduces attack surface area and makes it easier to manage.",
|
|
351
|
+
"ImpactStatement": "Deletion of an OCI API Key will remove programmatic access to OCI APIs",
|
|
352
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Domains` from the Identity menu.\n4. For each domain listed, click on the name and select Users.\n5. Click on an individual user under the Name heading.\n6. Click on `API Keys` in the lower left-hand corner of the page.\n7. Delete one of the API Keys \n\n**From CLI:**\n1. Follow the audit procedure above.\n2. For API Key ID to be removed execute the following command:\n```\noci identity-domains api-key delete –api-key-id <id> --endpoint <domain-endpoint>\n```",
|
|
353
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Users` from the Identity menu.\n4. Click on an individual user under the Name heading.\n5. Click on `API Keys` in the lower left-hand corner of the page.\n6. Ensure the has only has a one API Key\n\n**From CLI:**\n1. Each user and in each Identity Domain\n```\noci raw-request --http-method GET --target-uri \"https://<domain-endpoint>/admin/v1/ApiKeys?filter=user.ocid+eq+%<user-ocid>%22\" | jq '.data.Resources[] | \"\\(.fingerprint) \\(.id)\"'\n```\n2. Ensure only one key is returned",
|
|
354
|
+
"AdditionalInformation": "",
|
|
355
|
+
"References": "https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Security/Reference/iam_security_topic-IAM_Credentials.htm#IAM_Credentials"
|
|
356
|
+
}
|
|
357
|
+
]
|
|
358
|
+
},
|
|
359
|
+
{
|
|
360
|
+
"Id": "2.1",
|
|
361
|
+
"Description": "Ensure no security lists allow ingress from 0.0.0.0/0 to port 22",
|
|
362
|
+
"Checks": [
|
|
363
|
+
"network_security_list_ingress_from_internet_to_ssh_port"
|
|
364
|
+
],
|
|
365
|
+
"Attributes": [
|
|
366
|
+
{
|
|
367
|
+
"Section": "2. Networking",
|
|
368
|
+
"Profile": "Level 1",
|
|
369
|
+
"AssessmentStatus": "Automated",
|
|
370
|
+
"Description": "Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. It is recommended that no security list allows unrestricted ingress access to port 22.",
|
|
371
|
+
"RationaleStatement": "Removing unfettered connectivity to remote console services, such as Secure Shell (SSH), reduces a server's exposure to risk.",
|
|
372
|
+
"ImpactStatement": "For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another network security group or security list.",
|
|
373
|
+
"RemediationProcedure": "**From Console:**\n\n1. Follow the audit procedure above.\n2. For each security list in the returned results, click the security list name\n3. Either edit the `ingress rule` to be more restrictive, delete the `ingress rule` or click on the `VCN` and terminate the `security list` as appropriate.\n\n**From CLI:**\n\n1. Follow the audit procedure.\n2. For each of the `security lists` identified, execute the following command:\n```\noci network security-list get --security-list-id <security list id>\n```\n3. Then either:\n\n - Update the `security list` by copying the `ingress-security-rules` element from the JSON returned by the above command, edit it appropriately and use it in the following command:\n```\noci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'\n```\n or\n - Delete the security list with the following command:\n\n```\noci network security-list delete --security-list-id <security list id>\n```",
|
|
374
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to the OCI Console.\n2. Click the search bar at the top of the screen.\n3. Type `Advanced Resource Query` and hit `enter`.\n4. Click the `Advanced Resource Query` button in the upper right corner of the screen.\n5. Enter the following query in the query box:\n```\nquery SecurityList resources where \n(IngressSecurityRules.source = '0.0.0.0/0' && \nIngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max >= 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min =<= 22) \n```\n6. Ensure the query returns no results.\n\n**From CLI:**\n\n1. Execute the following command:\n```\noci search resource structured-search --query-text \"query SecurityList resources where \n(IngressSecurityRules.source = '0.0.0.0/0' && \nIngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max >= 22 && IngressSecurityRules.tcpOptions.destinationPortRange.min <= 22) \n\"\n```\n2. Ensure the query returns no results.\n\n**Cloud Guard**\n\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15.\n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console.\n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) in the Detector Rules column.\n6. Select the vertical ellipsis icon and chose Edit on the VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) row.\n7. In the Edit Detector Rule window find the Input Setting box and verify/add to the Restricted Protocol: Ports List setting to TCP:[22], UDP:[22].\n8. Click the `Save` button.\n\n**From CLI:**\n1. 
Update the VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) Detector Rule in Cloud Guard to generate Problems if a VCN security list allows public access via port 22 with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <insert detector recipe ocid> --detector-rule-id SECURITY_LISTS_OPEN_SOURCE --details '{\"configurations\":[{ \"configKey\" : \"securityListsOpenSourceConfig\", \"name\" : \"Restricted Protocol:Ports List\", \"value\" : \"TCP:[22], UDP:[22]\", \"dataType\" : null, \"values\" : null }]}'\n```",
|
|
375
|
+
"AdditionalInformation": "",
|
|
376
|
+
"References": ""
|
|
377
|
+
}
|
|
378
|
+
]
|
|
379
|
+
},
|
|
380
|
+
{
|
|
381
|
+
"Id": "2.2",
|
|
382
|
+
"Description": "Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389",
|
|
383
|
+
"Checks": [
|
|
384
|
+
"network_security_list_ingress_from_internet_to_rdp_port"
|
|
385
|
+
],
|
|
386
|
+
"Attributes": [
|
|
387
|
+
{
|
|
388
|
+
"Section": "2. Networking",
|
|
389
|
+
"Profile": "Level 1",
|
|
390
|
+
"AssessmentStatus": "Automated",
|
|
391
|
+
"Description": "Security lists provide stateful and stateless filtering of ingress and egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.",
|
|
392
|
+
"RationaleStatement": "Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.",
|
|
393
|
+
"ImpactStatement": "For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another network security group or security list.",
|
|
394
|
+
"RemediationProcedure": "**From Console:**\n\n1. Follow the audit procedure above.\n2. For each security list in the returned results, click the security list name\n3. Either edit the `ingress rule` to be more restrictive, delete the `ingress rule` or click on the `VCN` and terminate the `security list` as appropriate.\n\n**From CLI:**\n\n1. Follow the audit procedure.\n2. For each of the `security lists` identified, execute the following command:\n```\noci network security-list get --security-list-id <security list id>\n```\n3. Then either:\n - Update the `security list` by copying the `ingress-security-rules` element from the JSON returned by the above command, edit it appropriately, and use it in the following command\n```\noci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'\n```\n or\n - Delete the security list with the following command:\n\n```\noci network security-list delete --security-list-id <security list id>\n```",
|
|
395
|
+
"AuditProcedure": "**From Console:**\n\n1. Login into the OCI Console\n2. Click in the search bar at the top of the screen.\n3. Type `Advanced Resource Query` and hit `enter`.\n4. Click the `Advanced Resource Query` button in the upper right corner of the screen.\n5. Enter the following query in the query box:\n```\nquery SecurityList resources where \n(IngressSecurityRules.source = '0.0.0.0/0' && \nIngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max >= 3389 && IngressSecurityRules.tcpOptions.destinationPortRange.min <= 3389) \n```\n6. Ensure query returns no results.\n\n**From CLI:**\n\n1. Execute the following command:\n```\noci search resource structured-search --query-text \"query SecurityList resources where \n(IngressSecurityRules.source = '0.0.0.0/0' && \nIngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max >= 3389 && IngressSecurityRules.tcpOptions.destinationPortRange.min <= 3389) \n\"\n```\n2. Ensure query returns no results.\n\n**Cloud Guard**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15. \n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console .\n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) in the Detector Rules column.\n6. Select the vertical ellipsis icon and choose Edit on the VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) row.\n7. In the Edit Detector Rule window find the Input Setting box and verify/add to the Restricted Protocol: Ports List setting to TCP:[3389], UDP:[3389].\n8. 
Click the `Save` button.\n\n**From CLI:**\n1. Update the VCN Security list allows traffic to non-public port from all sources (0.0.0.0/0) Detector Rule in Cloud Guard to generate Problems if a VCN security list allows public access via port 3389 with the following command:\n```\noci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <insert detector recipe ocid> --detector-rule-id SECURITY_LISTS_OPEN_SOURCE --details '{\"configurations\":[{ \"configKey\" : \"securityListsOpenSourceConfig\", \"name\" : \"Restricted Protocol:Ports List\", \"value\" : \"TCP:[3389], UDP:[3389]\", \"dataType\" : null, \"values\" : null }]}'\n```",
|
|
396
|
+
"AdditionalInformation": "This recommendation can also be audited programmatically using REST API \n\nhttps://docs.oracle.com/en-us/iaas/api/#/en/iaas/20160918/SecurityList/ListSecurityLists",
|
|
397
|
+
"References": ""
|
|
398
|
+
}
|
|
399
|
+
]
|
|
400
|
+
},
|
|
401
|
+
{
|
|
402
|
+
"Id": "2.3",
|
|
403
|
+
"Description": "Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22",
|
|
404
|
+
"Checks": [
|
|
405
|
+
"network_security_group_ingress_from_internet_to_ssh_port"
|
|
406
|
+
],
|
|
407
|
+
"Attributes": [
|
|
408
|
+
{
|
|
409
|
+
"Section": "2. Networking",
|
|
410
|
+
"Profile": "Level 1",
|
|
411
|
+
"AssessmentStatus": "Automated",
|
|
412
|
+
"Description": "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress to port 22.",
|
|
413
|
+
"RationaleStatement": "Removing unfettered connectivity to remote console services, such as Secure Shell (SSH), reduces a server's exposure to risk.",
|
|
414
|
+
"ImpactStatement": "For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another network security group or security list.",
|
|
415
|
+
"RemediationProcedure": "**From Console:**\n 1. Login into the OCI Console.\n 2. Click the search bar at the top of the screen.\n 3. Type Advanced Resource Query and hit enter.\n 4. Click the Advanced Resource Query button in the upper right corner of the screen.\n 5. Enter the following query in the query box:\n\n query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'\n\n 6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.\n 7. Remove all security rules with direction: Ingress, Source: 0.0.0.0/0, and Destination Port Range: 22.\n\n**From CLI:**\n\nIssue the following command and identify the security rule to remove.\n\n```\n for region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for compid in `oci iam compartment list 2>/dev/null | jq -r '.data[] | .id'`;\n do \n for nsgid in `oci network nsg list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci network nsg rules list --nsg-id=$nsgid --all 2>/dev/null | jq -r '.data[] | select(.source == \"0.0.0.0/0\" and .direction == \"INGRESS\" and ((.\"tcp-options\".\"destination-port-range\".max >= 22 and .\"tcp-options\".\"destination-port-range\".min <= 22) or .\"tcp-options\".\"destination-port-range\" == null))'`\n if [ ! 
-z \"$output\" ]; then echo \"NSGID=\", $nsgid, \"Security Rules=\", $output; fi\n done\n done\n done\n```\n\n- Remove the security rules\n\n```\noci network nsg rules remove --nsg-id=<NSGID from audit output>\n```\nor\n\n- Update the security rules\n```\noci network nsg rules update --nsg-id=<NSGID from audit output> --security-rules='[<updated security-rules JSON (without isValid and TimrCreated fields)>]'\n\neg:\n\n oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ \"description\": null, \"destination\": null, \"destination-type\": null, \"direction\": \"INGRESS\", \"icmp-options\": null, \"id\": \"709001\", \"is-stateless\": null, \"protocol\": \"6\", \"source\": \"140.238.154.0/24\", \"source-type\": \"CIDR_BLOCK\", \"tcp-options\": { \"destination-port-range\": { \"max\": 22, \"min\": 22 }, \"source-port-range\": null }, \"udp-options\": null }]'\n```",
|
|
416
|
+
"AuditProcedure": "**From Console:**\n 1. Login into the OCI Console.\n 2. Click the search bar at the top of the screen.\n 3. Type Advanced Resource Query and hit enter.\n 4. Click the Advanced Resource Query button in the upper right corner of the screen.\n 5. Enter the following query in the query box:\n```\nquery networksecuritygroup resources where lifeCycleState = 'AVAILABLE'\n```\n 6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.\n 7. Ensure that there are no security rules with direction: Ingress, Source: 0.0.0.0/0, and Destination Port Range: 22.\n\n**From CLI:**\n\nIssue the following command, it should return no values.\n\n```\nfor region in $(oci iam region-subscription list | jq -r '.data[] | .\"region-name\"')\n do\n echo \"Enumerating region $region\"\n for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')\n do\n echo \"Enumerating compartment $compid\"\n for nsgid in $(oci network nsg list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .id')\n do\n output=$(oci network nsg rules list --nsg-id=$nsgid --all 2>/dev/null | jq -r '.data[] | select(.source == \"0.0.0.0/0\" and .direction == \"INGRESS\" and ((.\"tcp-options\".\"destination-port-range\".max >= 22 and .\"tcp-options\".\"destination-port-range\".min <= 22) or .\"tcp-options\".\"destination-port-range\" == null))')\n if [ ! -z \"$output\" ]; then echo \"NSGID: \", $nsgid, \"Security Rules: \", $output; fi\n done\n done\n done\n```\n\n**Cloud Guard:**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15. \n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console .\n2. Click `Cloud Guard` from the “Services” submenu.\n3. 
Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find NSG ingress rule contains disallowed IP/port in the Detector Rules column.\n6. Select the vertical ellipsis icon and chose Edit on the NSG ingress rule contains disallowed IP/port row.\n7. In the Edit Detector Rule window find the Input Setting box and verify/add to the Restricted Protocol: Ports List setting to TCP:[22], UDP:[22].\n8. Click the `Save` button.\n\n**From CLI:**\n1. Update the NSG ingress rule contains disallowed IP/port Detector Rule in Cloud Guard to generate Problems if a network security group allows ingress network traffic to port 22 with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <insert detector recipe ocid> --detector-rule-id VCN_NSG_INGRESS_RULE_PORTS_CHECK --details '{\"configurations\":[ {\"configKey\" : \"nsgIngressRuleDisallowedPortsConfig\", \"name\" : \"Default disallowed ports\", \"value\" : \"TCP:[22], UDP:[22]\", \"dataType\" : null, \"values\" : null }]}'\n```",
|
|
417
|
+
"AdditionalInformation": "",
|
|
418
|
+
"References": ""
|
|
419
|
+
}
|
|
420
|
+
]
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"Id": "2.4",
|
|
424
|
+
"Description": "Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389",
|
|
425
|
+
"Checks": [
|
|
426
|
+
"network_security_group_ingress_from_internet_to_rdp_port"
|
|
427
|
+
],
|
|
428
|
+
"Attributes": [
|
|
429
|
+
{
|
|
430
|
+
"Section": "2. Networking",
|
|
431
|
+
"Profile": "Level 1",
|
|
432
|
+
"AssessmentStatus": "Automated",
|
|
433
|
+
"Description": "Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.",
|
|
434
|
+
"RationaleStatement": "Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.",
|
|
435
|
+
"ImpactStatement": "For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another network security group or security list.",
|
|
436
|
+
"RemediationProcedure": "**From CLI:**\n\nUsing the details returned from the audit procedure either:\n\n- Remove the security rules\n```\noci network nsg rules remove --nsg-id=<NSGID from audit output>\n```\nor\n\n- Update the security rules\n```\noci network nsg rules update --nsg-id=<NSGID from audit output> --security-rules=<updated security-rules JSON (without the isValid or TimeCreated fields)>\n\neg:\n\n oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ \"description\": null, \"destination\": null, \"destination-type\": null, \"direction\": \"INGRESS\", \"icmp-options\": null, \"id\": \"709001\", \"is-stateless\": null, \"protocol\": \"6\", \"source\": \"140.238.154.0/24\", \"source-type\": \"CIDR_BLOCK\", \"tcp-options\": { \"destination-port-range\": { \"max\": 3389, \"min\": 3389 }, \"source-port-range\": null }, \"udp-options\": null }]'\n```",
|
|
437
|
+
"AuditProcedure": "**From CLI:**\n\nIssue the following command, it should not return anything.\n\n```\n for region in $(oci iam region-subscription list | jq -r '.data[] | .\"region-name\"')\n do\n echo \"Enumerating region $region\"\n for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')\n do\n echo \"Enumerating compartment $compid\"\n for nsgid in $(oci network nsg list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .id')\n do\n output=$(oci network nsg rules list --nsg-id=$nsgid --all 2>/dev/null | jq -r '.data[] | select(.source == \"0.0.0.0/0\" and .direction == \"INGRESS\" and ((.\"tcp-options\".\"destination-port-range\".max >= 3389 and .\"tcp-options\".\"destination-port-range\".min <= 3389) or .\"tcp-options\".\"destination-port-range\" == null))')\n if [ ! -z \"$output\" ]; then echo \"NSGID: \", $nsgid, \"Security Rules: \", $output; fi\n done\n done\n done\n```\n\n**From Cloud Guard:**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15. \n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console.\n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find NSG ingress rule contains disallowed IP/port in the Detector Rules column.\n6. Select the vertical ellipsis icon and chose Edit on the NSG ingress rule contains disallowed IP/port row.\n7. In the Edit Detector Rule window find the Input Setting box and verify/add to the Restricted Protocol: Ports List setting to TCP:[3389], UDP:[3389].\n8. Click the Save button.\n\n**From CLI:**\n1. 
Update the NSG ingress rule contains disallowed IP/port Detector Rule in Cloud Guard to generate Problems if a network security group allows ingress network traffic to port 3389 with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <insert detector recipe ocid> --detector-rule-id VCN_NSG_INGRESS_RULE_PORTS_CHECK --details '{\"configurations\":[ {\"configKey\" : \"nsgIngressRuleDisallowedPortsConfig\", \"name\" : \"Default disallowed ports\", \"value\" : \"TCP:[3389], UDP:[3389]\", \"dataType\" : null, \"values\" : null }]}'\n```",
|
|
438
|
+
"AdditionalInformation": "",
|
|
439
|
+
"References": ""
|
|
440
|
+
}
|
|
441
|
+
]
|
|
442
|
+
},
|
|
443
|
+
{
|
|
444
|
+
"Id": "2.5",
|
|
445
|
+
"Description": "Ensure the default security list of every VCN restricts all traffic except ICMP",
|
|
446
|
+
"Checks": [
|
|
447
|
+
"network_default_security_list_restricts_traffic"
|
|
448
|
+
],
|
|
449
|
+
"Attributes": [
|
|
450
|
+
{
|
|
451
|
+
"Section": "2. Networking",
|
|
452
|
+
"Profile": "Level 1",
|
|
453
|
+
"AssessmentStatus": "Automated",
|
|
454
|
+
"Description": "A default security list is created when a Virtual Cloud Network (VCN) is created and attached to the public subnets in the VCN. Security lists provide stateful or stateless filtering of ingress and egress network traffic to OCI resources in the VCN. It is recommended that the default security list does not allow unrestricted ingress and egress access to resources in the VCN.",
|
|
455
|
+
"RationaleStatement": "Removing unfettered connectivity to OCI resource, reduces a server's exposure to unauthorized access or data exfiltration.",
|
|
456
|
+
"ImpactStatement": "For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to port 22 through another network security group and servers have egress to specified ports and protocols through another network security group.",
|
|
457
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login into the OCI Console\n2. Click on `Networking -> Virtual Cloud Networks` from the services menu\n3. For each VCN listed `Click on Security Lists`\n4. Click on `Default Security List for <VCN Name>`\n5. Identify the Ingress Rule with 'Source 0.0.0.0/0'\n6. Either Edit the Security rule to restrict the source and/or port range or delete the rule.\n7. Identify the Egress Rule with 'Destination 0.0.0.0/0, All Protocols'\n8. Either Edit the Security rule to restrict the source and/or port range or delete the rule.",
|
|
458
|
+
"AuditProcedure": "**From Console:**\n\n1. Login into the OCI Console\n2. Click on `Networking -> Virtual Cloud Networks` from the services menu\n3. For each VCN listed `Click on Security Lists`\n4. Click on `Default Security List for <VCN Name>`\n5. Verify that there is no Ingress rule with 'Source 0.0.0.0/0'\n6. Verify that there is no Egress rule with 'Destination 0.0.0.0/0, All Protocols'",
|
|
459
|
+
"AdditionalInformation": "",
|
|
460
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Security/Reference/networking_security.htm#Securing_Networking_VCN_Load_Balancers_and_DNS"
|
|
461
|
+
}
|
|
462
|
+
]
|
|
463
|
+
},
|
|
464
|
+
{
|
|
465
|
+
"Id": "2.6",
|
|
466
|
+
"Description": "Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources",
|
|
467
|
+
"Checks": [
|
|
468
|
+
"integration_instance_access_restricted"
|
|
469
|
+
],
|
|
470
|
+
"Attributes": [
|
|
471
|
+
{
|
|
472
|
+
"Section": "2. Networking",
|
|
473
|
+
"Profile": "Level 1",
|
|
474
|
+
"AssessmentStatus": "Manual",
|
|
475
|
+
"Description": "Oracle Integration (OIC) is a complete, secure, but lightweight integration solution that enables you to connect your applications in the cloud. It simplifies connectivity between your applications and connects both your applications that live in the cloud and your applications that still live on premises. Oracle Integration provides secure, enterprise-grade connectivity regardless of the applications you are connecting or where they reside. OIC instances are created within an Oracle managed secure private network with each having a public endpoint. The capability to configure ingress filtering of network traffic to protect your OIC instances from unauthorized network access is included. It is recommended that network access to your OIC instances be restricted to your approved corporate IP Addresses or Virtual Cloud Networks (VCN)s.",
|
|
476
|
+
"RationaleStatement": "Restricting connectivity to OIC Instances reduces an OIC instance’s exposure to risk.",
|
|
477
|
+
"ImpactStatement": "When updating ingress filters for an existing environment, care should be taken to ensure that IP addresses and VCNs currently used by administrators, users, and services to access your OIC instances are included in the updated filters.",
|
|
478
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each OIC instance in the returned results, click the OIC Instance name\n3. Click `Network Access`\n4. Either edit the `Network Access` to be more restrictive \n\n**From CLI**\n1. Follow the audit procedure.\n2. Get the json input format using the below command:\n```\noci integration integration-instance change-network-endpoint --generate-param-json-input\n```\n3.For each of the OIC Instances identified get its details.\n4.Update the `Network Access`, copy the `network-endpoint-details` element from the JSON returned by the above get call, edit it appropriately and use it in the following command\n```\nOci integration integration-instance change-network-endpoint --id <oic-instance-id> --from-json '<network endpoints JSON>'\n```",
|
|
479
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console\n2. Click in the search bar, top of the screen.\n3. Type Advanced Resource Query and hit enter.\n4. Click the Advanced Resource Query button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery integrationinstance resources\n```\n6. For each OIC Instance returned click on the link under `Display name`\n7. Click on `Network Access`\n8 .Ensure `Restrict Network Access` is selected and the IP Address/CIDR Block as well as Virtual Cloud Networks are correct\n9. Repeat for other subscribed regions\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci integration integration-instance list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"network-endpoint-details\".\"network-endpoint-type\" == null)'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n\n```\n2. Ensure `allowlisted-http-ips` and `allowed-http-vcns` are correct",
|
|
480
|
+
"AdditionalInformation": "",
|
|
481
|
+
"References": "https://docs.oracle.com/en/cloud/paas/integration-cloud/integrations-user/get-started-integration-cloud-service.html"
|
|
482
|
+
}
|
|
483
|
+
]
|
|
484
|
+
},
|
|
485
|
+
{
|
|
486
|
+
"Id": "2.7",
|
|
487
|
+
"Description": "Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network",
|
|
488
|
+
"Checks": [
|
|
489
|
+
"analytics_instance_access_restricted"
|
|
490
|
+
],
|
|
491
|
+
"Attributes": [
|
|
492
|
+
{
|
|
493
|
+
"Section": "2. Networking",
|
|
494
|
+
"Profile": "Level 1",
|
|
495
|
+
"AssessmentStatus": "Manual",
|
|
496
|
+
"Description": "Oracle Analytics Cloud (OAC) is a scalable and secure public cloud service that provides a full set of capabilities to explore and perform collaborative analytics for you, your workgroup, and your enterprise. OAC instances provide ingress filtering of network traffic or can be deployed with in an existing Virtual Cloud Network VCN. It is recommended that all new OAC instances be deployed within a VCN and that the Access Control Rules are restricted to your corporate IP Addresses or VCNs for existing OAC instances.",
|
|
497
|
+
"RationaleStatement": "Restricting connectivity to Oracle Analytics Cloud instances reduces an OAC instance’s exposure to risk.",
|
|
498
|
+
"ImpactStatement": "When updating ingress filters for an existing environment, care should be taken to ensure that IP addresses and VCNs currently used by administrators, users, and services to access your OAC instances are included in the updated filters. Also, these changes will temporarily bring the OAC instance offline.",
|
|
499
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each OAC instance in the returned results, click the OAC Instance name\n3. Click `Edit` next to `Access Control Rules`\n4. Click `+Another Rule` and add rules as required\n\n**From CLI:**\n1. Follow the audit procedure.\n2. Get the json input format by executing the below command:\n```\noci analytics analytics-instance change-network-endpoint --generate-full-command-json-input\n```\n3. For each of the OAC Instances identified get its details.\n4. Update the `Access Control Rules`, copy the `network-endpoint-details` element from the JSON returned by the above get call, edit it appropriately and use it in the following command:\n```\noci integration analytics-instance change-network-endpoint --from-json '<network endpoints JSON>'\n```",
|
|
500
|
+
"AuditProcedure": "**From Console:**\n1 Login into the OCI Console\n2. Click in the search bar, top of the screen.\n3. Type Advanced Resource Query and hit enter.\n4. Click the Advanced Resource Query button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery analyticsinstance resources\n```\n6. For each OAC Instance returned click on the link under `Display name`.\n7. Ensure `Access Control Rules` IP Address/CIDR Block as well as Virtual Cloud Networks are correct.\n8. Repeat for other subscribed regions.\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci analytics analytics-instance list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"network-endpoint-details\".\"network-endpoint-type\" == \"PUBLIC\")'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. Ensure `network-endpoint-type` are correct.",
|
|
501
|
+
"AdditionalInformation": "https://docs.oracle.com/en/cloud/paas/analytics-cloud/acoci/manage-service-access-and-security.html#GUID-3DB25824-4417-4981-9EEC-29C0C6FD3883",
|
|
502
|
+
"References": ""
|
|
503
|
+
}
|
|
504
|
+
]
|
|
505
|
+
},
|
|
506
|
+
{
|
|
507
|
+
"Id": "2.8",
|
|
508
|
+
"Description": "Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network",
|
|
509
|
+
"Checks": [
|
|
510
|
+
"database_autonomous_database_access_restricted"
|
|
511
|
+
],
|
|
512
|
+
"Attributes": [
|
|
513
|
+
{
|
|
514
|
+
"Section": "2. Networking",
|
|
515
|
+
"Profile": "Level 1",
|
|
516
|
+
"AssessmentStatus": "Manual",
|
|
517
|
+
"Description": "Oracle Autonomous Database Shared (ADB-S) automates database tuning, security, backups, updates, and other routine management tasks traditionally performed by DBAs. ADB-S provide ingress filtering of network traffic or can be deployed within an existing Virtual Cloud Network (VCN). It is recommended that all new ADB-S databases be deployed within a VCN and that the Access Control Rules are restricted to your corporate IP Addresses or VCNs for existing ADB-S databases.",
|
|
518
|
+
"RationaleStatement": "Restricting connectivity to ADB-S Databases reduces an ADB-S database’s exposure to risk.",
|
|
519
|
+
"ImpactStatement": "When updating ingress filters for an existing environment, care should be taken to ensure that IP addresses and VCNs currently used by administrators, users, and services to access your ADB-S instances are included in the updated filters.",
|
|
520
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each ADB-S database in the returned results, click the ADB-S database name\n3. Click `Edit` next to `Access Control Rules`\n4. Click `+Another Rule` and add rules as required\n5. Click `Save Changes`\n\n**From CLI:**\n1. Follow the audit procedure.\n2. Get the json input format by executing the following command:\n```\noci db autonomous-database update --generate-full-command-json-input\n```\n3. For each of the ADB-S Database identified get its details.\n4. Update the `whitelistIps`, copy the `WhiteListIPs` element from the JSON returned by the above get call, edit it appropriately and use it in the following command:\n```\noci db autonomous-database update –-autonomous-database-id <ABD-S OCID> --from-json '<network endpoints JSON>'\n```",
|
|
521
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console\n2. Click in the search bar, top of the screen.\n3. Type Advanced Resource Query and hit enter.\n4. Click the `Advanced Resource Query` button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery autonomousdatabase resources\n```\n6. For each ABD-S database returned click on the link under `Display name`\n7. Click `Edit` next to `Access Control List`\n8. Ensure `Access Control Rules’ IP Address/CIDR Block as well as VCNs are correct\n9. Repeat for other subscribed regions\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n for adbid in `oci db autonomous-database list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"nsg-ids\" == null).id'`\n do\n output=`oci db autonomous-database get --autonomous-database-id $adbid --region $region --query=data.{\"WhiteListIPs:\\\"whitelisted-ips\\\",\"id:id\"\"} --output table 2>/dev/null`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n done\n```\n2. Ensure `WhiteListIPs` are correct.",
|
|
522
|
+
"AdditionalInformation": "",
|
|
523
|
+
"References": "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/network-access-options.html#GUID-29D62917-0F18-4F3E-8081-B3BD5C0C79F5"
|
|
524
|
+
}
|
|
525
|
+
]
|
|
526
|
+
},
|
|
527
|
+
{
|
|
528
|
+
"Id": "3.1",
|
|
529
|
+
"Description": "Ensure Compute Instance Legacy Metadata service endpoint is disabled",
|
|
530
|
+
"Checks": [
|
|
531
|
+
"compute_instance_legacy_metadata_endpoint_disabled"
|
|
532
|
+
],
|
|
533
|
+
"Attributes": [
|
|
534
|
+
{
|
|
535
|
+
"Section": "3. Compute",
|
|
536
|
+
"Profile": "Level 2",
|
|
537
|
+
"AssessmentStatus": "Automated",
|
|
538
|
+
"Description": "Compute Instances that utilize Legacy MetaData service endpoints (IMDSv1) are susceptible to potential SSRF attacks. To bolster security measures, it is strongly advised to reconfigure Compute Instances to adopt Instance Metadata Service v2, aligning with the industry's best security practices.",
|
|
539
|
+
"RationaleStatement": "Enabling Instance Metadata Service v2 enhances security and grants precise control over metadata access. Transitioning from IMDSv1 reduces the risk of SSRF attacks, bolstering system protection.\n\nIMDv1 poses security risks due to its inferior security measures and limited auditing capabilities. Transitioning to IMDv2 ensures a more secure environment with robust security features and improved monitoring capabilities.",
|
|
540
|
+
"ImpactStatement": "If you disable IMDSv1 on an instance that does not support IMDSv2, you might not be able to connect to the instance when you launch it.\n\nIMDSv2 is supported on the following platform images:\n- Oracle Autonomous Linux 8.x images\n- Oracle Autonomous Linux 7.x images released in June 2020 or later\n- Oracle Linux 8.x, Oracle Linux 7.x, and Oracle Linux 6.x images released in July 2020 or later\n\nOther platform images, most custom images, and most Marketplace images do not support IMDSv2. Custom Linux images might support IMDSv2 if cloud-init is updated to version 20.3 or later and Oracle Cloud Agent is updated to version 0.0.19 or later. Custom Windows images might support IMDSv2 if Oracle Cloud Agent is updated to version 1.0.0.0 or later; cloudbase-init does not support IMDSv2.",
|
|
541
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to the OCI Console\n2. Click on the search box at the top of the console and search for compute instance name.\n3. Click on the instance name, In the `Instance Details` section, next to Instance Metadata Service, click `Edit`.\n4. For the `Instance metadata service`, select the `Version 2 only` option.\n5. Click `Save Changes`.\n\nNote : Disabling IMDSv1 on an incompatible instance may result in connectivity issues upon launch.\nTo re-enable IMDSv1, follow these steps: \n\n1. On the Instance Details page in the Console, click `Edit` next to Instance Metadata Service.\n2. Choose the `Version 1 and version 2` option, and save your changes.\n\n**From CLI:**\n\nRun Below Command,\n\n```\noci compute instance update --instance-id [instance-ocid] --instance-options '{\"areLegacyImdsEndpointsDisabled\" :\"true\"}'\n```\n\nThis will set Instance Metadata Service to use Version 2 Only.",
|
|
542
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to the OCI Console\n2. Select compute instance in your compartment.\n3. Click on each instance name.\n4. In the `Instance Details` section, next to `Instance metadata service` make sure `Version 2 only` is selected.\n\n**From CLI:**\n1. Run command:\n```\nfor region in `oci iam region-subscription list | jq -r '.data[] | .\"region-name\"'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci compute instance list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"instance-options\".\"are-legacy-imds-endpoints-disabled\" == false )'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. No results should be returned",
|
|
543
|
+
"AdditionalInformation": "",
|
|
544
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/gettingmetadata.htm"
|
|
545
|
+
}
|
|
546
|
+
]
|
|
547
|
+
},
|
|
548
|
+
{
|
|
549
|
+
"Id": "3.2",
|
|
550
|
+
"Description": "Ensure Secure Boot is enabled on Compute Instance",
|
|
551
|
+
"Checks": [
|
|
552
|
+
"compute_instance_secure_boot_enabled"
|
|
553
|
+
],
|
|
554
|
+
"Attributes": [
|
|
555
|
+
{
|
|
556
|
+
"Section": "3. Compute",
|
|
557
|
+
"Profile": "Level 2",
|
|
558
|
+
"AssessmentStatus": "Automated",
|
|
559
|
+
"Description": "Shielded Instances with Secure Boot enabled prevents unauthorized boot loaders and operating systems from booting. This prevent rootkits, bootkits, and unauthorized software from running before the operating system loads.\nSecure Boot verifies the digital signature of the system's boot software to check its authenticity. The digital signature ensures the operating system has not been tampered with and is from a trusted source.\nWhen the system boots and attempts to execute the software, it will first check the digital signature to ensure validity. If the digital signature is not valid, the system will not allow the software to run.\nSecure Boot is a feature of UEFI(Unified Extensible Firmware Interface) that only allows approved operating systems to boot up.",
|
|
560
|
+
"RationaleStatement": "A Threat Actor with access to the operating system may seek to alter boot components to persist malware or rootkits during system initialization. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components.",
|
|
561
|
+
"ImpactStatement": "An existing instance cannot be changed to a Shielded instance with Secure boot enabled. Shielded Secure Boot not available on all instance shapes and Operating systems. Additionally the following limitations exist:\n\nThus to enable you have to terminate the instance and create a new one. Also, Shielded instances do not support live migration. During an infrastructure maintenance event, Oracle Cloud Infrastructure live migrates supported VM instances from the physical VM host that needs maintenance to a healthy VM host with minimal disruption to running instances. If you enable Secure Boot on an instance, the instance cannot be migrated, because the hardware TPM is not migratable. This may result in an outage because the TPM can't be migrate from a unhealthy host to healthy host.",
|
|
562
|
+
"RemediationProcedure": "Note: Secure Boot facility is available on selected VM images and Shapes in OCI. User have to configure Secured Boot at time of instance creation only.\n\n**From Console:**\n\n1. Navigate to https://cloud.oracle.com/compute/instances\n1. Select the instance from the Audit Procedure\n1. Click `Terminate`.\n1. Determine whether or not to permanently delete instance's attached boot volume.\n1. Click `Terminate instance`.\n1. Click on `Create Instance`.\n1. Select Image and Shape which supports Shielded Instance configuration. Icon for Shield in front of Image/Shape row indicates support of Shielded Instance.\n1. Click on `edit` of Security Blade.\n1. Turn On Shielded Instance, then Turn on the Secure Boot Toggle.\n1. Fill in the rest of the details as per requirements.\n1. Click `Create`.",
|
|
563
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to the OCI Console\n2. Select compute instance in your compartment.\n3. Click on each instance name.\n4. In the `Launch Options` section,\n5. Check if `Secure Boot` is `Enabled`.\n\n**From CLI:**\n\nRun command:\n```\nfor region in `oci iam region-subscription list | jq -r '.data[] | .\"region-name\"'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci compute instance list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"platform-config\" == null or \"platform-config\".\"is-secure-boot-enabled\" == false )'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n\n```\nIn response, check if `platform-config` are not null and `is-secure-boot-enabled` is set to `true`",
|
|
564
|
+
"AdditionalInformation": "",
|
|
565
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm:https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf"
|
|
566
|
+
}
|
|
567
|
+
]
|
|
568
|
+
},
|
|
569
|
+
{
|
|
570
|
+
"Id": "3.3",
|
|
571
|
+
"Description": "Ensure In-transit Encryption is enabled on Compute Instance",
|
|
572
|
+
"Checks": [
|
|
573
|
+
"compute_instance_in_transit_encryption_enabled"
|
|
574
|
+
],
|
|
575
|
+
"Attributes": [
|
|
576
|
+
{
|
|
577
|
+
"Section": "3. Compute",
|
|
578
|
+
"Profile": "Level 1",
|
|
579
|
+
"AssessmentStatus": "Automated",
|
|
580
|
+
"Description": "The Block Volume service provides the option to enable in-transit encryption for paravirtualized volume attachments on virtual machine (VM) instances.",
|
|
581
|
+
"RationaleStatement": "All the data moving between the instance and the block volume is transferred over an internal and highly secure network. If you have specific compliance requirements related to the encryption of the data while it is moving between the instance and the block volume, you should enable the in-transit encryption option.",
|
|
582
|
+
"ImpactStatement": "In-transit encryption for boot and block volumes is only available for virtual machine (VM) instances launched from platform images, along with bare metal instances that use the following shapes: BM.Standard.E3.128, BM.Standard.E4.128, BM.DenseIO.E4.128. It is not supported on other bare metal instances.",
|
|
583
|
+
"RemediationProcedure": "**From Console:**\n1. Navigate to https://cloud.oracle.com/compute/instances\n1. Select the instance from the Audit Procedure\n1. Click `Terminate`.\n1. Determine whether or not to permanently delete instance's attached boot volume.\n1. Click `Terminate instance`.\n1. Click on `Create Instance`.\n1. Fill in the details as per requirements.\n1. In the `Boot volume` section ensure `Use in-transit encryption` is checked.\n1. Fill in the rest of the details as per requirements.\n1. Click `Create`.",
|
|
584
|
+
"AuditProcedure": "**From Console:**\n1. Go to [https://cloud.oracle.com/compute/instances](https://cloud.oracle.com/compute/instances)\n2. Select compute instance in your compartment.\n3. Click on each instance name.\n4. Click on `Boot volume` on the bottom left.\n5. Under the `In-transit encryption` column make sure it is `Enabled`\n\n**From CLI:**\n1. Execute the following:\n```\nfor region in `oci iam region-subscription list | jq -r '.data[] | .\"region-name\"'`;\n do\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n output=`oci compute instance list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | select(.\"launch-options\".\"is-pv-encryption-in-transit-enabled\" == false )'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. Ensure no results are returned",
|
|
585
|
+
"AdditionalInformation": "",
|
|
586
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/overview.htm#BlockVolumeEncryption__intransit"
|
|
587
|
+
}
|
|
588
|
+
]
|
|
589
|
+
},
|
|
590
|
+
{
|
|
591
|
+
"Id": "4.1",
|
|
592
|
+
"Description": "Ensure default tags are used on resources",
|
|
593
|
+
"Checks": [],
|
|
594
|
+
"Attributes": [
|
|
595
|
+
{
|
|
596
|
+
"Section": "4. Logging and Monitoring",
|
|
597
|
+
"Profile": "Level 1",
|
|
598
|
+
"AssessmentStatus": "Automated",
|
|
599
|
+
"Description": "Using default tags is a way to ensure all resources that support tags are tagged during creation. Tags can be based on static or computed values. It is recommended to set up default tags early after root compartment creation to ensure all created resources will get tagged.\nTags are scoped to Compartments and are inherited by Child Compartments. The recommendation is to create default tags like “CreatedBy” at the Root Compartment level to ensure all resources get tagged.\nWhen using Tags it is important to ensure that Tag Namespaces are protected by IAM Policies otherwise this will allow users to change tags or tag values.\nDepending on the age of the OCI Tenancy there may already be Tag defaults setup at the Root Level and no need for further action to implement this action.",
|
|
600
|
+
"RationaleStatement": "In the case of an incident having default tags like “CreatedBy” applied will provide info on who created the resource without having to search the Audit logs.",
|
|
601
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features.",
|
|
602
|
+
"RemediationProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. From the navigation menu, select `Governance & Administration`.\n3. Under `Tenancy Management`, select `Tag Namespaces`.\n4. Under `Compartment`, select the root compartment.\n5. If no tag namespace exists, click `Create Tag Namespace`, enter a name and description and click `Create Tag Namespace`.\n6. Click the name of a tag namespace.\n7. Click `Create Tag Key Definition`.\n8. Enter a tag key (e.g. CreatedBy) and description, and click `Create Tag Key Definition`.\n9. From the navigation menu, select `Identity & Security`.\n10. Under `Identity`, select `Compartments`.\n11. Click the name of the root compartment.\n12. Under `Resources`, select `Tag Defaults`.\n13. Click `Create Tag Default`.\n14. Select a tag namespace, tag key, and enter `${iam.principal.name}` as the tag value.\n15. Click `Create`.\n\n**From CLI:**\n\n1. Create a Tag Namespace in the Root Compartment\n```\noci iam tag-namespace create --compartment-id=<tenancy_ocid> --name=<name> --description=<description> --query data.{\"\\\"Tag Namespace OCID\\\":id\"} --output table\n```\n2. Note the Tag Namespace OCID and use it when creating the Tag Key Definition\n```\noci iam tag create --tag-namespace-id=<tag_namespace_ocid> --name=<tag_key_name> --description=<description> --query data.{\"\\\"Tag Key Definition OCID\\\":id\"} --output table\n```\n3. Note the Tag Key Definition OCID and use it when creating the Tag Default in the Root compartment\n```\noci iam tag-default create --compartment-id=<tenancy_ocid> --tag-definition-id=<tag_key_definition_id> --value=\"\\${iam.principal.name}\"\n```",
|
|
603
|
+
"AuditProcedure": "**From Console:**\n\n1. Login to OCI Console.\n2. From the navigation menu, select `Identity & Security`.\n3. Under `Identity`, select `Compartments`.\n4. Click the name of the root compartment.\n5. Under `Resources`, select `Tag Defaults`.\n6. In the `Tag Defaults` table, verify that there is a Tag with a value of `${iam.principal.name}` and a Tag Key Status of `Active`.\n\nNote: \nThe name of the tag may be different then “CreatedBy” if the Tenancy Administrator has decided to use another tag.\n\n**From CLI:**\n\n1. List the active tag defaults defined at the Root compartment level by using the Tenancy OCID as compartment id.\nNote: The Tenancy OCID can be found in the `~/.oci/config` file used by the OCI Command Line Tool\n```\noci iam tag-default list --compartment-id=<tenancy_ocid> --query=\"data [?\\\"lifecycle-state\\\"=='ACTIVE']\".{\"name:\\\"tag-definition-name\\\",\"value:value\"\"} --output table\n```\n2. Verify in the table returned that there is at least one row that contains the value of `${iam.principal.name}`.",
|
|
604
|
+
"AdditionalInformation": "'- There is no requirement to use the “Oracle-Tags” namespace to implement this control.\n A Tag Namespace Administrator can create any namespace and use it for this control.",
|
|
605
|
+
"References": ""
|
|
606
|
+
}
|
|
607
|
+
]
|
|
608
|
+
},
|
|
609
|
+
{
|
|
610
|
+
"Id": "4.2",
|
|
611
|
+
"Description": "Create at least one notification topic and subscription to receive monitoring alerts",
|
|
612
|
+
"Checks": [
|
|
613
|
+
"events_notification_topic_and_subscription_exists"
|
|
614
|
+
],
|
|
615
|
+
"Attributes": [
|
|
616
|
+
{
|
|
617
|
+
"Section": "4. Logging and Monitoring",
|
|
618
|
+
"Profile": "Level 1",
|
|
619
|
+
"AssessmentStatus": "Automated",
|
|
620
|
+
"Description": "Notifications provide a multi-channel messaging service that allow users and applications to be notified of events of interest occurring within OCI. Messages can be sent via eMail, HTTPs, PagerDuty, Slack or the OCI Function service. Some channels, such as eMail require confirmation of the subscription before it becomes active.",
|
|
621
|
+
"RationaleStatement": "Creating one or more notification topics allow administrators to be notified of relevant changes made to OCI infrastructure.",
|
|
622
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
623
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the Notifications Service page: [https://console.us-ashburn-1.oraclecloud.com/notification/topics](https://console.us-ashburn-1.oraclecloud.com/notification/topics)\n2. Select the `Compartment` that hosts the notifications\n3. Click `Create Topic`\n4. Set the `name` to something relevant\n5. Set the `description` to describe the purpose of the topic\n6. Click `Create`\n7. Click the newly created topic\n8. Click `Create Subscription`\n9. Choose the correct `protocol`\n10. Complete the correct parameter, for instance `email` address\n11. Click `Create`\n\n**From CLI:**\n1. Create a topic in a compartment\n```\noci ons topic create --name <topic name> --description <topic description> --compartment-id <compartment OCID>\n```\n2. Note the `OCID` of the `topic` using the `topic-id` field of the returned JSON and use it to create a new subscription\n```\noci ons subscription create --compartment-id <compartment OCID> --topic-id <topic OCID> --protocol <protocol> --subscription-endpoint <subscription endpoint>\n```\n3. The returned JSON includes the id of the `subscription`.",
|
|
624
|
+
"AuditProcedure": "**From Console:**\n\n1. Go to the Notifications Service page: [https://console.us-ashburn-1.oraclecloud.com/notification/topics](https://console.us-ashburn-1.oraclecloud.com/notification/topics)\n2. Select the `Compartment` that hosts the notifications\n3. Find and click the `Topic` relevant to your monitoring alerts.\n4. Ensure a valid active subscription is shown.\n\n**From CLI:** \n1. List the topics in the `Compartment` that hosts the notifications\n```\noci ons topic list --compartment-id <compartment OCID> --all\n```\n2. Note the `OCID` of the monitoring topic(s) using the `topic-id` field of the returned JSON and use it to list the subscriptions\n```\noci ons subscription list --compartment-id <compartment OCID> --topic-id <topic OCID> --all\n```\n3. Ensure at least one active subscription is returned",
|
|
625
|
+
"AdditionalInformation": "'- The console URL shown is for the Ashburn region. Your tenancy might have a different home region and thus console URL.\n- The same Notification topic can be reused by many Events. A single topic can have multiple subscriptions allowing the same topic to be published to multiple locations.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
626
|
+
"References": ""
|
|
627
|
+
}
|
|
628
|
+
]
|
|
629
|
+
},
|
|
630
|
+
{
|
|
631
|
+
"Id": "4.3",
|
|
632
|
+
"Description": "Ensure a notification is configured for Identity Provider changes",
|
|
633
|
+
"Checks": [
|
|
634
|
+
"events_rule_identity_provider_changes"
|
|
635
|
+
],
|
|
636
|
+
"Attributes": [
|
|
637
|
+
{
|
|
638
|
+
"Section": "4. Logging and Monitoring",
|
|
639
|
+
"Profile": "Level 1",
|
|
640
|
+
"AssessmentStatus": "Automated",
|
|
641
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Providers are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.",
|
|
642
|
+
"RationaleStatement": "OCI Identity Providers allow management of User ID / passwords in external systems and use of those credentials to access OCI resources. Identity Providers allow users to single sign-on to OCI console and have other OCI credentials like API Keys.\nMonitoring and alerting on changes to Identity Providers will help in identifying changes to the security posture.",
|
|
643
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
644
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Identity Provider – Create`, `Identity Provider - Delete and Identity Provider – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.identitycontrolplane.createidentityprovider\\\",\\\" com.oraclecloud.identitycontrolplane.deleteidentityprovider\\\",\\\" com.oraclecloud.identitycontrolplane.updateidentityprovider\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
645
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Identity Provider` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Identity` and Event Types: `Identity Provider – Create`, `Identity Provider - Delete` and `Identity Provider – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:** \n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitycontrolplane.createidentityprovider\ncom.oraclecloud.identitycontrolplane.deleteidentityprovider\ncom.oraclecloud.identitycontrolplane.updateidentityprovider\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
646
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
647
|
+
"References": ""
|
|
648
|
+
}
|
|
649
|
+
]
|
|
650
|
+
},
|
|
651
|
+
{
|
|
652
|
+
"Id": "4.4",
|
|
653
|
+
"Description": "Ensure a notification is configured for IdP group mapping changes",
|
|
654
|
+
"Checks": [
|
|
655
|
+
"events_rule_idp_group_mapping_changes"
|
|
656
|
+
],
|
|
657
|
+
"Attributes": [
|
|
658
|
+
{
|
|
659
|
+
"Section": "4. Logging and Monitoring",
|
|
660
|
+
"Profile": "Level 1",
|
|
661
|
+
"AssessmentStatus": "Automated",
|
|
662
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Identity Provider Group Mappings are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.",
|
|
663
|
+
"RationaleStatement": "IAM Policies govern access to all resources within an OCI Tenancy. IAM Policies use OCI Groups for assigning the privileges. Identity Provider Groups could be mapped to OCI Groups to assign privileges to federated users in OCI. Monitoring and alerting on changes to Identity Provider Group mappings will help in identifying changes to the security posture.",
|
|
664
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
665
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Idp Group Mapping – Create`, `Idp Group Mapping – Delete` and `Idp Group Mapping – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.identitycontrolplane.createidpgroupmapping\\\",\\\"com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\\\",\\\"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
666
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Idp Group Mapping` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Identity` and Event Types: `Idp Group Mapping – Create`, `Idp Group Mapping – Delete` and `Idp Group Mapping – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:** \n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<displa-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitycontrolplane.createidpgroupmapping\ncom.oraclecloud.identitycontrolplane.deleteidpgroupmapping\ncom.oraclecloud.identitycontrolplane.updateidpgroupmapping\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
667
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
668
|
+
"References": ""
|
|
669
|
+
}
|
|
670
|
+
]
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"Id": "4.5",
|
|
674
|
+
"Description": "Ensure a notification is configured for IAM group changes",
|
|
675
|
+
"Checks": [
|
|
676
|
+
"events_rule_iam_group_changes"
|
|
677
|
+
],
|
|
678
|
+
"Attributes": [
|
|
679
|
+
{
|
|
680
|
+
"Section": "4. Logging and Monitoring",
|
|
681
|
+
"Profile": "Level 1",
|
|
682
|
+
"AssessmentStatus": "Automated",
|
|
683
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
684
|
+
"RationaleStatement": "IAM Groups control access to all resources within an OCI Tenancy. \nMonitoring and alerting on changes to IAM Groups will help in identifying changes to satisfy least privilege principle.",
|
|
685
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
686
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Group – Create`, `Group – Delete` and `Group – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\": \"{\\\"eventType\\\":[\\\"com.oraclecloud.identitycontrolplane.creategroup\\\",\\\"com.oraclecloud.identitycontrolplane.deletegroup\\\",\\\"com.oraclecloud.identitycontrolplane.updategroup\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
687
|
+
"AuditProcedure": "**From Console:**\n1. Go to the `Events Service` page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles IAM `Group` Changes\n4. Click the `Edit Rule` button and verify that the `Rule Conditions` section contains a condition for the Service `Identity` and Event Types: `Group – Create`, `Group – Delete` and `Group – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on `Display Name` and `Compartment OCID`\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitycontrolplane.creategroup\ncom.oraclecloud.identitycontrolplane.deletegroup\ncom.oraclecloud.identitycontrolplane.updategroup\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is ONS and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
688
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
689
|
+
"References": ""
|
|
690
|
+
}
|
|
691
|
+
]
|
|
692
|
+
},
|
|
693
|
+
{
|
|
694
|
+
"Id": "4.6",
|
|
695
|
+
"Description": "Ensure a notification is configured for IAM policy changes",
|
|
696
|
+
"Checks": [
|
|
697
|
+
"events_rule_iam_policy_changes"
|
|
698
|
+
],
|
|
699
|
+
"Attributes": [
|
|
700
|
+
{
|
|
701
|
+
"Section": "4. Logging and Monitoring",
|
|
702
|
+
"Profile": "Level 1",
|
|
703
|
+
"AssessmentStatus": "Automated",
|
|
704
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Policies are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
705
|
+
"RationaleStatement": "IAM Policies govern access to all resources within an OCI Tenancy. \nMonitoring and alerting on changes to IAM policies will help in identifying changes to the security posture.",
|
|
706
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
707
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting `Policy – Change Compartment`, `Policy – Create`, `Policy - Delete` and `Policy – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.identitycontrolplane.createpolicy\\\",\\\"com.oraclecloud.identitycontrolplane.deletepolicy\\\",\\\"com.oraclecloud.identitycontrolplane.updatepolicy\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
708
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `IAM Policy` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Identity` and Event Types: `Policy – Create`, ` Policy - Delete` and `Policy – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:** \n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitycontrolplane.createpolicy\ncom.oraclecloud.identitycontrolplane.deletepolicy\ncom.oraclecloud.identitycontrolplane.updatepolicy\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
709
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
710
|
+
"References": ""
|
|
711
|
+
}
|
|
712
|
+
]
|
|
713
|
+
},
|
|
714
|
+
{
|
|
715
|
+
"Id": "4.7",
|
|
716
|
+
"Description": "Ensure a notification is configured for user changes",
|
|
717
|
+
"Checks": [
|
|
718
|
+
"events_rule_user_changes"
|
|
719
|
+
],
|
|
720
|
+
"Attributes": [
|
|
721
|
+
{
|
|
722
|
+
"Section": "4. Logging and Monitoring",
|
|
723
|
+
"Profile": "Level 1",
|
|
724
|
+
"AssessmentStatus": "Automated",
|
|
725
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when IAM Users are created, updated, deleted, capabilities updated, or state updated. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
726
|
+
"RationaleStatement": "Users use or manage Oracle Cloud Infrastructure resources. \nMonitoring and alerting on changes to Users will help in identifying changes to the security posture.",
|
|
727
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
728
|
+
"RemediationProcedure": "**From Console:**\n1. Using the search box to navigate to `events`\n2. Navigate to the `rules` page\n3. Select the `compartment` that should host the rule\n4. Click `Create Rule`\n5. Provide a `Display Name` and `Description`\n6. Create a Rule Condition by selecting `Identity` in the Service Name Drop-down and selecting:\n`User – Create`, \n`User – Delete`, \n`User – Update`, \n`User Capabilities – Update`,\n`User State – Update` \n7. In the `Actions` section select `Notifications` as Action Type\n8. Select the `Compartment` that hosts the Topic to be used.\n9. Select the `Topic` to be used\n10. Optionally add Tags to the Rule\n11. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\": \"{\\\"eventType\\\":[\\\"com.oraclecloud.identitycontrolplane.createuser\\\",\\\"com.oraclecloud.identitycontrolplane.deleteuser\\\",\\\"com.oraclecloud.identitycontrolplane.updateuser\\\",\\\"com.oraclecloud.identitycontrolplane.updateusercapabilities\\\",\\\"com.oraclecloud.identitycontrolplane.updateuserstate\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. 
Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
729
|
+
"AuditProcedure": "**From Console:**\n1. Using the search box to navigate to `events`\n2. Navigate to the `rules` page\n3. Select the `Compartment` that hosts the rules\n4. Find and click the `Rule` that handles `IAM User` Changes\n5. Click the `Edit Rule` button and verify that the `Rule Conditions` section contains a condition for the Service `Identity` and Event Types: \n`User – Create`, \n`User – Delete`, \n`User – Update`, \n`User Capabilities – Update`,\n`User State – Update` \n6. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on `Display Name` and `Compartment OCID`\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitycontrolplane.createuser\ncom.oraclecloud.identitycontrolplane.deleteuser\ncom.oraclecloud.identitycontrolplane.updateuser\ncom.oraclecloud.identitycontrolplane.updateusercapabilities\ncom.oraclecloud.identitycontrolplane.updateuserstate\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is ONS and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
730
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
731
|
+
"References": ""
|
|
732
|
+
}
|
|
733
|
+
]
|
|
734
|
+
},
|
|
735
|
+
{
|
|
736
|
+
"Id": "4.8",
|
|
737
|
+
"Description": "Ensure a notification is configured for VCN changes",
|
|
738
|
+
"Checks": [
|
|
739
|
+
"events_rule_vcn_changes"
|
|
740
|
+
],
|
|
741
|
+
"Attributes": [
|
|
742
|
+
{
|
|
743
|
+
"Section": "4. Logging and Monitoring",
|
|
744
|
+
"Profile": "Level 1",
|
|
745
|
+
"AssessmentStatus": "Automated",
|
|
746
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Virtual Cloud Networks are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
747
|
+
"RationaleStatement": "Virtual Cloud Networks (VCNs) closely resembles a traditional network. \nMonitoring and alerting on changes to VCNs will help in identifying changes to the security posture.",
|
|
748
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
749
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Networking` in the Service Name Drop-down and selecting `VCN – Create`, ` VCN - Delete and VCN – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.virtualnetwork.createvcn\\\",\\\"com.oraclecloud.virtualnetwork.deletevcn\\\",\\\"com.oraclecloud.virtualnetwork.updatevcn\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
750
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `VCN` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Networking` and Event Types: `VCN – Create`, ` VCN - Delete and VCN – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.virtualnetwork.createvcn\ncom.oraclecloud.virtualnetwork.deletevcn\ncom.oraclecloud.virtualnetwork.updatevcn\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
751
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
752
|
+
"References": ""
|
|
753
|
+
}
|
|
754
|
+
]
|
|
755
|
+
},
|
|
756
|
+
{
|
|
757
|
+
"Id": "4.9",
|
|
758
|
+
"Description": "Ensure a notification is configured for changes to route tables",
|
|
759
|
+
"Checks": [
|
|
760
|
+
"events_rule_route_table_changes"
|
|
761
|
+
],
|
|
762
|
+
"Attributes": [
|
|
763
|
+
{
|
|
764
|
+
"Section": "4. Logging and Monitoring",
|
|
765
|
+
"Profile": "Level 1",
|
|
766
|
+
"AssessmentStatus": "Automated",
|
|
767
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when route tables are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
768
|
+
"RationaleStatement": "Route tables control traffic flowing to or from Virtual Cloud Networks and Subnets. \nMonitoring and alerting on changes to route tables will help in identifying changes these traffic flows.",
|
|
769
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
770
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Networking` in the Service Name Drop-down and selecting `Route Table – Change Compartment`, `Route Table – Create`, `Route Table - Delete` and `Route Table – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.virtualnetwork.changeroutetablecompartment\\\",\\\"com.oraclecloud.virtualnetwork.createroutetable\\\",\\\"com.oraclecloud.virtualnetwork.deleteroutetable\\\",\\\"com.oraclecloud.virtualnetwork.updateroutetable\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. 
Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
771
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Route Table` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Networking` and Event Types: `Route Table – Change Compartment`, `Route Table – Create`, ` Route Table - Delete` and `Route Table - Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.virtualnetwork.changeroutetablecompartment\ncom.oraclecloud.virtualnetwork.createroutetable\ncom.oraclecloud.virtualnetwork.deleteroutetable\ncom.oraclecloud.virtualnetwork.updateroutetable\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
772
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
773
|
+
"References": ""
|
|
774
|
+
}
|
|
775
|
+
]
|
|
776
|
+
},
|
|
777
|
+
{
|
|
778
|
+
"Id": "4.10",
|
|
779
|
+
"Description": "Ensure a notification is configured for security list changes",
|
|
780
|
+
"Checks": [
|
|
781
|
+
"events_rule_security_list_changes"
|
|
782
|
+
],
|
|
783
|
+
"Attributes": [
|
|
784
|
+
{
|
|
785
|
+
"Section": "4. Logging and Monitoring",
|
|
786
|
+
"Profile": "Level 1",
|
|
787
|
+
"AssessmentStatus": "Automated",
|
|
788
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when security lists are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
789
|
+
"RationaleStatement": "Security Lists control traffic flowing into and out of Subnets within a Virtual Cloud Network. \nMonitoring and alerting on changes to Security Lists will help in identifying changes to these security controls.",
|
|
790
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
791
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Networking` in the Service Name Drop-down and selecting `Security List – Change Compartment`, `Security List – Create`, `Security List - Delete` and `Security List – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic-id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.virtualnetwork.changesecuritylistcompartment\\\",\\\"com.oraclecloud.virtualnetwork.createsecuritylist\\\",\\\"com.oraclecloud.virtualnetwork.deletesecuritylist\\\",\\\"com.oraclecloud.virtualnetwork.updatesecuritylist\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. 
Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
792
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Security List` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Networking` and Event Types: `Security List – Change Compartment`, `Security List – Create`, `Security List - Delete` and `Security List – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-ocid>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.virtualnetwork.changesecuritylistcompartment\ncom.oraclecloud.virtualnetwork.createsecuritylist\ncom.oraclecloud.virtualnetwork.deletesecuritylist\ncom.oraclecloud.virtualnetwork.updatesecuritylist\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
793
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
794
|
+
"References": ""
|
|
795
|
+
}
|
|
796
|
+
]
|
|
797
|
+
},
|
|
798
|
+
{
|
|
799
|
+
"Id": "4.11",
|
|
800
|
+
"Description": "Ensure a notification is configured for network security group changes",
|
|
801
|
+
"Checks": [
|
|
802
|
+
"events_rule_network_security_group_changes"
|
|
803
|
+
],
|
|
804
|
+
"Attributes": [
|
|
805
|
+
{
|
|
806
|
+
"Section": "4. Logging and Monitoring",
|
|
807
|
+
"Profile": "Level 1",
|
|
808
|
+
"AssessmentStatus": "Automated",
|
|
809
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when network security groups are created, updated or deleted. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
810
|
+
"RationaleStatement": "Network Security Groups control traffic flowing between Virtual Network Cards attached to Compute instances. \nMonitoring and alerting on changes to Network Security Groups will help in identifying changes these security controls.",
|
|
811
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
812
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Networking` in the Service Name Drop-down and selecting `Network Security Group – Change Compartment`, `Network Security Group – Create`, `Network Security Group - Delete` and `Network Security Group – Update`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\": {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }\n ]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment\\\",\\\"com.oraclecloud.virtualnetwork.createnetworksecuritygroup\\\",\\\"com.oraclecloud.virtualnetwork.deletenetworksecuritygroup\\\",\\\"com.oraclecloud.virtualnetwork.updatenetworksecuritygroup\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. 
Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
813
|
+
"AuditProcedure": "**From Console:**\n\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Network Security Group` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Networking` and Event Types: `Network Security Group – Change Compartment`, `Network Security Group – Create`, `Network Security Group - Delete` and `Network Security Group – Update`\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display name used>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following conditions are present:\n```\ncom.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment\ncom.oraclecloud.virtualnetwork.createnetworksecuritygroup\ncom.oraclecloud.virtualnetwork.deletenetworksecuritygroup\ncom.oraclecloud.virtualnetwork.updatenetworksecuritygroup\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
814
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
815
|
+
"References": ""
|
|
816
|
+
}
|
|
817
|
+
]
|
|
818
|
+
},
|
|
819
|
+
{
|
|
820
|
+
"Id": "4.12",
|
|
821
|
+
"Description": "Ensure a notification is configured for changes to network gateways",
|
|
822
|
+
"Checks": [
|
|
823
|
+
"events_rule_network_gateway_changes"
|
|
824
|
+
],
|
|
825
|
+
"Attributes": [
|
|
826
|
+
{
|
|
827
|
+
"Section": "4. Logging and Monitoring",
|
|
828
|
+
"Profile": "Level 1",
|
|
829
|
+
"AssessmentStatus": "Automated",
|
|
830
|
+
"Description": "It is recommended to setup an Event Rule and Notification that gets triggered when Network Gateways are created, updated, deleted, attached, detached, or moved. This recommendation includes Internet Gateways, Dynamic Routing Gateways, Service Gateways, Local Peering Gateways, and NAT Gateways. Event Rules are compartment scoped and will detect events in child compartments, it is recommended to create the Event rule at the root compartment level.",
|
|
831
|
+
"RationaleStatement": "Network Gateways act as routers between VCNs and the Internet, Oracle Services Networks, other VCNS, and on-premise networks.\nMonitoring and alerting on changes to Network Gateways will help in identifying changes to the security posture.",
|
|
832
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
833
|
+
"RemediationProcedure": "**From Console:**\n1. Go to the `Events Service` page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Networking` in the Service Name Drop-down and selecting:\n```\nDRG – Create\nDRG – Delete\nDRG – Update\nDRG Attachment – Create\nDRG Attachment – Delete\nDRG Attachment – Update\nInternet Gateway – Create\nInternet Gateway – Delete\nInternet Gateway – Update\nInternet Gateway – Change Compartment\nLocal Peering Gateway – Create\nLocal Peering Gateway – Delete End\nLocal Peering Gateway – Update\nLocal Peering Gateway – Change Compartment\nNAT Gateway – Create\nNAT Gateway – Delete\nNAT Gateway – Update\nNAT Gateway – Change Compartment\nService Gateway – Create\nService Gateway – Delete End\nService Gateway – Update\nService Gateway – Attach Service\nService Gateway – Detach Service\nService Gateway – Change Compartment\n```\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\n**From CLI:**\n\n1. Find the `topic-id` of the topic the Event Rule should use for sending Notifications by using the topic `name` and `Compartment OCID`\n```\noci ons topic list --compartment-id <compartment-ocid> --all --query \"data [?name=='<topic_name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. 
Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\": {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }\n ]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.virtualnetwork.createdrg\\\",\\\"com.oraclecloud.virtualnetwork.deletedrg\\\",\\\"com.oraclecloud.virtualnetwork.updatedrg\\\",\\\"com.oraclecloud.virtualnetwork.createdrgattachment\\\",\\\"com.oraclecloud.virtualnetwork.deletedrgattachment\\\",\\\"com.oraclecloud.virtualnetwork.updatedrgattachment\\\",\\\"com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment\\\",\\\"com.oraclecloud.virtualnetwork.createinternetgateway\\\",\\\"com.oraclecloud.virtualnetwork.deleteinternetgateway\\\",\\\"com.oraclecloud.virtualnetwork.updateinternetgateway\\\",\\\"com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment\\\",\\\"com.oraclecloud.virtualnetwork.createlocalpeeringgateway\\\",\\\"com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end\\\",\\\"com.oraclecloud.virtualnetwork.updatelocalpeeringgateway\\\",\\\"com.oraclecloud.natgateway.changenatgatewaycompartment\\\",\\\"com.oraclecloud.natgateway.createnatgateway\\\",\\\"com.oraclecloud.natgateway.deletenatgateway\\\",\\\"com.oraclecloud.natgateway.updatenatgateway\\\",\\\"com.oraclecloud.servicegateway.attachserviceid\\\",\\\"com.oraclecloud.servicegateway.changeservicegatewaycompartment\\\",\\\"com.oraclecloud.servicegateway.createservicegateway\\\",\\\"com.oraclecloud.servicegateway.deleteservicegateway.end\\\",\\\"com.oraclecloud.servicegateway.detachserviceid\\\",\\\"com.oraclecloud.servicegateway.updateservicegateway\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<compartment-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. 
Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
834
|
+
"AuditProcedure": "**From Console:**\n1. Go to the Events Service page: \n[https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Compartment` that hosts the rules\n3. Find and click the `Rule` that handles `Network Gateways` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleConditions` section contains a condition for the Service `Networking` and Event Types: \n```\nDRG – Create\nDRG – Delete\nDRG – Update\nDRG Attachment – Create\nDRG Attachment – Delete\nDRG Attachment – Update\nInternet Gateway – Create\nInternet Gateway – Delete\nInternet Gateway – Update\nInternet Gateway – Change Compartment\nLocal Peering Gateway – Create\nLocal Peering Gateway – Delete End\nLocal Peering Gateway – Update\nLocal Peering Gateway – Change Compartment\nNAT Gateway – Create\nNAT Gateway – Delete\nNAT Gateway – Update\nNAT Gateway – Change Compartment\nService Gateway – Create\nService Gateway – Delete End\nService Gateway – Update\nService Gateway – Attach Service\nService Gateway – Detach Service\nService Gateway – Change Compartment\n```\n5. Verify that in the `Actions` section the Action Type contains: `Notifications` and that a valid `Topic` is referenced.\n\n**From CLI:**\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id <compartment-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. 
In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.virtualnetwork.createdrg\ncom.oraclecloud.virtualnetwork.deletedrg\ncom.oraclecloud.virtualnetwork.updatedrg\ncom.oraclecloud.virtualnetwork.createdrgattachment\ncom.oraclecloud.virtualnetwork.deletedrgattachment\ncom.oraclecloud.virtualnetwork.updatedrgattachment\ncom.oraclecloud.virtualnetwork.changeinternetgatewaycompartment\ncom.oraclecloud.virtualnetwork.createinternetgateway\ncom.oraclecloud.virtualnetwork.deleteinternetgateway\ncom.oraclecloud.virtualnetwork.updateinternetgateway\ncom.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment\ncom.oraclecloud.virtualnetwork.createlocalpeeringgateway\ncom.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end\ncom.oraclecloud.virtualnetwork.updatelocalpeeringgateway\ncom.oraclecloud.natgateway.changenatgatewaycompartment\ncom.oraclecloud.natgateway.createnatgateway\ncom.oraclecloud.natgateway.deletenatgateway\ncom.oraclecloud.natgateway.updatenatgateway\ncom.oraclecloud.servicegateway.attachserviceid\ncom.oraclecloud.servicegateway.changeservicegatewaycompartment\ncom.oraclecloud.servicegateway.createservicegateway\ncom.oraclecloud.servicegateway.deleteservicegateway.end\ncom.oraclecloud.servicegateway.detachserviceid\ncom.oraclecloud.servicegateway.updateservicegateway\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
835
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
836
|
+
"References": ""
|
|
837
|
+
}
|
|
838
|
+
]
|
|
839
|
+
},
|
|
840
|
+
{
|
|
841
|
+
"Id": "4.13",
|
|
842
|
+
"Description": "Ensure VCN flow logging is enabled for all subnets",
|
|
843
|
+
"Checks": [
|
|
844
|
+
"network_vcn_subnet_flow_logs_enabled"
|
|
845
|
+
],
|
|
846
|
+
"Attributes": [
|
|
847
|
+
{
|
|
848
|
+
"Section": "4. Logging and Monitoring",
|
|
849
|
+
"Profile": "Level 2",
|
|
850
|
+
"AssessmentStatus": "Automated",
|
|
851
|
+
"Description": "VCN flow logs record details about traffic that has been accepted or rejected based on the security list rule.",
|
|
852
|
+
"RationaleStatement": "Enabling VCN flow logs enables you to monitor traffic flowing within your virtual network and can be used to detect anomalous traffic.",
|
|
853
|
+
"ImpactStatement": "Enabling VCN flow logs will not affect the performance of your virtual network but it will generate additional use of object storage that should be controlled via object lifecycle management.\n\nBy default, VCN flow logs are stored for 30 days in object storage. Users can specify a longer retention period.",
|
|
854
|
+
"RemediationProcedure": "**From Console:**\n\nFirst, if a Capture filter has not already been created, create a Capture Filter by the following steps:\n1. Go to the Network Command Center page (https://cloud.oracle.com/networking/network-command-center)\n2. Click 'Capture filters'\n3. Click 'Create Capture filter'\n4. Type a name for the Capture filter in the Name box.\n5. Select 'Flow log capture filter'\n6. For `Sample rating` select `100%`\n7. Scroll to `Rules`\n8. For `Traffic disposition` select `All`\n9. For `Include/Exclude` select `Include`\n10. Level `Source IPv4 CIDR or IPv6 prefix` and `Destination IPv4 CIDR or IPv6 prefix` empty\n11. For `IP protocol` select `Include`\n12. Click `Create Capture filter`\n\nSecond, enable VCN flow logging for your VCN or subnet(s) by the following steps:\n\n1. Go to the Logs page (https://cloud.oracle.com/logging/logs)\n2. Click the `Enable Service Log` button in the middle of the screen.\n3. Select the relevant resource compartment.\n4. Select `Virtual Cloud Networks - Flow logs` from the Service drop down menu.\n5. Select the relevant resource level from the resource drop down menu either `VCN` or `subnet`.\n5. Select the relevant resource from the resource drop down menu.\n6. Select the from the Log Category drop down menu that either `Flow Logs - subnet records` or `Flow Logs - vcn records`.\n7. Select the Capture filter from above\n7. Type a name for your flow logs in the Log Name text box.\n7. Select the Compartment for the Log Location\n8. Select the Log Group for the Log Location or Click `Create New Group` to create a new log group\n8. Click the Enable Log button in the lower left-hand corner.",
|
|
855
|
+
"AuditProcedure": "**From Console (For Logging enabled Flow logs):**\n1. Go to the Virtual Cloud Network (VCN) page (https://cloud.oracle.com/networking/vcns)\n2. Select the Compartment \n3. Click on the name of each VCN\n4. Click on each subnet within the VCN\n5. Under Resources click on Logs or the Monitoring tab\n6. Verify that there is a log enabled for the subnet\n7. Click the `Log Name`\n8. Verify `Flowlogs Capture Filter` is set to `No filter (collecting all logs)`\n9. If there is a Capture filter click the 'Capture Filter Name'\n10. Click `Edit`\n11. Verify Sampling rate is `100%`\n12. Click `Cancel`\n13. Verify there is a in the Rules list that is: `Enabled, Traffic disposition: All, Include/Exclude: Include, Source CIDR: Any, Destination CIDR: Any, IP Protocol: All`\n\n**From Console (For Network Command Center Enabled Flow logs):**\n1. Go to the Network Command Center page (https://cloud.oracle.com/networking/network-command-center)\n2. Click on Flow Logs\n3. Click on the Flow log `Name`\n4. Click `Edit`\n5. Verify Sampling rate is `100%` \n6. Click `Cancel`\n7. Verify there is a in the Rules list that is: `Enabled, Traffic disposition: All, Include/Exclude: Include, Source CIDR: Any, Destination CIDR: Any, IP Protocol: All`",
|
|
856
|
+
"AdditionalInformation": "",
|
|
857
|
+
"References": "https://docs.oracle.com/en/solutions/oci-aggregate-logs-siem/index.html#GUID-601E052A-8A8E-466B-A8A8-2BBBD3B80B6D"
|
|
858
|
+
}
|
|
859
|
+
]
|
|
860
|
+
},
|
|
861
|
+
{
|
|
862
|
+
"Id": "4.14",
|
|
863
|
+
"Description": "Ensure Cloud Guard is enabled in the root compartment of the tenancy",
|
|
864
|
+
"Checks": [
|
|
865
|
+
"cloudguard_enabled"
|
|
866
|
+
],
|
|
867
|
+
"Attributes": [
|
|
868
|
+
{
|
|
869
|
+
"Section": "4. Logging and Monitoring",
|
|
870
|
+
"Profile": "Level 1",
|
|
871
|
+
"AssessmentStatus": "Automated",
|
|
872
|
+
"Description": "Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.",
|
|
873
|
+
"RationaleStatement": "Cloud Guard provides an automated means to monitor a tenancy for resources that are configured in an insecure manner as well as risky network activity from these resources.",
|
|
874
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features, but additional IAM policies will be required.",
|
|
875
|
+
"RemediationProcedure": "**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console.\n2. Click `Cloud Guard` from the \"Services\" submenu.\n3. Click `Enable Cloud Guard`.\n4. Click `Create Policy`.\n5. Click `Next`.\n6. Under `Reporting Region`, select a region.\n7. Under `Compartments To Monitor`, choose `Select Compartment`.\n8. Under `Select Compartments`, select the `root` compartment.\n9. Under `Configuration Detector Recipe`, select `OCI Configuration Detector Recipe (Oracle Managed)`.\n10. Under `Activity Detector Recipe`, select `OCI Activity Detector Recipe (Oracle Managed)`.\n11. Click `Enable`.\n\n**From CLI:**\n1. Create OCI IAM Policy for Cloud Guard\n```\noci iam policy create --compartment-id '<tenancy-id>' --name 'CloudGuardPolicies' --description 'Cloud Guard Access Policy' --statements '[\n \"allow service cloudguard to read vaults in tenancy\",\n \"allow service cloudguard to read keys in tenancy\",\n \"allow service cloudguard to read compartments in tenancy\",\n \"allow service cloudguard to read tenancies in tenancy\",\n \"allow service cloudguard to read audit-events in tenancy\",\n \"allow service cloudguard to read compute-management-family in tenancy\",\n \"allow service cloudguard to read instance-family in tenancy\",\n \"allow service cloudguard to read virtual-network-family in tenancy\",\n \"allow service cloudguard to read volume-family in tenancy\",\n \"allow service cloudguard to read database-family in tenancy\",\n \"allow service cloudguard to read object-family in tenancy\",\n \"allow service cloudguard to read load-balancers in tenancy\",\n \"allow service cloudguard to read users in tenancy\",\n \"allow service cloudguard to read groups in tenancy\",\n \"allow service cloudguard to read policies in tenancy\",\n \"allow service cloudguard to read dynamic-groups in tenancy\",\n \"allow service cloudguard to read authentication-policies in tenancy\"\n ]'\n```\n2. 
Enable Cloud Guard in root compartment\n```\noci cloud-guard configuration update --reporting-region '<region-name>' --compartment-id '<tenancy-id>' --status 'ENABLED'\n```",
|
|
876
|
+
"AuditProcedure": "**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console.\n2. Click `Cloud Guard` from the \"Services\" submenu.\n3. View if `Cloud Guard` is enabled\n\n**From CLI:**\n1. Retrieve the `Cloud Guard` status from the console\n```\noci cloud-guard configuration get --compartment-id <tenancy-ocid> --query 'data.status'\n```\n2. Ensure the returned value is \"ENABLED\"`",
|
|
877
|
+
"AdditionalInformation": "",
|
|
878
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm"
|
|
879
|
+
}
|
|
880
|
+
]
|
|
881
|
+
},
|
|
882
|
+
{
|
|
883
|
+
"Id": "4.15",
|
|
884
|
+
"Description": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
|
|
885
|
+
"Checks": [
|
|
886
|
+
"events_rule_cloudguard_problems"
|
|
887
|
+
],
|
|
888
|
+
"Attributes": [
|
|
889
|
+
{
|
|
890
|
+
"Section": "4. Logging and Monitoring",
|
|
891
|
+
"Profile": "Level 1",
|
|
892
|
+
"AssessmentStatus": "Automated",
|
|
893
|
+
"Description": "Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard generates a Problem. It is recommended to setup an Event Rule and Notification that gets triggered when Oracle Cloud Guard Problems are created, dismissed or remediated. Event Rules are compartment scoped and will detect events in child compartments. It is recommended to create the Event rule at the root compartment level.",
|
|
894
|
+
"RationaleStatement": "Cloud Guard provides an automated means to monitor a tenancy for resources that are configured in an insecure manner as well as risky network activity from these resources. Monitoring and alerting on Problems detected by Cloud Guard will help in identifying changes to the security posture.",
|
|
895
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
896
|
+
"RemediationProcedure": "**From Console:**\n\n1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n1. Select the compartment that should host the rule\n1. Click Create Rule\n1. Provide a Display Name and Description\n1. Create a Rule Condition by selecting Cloud Guard in the Service Name Drop-down and selecting: `Detected – Problem`, `Remediated – Problem`, and `Dismissed - Problem`\n1. In the Actions section select Notifications as Action Type\n1. Select the Compartment that hosts the Topic to be used.\n1. Select the Topic to be used\n1. Optionally add Tags to the Rule\n1. Click Create Rule\n\n**From CLI:**\n\n1. Find the topic-id of the topic the Event Rule should use for sending Notifications by using the topic name and Compartment OCID\n```\noci ons topic list --compartment-id=<compartment OCID> --all --query \"data [?name=='<topic_name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n1. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\" com.oraclecloud.cloudguard.problemdetected\\\",\\\" com.oraclecloud.cloudguard.problemdismissed\\\",\\\" com.oraclecloud.cloudguard.problemremediated\\\"],\\\"data\\\":{}}\",\n \"displayName\": \"<display name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"compartment OCID\"\n}\n```\n1. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n1. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
897
|
+
"AuditProcedure": "**From Console:**\n\n1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n1. Select the Compartment that hosts the rules\n1. Find and click the Rule that handles Cloud Guard Changes (if any)\n1. Click the Edit Rule button and verify that the RuleConditions section contains a condition for the Service Cloud Guard and Event Types: Detected – Problem, Remediated – Problem, and Dismissed - Problem\n1. Verify that in the Actions section the Action Type contains: Notifications and that a valid Topic is referenced.\n\n**From CLI:**\n\n1. Find the OCID of the specific Event Rule based on Display Name and Compartment OCID\n```\noci events rule list --compartment-id=<compartment OCID> --query \"data [?\\\"display-name\\\"=='<display name used>']\".{\"id:id\"} --output table\n```\n1. List the details of a specific Event Rule based on the OCID of the rule.\n1. In the JSON output locate the Conditions key-value pair and verify that the following Conditions are present: \n```\n\"com.oraclecloud.cloudguard.problemdetected\",\"com.oraclecloud.cloudguard.problemdismissed\",\"com.oraclecloud.cloudguard.problemremediated\"\n```\n1. Verify the value of the is-enabled attribute is true\n1. In the JSON output verify that actionType is ONS and locate the topic-id\n1. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id=<topic id> --query data.{\"name:name\"} --output table\n```",
|
|
898
|
+
"AdditionalInformation": "'- Your tenancy might have a different Cloud Reporting region than your home region.\n- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
899
|
+
"References": "https://docs.oracle.com/en-us/iaas/cloud-guard/using/export-notifs-config.htm"
|
|
900
|
+
}
|
|
901
|
+
]
|
|
902
|
+
},
|
|
903
|
+
{
|
|
904
|
+
"Id": "4.16",
|
|
905
|
+
"Description": "Ensure customer created Customer Managed Key (CMK) is rotated at least annually",
|
|
906
|
+
"Checks": [
|
|
907
|
+
"kms_key_rotation_enabled"
|
|
908
|
+
],
|
|
909
|
+
"Attributes": [
|
|
910
|
+
{
|
|
911
|
+
"Section": "4. Logging and Monitoring",
|
|
912
|
+
"Profile": "Level 1",
|
|
913
|
+
"AssessmentStatus": "Automated",
|
|
914
|
+
"Description": "Oracle Cloud Infrastructure Vault securely stores master encryption keys that protect your encrypted data. You can use the Vault service to rotate keys to generate new cryptographic material. Periodically rotating keys limits the amount of data encrypted by one key version.",
|
|
915
|
+
"RationaleStatement": "Rotating keys annually limits the data encrypted under one key version. Key rotation thereby reduces the risk in case a key is ever compromised.",
|
|
916
|
+
"ImpactStatement": "",
|
|
917
|
+
"RemediationProcedure": "**From Console:**\n1. Login into OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Vault`.\n4. Click on the individual Vault under the Name heading.\n5. Click on the menu next to the time created.\n6. Click `Rotate Key`\n\n**From CLI:**\n1. Execute the following:\n```\noci kms management key rotate --key-id <key-ocid> --endpoint <management-endpoint-url>\n```",
|
|
918
|
+
"AuditProcedure": "**From Console:**\n1. Login into OCI Console.\n2. Select `Identity & Security` from the Services menu.\n3. Select `Vault`.\n4. Click on the individual Vault under the Name heading.\n5. Ensure the date of each Master Encryption key under the `Created` column of the Master Encryption key is no more than 365 days old, and that the key is in the `ENABLED` state\n6. Repeat for all Vaults in all compartments\n\n**From CLI:**\n1. Execute the following for each Vault in each compartment\n```\noci kms management key list --compartment-id '<compartment-id>' --endpoint '<management-endpoint-url>' --all --query \"data[*].[\\\"time-created\\\",\\\"display-name\\\",\\\"lifecycle-state\\\"]\"\n```\n2. Ensure the date of the Master Encryption key is no more than 365 days old and is also in the `ENABLED` state.",
|
|
919
|
+
"AdditionalInformation": "",
|
|
920
|
+
"References": ""
|
|
921
|
+
}
|
|
922
|
+
]
|
|
923
|
+
},
|
|
924
|
+
{
|
|
925
|
+
"Id": "4.17",
|
|
926
|
+
"Description": "Ensure write level Object Storage logging is enabled for all buckets",
|
|
927
|
+
"Checks": [
|
|
928
|
+
"objectstorage_bucket_logging_enabled"
|
|
929
|
+
],
|
|
930
|
+
"Attributes": [
|
|
931
|
+
{
|
|
932
|
+
"Section": "4. Logging and Monitoring",
|
|
933
|
+
"Profile": "Level 2",
|
|
934
|
+
"AssessmentStatus": "Automated",
|
|
935
|
+
"Description": "Object Storage write logs will log all write requests made to objects in a bucket.",
|
|
936
|
+
"RationaleStatement": "Enabling an Object Storage write log, the `requestAction` property would contain values of `PUT`, `POST`, or `DELETE`. This will provide you more visibility into changes to objects in your buckets.",
|
|
937
|
+
"ImpactStatement": "There is no performance impact when enabling the above described features, but will generate additional use of object storage that should be controlled via object lifecycle management. \n\nBy default, Object Storage logs are stored for 30 days in object storage. Users can specify a longer retention period.",
|
|
938
|
+
"RemediationProcedure": "**From Console:**\nFirst, if a log group for holding these logs has not already been created, create a log group by the following steps:\n1. Go to the Log Groups page [https://cloud.oracle.com/logging/log-groups](ttps://cloud.oracle.com/logging/log-groups)\n2. Click the Create Log Groups button in the middle of the screen.\n3. Select the relevant compartment to place these logs.\n4. Type a name for the log group in the Name box.\n5. Add an optional description in the Description box.\n6. Click the Create button in the lower left-hand corner.\n\nSecond, enable Object Storage write log logging for your bucket(s) by the following steps:\n\n1. Go to the Logs page [https://cloud.oracle.com/logging/logs](https://cloud.oracle.com/logging/logs)\n2. Click the Enable Service Log button in the middle of the screen.\n3. Select the relevant resource compartment.\n4. Select Object Storage from the Service drop down menu.\n5. Select the relevant bucket from the resource drop down menu.\n6. Select 'Write Access Events` from the Log Category drop down menu.\n7. Type a name for your Object Storage write log in the Log Name drop down menu.\n8. Click the `Enable Log` button in the lower left-hand corner.\n\n**From CLI:**\n\nFirst, if a log group for holding these logs has not already been created, create a log group by the following steps:\n\n1. Create a log group:\n```\noci logging log-group create --compartment-id <compartment-id> --display-name \"<display-name>\" --description \"<description>\"\n```\nThe output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:\n```\noci logging work-request get --work-request-id <work-request-id>\n```\nLook for status filed to be `SUCCEEDED`.\n\nSecond, enable Object Storage write log logging for your bucket(s) by the following steps:\n\n2. 
Get the Log group ID needed for creating the Log:\n```\noci logging log-group list --compartment-id <compartment-id> --query 'data[?contains(\"display-name\", `'\"<display-name>\"'`)].id|join(`\\n`, @)' --raw-output\n```\n3. Create a JSON file called `config.json` with the following content:\n```\n{\n \"compartment-id\":\"<compartment-id>\",\n \"source\": {\n \"resource\": \"<bucket-name.\",\n \"service\": \"ObjectStorage\",\n \"source-type\": \"OCISERVICE\",\n \"category\": \"write\"\n }\n}\n```\nThe compartment-id is the Compartment OCID of where the bucket is exists. The resource value is the bucket name.\n\n4. Create the Service Log:\n```\noci logging log create --log-group-id <log-group-id> --display-name \"<display-name>\" --log-type SERVICE --is-enabled TRUE --configuration file://config.json\n```\n\nThe output of the command gives you a work request id. You can query the work request to see that status of the job by issuing the following command:\n```\noci logging work-request get --work-request-id <work-request-id>\n```\n\nLook for the status filed to be `SUCCEEDED`.",
|
|
939
|
+
"AuditProcedure": "**From Console:**\n1. Log into the OCI console.\n2. Select `Storage` from the Services, and click on `Buckets`.\n3. Click on the individual Bucket under the Name heading.\n4. Click `Logs` from the Resource menu on the left.\n5. Click on the slider under Enable Log in row labeled `Write Access Events`.\n6. Select the Compartment.\n7. Select the Log Group.\n8. Enter a `Log Name`.\n9. Select a Log Retention.\n10. Click `Enable Log`.\n\n**From CLI:**\n1. Find the bucket `name` of the specific bucket.\n```\noci os bucket list --compartment-id <compartment-id>\n```\n2. Find the `OCID` of the Log Group used for `FlowLogs`.\n```\noci logging log-group list --compartment-id <compartment-id> --query \"data [?\\\"display-name\\\"=='<log-group-name>']\"\n```\n3. List the logs associated with the bucket `name` for this bucket\n```\noci logging log list --log-group-id <log-group-id> --query \"data [?configuration.source.resource=='<bucket-name>']\"\n```\n4. Ensure a `log` is listed for this bucket `name`",
|
|
940
|
+
"AdditionalInformation": "",
|
|
941
|
+
"References": ""
|
|
942
|
+
}
|
|
943
|
+
]
|
|
944
|
+
},
|
|
945
|
+
{
|
|
946
|
+
"Id": "4.18",
|
|
947
|
+
"Description": "Ensure a notification is configured for Local OCI User Authentication",
|
|
948
|
+
"Checks": [
|
|
949
|
+
"events_rule_local_user_authentication"
|
|
950
|
+
],
|
|
951
|
+
"Attributes": [
|
|
952
|
+
{
|
|
953
|
+
"Section": "4. Logging and Monitoring",
|
|
954
|
+
"Profile": "Level 1",
|
|
955
|
+
"AssessmentStatus": "Automated",
|
|
956
|
+
"Description": "It is recommended that an Event Rule and Notification be set up when a user in the via OCI local authentication. Event Rules are compartment-scoped and will detect events in child compartments. This Event rule is required to be created at the root compartment level.",
|
|
957
|
+
"RationaleStatement": "Users should rarely use OCI local authenticated and be authenticated via organizational standard Identity providers, not local credentials. Access in this matter would represent a break glass activity and should be monitored to see if changes made impact the security posture.",
|
|
958
|
+
"ImpactStatement": "There is no performance impact when enabling the above-described features but depending on the amount of notifications sent per month there may be a cost associated.",
|
|
959
|
+
"RemediationProcedure": "From Console:\n1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Root compartment` that should host the rule\n3. Click `Create Rule`\n4. Provide a `Display Name` and `Description`\n5. Create a Rule Condition by selecting `Identity SignOn` in the Service Name Drop-down and selecting `Interactive Login`\n6. In the `Actions` section select `Notifications` as Action Type\n7. Select the `Compartment` that hosts the Topic to be used.\n8. Select the `Topic` to be used\n9. Optionally add Tags to the Rule\n10. Click `Create Rule`\n\nFrom CLI:\n1. Find the `topic-id` of the topic the Event Rule should use for sending notifications by using the topic `name` and `Tenancy OCID`\n```\noci ons topic list --compartment-id <tenacy-ocid> --all --query \"data [?name=='<topic-name>']\".{\"name:name,topic_id:\\\"topic-id\\\"\"} --output table\n```\n2. Create a JSON file to be used when creating the Event Rule. Replace topic id, display name, description and compartment OCID.\n```\n{\n \"actions\":\n {\n \"actions\": [\n {\n \"actionType\": \"ONS\",\n \"isEnabled\": true,\n \"topicId\": \"<topic-id>\"\n }]\n },\n \"condition\":\n\"{\\\"eventType\\\":[\\\"com.oraclecloud.identitysignon.interactivelogin\\\",data\\\":{}}\",\n \"displayName\": \"<display-name>\",\n \"description\": \"<description>\",\n \"isEnabled\": true,\n \"compartmentId\": \"<tenancy-ocid>\"\n}\n```\n3. Create the actual event rule\n```\noci events rule create --from-json file://event_rule.json\n```\n4. Note in the JSON returned that it lists the parameters specified in the JSON file provided and that there is an OCID provided for the Event Rule",
|
|
960
|
+
"AuditProcedure": "From Console:\n\n1. Go to the Events Service page: [https://cloud.oracle.com/events/rules](https://cloud.oracle.com/events/rules)\n2. Select the `Root Compartment `that hosts the rules\n3. Click the `Rule` that handles `Identity SignOn` Changes (if any)\n4. Click the `Edit Rule` button and verify that the `RuleCondition`s section contains a condition `Event Type` for the Service `Identity SignOn` and Event Types: `Interactive Login `\n5. On the Action Type contains: `Notifications` and that a valid Topic is referenced.\n\nFrom CLI:\n1. Find the OCID of the specific Event Rule based on Display Name and Tenancy OCID\n```\noci events rule list --compartment-id <tenancy-ocid> --query \"data [?\\\"display-name\\\"=='<display-name>']\".{\"id:id\"} --output table\n```\n2. List the details of a specific Event Rule based on the OCID of the rule.\n```\noci events rule get --rule-id <rule-id>\n```\n3. In the JSON output locate the Conditions key value pair and verify that the following Conditions are present:\n```\ncom.oraclecloud.identitysignon.interactivelogin\n```\n4. Verify the value of the `is-enabled` attribute is `true`\n5. In the JSON output verify that `actionType` is `ONS` and locate the `topic-id`\n6. Verify the correct topic is used by checking the topic name\n```\noci ons topic get --topic-id <topic-id> --query data.{\"name:name\"} --output table\n```",
|
|
961
|
+
"AdditionalInformation": "'- The same Notification topic can be reused by many Event Rules.\n- The generated notification will include an eventID that can be used when querying the Audit Logs in case further investigation is required.",
|
|
962
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Security/Reference/iam_security_topic-IAM_Federation.htm#IAM_Federation"
|
|
963
|
+
}
|
|
964
|
+
]
|
|
965
|
+
},
|
|
966
|
+
{
|
|
967
|
+
"Id": "5.1.1",
|
|
968
|
+
"Description": "Ensure no Object Storage buckets are publicly visible",
|
|
969
|
+
"Checks": [
|
|
970
|
+
"objectstorage_bucket_not_publicly_accessible"
|
|
971
|
+
],
|
|
972
|
+
"Attributes": [
|
|
973
|
+
{
|
|
974
|
+
"Section": "5. Storage",
|
|
975
|
+
"SubSection": "5.1 Object Storage",
|
|
976
|
+
"Profile": "Level 1",
|
|
977
|
+
"AssessmentStatus": "Automated",
|
|
978
|
+
"Description": "A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. By Default a newly created bucket is private. It is recommended that no bucket be publicly accessible.",
|
|
979
|
+
"RationaleStatement": "Removing unfettered reading of objects in a bucket reduces an organization's exposure to data loss.",
|
|
980
|
+
"ImpactStatement": "For updating an existing bucket, care should be taken to ensure objects in the bucket can be accessed through either IAM policies or pre-authenticated requests.",
|
|
981
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above. \n2. For each `bucket` in the returned results, click the Bucket `Display Name`\n3. Click `Edit Visibility`\n3. Select `Private`\n4. Click `Save Changes`\n\n**From CLI:**\n1. Follow the audit procedure\n2. For each of the `buckets` identified, execute the following command:\n```\noci os bucket update --bucket-name <bucket-name> --public-access-type NoPublicAccess\n```",
|
|
982
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console\n2. Click in the search bar at the top of the screen.\n3. Type `Advanced Resource Query` and click `enter`.\n4. Click the `Advanced Resource Query` button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery\nbucket resources\nwhere \n (publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')\n```\n6. Ensure query returns no results\n\n**From CLI:**\n1. Execute the following command:\n```\noci search resource structured-search --query-text \"query \nbucket resources\nwhere \n(publicAccessType == 'ObjectRead') || (publicAccessType == 'ObjectReadWithoutList')\"\n```\n2. Ensure query returns no results\n\n**Cloud Guard**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15. \n\n**From Console:**\n\n1. Type `Cloud Guard` into the Search box at the top of the Console. \n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find Bucket is public in the Detector Rules column.\n6. Verify that the Bucket is public Detector Rule is Enabled.\n\n**From CLI:**\n\n1. Verify the Bucket is public Detector Rule in Cloud Guard is enabled to generate Problems if Object Storage Buckets are configured to be accessible over the public Internet with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule get --detector-recipe-id <insert detector recipe ocid> --detector-rule-id BUCKET_IS_PUBLIC\n```",
|
|
983
|
+
"AdditionalInformation": "",
|
|
984
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm"
|
|
985
|
+
}
|
|
986
|
+
]
|
|
987
|
+
},
|
|
988
|
+
{
|
|
989
|
+
"Id": "5.1.2",
|
|
990
|
+
"Description": "Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK)",
|
|
991
|
+
"Checks": [
|
|
992
|
+
"objectstorage_bucket_encrypted_with_cmk"
|
|
993
|
+
],
|
|
994
|
+
"Attributes": [
|
|
995
|
+
{
|
|
996
|
+
"Section": "5. Storage",
|
|
997
|
+
"SubSection": "5.1 Object Storage",
|
|
998
|
+
"Profile": "Level 2",
|
|
999
|
+
"AssessmentStatus": "Automated",
|
|
1000
|
+
"Description": "Oracle Object Storage buckets support encryption with a Customer Managed Key (CMK). By default, Object Storage buckets are encrypted with an Oracle managed key.",
|
|
1001
|
+
"RationaleStatement": "Encryption of Object Storage buckets with a Customer Managed Key (CMK) provides an additional level of security on your data by allowing you to manage your own encryption key lifecycle management for the bucket.",
|
|
1002
|
+
"ImpactStatement": "Encrypting with a Customer Managed Keys requires a Vault and a Customer Master Key. In addition, you must authorize Object Storage service to use keys on your behalf.\n\nRequired Policy:\n```\nAllow service objectstorage-<region_name>, to use keys in compartment <compartment-id> where target.key.id = '<key_OCID>'\n\n```",
|
|
1003
|
+
"RemediationProcedure": "**From Console:**\n1. Go to [https://cloud.oracle.com/object-storage/buckets\n](https://cloud.oracle.com/object-storage/buckets)\n1. Click on an individual bucket under the Name heading.\n1. Click `Assign` next to `Encryption Key: Oracle managed key`.\n1. Select a `Vault`\n1. Select a `Master Encryption Key`\n1. Click `Assign`\n\n**From CLI:**\n1. Execute the following command\n```\noci os bucket update --bucket-name <bucket-name> --kms-key-id <master-encryption-key-id>\n```",
|
|
1004
|
+
"AuditProcedure": "**From Console:**\n1. Go to [https://cloud.oracle.com/object-storage/buckets\n](https://cloud.oracle.com/object-storage/buckets)\n1. Click on an individual bucket under the Name heading.\n1. Ensure that the `Encryption Key` is not set to `Oracle managed key`.\n1. Repeat for each compartment\n\n**From CLI:**\n1. Execute the following command\n```\noci os bucket get --bucket-name <bucket-name>\n```\n2. Ensure `kms-key-id` is not `null`\n\n**Cloud Guard**\n\nTo Enable Cloud Guard Auditing:\nEnsure Cloud Guard is enabled in the root compartment of the tenancy. For more information about enabling Cloud Guard, please look at the instructions included in Recommendation 3.15. \n\n**From Console:**\n1. Type `Cloud Guard` into the Search box at the top of the Console. \n2. Click `Cloud Guard` from the “Services” submenu.\n3. Click `Detector Recipes` in the Cloud Guard menu.\n4. Click `OCI Configuration Detector Recipe (Oracle Managed)` under the Recipe Name column.\n5. Find Object Storage bucket is encrypted with Oracle-managed key in the Detector Rules column.\n6. Verify that the Object Storage bucket is encrypted with Oracle-managed key Detector Rule is Enabled.\n\n**From CLI:**\n1. Verify the Object Storage bucket is encrypted with Oracle-managed key Detector Rule in Cloud Guard is enabled to generate Problems if Object Storage Buckets are configured without a customer managed key with the following command:\n\n```\noci cloud-guard detector-recipe-detector-rule get --detector-recipe-id <insert detector recipe ocid> --detector-rule-id BUCKET_ENCRYPTED_WITH_ORACLE_MANAGED_KEY\n```",
|
|
1005
|
+
"AdditionalInformation": "",
|
|
1006
|
+
"References": "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-9C0F713E-4C67-43C6-80CA-525A6AB221F1:https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/encryption.htm"
|
|
1007
|
+
}
|
|
1008
|
+
]
|
|
1009
|
+
},
|
|
1010
|
+
{
|
|
1011
|
+
"Id": "5.1.3",
|
|
1012
|
+
"Description": "Ensure Versioning is Enabled for Object Storage Buckets",
|
|
1013
|
+
"Checks": [
|
|
1014
|
+
"objectstorage_bucket_versioning_enabled"
|
|
1015
|
+
],
|
|
1016
|
+
"Attributes": [
|
|
1017
|
+
{
|
|
1018
|
+
"Section": "5. Storage",
|
|
1019
|
+
"SubSection": "5.1 Object Storage",
|
|
1020
|
+
"Profile": "Level 2",
|
|
1021
|
+
"AssessmentStatus": "Automated",
|
|
1022
|
+
"Description": "A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.",
|
|
1023
|
+
"RationaleStatement": "Versioning object storage buckets provides for additional integrity of your data. Management of data integrity is critical to protecting and accessing protected data. Some customers want to identify object storage buckets without versioning in order to apply their own data lifecycle protection and management policy.",
|
|
1024
|
+
"ImpactStatement": "",
|
|
1025
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each bucket in the returned results, click the Bucket Display Name\n3. Click `Edit` next to `Object Versioning: Disabled`\n4. Click `Enable Versioning`\n\n**From CLI:**\n1. Follow the audit procedure\n2. For each of the buckets identified, execute the following command:\n```\noci os bucket update --bucket-name <bucket name> --versioning Enabled\n```",
|
|
1026
|
+
"AuditProcedure": "**From Console:**\n1. Login to OCI Console.\n2. Select `Storage` from the Services menu.\n3. Select `Buckets` from under the `Object Storage & Archive Storage` section.\n4. Click on an individual bucket under the Name heading.\n5. Ensure that the `Object Versioning` is set to Enabled.\n6. Repeat for each compartment\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in $(oci iam region-subscription list --all | jq -r '.data[] | .\"region-name\"')\ndo\n echo \"Enumerating region $region\"\n for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')\n do\n echo \"Enumerating compartment $compid\"\n for bkt in $(oci os bucket list --compartment-id $compid --region $region 2>/dev/null | jq -r '.data[] | .name')\n do\n output=$(oci os bucket get --bucket-name $bkt --region $region 2>/dev/null | jq -r '.data | select(.\"versioning\" == \"Disabled\").name')\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\ndone\n```\n2. Ensure no results are returned.",
|
|
1027
|
+
"AdditionalInformation": "",
|
|
1028
|
+
"References": "https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/usingversioning.htm:https://docs.oracle.com/en-us/iaas/api/#/en/objectstorage/20160918/Bucket/GetBucket"
|
|
1029
|
+
}
|
|
1030
|
+
]
|
|
1031
|
+
},
|
|
1032
|
+
{
|
|
1033
|
+
"Id": "5.2.1",
|
|
1034
|
+
"Description": "Ensure Block Volumes are encrypted with Customer Managed Keys (CMK)",
|
|
1035
|
+
"Checks": [
|
|
1036
|
+
"blockstorage_block_volume_encrypted_with_cmk"
|
|
1037
|
+
],
|
|
1038
|
+
"Attributes": [
|
|
1039
|
+
{
|
|
1040
|
+
"Section": "5. Storage",
|
|
1041
|
+
"SubSection": "5.2 Block Volumes",
|
|
1042
|
+
"Profile": "Level 2",
|
|
1043
|
+
"AssessmentStatus": "Automated",
|
|
1044
|
+
"Description": "Oracle Cloud Infrastructure Block Volume service lets you dynamically provision and manage block storage volumes. By default, the Oracle service manages the keys that encrypt block volumes. Block Volumes can also be encrypted using a customer managed key.\n\nTerminated Block Volumes cannot be recovered and any data on a terminated volume is permanently lost. However, Block Volumes can exist in a terminated state within the OCI Portal and CLI for some time after deleting. As such, any Block Volumes in this state should not be considered when assessing this policy.",
|
|
1045
|
+
"RationaleStatement": "Encryption of block volumes provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify block volumes encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain volumes and then apply their own key lifecycle management to the selected block volumes.",
|
|
1046
|
+
"ImpactStatement": "Encrypting with a Customer Managed Key requires a Vault and a Customer Master Key. In addition, you must authorize the Block Volume service to use the keys you create.\nRequired IAM Policy:\n```\nAllow service blockstorage to use keys in compartment <compartment-id> where target.key.id = '<key_OCID>'\n```",
|
|
1047
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each block volume returned, click the link under Display name.\n3. If the value for `Encryption Key` is `Oracle-managed key`, click `Assign` next to `Oracle-managed key`.\n4. Select a `Vault Compartment` and `Vault`.\n5. Select a `Master Encryption Key Compartment` and `Master Encryption key`.\n6. Click `Assign`.\n\n**From CLI:**\n1. Follow the audit procedure.\n2. For each `boot volume` identified, get the OCID.\n3. Execute the following command:\n```\noci bv volume-kms-key update –volume-id <volume OCID> --kms-key-id <kms key OCID>\n```",
|
|
1048
|
+
"AuditProcedure": "**From Console:**\n1. Login to the OCI Console.\n2. Click the search bar at the top of the screen.\n3. Type 'Advanced Resource Query' and press return.\n4. Click `Advanced resource query`.\n5. Enter the following query in the query box:\n```\nquery volume resources\n```\n6. For each block volume returned, click the link under `Display name`.\n7. Ensure the value for `Encryption Key` is not `Oracle-managed key`.\n8. Repeat for other subscribed regions.\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in $(oci iam region-subscription list --all| jq -r '.data[] | .\"region-name\"')\ndo\n echo \"Enumerating region: $region\"\n for compid in `oci iam compartment list --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'`\n do\n echo \"Enumerating compartment: $compid\"\n for bvid in `oci bv volume list --compartment-id $compid --region $region 2>/dev/null | jq -r '.data[] | select(.\"kms-key-id\" == null).id'`\n do\n output=`oci bv volume get --volume-id $bvid --region $region --query=data.{\"name:\\\"display-name\\\",\"id:id\"\"} --output table 2>/dev/null`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n done\n```\n2. Ensure the query returns no results.",
|
|
1049
|
+
"AdditionalInformation": "",
|
|
1050
|
+
"References": "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-BA1F5A20-8C78-49E3-8183-927F0CC6F6CC:https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/overview.htm"
|
|
1051
|
+
}
|
|
1052
|
+
]
|
|
1053
|
+
},
|
|
1054
|
+
{
|
|
1055
|
+
"Id": "5.2.2",
|
|
1056
|
+
"Description": "Ensure boot volumes are encrypted with Customer Managed Key (CMK)",
|
|
1057
|
+
"Checks": [
|
|
1058
|
+
"blockstorage_boot_volume_encrypted_with_cmk"
|
|
1059
|
+
],
|
|
1060
|
+
"Attributes": [
|
|
1061
|
+
{
|
|
1062
|
+
"Section": "5. Storage",
|
|
1063
|
+
"SubSection": "5.2 Block Volumes",
|
|
1064
|
+
"Profile": "Level 2",
|
|
1065
|
+
"AssessmentStatus": "Automated",
|
|
1066
|
+
"Description": "When you launch a virtual machine (VM) or bare metal instance based on a platform image or custom image, a new boot volume for the instance is created in the same compartment. That boot volume is associated with that instance until you terminate the instance. By default, the Oracle service manages the keys that encrypt this boot volume. Boot Volumes can also be encrypted using a customer managed key.",
|
|
1067
|
+
"RationaleStatement": "Encryption of boot volumes provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify boot volumes encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain boot volumes and then apply their own key lifecycle management to the selected boot volumes.",
|
|
1068
|
+
"ImpactStatement": "Encrypting with a Customer Managed Keys requires a Vault and a Customer Master Key. In addition, you must authorize the Boot Volume service to use the keys you create.\nRequired IAM Policy:\n```\nAllow service Bootstorage to use keys in compartment <compartment-id> where target.key.id = '<key_OCID>'\n```",
|
|
1069
|
+
"RemediationProcedure": "**From Console:**\n1. Follow the audit procedure above.\n2. For each Boot Volume in the returned results, click the Boot Volume name\n3. Click `Assign` next to `Encryption Key`\n4. Select the `Vault Compartment` and `Vault`\n5. Select the `Master Encryption Key Compartment` and `Master Encryption key`\n6. Click `Assign`\n\n**From CLI:**\n1. Follow the audit procedure.\n2. For each `boot volume` identified get its OCID. Execute the following command:\n```\noci bv boot-volume-kms-key update --boot-volume-id <Boot Volume OCID> --kms-key-id <KMS Key OCID>\n```",
|
|
1070
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console\n2. Click in the search bar, top of the screen.\n3. Type Advanced Resource Query and click enter.\n4. Click the `Advanced Resource Query` button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery bootvolume resources\n```\n6. For each boot volume returned click on the link under `Display name`\n7. Ensure `Encryption Key` does not say `Oracle managed key`\n8. Repeat for other subscribed regions\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for bvid in `oci search resource structured-search --region $region --query-text \"query bootvolume resources\" 2>/dev/null | jq -r '.data.items[] | .identifier'`\n do\n output=`oci bv boot-volume get --boot-volume-id $bvid 2>/dev/null | jq -r '.data | select(.\"kms-key-id\" == null).id'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. Ensure query returns no results.",
|
|
1071
|
+
"AdditionalInformation": "",
|
|
1072
|
+
"References": "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-BA1F5A20-8C78-49E3-8183-927F0CC6F6CC"
|
|
1073
|
+
}
|
|
1074
|
+
]
|
|
1075
|
+
},
|
|
1076
|
+
{
|
|
1077
|
+
"Id": "5.3.1",
|
|
1078
|
+
"Description": "Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK)",
|
|
1079
|
+
"Checks": [
|
|
1080
|
+
"filestorage_file_system_encrypted_with_cmk"
|
|
1081
|
+
],
|
|
1082
|
+
"Attributes": [
|
|
1083
|
+
{
|
|
1084
|
+
"Section": "5. Storage",
|
|
1085
|
+
"SubSection": "5.3 File Storage Service",
|
|
1086
|
+
"Profile": "Level 2",
|
|
1087
|
+
"AssessmentStatus": "Automated",
|
|
1088
|
+
"Description": "Oracle Cloud Infrastructure File Storage service (FSS) provides a durable, scalable, secure, enterprise-grade network file system. By default, the Oracle service manages the keys that encrypt FSS file systems. FSS file systems can also be encrypted using a customer managed key.",
|
|
1089
|
+
"RationaleStatement": "Encryption of FSS systems provides an additional level of security for your data. Management of encryption keys is critical to protecting and accessing protected data. Customers should identify FSS file systems that are encrypted with Oracle service managed keys in order to determine if they want to manage the keys for certain FSS file systems and then apply their own key lifecycle management to the selected FSS file systems.",
|
|
1090
|
+
"ImpactStatement": "Encrypting with a Customer Managed Keys requires a Vault and a Customer Master Key. In addition, you must authorize the File Storage service to use the keys you create.\nRequired IAM Policy:\n```\nAllow service FssOc1Prod to use keys in compartment <compartment-id> where target.key.id = '<key_OCID>'\n```",
|
|
1091
|
+
"RemediationProcedure": "From Console:\n1. Follow the audit procedure above.\n2. For each File Storage System in the returned results, click the File System Storage\n3. Click `Edit` next to `Encryption Key`\n4. Select `Encrypt using customer-managed keys`\n5. Select the `Vault Compartment` and `Vault`\n6. Select the `Master Encryption Key Compartment` and `Master Encryption key`\n7. Click `Save Changes`\n\n**From CLI:**\n1. Follow the audit procedure.\n2. For each `File Storage System` identified get its OCID. Execute the following command:\n```\noci bv volume-kms-key update –volume-id <volume OCID> --kms-key-id <kms key OCID>\n```",
|
|
1092
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console\n2. Click in the search bar, top of the screen.\n3. Type Advanced Resource Query and click enter.\n4. Click the `Advanced Resource Query` button in the upper right of the screen.\n5. Enter the following query in the query box:\n```\nquery filesystem resources\n```\n6. For each file storage system returned click on the link under `Display name`\n7. Ensure `Encryption Key` does not say `Oracle-managed key`\n8. Repeat for other subscribed regions\n\n**From CLI:**\n1. Execute the following command:\n```\nfor region in `oci iam region list | jq -r '.data[] | .name'`;\n do\n for fssid in `oci search resource structured-search --region $region --query-text \"query filesystem resources\" 2>/dev/null | jq -r '.data.items[] | .identifier'`\n do\n output=`oci fs file-system get --file-system-id $fssid --region $region 2>/dev/null | jq -r '.data | select(.\"kms-key-id\" == \"\").id'`\n if [ ! -z \"$output\" ]; then echo $output; fi\n done\n done\n```\n2. Ensure query returns no results",
|
|
1093
|
+
"AdditionalInformation": "",
|
|
1094
|
+
"References": "https://docs.oracle.com/en/solutions/oci-best-practices/protect-data-rest1.html#GUID-BA1F5A20-8C78-49E3-8183-927F0CC6F6CC:https://docs.oracle.com/en-us/iaas/Content/File/Concepts/filestorageoverview.htm"
|
|
1095
|
+
}
|
|
1096
|
+
]
|
|
1097
|
+
},
|
|
1098
|
+
{
|
|
1099
|
+
"Id": "6.1",
|
|
1100
|
+
"Description": "Create at least one compartment in your tenancy to store cloud resources",
|
|
1101
|
+
"Checks": [
|
|
1102
|
+
"identity_non_root_compartment_exists"
|
|
1103
|
+
],
|
|
1104
|
+
"Attributes": [
|
|
1105
|
+
{
|
|
1106
|
+
"Section": "6. Asset Management",
|
|
1107
|
+
"Profile": "Level 1",
|
|
1108
|
+
"AssessmentStatus": "Automated",
|
|
1109
|
+
"Description": "When you sign up for Oracle Cloud Infrastructure, Oracle creates your tenancy, which is the root compartment that holds all your cloud resources. You then create additional compartments within the tenancy (root compartment) and corresponding policies to control access to the resources in each compartment. \n\nCompartments allow you to organize and control access to your cloud resources. A compartment is a collection of related resources (such as instances, databases, virtual cloud networks, block volumes) that can be accessed only by certain groups that have been given permission by an administrator.",
|
|
1110
|
+
"RationaleStatement": "Compartments are a logical group that adds an extra layer of isolation, organization and authorization making it harder for unauthorized users to gain access to OCI resources.",
|
|
1111
|
+
"ImpactStatement": "Once the compartment is created an OCI IAM policy must be created to allow a group to resources in the compartment otherwise only group with tenancy access will have access.",
|
|
1112
|
+
"RemediationProcedure": "**From Console:**\n1. Login to OCI Console.\n1. Select `Identity` from the Services menu.\n1. Select `Compartments` from the Identity menu.\n1. Click `Create Compartment`\n1. Enter a `Name`\n1. Enter a `Description`\n1. Select the root compartment as the `Parent Compartment`\n1. Click `Create Compartment`\n\n**From CLI:**\n1. Execute the following command\n```\noci iam compartment create --compartment-id '<tenancy-id>' --name '<compartment-name>' --description '<compartment description>'\n```",
|
|
1113
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console.\n1. Click in the search bar, top of the screen.\n1. Type `Advanced Resource Query` and hit `enter`.\n1. Click the `Advanced Resource Query` button in the upper right of the screen.\n1. Enter the following query in the query box:\n```\nquery\n compartment resources\nwhere \n(compartmentId='<tenancy-id>' && lifecycleState='ACTIVE')\n```\n6. Ensure query returns at least one compartment in addition to the `ManagedCompartmentForPaaS` compartment\n\n**From CLI:**\n1. Execute the following command\n```\noci search resource structured-search --query-text \"query\n compartment resources\nwhere \n(compartmentId='<tenancy-id>' && lifecycleState='ACTIVE')\"\n```\n2. Ensure `items` are returned.",
|
|
1114
|
+
"AdditionalInformation": "",
|
|
1115
|
+
"References": ""
|
|
1116
|
+
}
|
|
1117
|
+
]
|
|
1118
|
+
},
|
|
1119
|
+
{
|
|
1120
|
+
"Id": "6.2",
|
|
1121
|
+
"Description": "Ensure no resources are created in the root compartment",
|
|
1122
|
+
"Checks": [
|
|
1123
|
+
"identity_no_resources_in_root_compartment"
|
|
1124
|
+
],
|
|
1125
|
+
"Attributes": [
|
|
1126
|
+
{
|
|
1127
|
+
"Section": "6. Asset Management",
|
|
1128
|
+
"Profile": "Level 1",
|
|
1129
|
+
"AssessmentStatus": "Automated",
|
|
1130
|
+
"Description": "When you create a cloud resource such as an instance, block volume, or cloud network, you must specify to which compartment you want the resource to belong. Placing resources in the root compartment makes it difficult to organize and isolate those resources.",
|
|
1131
|
+
"RationaleStatement": "Placing resources into a compartment will allow you to organize and have more granular access controls to your cloud resources.",
|
|
1132
|
+
"ImpactStatement": "Placing a resource in a compartment will impact how you write policies to manage access and organize that resource.",
|
|
1133
|
+
"RemediationProcedure": "**From Console:**\n1. Follow audit procedure above.\n2. For each item in the returned results, click the item name.\n3. Then select `Move Resource` or `More Actions` then `Move Resource`.\n4. Select a compartment that is not the root compartment in `CHOOSE NEW COMPARTMENT`.\n5. Click `Move Resource`.\n\n**From CLI:**\n1. Follow the audit procedure above.\n2. For each bucket item execute the below command: \n```\noci os bucket update --bucket-name <bucket-name> --compartment-id <not root compartment-id>\n```\n3. For other resources use the `change-compartment` command for the resource type:\n``` \noci <service-command> <resource-command> change-compartment --<item-id> <item-id> --compartment-id <not root compartment-id>\n```\n\n i. Example for an Autonomous Database:\n\n```\noci db autonomous-database change-compartment --autonomous-database-id <autonmous-database-id> --compartment-id <not root compartment-id>\n```",
|
|
1134
|
+
"AuditProcedure": "**From Console:**\n1. Login into the OCI Console.\n2. Click in the search bar, top of the screen.\n3. Type `Advance Resource Query` and hit `enter`.\n4. Click the `Advanced Resource Query` button in the upper right of the screen.\n5. Enter the following query into the query box:\n```\nquery\n VCN, instance, bootvolume, volume, filesystem, bucket, \nautonomousdatabase, database, dbsystem resources\n where compartmentId = '<tenancy-id>'\n```\n6. Ensure query returns no results.\n\n**From CLI:**\n1. Execute the following command:\n```\noci search resource structured-search --query-text \"query\n VCN, instance, volume, bootvolume, filesystem, bucket, \nautonomousdatabase, database, dbsystem resources\n where compartmentId = '<tenancy-id>'\"\n```\n2. Ensure query return no results.",
|
|
1135
|
+
"AdditionalInformation": "https://docs.cloud.oracle.com/en-us/iaas/Content/GSG/Concepts/settinguptenancy.htm#Understa",
|
|
1136
|
+
"References": ""
|
|
1137
|
+
}
|
|
1138
|
+
]
|
|
1139
|
+
}
|
|
1140
|
+
]
|
|
1141
|
+
}
|