Merge branch 'main' into patch-1

Author: martatolosa

security/security-design/README.md

@@ -1,5 +1,7 @@
 # Security Design
 
+The Cloud Security Design Advisory team is covering end-to-end OCI security topics depending on customers' needs and requirements.
+We are working closely with OCI Domain Specialists (networking, infrastructure security, data management, and observability), to provide the customer the best deep dive expertise, both on Cloud Security and Cloud Solutions.
 
 
 Reviewed: 01.02.2024
@@ -47,7 +49,12 @@ Reviewed: 01.02.2024
 - [Oracle Security](https://www.oracle.com/security/)
     - Protect your most valuable data in the cloud and on-premises with Oracle’s security-first approach. Oracle has decades of experience securing data and applications; Oracle Cloud Infrastructure delivers a more secure cloud to our customers, building trust and protecting their most valuable data.
  - [Oracle Cloud Compliance](https://www.oracle.com/corporate/cloud-compliance/)
-     - Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment. 
+     - Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.
+ - [Security in OCI - OCI Best Practices for security adoption](https://www.oracle.com/cloud/oci-best-practices-guide/#security-on-oci)
+ - [Security Checklist for OCI](https://docs.oracle.com/en/solutions/oci-security-checklist/#GUID-D27BD123-8CFB-49A4-84AF-3546022638CE)
+ - [Zero Trust Security Model](https://www.oracle.com/security/what-is-zero-trust/)
+ - [Cloud Security Documentation](https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security.htm#Security_Guide_and_Announcements)
+ - [OCI Architecture Center](https://www.oracle.com/uk/cloud/architecture-center/)
 
 # License
 

security/security-design/shared-assets/bastion-session-script/README.md

@@ -2,11 +2,13 @@
 
 This shell script can be used to easily connect to the OCI Bastion service based on temporary SSH keys. Authorization is granted based on OCI CLI authentication and OCI Permissions. For OCI CLI authentication both the use of exchanged API keys and session security tokens is supported. This script works also directly on OCI Cloud Shell, however only for Managed SSH Sessions since port forwarding is not supported on OCI Cloud Shell.
 
-## When to use this asset?
+Reviewed: 01.02.2024
 
-Use this shell script if you want to make use of OCI Bastions in a simple and secure way.
+# When to use this asset?
 
-## How to use this asset?
+Use this shell script if you want to make use of OCI Bastions simply and securely.
+
+# How to use this asset?
 
 **Usage: ./bastion-session.sh COMMAND [ARGS]...**
 
@@ -36,9 +38,9 @@ Example:
 | -p, --profile TEXT              | The OCI profile in the config file to load. [default: DEFAULT]|
 | -s, --session TEXT              | The Bastion session name. [default: Bastion-Session]|
 | -t, --ttl INTEGER               | The Bastion session time-to-live in seconds, minimum 1800, maximum 10800. [default: 10800]|
-| -d, --destination-ip IP         | The destination IP Address to be used for Bastion session. [default: the first private ip address of instance]|
-| -e, --destination-port INTEGER  | The destination port to be used for Port Forwarding session. [default: 22]|
-| -l, --local-port INTEGER        | The local port to be used for Port Forwarding session. [defaults to same value as destination port]|
+| -d, --destination-ip IP         | The destination IP Address to be used for the Bastion session. [default: the first private ip address of instance]|
+| -e, --destination-port INTEGER  | The destination port to be used for the Port Forwarding session. [default: 22]|
+| -l, --local-port INTEGER        | The local port to be used for the Port Forwarding session. [defaults to same value as destination port]|
 | -a, --key-alg TEXT              | The algorithm for the SSH key (ssh-keygen) to be used. [default: rsa]|
 | -k, --key-size INTEGER          | The key size for the SSH key (ssh-keygen) to be used. [default: 4096]|
 | -pr, --private-key TEXT         | The private key file to be used when not generating a temporary key pair. [by default not used]|
@@ -49,10 +51,10 @@ Prerequisites:
 
 - The OCI CLI must be installed and configured.
   (See also [https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm))
-- The jq commandline JSON processer must be installed.
+- The jq command-line JSON processer must be installed.
   (See also [https://stedolan.github.io/jq](https://stedolan.github.io/jq))
 
-## License
+# License
 
 Copyright (c) 2024 Oracle and/or its affiliates.
 

security/security-design/shared-assets/fn-datasafe-dbaudit-to-oci-logging/README.md

@@ -2,30 +2,32 @@
 
 Owner: Fabrizio Zarri
 
-Oracle Data Safe is a fully-integrated, regional Cloud service focused on data security. It provides a complete and integrated set of features of the Oracle Cloud Infrastructure (OCI) for protecting sensitive and regulated data in Oracle databases.
+Oracle Data Safe is a fully integrated, regional Cloud service focused on data security. It provides a complete and integrated set of features of the Oracle Cloud Infrastructure (OCI) for protecting sensitive and regulated data in Oracle databases.
 
-Oracle Data Safe delivers essential security services for Oracle Autonomous Database, Exadata Database on Dedicated Infrastructure, Oracle Base Database and Oracle Databases running in OCI. Data Safe also supports on-premises Oracle Databases, Exadata Database on Cloud@Customer, and multicloud deployments. All Oracle Database customers can reduce the risk of a data breach and simplify compliance by using Data Safe to assess configuration and user risk, monitor and audit user activity, and discover, classify, and mask sensitive data.
+Oracle Data Safe delivers essential security services for Oracle Autonomous Database, Exadata Database on Dedicated Infrastructure, Oracle Base Database, and Oracle Databases running in OCI. Data Safe also supports on-premises Oracle Databases, Exadata Database on Cloud@Customer, and multicloud deployments. All Oracle Database customers can reduce the risk of a data breach and simplify compliance by using Data Safe to assess configuration and user risk, monitor and audit user activity, and discover, classify, and mask sensitive data.
 
 Oracle Functions is a serverless, highly scalable, fully managed Functions-as-a-Service platform built on Oracle Cloud Infrastructure and powered by the open-source Fn Project engine. Developers can use Oracle Functions to write and deploy code that delivers business value without worrying about provisioning or managing the underlying infrastructure. Oracle Functions is container-native, with functions packaged as Docker container images.
 
-This Reference Architecture describes OCI Logging based solution for collecting Oracle Datasafe Oracle DB Audit Logs for continuous monitoring and troubleshooting. An OCI Function pulls audit logs from Data Safe REST API Endpoints regularly and ingest them in OCI Logging. 
-From OCI Logging Data Safe DB Audit Logs, can be send to OCI Logging Analytics, external SIEM and OCI Object Storage. See [Design Guidance for SIEM Integration](https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/siem-integration.htm)
+This Reference Architecture describes OCI Logging solution for collecting Oracle Datasafe Oracle DB Audit Logs for continuous monitoring and troubleshooting. An OCI Function pulls audit logs from Data Safe REST API Endpoints regularly and ingests them in OCI Logging. 
+From OCI Logging Data Safe DB Audit Logs, can be sent to OCI Logging Analytics, external SIEM, and OCI Object Storage. See [Design Guidance for SIEM Integration](https://docs.oracle.com/en-us/iaas/Content/cloud-adoption-framework/siem-integration.htm)
 
-## Prerequisites
+Reviewed: 01.02.2024
+
+# Prerequisites
 
 - Configure Data Safe to get Database Audit Events from Oracle DataBase.
 
-- Configure OCI Registry username (your OCI username) and OCI Registry user password (your OCI user authtoken), See [Generating an Auth Token to Enable Login to Oracle Cloud Infrastructure Registry](https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsgenerateauthtokens.htm)
+- Configure the OCI Registry username (your OCI username) and OCI Registry user password (your OCI user auth token), See [Generating an Auth Token to Enable Login to Oracle Cloud Infrastructure Registry](https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsgenerateauthtokens.htm)
 
 - Create and/or Check IAM Policies to permit Oracle Cloud Infrastructure Registry username to push function image in OCI Registry. See [Policies to Control Repository Access](https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registrypolicyrepoaccess.htm)
 
 - Permission to `manage` the following types of resources in your Oracle Cloud Infrastructure tenancy: `IAM policies`, `Dynamic Group`, `vcns`, `services-gateways`, `route-tables`, `security-lists`, `subnets`, `functions`, `Monitor Alarms`, and `Notifications`.
 
-- Quota to create the following resources: 1 VCN, 1 subnets, 1 Service Gateway, 1 route rule, 1 function, 1 dynamic group, 1 policy in root compartment, 1 Monitor Alarm, and 1 Notification Subscription.
+- Quota to create the following resources: 1 VCN, 1 subnet, 1 Service Gateway, 1 route rule, 1 function, 1 dynamic group, 1 policy in root compartment, 1 Monitor Alarm, and 1 Notification Subscription.
 
 If you don't have the required permissions and quota, contact your tenancy administrator. See [Policy Reference](https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm), [Service Limits](https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm), [Compartment Quotas](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/resourcequotas.htm).
 
-## Deploy Using Oracle Resource Manager
+# Deploy Using Oracle Resource Manager
 
 1. Click [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?region=home&zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/fn-datasafe-to-oci-logging/fn-datasafe-dbaudit-to-oci-logging.zip)
 
@@ -47,14 +49,14 @@ If you don't have the required permissions and quota, contact your tenancy admin
 
 ## Deploy Using the Terraform CLI
 
-### Clone the Module
+## Clone the Module
 Now, you'll want a local copy of this repo. You can make that with the commands:
 
     git clone https://github.com/oracle-devrel/technology-engineering.git
     cd security/security-design/fn-datasafe-dbaudit-to-oci-logging
     ls
 
-### Prerequisites
+## Prerequisites
 First off, you'll need to do some pre-deploy setup for Docker and Fn Project inside your machine:
 
 ```
@@ -75,16 +77,16 @@ exit
 OR
 
 you'll use [Oracle Linux Cloud Developer Image](https://docs.oracle.com/en-us/iaas/oracle-linux/developer/index.htm). The Oracle Linux Cloud Developer image provides the latest development tools, languages, and Oracle Cloud Infrastructure Software Development Kits (SDKs) to rapidly deploy, that include Podman instead of Docker.
-The Oracle Linux Cloud Developer image don't include Fn Project but it easy to setup:
+The Oracle Linux Cloud Developer image doesn't include Fn Project but it is easy to setup:
 
 ```
 curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh
 ```
 
-Also, please follow this [note](https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsinstalldocker.htm#Install_Docker_for_Use_with_Oracle_Functions__section_podman_instead_of_docker). By default, Fn Project (and by extension, OCI Functions) assumes the use of Docker to build and deploy function images. However, Fn Project also supports Podman as an alternative to Docker. When using Fn Project CLI version 0.6.12 and above, you can set a configuration setting to specify that you want to use Podman instead of Docker. 
+Also, please follow this [note](https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsinstalldocker.htm#Install_Docker_for_Use_with_Oracle_Functions__section_podman_instead_of_docker). By default, Fn Project (and by extension, OCI Functions) assumes the use of Docker to build and deploy function images. However, the Fn Project also supports Podman as an alternative to Docker. When using Fn Project CLI version 0.6.12 and above, you can set a configuration setting to specify that you want to use Podman instead of Docker. 
 
 
-### Set Up and Configure Terraform
+## Set Up and Configure Terraform
 
 1. Complete the prerequisites described [here](https://github.com/cloud-partners/oci-prerequisites).   
 
@@ -105,7 +107,7 @@ compartment_ocid = "<compartment_ocid>"
 
 # OCIR
 ocir_user_name         = "<ocir_user_name>"  <- OCI Registry username (your OCI username)
-ocir_user_password     = "<ocir_user_password>" <- OCI Registry user password (your OCI user authtoken)
+ocir_user_password     = "<ocir_user_password>" <- OCI Registry user password (your OCI user auth token)
 
 # Deployment name is used in resource names
 deployment_name="<deployment name>"
@@ -114,31 +116,31 @@ deployment_name="<deployment name>"
 
 Please note that the `terraform.tfvars` file will include sensitive information and needs to be protected from unauthorized usage.
 
-### Create the Resources
+## Create the Resources
 Run the following commands:
 
     terraform init
     terraform plan
     terraform apply
 
-### Test the stack 
+## Test the stack 
 
-You can test the stack by login/logout in the DB already integrated with Data Safe that generates DB audit log. The function will load the logs in 1 minutes and you can see it in Logging Console.
-In Logging Console will be present a new Log Group (ex. loggr-test-eu-milan-1-fn_ds_to_ol-d54e) and relative 2 logs:
+You can test the stack by login/logout in the DB already integrated with Data Safe that generates the DB audit log. The function will load the logs in 1 minute and you can see it in Logging Console.
+In the Logging Console will be present a new Log Group (ex. loggr-test-eu-milan-1-fn_ds_to_ol-d54e) and relative 2 logs:
 - Log with data from Data Safe: Log Type Custom (example log name: log-test-eu-milan-1-fn_ds_to_ol-d54e)
 - Log execution function: Log Type Service (example log name: fn-datasafe-dbaudit-test-eu-milan-1-fn_ds_to_ol-d54e)
 
-### Destroy the Deployment
+## Destroy the Deployment
 When you no longer need the deployment, you can run this command to destroy the resources:
 
     terraform destroy
 
-If there is error in destroying the object storage bucket, manually delete the bucket and run "terraform destroy" again.
+If there is an error in destroying the object storage bucket, manually delete the bucket and run "terraform destroy" again.
 
-### Test Environment
+## Test Environment
 We tested the terraform script in [Oracle Linux Cloud Developer Image](https://docs.oracle.com/en-us/iaas/oracle-linux/developer/index.htm) and Oracle Resource Manager. 
 
-### Architecture Diagram
+## Architecture Diagram
 ![](./images/DatasafetoOCILoggingArchitecture.jpg)
 
 # License
@@ -147,4 +149,4 @@ Copyright (c) 2024 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
-See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.