Recommendations 1.5 and 1.6 returns N/A

[G3N1J4L4C]

Recommendations 1.5 (Ensure IAM password policy expires passwords within 365 days) and 1.6 (Ensure IAM password policy prevents password reuse) return N/A even though both are fulfilled.
We get the same result no matter what is written in Password policy.
It's added to non-compliant recommendations, giving false negative.

Also, item 1.7 (Ensure MFA is enabled for all users with a console password) returns false negative for users who never logged in. We forced MFA on tenancy level, but newly created users (or users who never logged in) are marked as non-compliant although they do not have any console passwords created.

Is there a way to improve these 3 items, or some workaround?

[oheimburger]

Thank you for filing this issue.

• For 1.5 and 1.6: I will check the tooling.
• For 1.7: This is correct. If a user has never looged in, chances are that the user credentials can be stolen and and the attacker setup a factor that the real user is not aware of. If that happened the real user cannot login and the attacker can act on the user's behalf.

Dormant users, i.e., users that have never logged in or for some time are a security risk and should be deactivated.

[G3N1J4L4C]

Thank you very much for your reply.

[oheimburger]

I will keep you posted for 1.5 and 1.6.

[oheimburger]

@G3N1J4L4C Does your tenacy have IAM domains? 'N/A' for 1.5 and 1.6 will be shown for OCI tenancies that are not yet migrated to IAM domains.

[G3N1J4L4C]

Yes, all tenancies have IAM all in same region, and all have same result (5+ tenancies).
It's in a region that is not public - eu-jovanovac-1. It's fairly new (less than 2 years), but all tenancies have IAM.

[oheimburger]

Wording is a strange beast. OCI IAM and OCI IAM Domains are two different things. I assume you mean OCI IAM Domains.

Do you run version 241206?

[G3N1J4L4C]

Sorry for being vague... All tenancies in this region have OCI IAM domains. Latest one where we ran CIS benchmark has a Default domain of type "Free" (SS included - removed some data).
Yes, we are using oci-security-health-check-standard-241206.zip from GIT.

[oheimburger]

Thx. The script is using the following URL to determine whether domains are enabled:
https://login.oci.oraclecloud.com/v1/tenantMetadata/<tenancy_name>.

Can you run this and check the flights object's value isHenosisEnabled?

[G3N1J4L4C]

Hello, I had to change login part of the URL (as I said this region is not connected to cloud.oracle.com) so it's now:
https://login.oci.oraclecloud20.com/v1/tenantMetadata/kancelarijaite

Response is as follows (isHenosisEnabled" : true):
{
"tenantV2Enabled" : true,
"bootstrapping" : false,
"tenantInHomeRegion" : false,
"redirectToHomeRegion" : true,
"tenantHomeRegionUrl" : "https://login.eu-jovanovac-1.oraclecloud20.com/",
"tenantSubscribedRegionUrl" : "",
"identityProviders" : [ ],
"flights" : {
"isHenosisEnabled" : true,
"isMigrationBannerEnabled" : false,
"isSoupFallbackLoginEnabled" : false,
"isPostMigrationBannerEnabled" : false
}
}

[oheimburger]

Noted. I filed an internal issue for the script.
Will keep you posted, when fixed.

[G3N1J4L4C]

Great, thank you!

[oheimburger]

This issue should have been fixed in the latest version using a more generic approach. Please verify.