IT AUDIT RUNBOOK for Oracle Cloud Infrastructure (OCI) Tenancy & Operating System Level Audit

Purpose & Scope

Purpose

This runbook provides a structured, repeatable procedure for conducting an IT infrastructure audit of an Oracle Cloud Infrastructure (OCI) tenancy and all associated operating systems (Linux and Windows). The audit evaluates the security posture, access controls, configuration hygiene, compliance readiness, and operational governance of the cloud environment.

NOTE: This runbook is an outline only; it may not be suitable for every OCI tenancy or operating system. The auditor may need to adapt it to the tenancy structure, the level of access granted, and similar factors.

Scope

The following areas are within scope of this audit:

- OCI Tenancy-Level: IAM (users, groups, policies, federation), compartment hierarchy, networking (VCN, subnets, security lists, NSGs, DRG, VPN/FastConnect), compute instances, block/object/file storage, key management (Vault), logging, monitoring, audit trail, cost governance, and tagging.

- Operating System Level (Linux): User and group management, SSH configuration, sudo policies, firewall rules, patch levels, file permissions, cron jobs, kernel parameters, local logging (rsyslog/journald), and service hardening.

- Operating System Level (Windows): Local user accounts, group memberships, RDP configuration, Windows Firewall, Windows Update compliance, audit policies, scheduled tasks, registry hardening, local security policy, and event logging.

The following are explicitly excluded from this audit:

- Application-level audits (web applications, middleware, custom software).

- Database-level audits (Oracle DB, MySQL, PostgreSQL, etc.).

- Third-party SaaS integrations and external identity providers (beyond federation configuration verification).

Audit Standards & Frameworks Referenced

- CIS Oracle Cloud Infrastructure Foundations Benchmark

- CIS Benchmarks for Oracle Linux / RHEL / Ubuntu / Windows Server

- ISO 27001:2022 (Annex A controls where applicable)

- NIST SP 800-53 Rev. 5 (selected controls)

- Cloud Security Alliance (CSA) Cloud Controls Matrix v4

Prerequisites

1.    Obtain read-only OCI Console and API access for the auditor identity (user or instance principal).

2.    Ensure OCI CLI is installed and configured with the correct profile and tenancy OCID.

3.    Obtain SSH/RDP access (read-only or limited privilege) to in-scope compute instances.

4.    Collect a list of all compartments, subscribed regions, and instance inventories in advance.

5.    Confirm that OCI Audit service is enabled and retention period is set (recommended: 365 days).

6.    Prepare a secure evidence repository (encrypted storage or a designated OCI Object Storage bucket with restricted access) for audit artefacts.


OCI Tenancy Audit – Identity & Access Management

Users & API Keys

Objective: Verify that all OCI local users are authorised, API keys are rotated, and inactive accounts are disabled.

1.    List all local users in the tenancy and cross-reference against an authorised user register.

oci iam user list --compartment-id <tenancy_ocid> --all --query "data[*].{Name:\"name\",State:\"lifecycle-state\",Created:\"time-created\"}" --output table

2.    For each user, list API keys and check creation dates; flag keys older than 90 days.

oci iam user api-key list --user-id <user_ocid> --output table

3.    List customer secret keys (S3-compatible credentials) and auth tokens; flag any that are unused or older than policy threshold.

oci iam customer-secret-key list --user-id <user_ocid>

oci iam auth-token list --user-id <user_ocid>

4.    Verify that MFA is enforced for all human users (especially administrators).

oci iam user list --compartment-id <tenancy_ocid> --all --query "data[?\"is-mfa-activated\"==\`false\`].{Name:name,MFA:\"is-mfa-activated\"}" --output table

5.    Document any service accounts; confirm they have minimal required permissions and no console passwords.

Audit Check                | Command / Method            | Evidence to Collect
User inventory             | oci iam user list           | Screenshot / JSON export
API key age > 90 days      | oci iam user api-key list   | List with creation timestamps
MFA enforcement            | oci iam user list (filter)  | Users with MFA disabled
Auth tokens / secret keys  | oci iam auth-token list     | JSON export per user
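The following Python script is an added example, not part of the original runbook: it applies steps 1, 2 and 4 above to saved CLI exports rather than to live API calls, so the same checks can be re-run against the evidence repository. The JSON is constructed to follow the shape of `oci iam user list` and `oci iam user api-key list` output; the names, OCIDs and timestamps are invented. The authorised user register, the set of service accounts exempt from MFA, and the audit date are assumptions the auditor replaces with the real register and the date of fieldwork.

```python
"""Offline IAM user checks over saved `oci iam user list` / `api-key list` JSON exports."""
import json
from datetime import datetime, timezone

# Constructed sample export in the shape of `oci iam user list --all` (names/OCIDs invented).
USERS_JSON = json.dumps({"data": [
    {"name": "alice@example.com", "id": "ocid1.user.oc1..alice", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": True, "time-created": "2024-01-10T09:00:00.000000+00:00"},
    {"name": "bob@example.com", "id": "ocid1.user.oc1..bob", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": False, "time-created": "2024-02-01T09:00:00.000000+00:00"},
    {"name": "svc-backup", "id": "ocid1.user.oc1..svc", "lifecycle-state": "ACTIVE",
     "is-mfa-activated": False, "time-created": "2023-06-01T09:00:00.000000+00:00"},
]})

# Constructed per-user exports in the shape of `oci iam user api-key list --user-id <ocid>`.
API_KEYS_JSON = {
    "ocid1.user.oc1..alice": json.dumps({"data": [
        {"fingerprint": "11:22:33:44", "lifecycle-state": "ACTIVE",
         "time-created": "2026-02-15T00:00:00.000000+00:00"}]}),
    "ocid1.user.oc1..bob": json.dumps({"data": []}),
    "ocid1.user.oc1..svc": json.dumps({"data": [
        {"fingerprint": "aa:bb:cc:dd", "lifecycle-state": "ACTIVE",
         "time-created": "2023-06-01T00:00:00.000000+00:00"}]}),
}

# Assumptions the auditor replaces: the authorised user register, which users are
# non-human service accounts (exempt from the MFA check, reviewed under step 5), and the audit date.
AUTHORISED_USERS = {"alice@example.com", "bob@example.com", "svc-backup"}
SERVICE_ACCOUNTS = {"svc-backup"}
AUDIT_DATE = datetime(2026, 4, 22, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90


def parse_oci_time(value):
    """The OCI CLI emits RFC 3339 timestamps; fromisoformat handles the offset form it uses."""
    return datetime.fromisoformat(value)


def load_users(users_json):
    return json.loads(users_json)["data"]


def unregistered_users(users, register):
    """Step 1: local users not present in the authorised register."""
    return sorted(u["name"] for u in users if u["name"] not in register)


def stale_api_keys(users, keys_by_user, audit_date=AUDIT_DATE, max_age_days=MAX_KEY_AGE_DAYS):
    """Step 2: active API keys older than the rotation threshold, as (user, fingerprint, age_days)."""
    findings = []
    for user in users:
        export = keys_by_user.get(user["id"])
        if export is None:          # no export collected for this user: skip rather than guess
            continue
        for key in json.loads(export)["data"]:
            if key["lifecycle-state"] != "ACTIVE":
                continue
            age = (audit_date - parse_oci_time(key["time-created"])).days
            if age > max_age_days:
                findings.append((user["name"], key["fingerprint"], age))
    return findings


def humans_without_mfa(users, service_accounts=SERVICE_ACCOUNTS):
    """Step 4: active human users whose MFA flag is false."""
    return sorted(u["name"] for u in users
                  if u["lifecycle-state"] == "ACTIVE"
                  and u["name"] not in service_accounts
                  and not u["is-mfa-activated"])


if __name__ == "__main__":
    users = load_users(USERS_JSON)
    print("Unregistered users:", unregistered_users(users, AUTHORISED_USERS))
    for name, fp, age in stale_api_keys(users, API_KEYS_JSON):
        print(f"API key {fp} of {name} is {age} days old (> {MAX_KEY_AGE_DAYS})")
    print("Human users without MFA:", humans_without_mfa(users))
```

In practice the two JSON constants are replaced by the files saved from the CLI (`oci ... > evidence.json`), which keeps the evidence and the analysis of it in the same artefact set.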


Groups & Dynamic Groups

1.    List all groups and their memberships; confirm alignment with role-based access control (RBAC) matrix.

oci iam group list --compartment-id <tenancy_ocid> --all --output table

2.    For each group, list members.

oci iam group list-users --group-id <group_ocid> --output table

3.    List all dynamic groups; verify matching rules target intended instance OCIDs or compartments only.

oci iam dynamic-group list --compartment-id <tenancy_ocid> --all

4.    Flag dynamic groups with overly broad matching rules (e.g., matching all instances in the tenancy without compartment scoping).

IAM Policies

1.    Export all policies across all compartments. Begin at the root compartment (tenancy level).

oci iam policy list --compartment-id <tenancy_ocid> --all

2.    Recursively list policies in each child compartment.

oci iam policy list --compartment-id <compartment_ocid> --all

3.    Review each policy statement for: overly permissive verbs (manage all-resources), missing conditions (e.g., no request.region or request.networkSource restriction), and use of 'any-user' subject.

4.    Flag policies that grant 'manage all-resources in tenancy' to non-administrator groups.

5.    Document all cross-tenancy policies (endorse / admit / define statements).
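As an added example (not part of the original runbook), the script below applies the review criteria of steps 3 to 5 to a saved `oci iam policy list` export: it parses each statement, flags the `any-user` subject, flags `manage all-resources in tenancy` for groups outside an assumed administrator list, notes `manage all-resources` grants that carry no `where` condition, and records every `endorse`, `admit` and `define` statement as cross-tenancy access to document. The export, policy names and OCIDs are constructed; the administrator group set is an assumption taken from the RBAC matrix in a real engagement. Statements the parser does not recognise are returned for manual review rather than silently dropped.

```python
"""Offline review of IAM policy statements exported with `oci iam policy list`."""
import json
import re

# Constructed export shaped like `oci iam policy list --all` (names/OCIDs invented).
POLICIES_JSON = json.dumps({"data": [
    {"name": "tenant-admins", "compartment-id": "ocid1.tenancy.oc1..root",
     "statements": ["Allow group Administrators to manage all-resources in tenancy"]},
    {"name": "dev-team", "compartment-id": "ocid1.tenancy.oc1..root",
     "statements": ["Allow group Developers to manage all-resources in tenancy",
                    "Allow group Developers to read all-resources in compartment Dev"]},
    {"name": "public-objects", "compartment-id": "ocid1.compartment.oc1..pub",
     "statements": ["Allow any-user to read objects in compartment Public "
                    "where request.networkSource.name = 'corp-net'"]},
    {"name": "partner-link", "compartment-id": "ocid1.tenancy.oc1..root",
     "statements": ["Define tenancy Partner as ocid1.tenancy.oc1..partner",
                    "Endorse group NetAdmins to manage drg-attachment in tenancy Partner"]},
]})

# Assumption: the only groups permitted tenancy-wide `manage all-resources`.
ADMIN_GROUPS = {"Administrators"}

# Grammar: <allow|endorse|admit> <subject> [of tenancy X] to <verb> <resource> in <scope> [where <cond>]
STATEMENT_RE = re.compile(
    r"^(?P<kind>allow|endorse|admit)\s+"
    r"(?P<subject>any-user|any-group|(?:group|dynamic-group|service)\s+(?:'[^']*'|\S+))"
    r"(?:\s+of\s+tenancy\s+\S+)?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy(?:\s+\S+)?|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)
DEFINE_RE = re.compile(r"^define\s+tenancy\s+\S+\s+as\s+\S+\s*$", re.IGNORECASE)


def review_statement(statement, admin_groups=ADMIN_GROUPS):
    """Return (severity, reason) findings for one policy statement."""
    if DEFINE_RE.match(statement):
        return [("INFO", "cross-tenancy define statement: document counterpart tenancy")]
    m = STATEMENT_RE.match(statement)
    if not m:
        return [("REVIEW", "statement did not parse: review manually")]
    findings = []
    kind, subject = m["kind"].lower(), m["subject"]
    verb, resource, scope = m["verb"].lower(), m["resource"].lower(), m["scope"].lower()
    if kind in ("endorse", "admit"):
        findings.append(("INFO", f"cross-tenancy {kind} statement: document counterpart tenancy"))
    if subject.lower() == "any-user":
        findings.append(("HIGH", "any-user subject grants access to all authenticated principals"))
    if verb == "manage" and resource == "all-resources":
        group = subject.split(None, 1)[1] if " " in subject else subject
        if scope == "tenancy" and group not in admin_groups:
            findings.append(("HIGH", f"manage all-resources in tenancy granted to non-admin {subject}"))
        if not m["cond"]:
            findings.append(("MEDIUM", "manage all-resources without a where condition "
                                       "(no request.region / request.networkSource restriction)"))
    return findings


def review_policies(policies_json, admin_groups=ADMIN_GROUPS):
    """Flatten findings across all exported policies as (policy, statement, severity, reason)."""
    out = []
    for policy in json.loads(policies_json)["data"]:
        for stmt in policy["statements"]:
            for severity, reason in review_statement(stmt, admin_groups):
                out.append((policy["name"], stmt, severity, reason))
    return out


if __name__ == "__main__":
    for policy, stmt, severity, reason in review_policies(POLICIES_JSON):
        print(f"[{severity}] {policy}: {stmt}\n    {reason}")
```

Run it once per compartment export (root first, then each child, as steps 1 and 2 describe) and merge the results; the REVIEW entries are the statements that need an analyst's eye.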

Federation & Identity Providers

1.    List all configured Identity Providers (IdPs).

oci iam identity-provider list --compartment-id <tenancy_ocid> --protocol SAML2 --all

2.    Verify SAML metadata validity and certificate expiry dates.

3.    Confirm that federated group mappings align with intended role assignments.

4.    Check whether any federated user has been granted local API keys (indicates potential shadow access).

OCI Tenancy Audit – Compartment & Tagging Governance

Compartment Hierarchy

1.    List all compartments (including nested) and map the hierarchy.

oci iam compartment list --compartment-id <tenancy_ocid> --compartment-id-in-subtree true --all --query "data[*].{Name:name,OCID:id,Parent:\"compartment-id\",State:\"lifecycle-state\"}" --output table

2.    Verify that compartments follow a logical separation (e.g., by environment: Dev/Staging/Prod, or by business unit).

3.    Identify and flag any empty or orphaned compartments.

4.    Confirm that the root compartment contains no resources directly (best practice: root should only contain compartments and tenancy-level policies).

Tag Namespaces & Defined Tags

1.    List all tag namespaces and defined tags.

oci iam tag-namespace list --compartment-id <tenancy_ocid> --all

2.    Verify that a mandatory tagging strategy exists (e.g., Environment, CostCenter, Owner, Application).

3.    Check for tag defaults configured on compartments.

oci iam tag-default list --compartment-id <compartment_ocid>

4.    Sample resources across compartments and confirm tags are applied consistently.

OCI Tenancy Audit – Networking & Security

VCN Inventory & Architecture

1.    List all VCNs across all compartments and subscribed regions.

oci network vcn list --compartment-id <compartment_ocid> --all --output table

2.    For each VCN, document CIDR blocks, DNS labels, and associated DRG attachments.

3.    Verify there is no overlapping CIDR between VCNs that are peered or connected via DRG.

Subnets

1.    List all subnets per VCN.

oci network subnet list --compartment-id <compartment_ocid> --vcn-id <vcn_ocid> --all --output table

2.    Confirm that subnets designated for internal workloads are private (prohibit-public-ip-on-vnic = true).

3.    Flag any public subnets that do not require public exposure.

Security Lists & Network Security Groups (NSGs)

1.    List all security lists per VCN and export ingress/egress rules.

oci network security-list list --compartment-id <compartment_ocid> --vcn-id <vcn_ocid> --all

2.    Flag rules allowing ingress from 0.0.0.0/0 on sensitive ports (SSH/22, RDP/3389, database ports 1521/3306/5432/1433).

3.    List all NSGs and their rules.

oci network nsg list --compartment-id <compartment_ocid> --all

oci network nsg rules list --nsg-id <nsg_ocid> --all

4.    Verify that NSGs are preferred over security lists for granular instance-level controls.

5.    Confirm that egress rules follow least-privilege (not 0.0.0.0/0 for all protocols).
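The checks in steps 2 and 5 are mechanical once the rules are exported, so the following added example (not from the original runbook) evaluates a saved `oci network security-list list` export offline. It reproduces the API's semantics the auditor must keep in mind: a TCP or UDP rule with no destination port range covers every port, and protocol `all` covers every protocol. Ingress rules from 0.0.0.0/0 or ::/0 are reported per sensitive port they reach, and egress rules allowing all protocols to anywhere are reported separately. The security list, its name and its rules are constructed for the example; the sensitive port list is the one in step 2.

```python
"""Offline review of security list rules exported with `oci network security-list list`."""
import json

# Ports the runbook treats as sensitive when reachable from anywhere (all TCP services).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1521: "Oracle DB", 3306: "MySQL",
                   5432: "PostgreSQL", 1433: "MSSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
TCP, UDP = "6", "17"   # OCI encodes protocol as the IANA number string, or "all"

# Constructed export shaped like `oci network security-list list --all` (names invented).
SECURITY_LISTS_JSON = json.dumps({"data": [{
    "display-name": "prod-web-sl",
    "ingress-security-rules": [
        {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": TCP, "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
        {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": TCP, "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "10.0.0.0/16", "source-type": "CIDR_BLOCK", "protocol": TCP, "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
        {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": TCP, "is-stateless": False,
         "tcp-options": {"destination-port-range": {"min": 3000, "max": 4000}}},
        {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "1", "is-stateless": False,
         "icmp-options": {"type": 3, "code": 4}},
    ],
    "egress-security-rules": [
        {"destination": "0.0.0.0/0", "destination-type": "CIDR_BLOCK", "protocol": "all",
         "is-stateless": False},
    ],
}]})


def destination_ports(rule):
    """Destination port range a rule covers, or None when the protocol has no ports.

    In the OCI API a TCP/UDP rule without a destination-port-range means all ports,
    and protocol "all" covers every protocol and port.
    """
    proto = rule["protocol"]
    if proto == "all":
        return (1, 65535)
    if proto not in (TCP, UDP):
        return None                       # ICMP and friends: no port concept
    opts = rule.get("tcp-options" if proto == TCP else "udp-options") or {}
    rng = opts.get("destination-port-range")
    if not rng:
        return (1, 65535)
    return (rng["min"], rng["max"])


def exposed_sensitive_ports(rule):
    """Sensitive ports an ingress rule opens to the whole internet."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK" or rule["source"] not in ANYWHERE:
        return []
    ports = destination_ports(rule)
    if ports is None or rule["protocol"] == UDP:   # sensitive list above is TCP-only
        return []
    lo, hi = ports
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def review_security_list(sl):
    """Findings for one security list as (direction, description)."""
    findings = []
    for rule in sl.get("ingress-security-rules", []):
        ports = exposed_sensitive_ports(rule)
        if ports:
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
            findings.append(("ingress", f"{rule['source']} may reach {names}"))
    for rule in sl.get("egress-security-rules", []):
        if rule["protocol"] == "all" and rule["destination"] in ANYWHERE:
            findings.append(("egress", f"all protocols permitted to {rule['destination']}"))
    return findings


def review_export(export_json):
    """Map each security list display name to its findings."""
    return {sl["display-name"]: review_security_list(sl) for sl in json.loads(export_json)["data"]}


if __name__ == "__main__":
    for name, findings in review_export(SECURITY_LISTS_JSON).items():
        for direction, text in findings:
            print(f"{name}: {direction}: {text}")
```

NSG rules exported with `oci network nsg rules list` use the same protocol and port-option fields, with `direction` and `source`/`destination` on each rule, so the same helpers apply to step 3 with a small change to how rules are grouped.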

Internet Gateway, NAT Gateway, Service Gateway

1.    List gateways per VCN.

oci network internet-gateway list --compartment-id <compartment_ocid> --vcn-id <vcn_ocid> --all

oci network nat-gateway list --compartment-id <compartment_ocid> --vcn-id <vcn_ocid> --all

oci network service-gateway list --compartment-id <compartment_ocid> --vcn-id <vcn_ocid> --all

2.    Verify that Internet Gateways are only attached to VCNs that require public-facing resources.

3.    Confirm that private workloads use NAT Gateways for outbound access and Service Gateways for OCI service access.

DRG, VPN Connect & FastConnect

1.    List all DRGs and their attachments.

oci network drg list --compartment-id <compartment_ocid> --all

oci network drg-attachment list --compartment-id <compartment_ocid> --all

2.    For IPSec VPN tunnels, verify tunnel status and IKE version.

oci network ip-sec-connection list --compartment-id <compartment_ocid> --all

3.    For FastConnect virtual circuits, confirm redundancy (at least two circuits via different providers or locations for production).

4.    Review DRG route tables and import/export route distributions for unintended route leakage between attached networks.

Load Balancers & WAF

1.    List all load balancers.

oci lb load-balancer list --compartment-id <compartment_ocid> --all

2.    Verify TLS/SSL certificate validity and cipher suite configuration on HTTPS listeners.

3.    List WAF policies and confirm they are attached to public-facing load balancers.

oci waf web-app-firewall list --compartment-id <compartment_ocid> --all

4.    Review WAF access rules and rate limiting configurations.

OCI Tenancy Audit – Compute

Instance Inventory

1.    List all compute instances across compartments and regions.

oci compute instance list --compartment-id <compartment_ocid> --all --query "data[*].{Name:\"display-name\",State:\"lifecycle-state\",Shape:shape,AD:\"availability-domain\"}" --output table

2.    Identify instances in STOPPED state for extended periods; flag for decommissioning review.

3.    Record instance shapes, OCPUs, memory, and boot/block volume associations.

Instance Configuration & Security

1.    Verify that Shielded Instances (Secure Boot, Measured Boot, TPM) are enabled where supported.

2.    Check that instance metadata service version 2 (IMDSv2) is enforced (legacy endpoint disabled).

oci compute instance get --instance-id <instance_ocid> --query "data.{IMDS:\"instance-options\"}"

3.    Confirm that instances in private subnets do not have public IP addresses assigned.

4.    Verify that OS Management Service (OSMS) or OS Management Hub agent is running and reporting on each instance.

Boot & Block Volumes

1.    List all boot volumes and block volumes.

oci bv boot-volume list --compartment-id <compartment_ocid> --availability-domain <ad_name> --all

oci bv volume list --compartment-id <compartment_ocid> --all

2.    Verify that all volumes use encryption (OCI-managed keys or customer-managed keys via Vault).

3.    Check that volume backup policies are assigned to production volumes.

oci bv volume-backup-policy-assignment get-volume-backup-policy-asset-assignment --asset-id <volume_ocid>

4.    Review cross-region volume replications for DR-critical volumes.

Instance Pools & Autoscaling

1.    List instance pools and autoscaling configurations.

oci compute-management instance-pool list --compartment-id <compartment_ocid> --all

2.    Verify scaling policies align with expected thresholds and that minimum instance counts meet availability requirements.

OCI Tenancy Audit – Storage

Object Storage

1.    List all buckets across compartments.

oci os bucket list --compartment-id <compartment_ocid> --all

2.    For each bucket, check visibility (public vs. private). Flag any public buckets.

3.    Verify that buckets storing sensitive data have: encryption with customer-managed keys (Vault), versioning enabled, lifecycle rules for retention/archival, and object-level audit logging enabled.

oci os bucket get --bucket-name <bucket_name> --query "data.{Visibility:\"public-access-type\",Versioning:versioning,KmsKey:\"kms-key-id\"}"

4.    Review pre-authenticated requests (PARs) for expiry and scope.

oci os preauth-request list --bucket-name <bucket_name>
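The bucket attributes and PAR lifetimes in steps 2 to 4 can be checked from the saved `oci os bucket get` and `oci os preauth-request list` output. The script below is an added example, not part of the original runbook: bucket names, OCIDs and dates are constructed, and the list of buckets classified as sensitive, the audit date and the maximum acceptable PAR lifetime are assumptions that come from the data classification and access policy in a real audit. It reports public visibility on any bucket, missing customer-managed key, versioning or object-event logging on sensitive buckets, and PARs that have expired, live too long or are scoped to the whole bucket.

```python
"""Offline review of Object Storage bucket details and pre-authenticated requests."""
import json
from datetime import datetime, timezone

AUDIT_DATE = datetime(2026, 4, 22, tzinfo=timezone.utc)   # assumed date of fieldwork
MAX_PAR_LIFETIME_DAYS = 30                                 # assumed policy threshold

# Constructed `oci os bucket get` outputs, one per bucket (names, OCIDs and values invented).
BUCKETS = [json.dumps({"data": b}) for b in [
    {"name": "prod-customer-exports", "public-access-type": "NoPublicAccess", "versioning": "Enabled",
     "kms-key-id": "ocid1.key.oc1..invented", "object-events-enabled": True},
    {"name": "hr-records", "public-access-type": "NoPublicAccess", "versioning": "Disabled",
     "kms-key-id": None, "object-events-enabled": False},
    {"name": "marketing-assets", "public-access-type": "ObjectRead", "versioning": "Disabled",
     "kms-key-id": None, "object-events-enabled": False},
]]

# Constructed `oci os preauth-request list` output for one bucket.
PARS_JSON = json.dumps({"data": [
    {"name": "quarterly-report", "access-type": "ObjectRead", "object-name": "q1.pdf",
     "time-created": "2026-04-01T00:00:00+00:00", "time-expires": "2026-04-15T00:00:00+00:00"},
    {"name": "partner-upload", "access-type": "AnyObjectWrite", "object-name": None,
     "time-created": "2026-01-01T00:00:00+00:00", "time-expires": "2027-01-01T00:00:00+00:00"},
]})

# Assumption: buckets the data classification marks as sensitive (step 3 controls apply).
SENSITIVE_BUCKETS = {"prod-customer-exports", "hr-records"}


def review_bucket(bucket_json, sensitive=SENSITIVE_BUCKETS):
    """Steps 2-3: public access on any bucket; CMK, versioning and event logging on sensitive ones."""
    b = json.loads(bucket_json)["data"]
    findings = []
    if b.get("public-access-type", "NoPublicAccess") != "NoPublicAccess":
        findings.append(f"public access enabled ({b['public-access-type']})")
    if b["name"] in sensitive:
        if not b.get("kms-key-id"):
            findings.append("encrypted with Oracle-managed key, not a Vault customer-managed key")
        if b.get("versioning") != "Enabled":
            findings.append("versioning not enabled")
        if not b.get("object-events-enabled"):
            findings.append("object-level events (audit logging) not enabled")
    return b["name"], findings


def review_pars(pars_json, audit_date=AUDIT_DATE, max_lifetime_days=MAX_PAR_LIFETIME_DAYS):
    """Step 4: expired PARs still listed, over-long lifetimes, and bucket-wide (object-name None) scope."""
    findings = []
    for par in json.loads(pars_json)["data"]:
        expires = datetime.fromisoformat(par["time-expires"])
        created = datetime.fromisoformat(par["time-created"])
        lifetime = (expires - created).days
        if expires <= audit_date:
            findings.append((par["name"], "expired but still present: delete"))
        elif lifetime > max_lifetime_days:
            findings.append((par["name"], f"lifetime {lifetime} days exceeds {max_lifetime_days}"))
        if par.get("object-name") is None and par["access-type"].startswith("Any"):
            findings.append((par["name"], f"bucket-wide scope ({par['access-type']})"))
    return findings


if __name__ == "__main__":
    for bucket_json in BUCKETS:
        name, findings = review_bucket(bucket_json)
        for text in findings:
            print(f"{name}: {text}")
    for par_name, text in review_pars(PARS_JSON):
        print(f"PAR {par_name}: {text}")
```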

File Storage (FSS)

1.    List all file systems and mount targets.

oci fs file-system list --compartment-id <compartment_ocid> --availability-domain <ad_name> --all

oci fs mount-target list --compartment-id <compartment_ocid> --availability-domain <ad_name> --all

2.    Review export sets and NFS export options (source CIDR restrictions, root squash settings, access modes).

oci fs export list --compartment-id <compartment_ocid> --all

3.    Confirm that mount targets are placed in private subnets with appropriate NSG rules (port 2048–2050, 111).

OCI Tenancy Audit – Security Services

Vault & Key Management

1.    List all Vaults and keys.

oci kms management vault list --compartment-id <compartment_ocid> --all

2.    Verify key rotation schedule (recommended: every 90 days or per policy).

3.    Confirm that production encryption uses customer-managed keys (not Oracle-managed defaults) for sensitive workloads.

4.    Check Vault type: Virtual Private Vault for highest isolation in regulated environments.

Cloud Guard

1.    Verify Cloud Guard is enabled at the tenancy level.

oci cloud-guard configuration get --compartment-id <tenancy_ocid>

2.    Review detector recipes (Configuration, Activity, Threat) and confirm all critical rules are enabled.

3.    List open problems and review remediation status.

oci cloud-guard problem list --compartment-id <tenancy_ocid> --status OPEN --all

4.    Verify that Cloud Guard reporting region and target compartments are correctly configured.

Vulnerability Scanning

1.    List all vulnerability scanning targets and recipes.

oci vulnerability-scanning host scan-target list --compartment-id <compartment_ocid> --all

2.    Review recent scan results; flag high and critical CVEs on in-scope instances.

3.    Confirm scan frequency (recommended: weekly for production instances).

Bastion Service

1.    List all Bastions.

oci bastion bastion list --compartment-id <compartment_ocid> --all

2.    Review active sessions; confirm maximum session TTL is within policy (recommended: 3 hours or less).

3.    Verify that CIDR allow-lists on Bastions restrict source IPs to corporate/VPN ranges.

OCI Tenancy Audit – Logging, Monitoring & Audit Trail

OCI Audit Service

1.    Verify that the Audit service retention period is set to the maximum (365 days).

oci audit config get --compartment-id <tenancy_ocid>

2.    Sample audit events for key actions (user logins, policy changes, resource creation/deletion).

oci audit event list --compartment-id <tenancy_ocid> --start-time <ISO8601> --end-time <ISO8601> --all

Logging Service

1.    List all Log Groups and Logs. Confirm that VCN flow logs, load balancer access logs, and Object Storage write logs are enabled for production resources.

oci logging log-group list --compartment-id <compartment_ocid> --all

oci logging log list --log-group-id <log_group_ocid> --all

2.    Verify log retention meets compliance requirements.

3.    Check for Service Connector Hub pipelines that archive logs to Object Storage or stream to a SIEM.

oci sch service-connector list --compartment-id <compartment_ocid> --all

Monitoring & Alarms

1.    List all alarms.

oci monitoring alarm list --compartment-id <compartment_ocid> --all

2.    Verify that critical alarms are configured for: high CPU/memory on instances, security list changes, IAM policy modifications, budget threshold breaches, and Cloud Guard critical findings.

3.    Confirm alarm destinations (ONS topics) route to appropriate on-call channels.

Notifications & Events

1.    List notification topics and subscriptions.

oci ons topic list --compartment-id <compartment_ocid> --all

2.    List event rules and confirm rules exist for critical operations (IAM changes, network changes, instance lifecycle events).

oci events rule list --compartment-id <compartment_ocid> --all

OCI Tenancy Audit – Cost & Governance

Budgets

1.    List all budgets.

oci budgets budget list --compartment-id <tenancy_ocid> --all

2.    Verify that budgets are set for each major compartment or cost-tracking tag.

3.    Confirm alert thresholds are configured (e.g., 80% and 100% of budget).

Quotas

1.    List compartment quotas.

oci limits quota list --compartment-id <tenancy_ocid> --all

2.    Verify that quotas prevent uncontrolled resource creation in non-production compartments (e.g., limiting GPU shapes, large VM shapes).

Limits & Service Limits

1.    Review current service limit utilisation against requests.

oci limits service list --compartment-id <tenancy_ocid> --all

2.    Flag any services approaching their limits that could impact availability.

Operating System Audit – Linux

This section applies to all in-scope Linux instances (Oracle Linux, RHEL, Ubuntu, CentOS). Execute all commands via SSH with a least-privilege audit account or via sudo as needed. Record output as evidence.

System Identification

1.    Record hostname, OS version, kernel version, and uptime.

hostnamectl

cat /etc/os-release

uname -r

uptime

2.    Record instance metadata (for OCI instances).

curl -s -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/instance/ | python3 -m json.tool

User & Group Management

1.    List all local users and identify accounts with UID 0 (root equivalents).

awk -F: '{print $1, $3, $7}' /etc/passwd

awk -F: '($3 == 0) {print $1}' /etc/passwd

2.    List users with valid login shells who are not system accounts.

grep -v '/nologin\|/false' /etc/passwd | awk -F: '$3 >= 1000 {print $1}'

3.    Check for empty password fields.

sudo awk -F: '($2 == "") {print $1}' /etc/shadow

4.    Review group memberships, especially wheel/sudo groups.

getent group wheel sudo

5.    Check password ageing policies.

chage -l <username>

grep -E '^PASS_MAX_DAYS|^PASS_MIN_DAYS|^PASS_MIN_LEN|^PASS_WARN_AGE' /etc/login.defs
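Steps 1 to 5 above are usually repeated across many instances, so the following added example (not from the original runbook) performs them on copies of /etc/passwd, /etc/shadow and /etc/login.defs collected as evidence. The three files are constructed for the example and the accounts, hashes and dates in them are invented; the thresholds for login.defs are assumptions aligned with the CIS Linux benchmark recommendations (maximum age 365 days, minimum age 1 day, warning 7 days).

```python
"""Offline review of copied /etc/passwd, /etc/shadow and /etc/login.defs."""

# Constructed file contents for the example; accounts and hashes are invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
opc:x:1000:1000:OCI default user:/home/opc:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
svc-app:x:1002:1002::/opt/app:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$invented:19800:0:99999:7:::
bin:*:19800:0:99999:7:::
opc:$6$saltsalt$invented:19800:1:90:7:::
deploy::19800:0:99999:7:::
toor:$6$saltsalt$invented:19800:0:99999:7:::
svc-app:!:19800:0:99999:7:::
"""

LOGIN_DEFS = """\
# comment line
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumed thresholds (CIS-aligned): ("max", n) means value must be <= n, ("min", n) must be >= n.
LOGIN_DEFS_LIMITS = {"PASS_MAX_DAYS": ("max", 365), "PASS_MIN_DAYS": ("min", 1), "PASS_WARN_AGE": ("min", 7)}


def parse_colon_file(text):
    """Split a passwd/shadow style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def uid0_accounts(passwd_text):
    """Step 1: every account with UID 0 (root and any root-equivalent)."""
    return [f[0] for f in parse_colon_file(passwd_text) if int(f[2]) == 0]


def interactive_users(passwd_text, min_uid=1000):
    """Step 2: non-system accounts with a real login shell (nobody's UID 65534 excluded)."""
    users = []
    for f in parse_colon_file(passwd_text):
        uid = int(f[2])
        if uid >= min_uid and uid != 65534 and f[6] not in NOLOGIN_SHELLS:
            users.append(f[0])
    return users


def empty_password_accounts(shadow_text):
    """Step 3: accounts whose shadow password field is empty (no password required)."""
    return [f[0] for f in parse_colon_file(shadow_text) if f[1] == ""]


def password_max_age(shadow_text):
    """Step 5 (what `chage -l` reports): per-account maximum password age in days."""
    return {f[0]: int(f[4]) for f in parse_colon_file(shadow_text) if f[4]}


def login_defs_violations(text, limits=LOGIN_DEFS_LIMITS):
    """Step 5: login.defs values outside the assumed thresholds, as {key: (value, expected)}."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and not line.startswith("#"):
            values[parts[0]] = parts[1]
    violations = {}
    for key, (kind, bound) in limits.items():
        if key not in values:
            violations[key] = (None, f"{kind} {bound}")
            continue
        value = int(values[key])
        if (kind == "max" and value > bound) or (kind == "min" and value < bound):
            violations[key] = (value, f"{kind} {bound}")
    return violations


if __name__ == "__main__":
    humans = set(interactive_users(PASSWD)) | set(uid0_accounts(PASSWD))
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    print("Interactive users:", interactive_users(PASSWD))
    print("Empty passwords:", empty_password_accounts(SHADOW))
    print("Never forced to rotate:", [u for u, d in password_max_age(SHADOW).items() if d >= 99999 and u in humans])
    print("login.defs violations:", login_defs_violations(LOGIN_DEFS))
```

The shadow copy requires root to collect (`sudo cat /etc/shadow`), which is why the runbook prefixes that step with sudo; store it in the encrypted evidence repository only.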

SSH Configuration

1.    Review SSHD configuration for hardening.

sudo sshd -T | grep -E 'permitrootlogin|passwordauthentication|permitemptypasswords|x11forwarding|maxauthtries|protocol|clientaliveinterval|clientalivecountmax'

2.    Verify that PermitRootLogin is set to 'no' or 'prohibit-password'.

3.    Verify that PasswordAuthentication is set to 'no' (key-based auth enforced).

4.    List authorised SSH keys for each user.

awk -F: '$3 >= 1000 {print $1":"$6}' /etc/passwd | while IFS=: read -r user home; do echo "--- $user ---"; sudo cat "$home/.ssh/authorized_keys" 2>/dev/null; done   # uses each account's real home directory rather than assuming /home/<user>

5.    Check for SSH keys owned by root that grant access to other systems.

sudo ls -la /root/.ssh/

Sudo Configuration

1.    Review sudoers file and drop-in files.

sudo cat /etc/sudoers

sudo ls -la /etc/sudoers.d/

sudo cat /etc/sudoers.d/*

2.    Flag any NOPASSWD entries and entries granting ALL commands to non-admin users.

3.    Verify that sudo logging is enabled (Defaults logfile or Defaults syslog).
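The SSH steps 1 to 3 and sudo steps 1 to 3 both compare captured configuration against expected values, so one added example (not part of the original runbook) covers both: it parses `sshd -T` output, which reports effective values in lowercase one per line, and the concatenated sudoers content. The captured text is constructed for the example; the expected sshd values follow the runbook's steps and common CIS guidance, and the set of identities allowed unrestricted sudo is an assumption to take from the RBAC matrix. `#include` and `#includedir` directives are treated as comments here, so sudoers.d files should be concatenated into the input as the runbook's step 1 collects them.

```python
"""Offline review of `sshd -T` output and sudoers content."""
import re

# Constructed `sudo sshd -T` excerpt; keys are lowercase as sshd prints them.
SSHD_T = """\
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3
"""

# Constructed sudoers content (the concatenation of /etc/sudoers and /etc/sudoers.d/*).
SUDOERS = """\
Defaults    requiretty
Defaults    logfile="/var/log/sudo.log"
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
deploy  ALL=(ALL)       NOPASSWD: ALL
backup  ALL=(root)      /usr/bin/rsync
"""

# Assumed hardening expectations for the settings the runbook greps for.
SSHD_EXPECTED = {
    "permitrootlogin": lambda v: v in ("no", "prohibit-password"),
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: int(v) <= 4,
    "clientaliveinterval": lambda v: 0 < int(v) <= 900,
    "clientalivecountmax": lambda v: int(v) <= 3,
}
# Assumption: identities allowed unrestricted sudo (ALL commands).
SUDO_ADMINS = {"root", "%wheel", "%sudo"}

# user_or_%group  host = (runas) [TAG:] commands
SUDO_RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


def parse_sshd_t(text):
    """sshd -T prints one 'key value' line per effective setting."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key:
            out[key] = value.strip()
    return out


def sshd_findings(text, expected=SSHD_EXPECTED):
    """Settings that are missing or fail their check, as {key: observed value or None}."""
    conf = parse_sshd_t(text)
    return {k: conf.get(k) for k, ok in expected.items() if k not in conf or not ok(conf[k])}


def sudoers_findings(text, admins=SUDO_ADMINS):
    """NOPASSWD entries, ALL-command grants to non-admins, and missing sudo logging."""
    findings = []
    logging_enabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#include' lines are dropped as comments here
        if not line:
            continue
        if line.startswith("Defaults"):
            if "logfile" in line or "syslog" in line:
                logging_enabled = True
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            findings.append(("?", f"unparsed line: {line}"))
            continue
        who, cmds = m["who"], m["cmds"]
        if "NOPASSWD:" in cmds:
            findings.append((who, "NOPASSWD entry"))
        commands = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "").strip()
        if commands == "ALL" and who not in admins:
            findings.append((who, "ALL commands granted to non-admin identity"))
    if not logging_enabled:
        findings.append(("Defaults", "no 'Defaults logfile' or 'Defaults syslog' entry"))
    return findings


if __name__ == "__main__":
    for key, value in sshd_findings(SSHD_T).items():
        print(f"sshd: {key} = {value!r} does not meet expectation")
    for who, reason in sudoers_findings(SUDOERS):
        print(f"sudoers: {who}: {reason}")
```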

Firewall Configuration

1.    Check firewall status and rules (iptables / nftables / firewalld).

sudo iptables -L -n -v

sudo nft list ruleset 2>/dev/null

sudo firewall-cmd --list-all 2>/dev/null

2.    Verify that only required ports are open (compare against application requirements).

3.    Check for any rules allowing unrestricted inbound access (0.0.0.0/0).

Patch Management & Package Integrity

1.    Check for available security updates.

# Oracle Linux / RHEL / CentOS

sudo yum updateinfo list security

# Ubuntu / Debian

sudo apt list --upgradable 2>/dev/null | grep -i security

2.    List installed packages and their versions.

rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' | sort   # RPM-based

dpkg -l | awk '/^ii/ {print $2, $3}'   # Debian-based

3.    Verify GPG signature checking is enabled for package repositories.

grep -r gpgcheck /etc/yum.repos.d/

4.    Check last patching date.

rpm -qa --last | head -20   # RPM-based

ls -lt /var/log/apt/history.log   # Debian-based

File System Permissions & Integrity

1.    Check permissions on critical files.

stat -c '%a %U %G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers /etc/ssh/sshd_config

2.    Find world-writable files (excluding /proc, /sys, /dev).

sudo find / -xdev -type f -perm -o+w -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null

3.    Find SUID/SGID binaries and compare against a known-good baseline.

sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null

4.    Check for unowned files.

sudo find / -xdev -nouser -o -nogroup 2>/dev/null

Logging & Auditing (Local)

1.    Verify that rsyslog or journald is running and configured.

systemctl status rsyslog

journalctl --disk-usage

2.    Check auditd status and key rules.

sudo systemctl status auditd

sudo auditctl -l

3.    Verify that audit rules cover: user/group modifications, sudo usage, file permission changes, mount operations, and login events.

4.    Check log rotation configuration.

cat /etc/logrotate.conf

ls /etc/logrotate.d/

Network Configuration

1.    List listening services and open ports.

sudo ss -tulnp

2.    Verify that only required services are listening. Flag unexpected listeners on 0.0.0.0 or ::.

3.    Check IP forwarding status (should be disabled unless instance acts as a router/NAT).

sysctl net.ipv4.ip_forward

sysctl net.ipv6.conf.all.forwarding

4.    Review /etc/hosts.allow and /etc/hosts.deny (TCP Wrappers).

cat /etc/hosts.allow /etc/hosts.deny 2>/dev/null

Cron & Scheduled Jobs

1.    List all cron jobs for all users.

for user in $(cut -f1 -d: /etc/passwd); do echo "--- $user ---"; sudo crontab -l -u $user 2>/dev/null; done

ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/

2.    Review for any suspicious or undocumented scheduled tasks.

3.    Check systemd timers.

systemctl list-timers --all

Kernel & System Hardening

1.    Review key sysctl parameters.

sysctl net.ipv4.conf.all.accept_redirects

sysctl net.ipv4.conf.all.send_redirects

sysctl net.ipv4.conf.all.accept_source_route

sysctl net.ipv4.icmp_echo_ignore_broadcasts

sysctl kernel.randomize_va_space

sysctl fs.suid_dumpable

2.    Verify that core dumps are restricted.

grep -h core /etc/security/limits.conf /etc/security/limits.d/*.conf 2>/dev/null   # includes drop-in files; expect a '* hard core 0' style entry

3.    Check SELinux or AppArmor status.

getenforce 2>/dev/null || aa-status 2>/dev/null

Operating System Audit – Windows Server

This section applies to all in-scope Windows Server instances. Execute commands via RDP session or remote PowerShell with a least-privilege audit account. Record output as evidence.

System Identification

1.    Record hostname, OS version, build number, and uptime.

systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Boot Time"

Get-CimInstance Win32_OperatingSystem | Select Caption, Version, BuildNumber, LastBootUpTime

Local User & Group Management

1.    List all local user accounts; flag disabled, locked, and password-never-expires accounts.

Get-LocalUser | Select Name, Enabled, PasswordExpires, LastLogon, PasswordLastSet | Format-Table -AutoSize

2.    List members of the local Administrators group.

Get-LocalGroupMember -Group 'Administrators' | Format-Table -AutoSize

3.    List all local groups and their memberships.

Get-LocalGroup | ForEach-Object { Write-Host "--- $($_.Name) ---"; Get-LocalGroupMember -Group $_.Name 2>$null | Format-Table }

4.    Check account lockout and password policies.

net accounts

RDP Configuration

1.    Check if RDP is enabled and which port it listens on.

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber

2.    Verify that Network Level Authentication (NLA) is required.

Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication

3.    Check RDP session timeout and idle disconnect settings.

Windows Firewall

1.    Check Windows Firewall status for all profiles.

Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Format-Table

2.    List inbound allow rules and flag overly permissive rules.

Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Select DisplayName, Profile, @{N='LocalPort';E={($_ | Get-NetFirewallPortFilter).LocalPort}}, @{N='RemoteAddress';E={($_ | Get-NetFirewallAddressFilter).RemoteAddress}} | Format-Table -AutoSize

3.    Verify that firewall logging is enabled.

Get-NetFirewallProfile | Select Name, LogFileName, LogMaxSizeKilobytes, LogAllowed, LogBlocked | Format-Table

Windows Update & Patch Compliance

1.    Check Windows Update configuration and last update date.

Get-HotFix | Sort-Object InstalledOn -Descending | Select HotFixID, Description, InstalledOn -First 20 | Format-Table

2.    Check for pending updates.

# Last successful search/install dates
(New-Object -ComObject Microsoft.Update.AutoUpdate).Results | Select LastSearchSuccessDate, LastInstallationSuccessDate

# Updates applicable but not yet installed
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates | Select Title, MsrcSeverity | Format-Table -AutoSize

3.    Verify that Windows Update is configured for automatic or WSUS-managed updates.

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

Audit Policy & Event Logging

1.    Review current audit policy settings.

auditpol /get /category:*

2.    Verify that the following audit subcategories are set to Success and Failure: Logon/Logoff, Account Logon, Account Management, Policy Change, Object Access (where required), and Privilege Use.

3.    Check event log sizes and retention settings.

Get-WinEvent -ListLog Security, System, Application | Select LogName, MaximumSizeInBytes, RecordCount, IsEnabled | Format-Table

4.    Verify that event log forwarding (WEF) is configured if centralised logging is in scope.

Services & Scheduled Tasks

1.    List all running services; flag unnecessary or unexpected services.

Get-Service | Where-Object {$_.Status -eq 'Running'} | Select Name, DisplayName, StartType | Format-Table -AutoSize

2.    List all scheduled tasks and flag those running as SYSTEM or Administrator.

Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | Select TaskName, TaskPath, State | Format-Table -AutoSize

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM|Administrator' } | Select TaskName, TaskPath, @{N='RunAs';E={$_.Principal.UserId}} | Format-Table -AutoSize

Registry & Security Policy Hardening

1.    Check key registry hardening settings.

# LAN Manager authentication level (should be 5 = NTLMv2 only)

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel

# SMBv1 disabled

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

# Auto admin logon disabled

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -ErrorAction SilentlyContinue

2.    Export local security policy for review.

secedit /export /cfg C:\audit_secpol.cfg

3.    Review password policy, account lockout policy, and user rights assignments from the exported configuration.

Network Configuration

1.    List listening ports and associated processes.

Get-NetTCPConnection -State Listen | Select LocalAddress, LocalPort, OwningProcess, @{N='Process';E={(Get-Process -Id $_.OwningProcess).Name}} | Sort LocalPort | Format-Table

2.    Verify DNS and NTP settings.

Get-DnsClientServerAddress | Format-Table

w32tm /query /status

Evidence Collection & Reporting

Evidence Naming Convention

All evidence artefacts should follow a consistent naming convention:

[AuditID]-[Section]-[CheckID]-[Hostname/Resource]-[YYYYMMDD].[ext]

Example: AUD2026-S10.3-SSH-config-prodweb01-20260422.txt

Evidence Types

- OCI CLI JSON exports (raw output piped to files).

- Console screenshots with timestamps (for GUI-only verifications such as Cloud Guard dashboards).

- OS command output captured to text files.

- Exported configuration files (sshd_config, sudoers, secpol.cfg, firewall rules).

- Audit log extracts (OCI Audit events, OS audit logs).

Finding Classification

Each finding should be classified using the following severity scale:

Severity      | Definition                                                                                                     | Example
Critical      | Immediate risk of compromise or data breach; exploitable without authentication or with default credentials.   | Root SSH login enabled with password auth on public subnet instance.
High          | Significant control gap that could be exploited under certain conditions.                                      | IAM policy granting manage all-resources to a broad group.
Medium        | Control weakness that increases risk but requires additional factors to exploit.                               | API keys not rotated in over 180 days.
Low           | Best practice deviation with limited immediate risk.                                                           | Missing tag on non-production resources.
Informational | Observation or recommendation for improvement; no current risk.                                                | Compartment structure could be refined for clarity.


Audit Report Structure

The final audit report should include the following sections:

1.    Executive Summary: High-level overview of findings, risk posture, and key recommendations.

2.    Scope & Methodology: Reiteration of audit scope, tools used, and standards referenced.

3.    Detailed Findings: Each finding with severity, description, evidence reference, affected resource, and remediation recommendation.

4.    Summary of Findings Table: Tabular view with finding count by severity and domain.

5.    Remediation Tracker: Action items with owners, target dates, and status fields.

6.    Appendices: Raw evidence index, glossary of OCI terms, and reference to CIS benchmark mapping.


Appendix A: OCI CLI Quick Reference

Below are commonly used OCI CLI flags for audit operations:

Flag              | Purpose
--all             | Retrieve all records (handles pagination automatically).
--output table    | Display output in human-readable table format.
--query           | JMESPath query to filter/project JSON output fields.
--compartment-id  | Target a specific compartment (use tenancy OCID for root).
--region          | Override the default region for the command.
--profile         | Use a named OCI CLI profile from ~/.oci/config.


Appendix B: Glossary

Term       | Definition
OCID       | Oracle Cloud Identifier – unique resource identifier in OCI.
DRG        | Dynamic Routing Gateway – virtual router for VCN-to-VCN and on-premises connectivity.
NSG        | Network Security Group – virtual firewall rules applied at VNIC level.
VCN        | Virtual Cloud Network – software-defined network in OCI.
IMDSv2     | Instance Metadata Service v2 – token-based metadata access for enhanced security.
CIS        | Center for Internet Security – organisation publishing security benchmarks.
PAR        | Pre-Authenticated Request – time-limited URL for Object Storage access without credentials.
SUID/SGID  | Set User ID / Set Group ID – file permission bits that run executables with owner/group privileges.
NLA        | Network Level Authentication – RDP security feature requiring authentication before session.

About the Author

Debapriya Biswas
Oracle ACE Apprentice | Sr. Consultant – Cloud Technologies
Focused on OCI Compute, Networking, and Automation
