Hardening Oracle Cloud Infrastructure – Part 1: Identification

Cloud Security When you search with the term “Cloud Breaches 2022” in one of the search engines, there is a almost endless list of breaches. In this 2-part blog post I show you an easy way, to level up your security in Oracle Cloud Infrastructure. For example listed on https://www.immuniweb.com/blog/top-10-cloud-security-incidents-in-2022.html: As you can see here, these are all issues related to security settings done by the owner of the accounts. No special hacking methods, no social engineering. Just wrong settings. Sure, there are also technical bugs possible, this one has happened in summer 2022 in Oracle Cloud Infrastructure and was called #AttachMe: https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access Cloud Security Risks – Items These items are all configurable by customer, like roles not according least-privilege…

Read More

Oracle Cloud Infrastructure Quick Tip – Unlock the Windows OPC User Account

Today, after testing some Oracle Cloud Infrastructure firewall changes and login tests into a running Windows 2019 Server, the account of the administration user opc was locked. The referenced account is currently locked out and may not be logged on. And now? There was no other user available with administrator privileges to unlock this account. We have basically two methods to solve the issue.                      a) The Coffee Cup Style – just wait You know the password? The Oracle Cloud Infrastructure provided Windows Server 2019 images use a 5 minutes lock out policy until you can try again – so grab a cup of coffee and wait. FYI, these 5 mins…

Read More

Oracle Linux Automation Manager 2.0 in the Oracle Cloud – A Story about 10.0.2.0/24

no route to host Since some days I was struggling after an OLAM2 – Oracle Automation Manager 2.0 – setup, to connect to specific hosts. As you can see here in the picture, I was able to execute OLAM2 job templates (Ansible Playbooks) against a host in same subnet in 10.0.1.0/24, but not for the other one in subnet 10.0.2.0/24. The message was always the same: no route to host. But, in OCI basically each subnet has connection to the the other one, there is no special subnet routing withing a VCN Virtual Cloud Network. The setup on an OL8 machine was execute as described in the installation guide: Installation Guide (oracle.com). The setup type was Single Host. For testing…

Read More

Oracle Cloud Infrastructure – Housekeeping, a story about pre-authenticated Object Storage URLs

The year 2022 was ending, time for housekeeping the Oracle Cloud Infrastructure account. And there was an old IAM account in the list, containing the “old” company name and nobody knew where this account was used for. So, we removed it. Some hours later I got a message: Pls can you look; we are not able to run OCI Resource Manager Stacks to ramp up training environments … Cannot load package. The URL might not be valid. Contact the package author. The error in the resource manager was clear – Cannot load package. The URL might not be valid. Contact the package author.                   Background Information Our training department provides training setups…

Read More

Oracle Cloud Infrastructure – use the Force of Tags, Luke

Yesterday… … I got a question from a good friend in my company who had this use case in Oracle Cloud Infrastructure – thanks Roli from Lucerne for the input for this blog post, the next “Zwätschgelutz” is offered by me. When several OCI compute instances are available in same compartment, how can a user be restricted to just start and stop one of these machines? I have extended this question: How to restrict users to start and stop a subset of Compute Instances in the same compartment. In my use-case, a Windows and Linux admin group is working together in the same compartment. The first question how to restrict instance actions on level start and stop was easy to…

Read More