Releases: oci-landing-zones/oci-cis-landingzone-quickstart
Release 3.0.1
July 16, 2025 Release Notes - 3.0.1
Compliance Percentage Field
Added a Compliance Percentage Per Recommendation field in the cis_summary_report.csv. The field is calculated by dividing the number of compliant items by the total number of items. For recommendations that pass/fail, for pass, it puts '100%'. For fail, it puts '0%'. For recommendations that are Not Applicable, it puts 'N/A'.
Disable API Key Usage Check
- Added a new flag, --disable-api-usage-check, which skips the check that OCI API Keys have been used in the last 45 days. That check is part of recommendation 1.16 - Ensure OCI IAM credentials unused for 45 days or more are disabled. The checking of passwords is not impacted.
Updates:
- Updated --redact_output flag to --redact-output for consistency.
- Updated CIS check 1.4 to support tenancies with Identity Domains.
- Migrated CIS and OBP checks to use all_logs to support all log types. Closes Issue 156.
- Updated CSV record column order for block volume and boot volume to be the same. Closes Issue 170.
- Updated VCNs to include NSGs, SLs, and Subnets in the VCN structure and output.
- Improved code readability of obp_checks by breaking it up into multiple functions.
Fixes:
- Fixed CIS recommendation 4.2 to check that the subscription is active.
- Fixed CIS recommendation checks related to OCI Events to ensure the Event Rule is active.
- Fixed XLSX file not including PNGs. Issue 162.
- Fixed the ICMP protocol check for CIS recommendation 2.5 egress rules. Issue 168.
- Fixed Instance Principal authentication not being able to get Identity Domain data. Issue 169.
Release 3.0.0
May 23, 2025 Release Notes - 3.0.0
- CIS OCI Foundations 3.0.0 New Recommendations
- CIS OCI Foundations 3.0.0 Updated Recommendations
- README Updates for CIS Compliance Script
- Bug Fix
CIS OCI Foundations 3.0.0 New Recommendations
With the release of the CIS OCI Foundations Benchmark 3.0.0 the script has added the following new CIS recommendations:
- 1.16 - Ensure OCI IAM credentials unused for 45 days or more are disabled
- 1.17 - Ensure there is only one active API Key for any single OCI IAM user
- 4.18 - Ensure a notification is configured for Local OCI User Authentication
CIS OCI Foundations 3.0.0 Updated Recommendations
With the release of the CIS OCI Foundations Benchmark 3.0.0 the script has updated the following CIS recommendation:
- 2.5 - Ensure the default security list of every VCN restricts all traffic except ICMP within VCN
README Updates for CIS Compliance Script
As of May 2025, the Terraform template of the CIS Landing Zone is retired. The last release of the CIS Landing Zone Terraform is Release 2.8.8.
- Users looking for a deployment experience similar to CIS Landing Zone should now use OCI Core Landing Zone. OCI Core Landing Zone evolves CIS Landing Zone and complies with CIS OCI Foundations Benchmark 3.0.0.
- Users looking for a deployment experience based on fully declarable and customizable templates should use the Operating Entities Landing Zone or the OCI Landing Zones Modules in the OCI Landing Zones GitHub organization.
Script Fixes and Updates
Updates:
- Network topology now runs as part of the --all-resources flag instead of --obp.
Fixes:
- Fixed an edge case for CIS checks 1.5 and 1.6 where password history or password expiration is None.
- Fixed an issue where the script fails to run in a tenancy with no compartments
- Fixed an issue with the compartment Deeplink for the Root compartment
Release 2.8.8
March 4, 2024 Release Notes - 2.8.8
Updates/Fixes to the CIS Compliance Script
- Fixes:
- Fixed an issue for tenancies that do not have bucket logging enabled.
- Fixed an issue with the DB Password expiry check in tenancies without Identity Domains.
README Update for Core Landing Zone
Updated a broken link and small grammar improvement.
The compliance checker script is not impacted.
Release 2.8.7
February 27, 2024 Release Notes - 2.8.7
README Update for Core Landing Zone
Updated README to guide new Landing Zone adopters to the Core Landing Zone or the Operating Entities Landing Zone.
The compliance checker script is not impacted.
Updates/Fixes to the CIS Compliance Script
- Updates:
- Added improved support for all OCI Service log types. This is the precursor to completing feature request 156.
- Fixes:
- Fixed check "Ensure user IAM Database Passwords rotate within 90 days" from issue 155.
- Fixed check "Ensure VCN flow logging is enabled for all subnets" from issue 149.
- Fixed HTML report non-compliant issues text box being too large.
- Fixed check "Ensure Compute Instance Legacy Metadata service endpoint is disabled" level to 2.
Release 2.8.6
November 20, 2024 Release Notes - 2.8.6
Updates/Fixes to the CIS Compliance Script
- Updates:
- Added tenancy ID to search query to improve multi-tenancy access
- Fixes:
- Fixed release version in script
Release 2.8.5
October 23, 2024 Release Notes - 2.8.5
Updates/Fixes to the CIS Compliance Script
- Updates:
- CIS Summary HTML report now has dashboard graphics showing overall CIS Recommendation Compliance and CIS Recommendation Compliance per Focus Area.
- Fixes:
- Fixed a bug related to legacy DRGs with stale states creating exceptions
- Minor HTML fixes to the CIS Summary report
Updates/Fixes to the Terraform
- Updated Network Admin Group IAM permissions for ZPR and OCI Network Firewall
- Allow reading of ZPR namespaces, attributes, and configurations
- Allow management of OCI Network Firewall
- Updated Security Admin Group IAM permissions for ZPR and OCI Network Firewall
- Allow management of ZPR namespaces, attributes, and configurations
- Allow use of OCI Network Firewall
Documentation Updates
- Updated README.md with the current CIS OCI Foundations Benchmark version
Release 2.8.4
July 26, 2024 Release Notes - 2.8.4
- CIS OCI Benchmark Logging and Monitoring Workload
- SIEM (Security information and event management) Workload
- Updates/Fixes to the CIS Compliance Script
- Documentation Updates
CIS OCI Benchmark Logging and Monitoring Workload
The CIS OCI Benchmark Logging and Monitoring Workload adds the following to an existing OCI tenancy:
- Logging, Monitoring, and Alerting Events and Notifications as recommended by the CIS OCI Foundations Benchmark
- Enables Cloud Guard as recommended by the CIS OCI Foundations Benchmark
- Enables Budgets for Cloud Governance
SIEM (Security information and event management) Workload
The workload can be used to partially set up SIEM integration from the OCI side for integration with SIEMs like Stellar Cyber, Splunk, or SIEMs that read from OCI Streams.
Updates/Fixes to the CIS Compliance Script
Fixes
- Fixed issue on 4.15, “Ensure a notification is configured for Oracle Cloud Guard problems detect” check, which defaulted to True
Updates
- Updated CIS recommendation 4.3 - 4.12 to ensure event notifications are created in all OCI subscribed regions.
Documentation Updates
- Logo Updated.
- Updated README.md, CONTRIBUTING.md, and LICENSE.txt files.
- Added SECURITY.md file.
v2.8.3
June 7, 2024 Release Notes - 2.8.3
- Cloud Guard Detector and Security Zones Rules Mapped to CIS OCI Benchmark 2.0.0
- Updates/Fixes to the CIS Compliance Script
- Updates/Fixes to the Terraform
Cloud Guard Detector and Security Zones Rules Mapped to CIS OCI Benchmark 2.0.0
The CIS OCI Benchmark mapping in the compliance-script.md now maps to Cloud Guard Detectors and Security Zone Rules.
Updates/Fixes to the CIS Compliance Script
Fixes
- Fixed numbering issue for Logging and Monitoring checks 4.3 - 4.12.
- Fixed the Auditor policy documented in compliance-script.md to support running OBP checks.
- Fixed language for observations and error messages.
Updates
- Reduced code associated with ADB collection function.
- Added additional debugging statements.
Updates/Fixes to the Terraform
Updates
- Updated the Auditor policy to align with the compliance-script.md update.
- Updated Network and Database Admins with permissions to include repo management.
v2.8.2
April 18, 2024 Release Notes - 2.8.2
- New OBP for Certificate Service Certificate Expiration
- OCI CIS Landing Zone Oracle Access Governance Support
- Updates/Fixes to the Terraform
- Updates/Fixes to the CIS Compliance Script
New OBP for Certificate Service Certificate Expiration
A new Oracle Best Practice (OBP) check scans certificates stored in the OCI Certificate Service and finds those that will expire in under 30 days. This check helps customers prevent unintended outages for OCI services that use certificates stored in the Certificate Service, by flagging expiring certificates before they cause connectivity errors.
OCI CIS Landing Zone Oracle Access Governance Support
The OCI CIS Landing Zone enables accelerated Oracle Access Governance (OAG) deployment. The policies and groups required for OAG are created and aligned with the OCI CIS Foundations Benchmark. To deploy OAG using the CIS Landing Zone, review the Oracle Access Governance section under Governance in the Deployment Guide.
Updates/Fixes to the Terraform
Fixes
Updates/Fixes to the CIS Compliance Script
Updates
- Added support to override https://cloud.oracle.com in deep link URLs in CSV reports with a customer-provided deep link URL using the --deeplink-url-override argument. This provides support for other realms. For example, --deeplink-url-override https://console.us-langley-1.oraclegovcloud.com will support OC2's Ashburn region.
- Added new actions attribute to OCI Event records.
- Added new compliance checking script FAQ item.
v2.8.1
March 25, 2024 Release Notes - 2.8.1
Updates/Fixes to the CIS Compliance Script
Updates:
- Added flag --report-prefix to allow unique files for better baseline comparison.
- Improved performance in querying Identity Domains users' API keys.
- Improved Identity Domains checking for federated users by using is_federated flag.
- Added Deep Link with Identity Domain name to user, group, and dynamic group records.
- The audit configuration check has been removed because it is no longer in the benchmark.
- Boot Volume resources were added to the check 6.2 resources in the root compartment.
Fixes:
- Fixed handling of KMS keys with date issues.
- Removed duplication of Identity Groups for Identity Domains.
- Consistency and commenting updates.