
Config Checks Reference

WebbinRoot edited this page Apr 2, 2026 · 1 revision

ConfigChecker - Static Config Checks

Note: This page is a work in progress. It was generated with LLM assistance and is subject to ongoing review and change.

Detailed reference for findings produced by modules run enum_config_check (source: modules/everything/utilities/config_audit.py).

How to Run

modules run enum_config_check
modules run enum_config_check --services networking,object_storage,identity_domains
modules run enum_config_check --json-out config_audit.json
modules run enum_config_check --quiet

Notes:

  • Checks run on saved SQLite data; stale/partial saves can hide findings.
  • Run enum_all --save (or focused enum_* --save) before config checks for best coverage.

How to Use This Page

Each service has two layers:

  • A compact summary table for quick triage.
  • Detailed finding write-ups with a concise SQLite Detection Metric (Pseudo-code) focused on decision fields/values (excluding generic resource-existence checks).

Quick logic interpretation:

  • field contains 'VALUE' means a positive string match drives the finding.
  • field is empty/missing/false means absence/disabled state drives the finding.
  • truthy(field) means true-like/enabled state checks.
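The three interpretation rules above describe how string-valued SQLite columns are read. The following is an added example written for this page, not the project's own `_truthy_str` / `_as_json_list` helpers: it gives one plausible implementation of `truthy`, `is empty/missing/false` and `contains`, then runs the APIGW_PUBLIC_NO_NSG decision over a constructed in-memory `apigw_gateways` table. The sample ids and the exact set of true-like/empty strings are assumptions.

```python
import json
import sqlite3

# Assumed helper semantics for the three interpretation rules; these are this
# example's own definitions, not the project's _truthy_str / _as_json_list.
TRUE_STRINGS = {"true", "1", "yes", "on", "enabled"}
EMPTY_STRINGS = {"", "none", "null", "false", "0", "[]", "{}"}


def truthy(value):
    """truthy(field): a true-like / enabled state. SQLite hands back str, int or None."""
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return bool(value)
    return str(value).strip().lower() in TRUE_STRINGS


def is_empty(value):
    """field is empty/missing/false: NULL, '', 'None', 'false', or an empty JSON list/dict."""
    if value is None:
        return True
    if isinstance(value, (int, float)):
        return not value
    text = str(value).strip()
    if text.lower() in EMPTY_STRINGS:
        return True
    # List/dict columns such as network_security_group_ids are saved as JSON text.
    if text[0] in "[{":
        try:
            return len(json.loads(text)) == 0
        except ValueError:
            return False
    return False


def contains(value, needle):
    """field contains 'VALUE': case-insensitive substring match on the stored string."""
    return value is not None and needle.upper() in str(value).upper()


def check_apigw_public_no_nsg(conn):
    """APIGW_PUBLIC_NO_NSG: endpoint_type contains 'PUBLIC' and the NSG list is empty."""
    findings = []
    rows = conn.execute(
        "SELECT id, endpoint_type, network_security_group_ids FROM apigw_gateways"
    )
    for gateway_id, endpoint_type, nsg_ids in rows:
        if contains(endpoint_type, "PUBLIC") and is_empty(nsg_ids):
            findings.append(
                {"issue_code": "APIGW_PUBLIC_NO_NSG", "severity": "HIGH", "resource_id": gateway_id}
            )
    return findings


def build_sample_db():
    """Constructed in-memory data with placeholder ids (not real OCIDs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE apigw_gateways (id TEXT, endpoint_type TEXT, network_security_group_ids TEXT)"
    )
    conn.executemany(
        "INSERT INTO apigw_gateways VALUES (?, ?, ?)",
        [
            ("gw-public-no-nsg", "PUBLIC", "[]"),           # empty JSON list -> finding
            ("gw-public-null", "PUBLIC", None),             # NULL column -> finding
            ("gw-public-with-nsg", "PUBLIC", '["nsg-1"]'),  # NSG attached -> no finding
            ("gw-private", "PRIVATE", None),                # not public -> no finding
        ],
    )
    return conn


if __name__ == "__main__":
    for finding in check_apigw_public_no_nsg(build_sample_db()):
        print(finding)
```

The point of `is_empty` accepting `'[]'` and `None` alike is that a stale or partial save (see the notes under How to Run) stores missing attributes as NULL, while a fresh save of a gateway with no NSGs stores an empty JSON list; both must produce the same finding.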

Severity Model

| Severity | Meaning in this module |
|---|---|
| CRITICAL | Immediate, high-confidence exposure/impact path requiring urgent response. |
| HIGH | Strong security risk with high abuse potential. |
| MEDIUM | Meaningful weakness that often needs additional conditions to abuse. |
| LOW | Hardening/governance weakness with lower immediate impact. |
| INFO | Context/hunting signal that improves visibility and posture understanding. |

Coverage Summary

Total implemented finding types: 70 across 30 services.

| Service | Findings |
|---|---|
| api_gateway | 2 |
| artifact_registry | 1 |
| bastion | 1 |
| block_storage | 2 |
| blockchain | 1 |
| cache | 3 |
| cloud_guard | 2 |
| compute | 4 |
| compute_instance_agent | 2 |
| container_registry | 2 |
| data_science | 1 |
| database | 4 |
| devops | 1 |
| dns | 1 |
| email | 4 |
| file_storage | 2 |
| functions | 2 |
| identity | 1 |
| identity_domains | 4 |
| iot | 2 |
| kubernetes | 1 |
| logging | 2 |
| managed_kafka | 2 |
| network_firewall | 3 |
| network_load_balancer | 2 |
| networking | 6 |
| notifications | 1 |
| object_storage | 6 |
| resource_manager | 3 |
| vault | 2 |

Severity Distribution

| Severity | Count |
|---|---|
| CRITICAL | 4 |
| HIGH | 24 |
| MEDIUM | 25 |
| LOW | 13 |
| INFO | 4 |

Finding Catalog

Grouped by service; sorted by severity then issue code.

API Gateway

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| APIGW_PUBLIC_NO_NSG | HIGH | apigw_gateways | endpoint_type, network_security_group_ids |
| APIGW_PUBLIC_ENDPOINT | MEDIUM | apigw_gateways | endpoint_type |

Details

APIGW_PUBLIC_NO_NSG (HIGH)

What It Detects: Public API Gateway does not appear to have NSGs configured. This reduces network-layer filtering options.

SQLite Detection Metric (Pseudo-code):

  • Checks table apigw_gateways and emits this finding when these decision conditions are true:
    • endpoint_type contains 'PUBLIC'
    • network_security_group_ids is empty/missing/false

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: attach restrictive NSGs and limit ingress paths.

Recommended Module Refresh: modules run enum_apigateway --gateways --get --save

APIGW_PUBLIC_ENDPOINT (MEDIUM)

What It Detects: API Gateway is configured with a public endpoint. Public endpoints can increase external attack surface for exposed APIs if authentication and policy controls are weak.

SQLite Detection Metric (Pseudo-code):

  • Checks table apigw_gateways and emits this finding when these decision conditions are true:
    • endpoint_type contains 'PUBLIC'

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: prefer private endpoints where feasible, and enforce strong auth/policies for publicly exposed APIs.

Recommended Module Refresh: modules run enum_apigateway --gateways --get --save


Artifact Registry

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| ARTIFACT_REPOSITORY_MUTABLE | MEDIUM | ar_repositories | is_immutable |

Details

ARTIFACT_REPOSITORY_MUTABLE (MEDIUM)

What It Detects: Repository appears mutable. Mutable artifacts can weaken supply-chain integrity since they can be overwritten.

SQLite Detection Metric (Pseudo-code):

  • Checks table ar_repositories and emits this finding when these decision conditions are true:
    • is_immutable is false/empty/disabled

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable repository immutability for sensitive artifact repositories.

Recommended Module Refresh: modules run enum_artifactregistry --repositories --get --save


Bastion

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| BASTION_ALLOWLIST_ANY | HIGH | bastion_bastions | CIDR, cidr_block_allow_list, public |

Details

BASTION_ALLOWLIST_ANY (HIGH)

What It Detects: Bastion allow list includes 0.0.0.0/0 (or equivalent). This exposes bastion sessions to the internet.

SQLite Detection Metric (Pseudo-code):

  • Checks table bastion_bastions and emits this finding when these decision conditions are true:
    • cidr_block_allow_list includes public CIDR (0.0.0.0/0 or ::/0)

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict bastion CIDRs to approved administrative source ranges.

Recommended Module Refresh: modules run enum_core_network --bastion --get --save


Block Storage

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| BLOCK_VOLUME_NO_CMK | LOW | blockstorage_volumes | ACTIVE, AVAILABLE, IN_USE, PROVISIONING, lifecycle_state |
| BOOT_VOLUME_NO_CMK | LOW | blockstorage_boot_volumes | ACTIVE, AVAILABLE, IN_USE, PROVISIONING, lifecycle_state |

Details

BLOCK_VOLUME_NO_CMK (LOW)

What It Detects: Volume is not tied to a customer-managed KMS key. Default provider-managed encryption may be sufficient for many workloads, but CMK is often required for stricter controls.

SQLite Detection Metric (Pseudo-code):

  • Checks table blockstorage_volumes and emits this finding when these decision conditions are true:
    • not (lifecycle_state.upper() not in ('AVAILABLE', 'IN_USE', 'PROVISIONING', 'ACTIVE')), i.e. the volume is in one of those live states (terminated or detached volumes are skipped)
    • kms_key_id is empty/missing/false

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: use CMK-backed encryption for high-sensitivity workloads.

Recommended Module Refresh: modules run enum_core_block_storage --volumes --get --save

BOOT_VOLUME_NO_CMK (LOW)

What It Detects: Boot volume is not configured with a customer-managed KMS key.

SQLite Detection Metric (Pseudo-code):

  • Checks table blockstorage_boot_volumes and emits this finding when these decision conditions are true:
    • not (lifecycle_state.upper() not in ('AVAILABLE', 'IN_USE', 'PROVISIONING', 'ACTIVE')), i.e. the boot volume is in one of those live states
    • kms_key_id is empty/missing/false

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: evaluate CMK usage for boot volumes that host sensitive workloads.

Recommended Module Refresh: modules run enum_core_block_storage --boot-volumes --get --save


Blockchain

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| BLOCKCHAIN_SERVICE_ENDPOINT_HTTP | HIGH | blockchain_platforms | http, service_endpoint, startswith |

Details

BLOCKCHAIN_SERVICE_ENDPOINT_HTTP (HIGH)

What It Detects: Blockchain platform service endpoint appears to use plaintext HTTP.

SQLite Detection Metric (Pseudo-code):

  • Checks table blockchain_platforms and emits this finding when these decision conditions are true:
    • service_endpoint starts with 'http://' (plaintext scheme rather than 'https://')

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: require HTTPS endpoints.

Recommended Module Refresh: modules run enum_blockchain --platforms --get --save


Cache

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| CACHE_CLUSTER_PUBLIC_ENDPOINT_IP | HIGH | cache_clusters | True |
| CACHE_USER_WEAK_AUTH_MODE | HIGH | cache_users | DISABLED, NONE, NO_AUTH, authentication_mode, strip |
| CACHE_CLUSTER_NO_NSG | MEDIUM | cache_clusters | _as_json_list, nsg_ids |

Details

CACHE_CLUSTER_PUBLIC_ENDPOINT_IP (HIGH)

What It Detects: Cache endpoint IP appears outside RFC1918 private ranges.

SQLite Detection Metric (Pseudo-code):

  • Checks table cache_clusters and emits this finding when these decision conditions are true:
    • cluster endpoint IP is public-routable (non-RFC1918)

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: place cache endpoints on private subnets only.

Recommended Module Refresh: modules run enum_all --save
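Both this finding and BASTION_ALLOWLIST_ANY above classify addresses: the bastion check asks whether an allow-list entry is 0.0.0.0/0 or ::/0 (or an equivalent), the cache check asks whether an endpoint IP falls outside RFC1918. The following added example, written for this page and not taken from the project, implements both with the standard `ipaddress` module and runs them over constructed `bastion_bastions` and `cache_clusters` rows. The `endpoint_ip` column name, the JSON-or-comma-separated storage of the allow list, and the treatment of IPv6 endpoints as non-RFC1918 are assumptions.

```python
import ipaddress
import json
import sqlite3

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_cidr(cidr):
    """True for 0.0.0.0/0, ::/0 and equivalents such as the same prefix with stray
    whitespace or host bits set: any prefix length of 0 matches every address.
    Values that do not parse are not treated as public."""
    try:
        return ipaddress.ip_network(str(cidr).strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def is_outside_rfc1918(ip):
    """True when the address is not in 10/8, 172.16/12 or 192.168/16. IPv6 addresses
    are outside RFC1918 by definition and are flagged (assumption made here)."""
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return False
    if addr.version != 4:
        return True
    return not any(addr in net for net in RFC1918)


def as_list(value):
    """Allow lists are assumed to be saved as JSON text or comma-separated text."""
    if value is None:
        return []
    text = str(value).strip()
    if text.startswith("["):
        try:
            return [str(v) for v in json.loads(text)]
        except ValueError:
            return []
    return [v.strip() for v in text.split(",") if v.strip()]


def check_bastion_allowlist_any(conn):
    """BASTION_ALLOWLIST_ANY: any allow-list entry is an any-address CIDR."""
    findings = []
    for bastion_id, allow_list in conn.execute("SELECT id, cidr_block_allow_list FROM bastion_bastions"):
        open_cidrs = [c for c in as_list(allow_list) if is_public_cidr(c)]
        if open_cidrs:
            findings.append(("BASTION_ALLOWLIST_ANY", bastion_id, open_cidrs))
    return findings


def check_cache_public_endpoint_ip(conn):
    """CACHE_CLUSTER_PUBLIC_ENDPOINT_IP: endpoint IP outside RFC1918 (column endpoint_ip assumed)."""
    findings = []
    for cluster_id, endpoint_ip in conn.execute("SELECT id, endpoint_ip FROM cache_clusters"):
        if endpoint_ip and is_outside_rfc1918(endpoint_ip):
            findings.append(("CACHE_CLUSTER_PUBLIC_ENDPOINT_IP", cluster_id, endpoint_ip))
    return findings


def build_sample_db():
    """Constructed data with placeholder ids and documentation-range addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bastion_bastions (id TEXT, cidr_block_allow_list TEXT)")
    conn.execute("CREATE TABLE cache_clusters (id TEXT, endpoint_ip TEXT)")
    conn.executemany("INSERT INTO bastion_bastions VALUES (?, ?)", [
        ("bastion-open", '["10.0.0.0/8", "0.0.0.0/0"]'),  # finding: 0.0.0.0/0
        ("bastion-open-v6", "::/0"),                       # finding: ::/0
        ("bastion-scoped", '["203.0.113.0/24"]'),          # no finding
    ])
    conn.executemany("INSERT INTO cache_clusters VALUES (?, ?)", [
        ("cache-public", "203.0.113.10"),     # finding
        ("cache-private", "10.1.2.3"),        # no finding
        ("cache-private-172", "172.31.0.5"),  # no finding (inside 172.16.0.0/12)
    ])
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    print(check_bastion_allowlist_any(conn))
    print(check_cache_public_endpoint_ip(conn))
```

Parsing with `ipaddress` rather than comparing strings is what makes "or equivalent" work: `0.0.0.0/0` written with whitespace, or `1.2.3.4/0` with host bits set, all normalize to a zero-length prefix.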

CACHE_USER_WEAK_AUTH_MODE (HIGH)

What It Detects: Cache user authentication_mode is {...}.

SQLite Detection Metric (Pseudo-code):

  • Checks table cache_users and emits this finding when these decision conditions are true:
    • not (authentication_mode.strip().upper() not in ('', 'NONE', 'NO_AUTH', 'DISABLED')), i.e. the normalized mode is one of those absent/disabled values

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enforce password/token-based authentication modes.

Recommended Module Refresh: modules run enum_all --save

CACHE_CLUSTER_NO_NSG (MEDIUM)

What It Detects: Cache cluster has no NSGs configured, reducing network-level traffic filtering.

SQLite Detection Metric (Pseudo-code):

  • Checks table cache_clusters and emits this finding when these decision conditions are true:
    • nsg_ids is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: attach restrictive NSGs to cache clusters.

Recommended Module Refresh: modules run enum_all --save


Cloud Guard

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| CLOUD_GUARD_TARGET_NOT_ACTIVE | MEDIUM | cloud_guard_targets | ACTIVE, lifecycle_state, state |
| CLOUD_GUARD_DATA_SOURCE_NOT_ACTIVE | LOW | cloud_guard_data_sources | ACTIVE, lifecycle_state |

Details

CLOUD_GUARD_TARGET_NOT_ACTIVE (MEDIUM)

What It Detects: Cloud Guard target state={...}, lifecycle_state={...}.

SQLite Detection Metric (Pseudo-code):

  • Checks table cloud_guard_targets and emits this finding when these decision conditions are true:
    • not (state.upper() in ('ACTIVE', '') and lifecycle_state.upper() in ('ACTIVE', '')), i.e. either state or lifecycle_state holds a value other than ACTIVE (an empty value is treated as active)

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: ensure required Cloud Guard targets are in ACTIVE state.

Recommended Module Refresh: modules run enum_cloudguard --targets --save

CLOUD_GUARD_DATA_SOURCE_NOT_ACTIVE (LOW)

What It Detects: Cloud Guard data source lifecycle_state={...}.

SQLite Detection Metric (Pseudo-code):

  • Checks table cloud_guard_data_sources and emits this finding when these decision conditions are true:
    • not (lifecycle_state.upper() in ('ACTIVE', '')), i.e. lifecycle_state holds a value other than ACTIVE (an empty value is treated as active)

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: validate detector data sources are healthy and active.

Recommended Module Refresh: modules run enum_cloudguard --data-sources --save


Compute

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| COMPUTE_IMDS_V1 | LOW | compute_instances | are_legacy_imds_endpoints_disabled, instance_options, json, loads |
| COMPUTE_IN_TRANSIT_ENCRYPTION | LOW | compute_instances | is_pv_encryption_in_transit_enabled, json, launch_options, loads |
| COMPUTE_CONFIDENTIAL_COMPUTING | INFO | compute_instances | is_memory_encryption_enabled, json, loads, platform_config |
| COMPUTE_SHIELDED_INSTANCES | INFO | compute_instances | is_measured_boot_enabled, is_secure_boot_enabled, is_trusted_platform_module_enabled, json, loads |

Details

COMPUTE_IMDS_V1 (LOW)

What It Detects: Legacy IMDS (v1) endpoints are enabled. IMDSv1 is more susceptible to SSRF‑style credential theft compared to IMDSv2.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instances and emits this finding when these decision conditions are true:
    • instance_options.are_legacy_imds_endpoints_disabled == false

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: disable legacy IMDS endpoints (use IMDSv2 only).

Recommended Module Refresh: modules run enum_kubernetes --clusters

COMPUTE_IN_TRANSIT_ENCRYPTION (LOW)

What It Detects: In‑transit encryption between instance and boot volume is disabled. This can expose data in transit within the host network path.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instances and emits this finding when these decision conditions are true:
    • launch_options.is_pv_encryption_in_transit_enabled == false

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: enable in-transit encryption for supported shapes and images.

Recommended Module Refresh: modules run enum_kubernetes --clusters

COMPUTE_CONFIDENTIAL_COMPUTING (INFO)

What It Detects: Confidential computing (memory encryption) is disabled. This reduces isolation of running workloads from host‑level inspection.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instances and emits this finding when these decision conditions are true:
    • platform_config.is_memory_encryption_enabled == false

Why This Severity: Informational posture or hunting signal useful for baselining and investigations.

Typical Remediation: enable memory encryption on supported shapes.

Recommended Module Refresh: modules run enum_kubernetes --clusters

COMPUTE_SHIELDED_INSTANCES (INFO)

What It Detects: Shielded instance protections are not enabled (secure boot and/or measured boot + TPM). This weakens protections against boot‑level tampering.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instances and emits this finding when these decision conditions are true:
    • one or more of platform_config.is_secure_boot_enabled, is_measured_boot_enabled, is_trusted_platform_module_enabled is false

Why This Severity: Informational posture or hunting signal useful for baselining and investigations.

Typical Remediation: enable shielded instance settings where supported.

Recommended Module Refresh: modules run enum_kubernetes --clusters
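All four compute findings read nested keys out of JSON text columns (`instance_options`, `launch_options`, `platform_config`), which is what the `json`, `loads` trigger fields refer to. The added example below, written for this page rather than taken from the project, shows the pattern end to end over a constructed `compute_instances` table: tolerant parsing of NULL or invalid JSON, an explicit-false test so that an unreported option (shape does not support it) is not mistaken for a disabled one, and the "one or more of" rule for COMPUTE_SHIELDED_INSTANCES. The `as_json_dict` / `is_false` helpers, the decision that a missing key is not a finding, and the sample ids are assumptions.

```python
import json
import sqlite3


def as_json_dict(value):
    """Parse a JSON-object column; NULL, '' or invalid JSON become {} so a missing
    option reads as 'not reported' instead of aborting the whole audit."""
    if value is None:
        return {}
    if isinstance(value, dict):
        return value
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def is_false(value):
    """'== false' in the metrics above: an explicit false value. None (key absent,
    e.g. a shape that does not expose the option) is deliberately not false."""
    if value is None:
        return False
    if isinstance(value, bool):
        return value is False
    return str(value).strip().lower() in ("false", "0", "no")


# issue code, severity, JSON column, key; emitted when the key is explicitly false
COMPUTE_CHECKS = (
    ("COMPUTE_IMDS_V1", "LOW", "instance_options", "are_legacy_imds_endpoints_disabled"),
    ("COMPUTE_IN_TRANSIT_ENCRYPTION", "LOW", "launch_options", "is_pv_encryption_in_transit_enabled"),
    ("COMPUTE_CONFIDENTIAL_COMPUTING", "INFO", "platform_config", "is_memory_encryption_enabled"),
)
SHIELDED_KEYS = (
    "is_secure_boot_enabled",
    "is_measured_boot_enabled",
    "is_trusted_platform_module_enabled",
)


def check_compute_instances(conn):
    """Return (issue_code, severity, instance_id) tuples for every compute finding."""
    findings = []
    rows = conn.execute(
        "SELECT id, instance_options, launch_options, platform_config FROM compute_instances"
    )
    for instance_id, instance_options, launch_options, platform_config in rows:
        cols = {
            "instance_options": as_json_dict(instance_options),
            "launch_options": as_json_dict(launch_options),
            "platform_config": as_json_dict(platform_config),
        }
        for code, severity, column, key in COMPUTE_CHECKS:
            if is_false(cols[column].get(key)):
                findings.append((code, severity, instance_id))
        # Shielded instances: any one of the three protections explicitly off is enough.
        if any(is_false(cols["platform_config"].get(k)) for k in SHIELDED_KEYS):
            findings.append(("COMPUTE_SHIELDED_INSTANCES", "INFO", instance_id))
    return findings


def build_sample_db():
    """Constructed rows; ids are placeholders, JSON mirrors the key names in the metrics."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE compute_instances (id TEXT, instance_options TEXT, launch_options TEXT, platform_config TEXT)"
    )
    conn.executemany("INSERT INTO compute_instances VALUES (?, ?, ?, ?)", [
        ("inst-legacy",                                   # IMDS v1 on, measured boot off
         '{"are_legacy_imds_endpoints_disabled": false}',
         '{"is_pv_encryption_in_transit_enabled": true}',
         '{"is_memory_encryption_enabled": true, "is_secure_boot_enabled": true,'
         ' "is_measured_boot_enabled": false, "is_trusted_platform_module_enabled": true}'),
        ("inst-hardened",                                 # everything enabled
         '{"are_legacy_imds_endpoints_disabled": true}',
         '{"is_pv_encryption_in_transit_enabled": true}',
         '{"is_memory_encryption_enabled": true, "is_secure_boot_enabled": true,'
         ' "is_measured_boot_enabled": true, "is_trusted_platform_module_enabled": true}'),
        ("inst-no-platform",                              # in-transit off, no platform_config
         '{"are_legacy_imds_endpoints_disabled": true}',
         '{"is_pv_encryption_in_transit_enabled": false}',
         None),
        ("inst-bad-json", "not json", None, None),        # partial save: no findings
    ])
    return conn


if __name__ == "__main__":
    for finding in check_compute_instances(build_sample_db()):
        print(finding)
```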


Compute Instance Agent

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| INSTANCE_AGENT_COMMAND_HISTORY_PRESENT | INFO | compute_instance_agent_commands | computed/derived checks |
| INSTANCE_AGENT_RUN_COMMAND_ENABLED | INFO | compute_instance_agent_plugins | COMMAND, ENABLED, RUN, RUNNING, _safe_str |

Details

INSTANCE_AGENT_COMMAND_HISTORY_PRESENT (INFO)

What It Detects: Instance has recorded Run Command activity. Review command content/output for sensitive operations.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instance_agent_commands and emits this finding when these decision conditions are true:
    • at least one command row exists with target_instance_id present

Why This Severity: Informational posture or hunting signal useful for baselining and investigations.

Typical Remediation: monitor and restrict who can submit instance agent commands.

Recommended Module Refresh: modules run enum_core_compute --instance-agent-commands --instance-agent-command-executions --get --download --save

INSTANCE_AGENT_RUN_COMMAND_ENABLED (INFO)

What It Detects: Run Command plugin is enabled, which expands remote command-execution surface.

SQLite Detection Metric (Pseudo-code):

  • Checks table compute_instance_agent_plugins and emits this finding when these decision conditions are true:
    • status.upper() in ('RUNNING', 'ENABLED')

Why This Severity: Informational posture or hunting signal useful for baselining and investigations.

Typical Remediation: disable Run Command where not required and tightly scope IAM permissions (instance-agent-command-family, instance-agent-command-execution-family).

Recommended Module Refresh: modules run enum_core_compute --instance-agent-plugins --get --save


Container Registry

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| PUBLIC_REPOSITORY | HIGH | cr_repositories | _truthy_str, is_public |
| CONTAINER_REGISTRY_REPO_MUTABLE | MEDIUM | cr_repositories | _truthy_str, is_immutable |

Details

PUBLIC_REPOSITORY (HIGH)

What It Detects: The repository is public. Images and metadata may be accessible without authentication.

SQLite Detection Metric (Pseudo-code):

  • Checks table cr_repositories and emits this finding when these decision conditions are true:
    • is_public is true/enabled

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: set repository visibility to private unless public access is required.

Recommended Module Refresh: modules run enum_containerregistry --repositories --get

CONTAINER_REGISTRY_REPO_MUTABLE (MEDIUM)

What It Detects: Repository is mutable (tags can be overwritten). This can enable supply‑chain confusion, rollback attacks, or untracked image changes.

SQLite Detection Metric (Pseudo-code):

  • Checks table cr_repositories and emits this finding when these decision conditions are true:
    • is_immutable is false/empty/disabled

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable immutability for sensitive repositories.

Recommended Module Refresh: modules run enum_containerregistry --repositories --get


Data Science

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| DATA_SCIENCE_PRIVATE_ENDPOINT_NO_SUBNET | MEDIUM | data_science_private_endpoints | _safe_str |

Details

DATA_SCIENCE_PRIVATE_ENDPOINT_NO_SUBNET (MEDIUM)

What It Detects: Private endpoint row has no subnet_id, which can indicate incomplete or misconfigured network placement.

SQLite Detection Metric (Pseudo-code):

  • Checks table data_science_private_endpoints and emits this finding when these decision conditions are true:
    • subnet_id is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: ensure private endpoints are bound to intended private subnets.

Recommended Module Refresh: modules run enum_datascience --private-endpoints --get --save


Database

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| MYSQL_ENCRYPT_DATA_DISABLED | HIGH | db_mysql_db_systems | _falsy_str, encrypt_data, strip |
| MYSQL_SECURE_CONNECTIONS_DISABLED | HIGH | db_mysql_db_systems | _falsy_str, secure_connections, strip |
| POSTGRES_DB_PUBLIC_NETWORK | HIGH | db_psql_db_systems | True, _as_json_dict, _truthy_str, get, is_public |
| ORACLE_DB_NO_CMK | MEDIUM | db_oracle_db_systems | computed/derived checks |

Details

MYSQL_ENCRYPT_DATA_DISABLED (HIGH)

What It Detects: MySQL DB system reports encrypt_data as disabled.

SQLite Detection Metric (Pseudo-code):

  • Checks table db_mysql_db_systems and emits this finding when these decision conditions are true:
    • encrypt_data is false/disabled

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enable encryption at rest for MySQL DB systems.

Recommended Module Refresh: modules run enum_databases --mysql --get --save

MYSQL_SECURE_CONNECTIONS_DISABLED (HIGH)

What It Detects: MySQL DB system reports secure_connections as disabled.

SQLite Detection Metric (Pseudo-code):

  • Checks table db_mysql_db_systems and emits this finding when these decision conditions are true:
    • secure_connections is false/disabled

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enforce TLS-secured client connections.

Recommended Module Refresh: modules run enum_databases --mysql --get --save

POSTGRES_DB_PUBLIC_NETWORK (HIGH)

What It Detects: PostgreSQL network details indicate public exposure.

SQLite Detection Metric (Pseudo-code):

  • Checks table db_psql_db_systems and emits this finding when these decision conditions are true:
    • is_public is true/enabled

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: prefer private networking and restrict ingress with NSGs/security lists.

Recommended Module Refresh: modules run enum_databases --postgres --get --save

ORACLE_DB_NO_CMK (MEDIUM)

What It Detects: Oracle DB system does not reference a customer-managed KMS key.

SQLite Detection Metric (Pseudo-code):

  • Checks table db_oracle_db_systems and emits this finding when these decision conditions are true:
    • kms_key_id is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: use CMK-backed encryption where policy/compliance requires it.

Recommended Module Refresh: modules run enum_databases --oracle --get --save


Devops

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| DEVOPS_REPOSITORY_HTTP_URL | HIGH | devops_repositories | http, http_url, repository_url, startswith, strip |

Details

DEVOPS_REPOSITORY_HTTP_URL (HIGH)

What It Detects: Repository URL appears to use plaintext HTTP transport.

SQLite Detection Metric (Pseudo-code):

  • Checks table devops_repositories and emits this finding when these decision conditions are true:
    • http_url starts with 'http://' OR repository_url starts with 'http://' (plaintext scheme rather than 'https://')

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enforce HTTPS/SSH repository URLs.

Recommended Module Refresh: modules run enum_devops --repositories --get --save


DNS

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| DNS_DNSSEC_DISABLED | MEDIUM | dns_zones | ENABLED, _safe_str, dnssec_state |

Details

DNS_DNSSEC_DISABLED (MEDIUM)

What It Detects: DNSSEC is not enabled for this public zone, which can allow DNS spoofing/poisoning.

SQLite Detection Metric (Pseudo-code):

  • Checks table dns_zones and emits this finding when these decision conditions are true:
    • dnssec_state != 'ENABLED'

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable DNSSEC for public zones where supported.

Recommended Module Refresh: modules run enum_dns --zones


Email

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| EMAIL_DOMAIN_DKIM_MISSING | HIGH | email_domains | ACTIVE, T_DKIMS, for, get_rows, if |
| EMAIL_SUBMIT_ENDPOINT_PLAINTEXT | HIGH | email_configuration | http, http_submit_endpoint, smtp_submit_endpoint, startswith |
| EMAIL_DOMAIN_SPF_MISSING | MEDIUM | email_domains | ACTIVE, T_SPFS, for, get_rows, if |
| EMAIL_SENDER_NOT_VERIFIED | MEDIUM | email_senders | is_email_verified |

Details

EMAIL_DOMAIN_DKIM_MISSING (HIGH)

What It Detects: Domain has no active DKIM configuration, which can weaken sender authenticity guarantees.

SQLite Detection Metric (Pseudo-code):

  • Checks table email_domains and emits this finding when these decision conditions are true:
    • not (lifecycle_state.upper() not in ('', 'ACTIVE')), i.e. the domain itself is active (or has no recorded state)
    • id not in {r.email_domain_id for r in self.get_rows(self.T_DKIMS) if r.email_domain_id and r.lifecycle_state.upper() == 'ACTIVE'}, i.e. no ACTIVE DKIM row references the domain

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: configure and enable DKIM for each sending domain.

Recommended Module Refresh: modules run enum_email --domains --dkims --save

EMAIL_SUBMIT_ENDPOINT_PLAINTEXT (HIGH)

What It Detects: One or more submit endpoints appear to use plaintext HTTP transport.

SQLite Detection Metric (Pseudo-code):

  • Checks table email_configuration and emits this finding when these decision conditions are true:
    • http_submit_endpoint starts with 'http://' OR smtp_submit_endpoint starts with 'http://' (plaintext scheme rather than 'https://')

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enforce TLS-enabled submit endpoints.

Recommended Module Refresh: modules run enum_email --email-configuration --save

EMAIL_DOMAIN_SPF_MISSING (MEDIUM)

What It Detects: Domain has no active SPF configuration, which can increase spoofing risk.

SQLite Detection Metric (Pseudo-code):

  • Checks table email_domains and emits this finding when these decision conditions are true:
    • not (lifecycle_state.upper() not in ('', 'ACTIVE')), i.e. the domain itself is active (or has no recorded state)
    • id not in {r.email_domain_id for r in self.get_rows(self.T_SPFS) if r.email_domain_id and r.lifecycle_state.upper() == 'ACTIVE'}, i.e. no ACTIVE SPF row references the domain

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: configure SPF records for authorized sending infrastructure.

Recommended Module Refresh: modules run enum_email --domains --spfs --save
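EMAIL_DOMAIN_DKIM_MISSING and EMAIL_DOMAIN_SPF_MISSING share one shape: keep the active domains, then subtract the domains that have an ACTIVE child record. The added example below, written for this page and not the project's code, expresses that set-difference as one parameterized SQLite query and runs it over constructed `email_domains`, `email_dkims` and `email_spfs` tables (the page names the child tables only through the `T_DKIMS` / `T_SPFS` constants, so those two table names and the `email_domain_id` column are assumptions). It keeps the two edge cases the metric encodes: a domain with no recorded state still counts as active, and a DKIM/SPF row that is DELETING does not count as coverage.

```python
import sqlite3

# Child-record table per finding. The page refers to these as T_DKIMS / T_SPFS;
# the concrete table names are this example's assumption.
RECORD_TABLES = {
    "EMAIL_DOMAIN_DKIM_MISSING": "email_dkims",
    "EMAIL_DOMAIN_SPF_MISSING": "email_spfs",
}

# Only the table name is interpolated, and only from RECORD_TABLES above.
MISSING_RECORD_SQL = """
SELECT d.id
FROM email_domains AS d
WHERE UPPER(TRIM(COALESCE(d.lifecycle_state, ''))) IN ('', 'ACTIVE')
  AND d.id NOT IN (
        SELECT r.email_domain_id
        FROM {table} AS r
        WHERE r.email_domain_id IS NOT NULL
          AND UPPER(TRIM(COALESCE(r.lifecycle_state, ''))) = 'ACTIVE'
  )
ORDER BY d.id
"""


def domains_missing_record(conn, issue_code):
    """Active (or state-less) domains with no ACTIVE DKIM/SPF row pointing at them."""
    table = RECORD_TABLES[issue_code]  # KeyError for unknown issue codes
    return [row[0] for row in conn.execute(MISSING_RECORD_SQL.format(table=table))]


def build_sample_db():
    """Constructed rows with placeholder ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE email_domains (id TEXT, lifecycle_state TEXT)")
    conn.execute("CREATE TABLE email_dkims (id TEXT, email_domain_id TEXT, lifecycle_state TEXT)")
    conn.execute("CREATE TABLE email_spfs (id TEXT, email_domain_id TEXT, lifecycle_state TEXT)")
    conn.executemany("INSERT INTO email_domains VALUES (?, ?)", [
        ("dom-complete", "ACTIVE"),
        ("dom-no-dkim", "ACTIVE"),
        ("dom-stale-dkim", None),      # missing state counts as active
        ("dom-deleted", "DELETED"),    # skipped entirely
    ])
    conn.executemany("INSERT INTO email_dkims VALUES (?, ?, ?)", [
        ("dkim-1", "dom-complete", "ACTIVE"),
        ("dkim-2", "dom-stale-dkim", "DELETING"),  # not ACTIVE: does not count
        ("dkim-3", None, "ACTIVE"),                # orphan row, ignored
    ])
    conn.executemany("INSERT INTO email_spfs VALUES (?, ?, ?)", [
        ("spf-1", "dom-complete", "ACTIVE"),
        ("spf-2", "dom-no-dkim", "active"),        # case is normalized
        ("spf-3", "dom-deleted", "ACTIVE"),
    ])
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    for code in RECORD_TABLES:
        print(code, domains_missing_record(conn, code))
```

The `r.email_domain_id IS NOT NULL` filter matters: a NULL inside a `NOT IN` subquery makes the whole predicate unknown in SQL, which would silently suppress every finding once a single orphan DKIM row is saved.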

EMAIL_SENDER_NOT_VERIFIED (MEDIUM)

What It Detects: Sender identity is unverified and may fail anti-spoofing controls or operational checks.

SQLite Detection Metric (Pseudo-code):

  • Checks table email_senders and emits this finding when these decision conditions are true:
    • is_email_verified is false/empty/disabled

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: verify sender identities before operational use.

Recommended Module Refresh: modules run enum_email --senders --save


File Storage

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| FILE_STORAGE_EXPORT_OPEN_TO_ANY | HIGH | file_storage_exports | READONLY, READWRITE, READ_ONLY, READ_WRITE, _is_public_cidr |
| FILE_STORAGE_MOUNT_TARGET_NO_NSG | MEDIUM | file_storage_mount_targets | _as_json_list, nsg_ids |

Details

FILE_STORAGE_EXPORT_OPEN_TO_ANY (HIGH)

What It Detects: Export option allows 0.0.0.0/0 (or equivalent), which can expose NFS shares broadly.

SQLite Detection Metric (Pseudo-code):

  • Checks table file_storage_exports and emits this finding when these decision conditions are true:
    • at least one export option has source as public CIDR AND access in {READ_WRITE, READONLY, READ_ONLY, READWRITE}

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict export source CIDRs to trusted networks.

Recommended Module Refresh: modules run enum_filestorage --exports --get --save
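Unlike the flat allow list on a bastion, an NFS export carries a list of export options, each with its own source CIDR and access mode, and the finding fires only when one option is both open to any source and grants read or write. The added example below, written for this page and not taken from the project, parses that nested structure out of the saved SQLite text and applies both conditions; the `export_options` column name and its assumed JSON shape (a list of objects with `source` and `access` keys) are assumptions, as are the sample ids.

```python
import ipaddress
import json
import sqlite3

# Access values the metric treats as granting data access (both spellings kept).
GRANTING_ACCESS = {"READ_WRITE", "READONLY", "READ_ONLY", "READWRITE"}


def is_any_source(source):
    """0.0.0.0/0, ::/0 or any equivalent prefix-length-0 network; unparseable -> False."""
    try:
        return ipaddress.ip_network(str(source).strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def open_export_options(export_options):
    """Return the export options whose source is an any-address CIDR and whose access
    mode grants read or write. export_options is the JSON text saved in SQLite
    (assumed: a list of {"source": ..., "access": ...} objects)."""
    try:
        options = json.loads(export_options or "[]")
    except ValueError:
        return []
    if not isinstance(options, list):
        return []
    hits = []
    for opt in options:
        if not isinstance(opt, dict):
            continue
        access = str(opt.get("access", "")).strip().upper()
        if is_any_source(opt.get("source", "")) and access in GRANTING_ACCESS:
            hits.append(opt)
    return hits


def check_exports_open_to_any(conn):
    """FILE_STORAGE_EXPORT_OPEN_TO_ANY over file_storage_exports; returns (code, id, sources)."""
    findings = []
    for export_id, export_options in conn.execute("SELECT id, export_options FROM file_storage_exports"):
        hits = open_export_options(export_options)
        if hits:
            findings.append(("FILE_STORAGE_EXPORT_OPEN_TO_ANY", export_id, [h["source"] for h in hits]))
    return findings


def build_sample_db():
    """Constructed rows with placeholder ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE file_storage_exports (id TEXT, export_options TEXT)")
    conn.executemany("INSERT INTO file_storage_exports VALUES (?, ?)", [
        ("exp-open", '[{"source": "0.0.0.0/0", "access": "READ_WRITE"}]'),      # finding
        ("exp-open-ro", '[{"source": "::/0", "access": "read_only"}]'),          # finding (IPv6, lower case)
        ("exp-scoped", '[{"source": "10.0.0.0/16", "access": "READ_WRITE"}]'),  # no finding
        ("exp-none", None),                                                      # partial save: no finding
    ])
    return conn


if __name__ == "__main__":
    for finding in check_exports_open_to_any(build_sample_db()):
        print(finding)
```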

FILE_STORAGE_MOUNT_TARGET_NO_NSG (MEDIUM)

What It Detects: Mount target has no NSGs attached, reducing network-level access controls.

SQLite Detection Metric (Pseudo-code):

  • Checks table file_storage_mount_targets and emits this finding when these decision conditions are true:
    • nsg_ids is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: attach NSGs and limit ingress to required clients only.

Recommended Module Refresh: modules run enum_filestorage --mount-targets --get --save


Functions

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| FUNCTION_INVOKE_ENDPOINT_HTTP | HIGH | functions_functions | http, invoke_endpoint, startswith |
| FUNCTION_APP_SYSLOG_HTTP | MEDIUM | functions_apps | http, startswith, strip, syslog_url |

Details

FUNCTION_INVOKE_ENDPOINT_HTTP (HIGH)

What It Detects: Invoke endpoint starts with HTTP (plaintext) instead of HTTPS.

SQLite Detection Metric (Pseudo-code):

  • Checks table functions_functions and emits this finding when these decision conditions are true:
    • invoke_endpoint starts with 'http://' (plaintext scheme rather than 'https://')

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: require HTTPS endpoints for function invocation.

Recommended Module Refresh: modules run enum_functions --functions --get --save

FUNCTION_APP_SYSLOG_HTTP (MEDIUM)

What It Detects: Syslog URL starts with HTTP (plaintext).

SQLite Detection Metric (Pseudo-code):

  • Checks table functions_apps and emits this finding when these decision conditions are true:
    • syslog_url starts with 'http://' (plaintext scheme rather than 'https://')

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: use TLS-protected log destinations.

Recommended Module Refresh: modules run enum_functions --apps --get --save


Identity

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| IAM_USER_MULTIPLE_API_KEYS | LOW | identity_user_api_keys | _safe_str, items, len |

Details

IAM_USER_MULTIPLE_API_KEYS (LOW)

What It Detects: User has more than one active/recorded API key, which can increase key-sprawl risk.

SQLite Detection Metric (Pseudo-code):

  • Checks table identity_user_api_keys and emits this finding when these decision conditions are true:
    • count(api_keys grouped by user_id) > 1

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: rotate/revoke stale keys and enforce key hygiene.

Recommended Module Refresh: modules run enum_identity --api-keys --save


Identity Domains

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
|---|---|---|---|
| IDD_MFA_DISABLED_OR_UNKNOWN | HIGH | identity_domain_authentication_factor_settings | compartment_ocid, domain_ocid, mfa_enabled_category, none, off |
| IDD_PW_WEAK_POLICY | MEDIUM | identity_domain_password_policies | compartment_ocid, domain_ocid, weak_points |
| IDD_USER_NOT_IN_GROUP | LOW | identity_domain_users | _as_json_list, compartment_ocid, domain_ocid, groups |
| IDD_USER_WITH_MULTIPLE_API_KEYS | LOW | identity_domain_user_api_keys | _safe_str, compartment_ocid, domain_ocid, get, key_rows |

Details

IDD_MFA_DISABLED_OR_UNKNOWN (HIGH)

What It Detects: MFA appears disabled or unspecified (mfa_enabled_category={...}).

SQLite Detection Metric (Pseudo-code):

  • Checks table identity_domain_authentication_factor_settings and emits this finding when these decision conditions are true:
    • not mfa_enabled_category or mfa_enabled_category.lower() in ('none', 'disabled', 'off'), i.e. the category is unset or names a disabled state

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: enable MFA for the domain and enforce strong MFA policies.

Recommended Module Refresh: modules run enum_identity --domains --save

IDD_PW_WEAK_POLICY (MEDIUM)

What It Detects: Password policy '{...}' has weak settings: {the detected weak points, joined by "; "}.

SQLite Detection Metric (Pseudo-code):

  • Checks table identity_domain_password_policies and emits this finding when these decision conditions are true:
    • any of min_length < 14, password_expires_after > 60, num_passwords_in_history < 10, max_incorrect_attempts > 4, or complexity fields (min_lower_case/min_upper_case/min_numerals/min_special_chars) <= 0

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: increase min length, enforce complexity, reduce expiry window, increase password history, and tighten lockout thresholds.

Recommended Module Refresh: modules run enum_identity --domains --save
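The thresholds in the metric above are concrete enough to evaluate directly. The added example below, written for this page rather than taken from the project's `weak_points` routine, applies each rule to one `identity_domain_password_policies` row (represented as a column-to-value dict, the way a `sqlite3.Row` would hand it back) and builds the finding text in the shape the description shows. Two choices are this example's assumptions: values saved as TEXT are coerced to integers, and a setting that is absent (NULL) is not reported as weak.

```python
# Thresholds from the metric above; each rule reports the setting when it is weak.
WEAK_RULES = (
    ("min_length", lambda v: v < 14, "< 14"),
    ("password_expires_after", lambda v: v > 60, "> 60"),
    ("num_passwords_in_history", lambda v: v < 10, "< 10"),
    ("max_incorrect_attempts", lambda v: v > 4, "> 4"),
    ("min_lower_case", lambda v: v <= 0, "<= 0"),
    ("min_upper_case", lambda v: v <= 0, "<= 0"),
    ("min_numerals", lambda v: v <= 0, "<= 0"),
    ("min_special_chars", lambda v: v <= 0, "<= 0"),
)


def as_int(value):
    """SQLite may hold these as INTEGER, TEXT or NULL; absent or unparseable -> None."""
    if value is None or str(value).strip() == "":
        return None
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def weak_points(policy):
    """Weak settings of one identity_domain_password_policies row (dict of column -> value).
    An absent setting is not reported (this example's assumption, not the project's rule)."""
    points = []
    for column, is_weak, label in WEAK_RULES:
        value = as_int(policy.get(column))
        if value is not None and is_weak(value):
            points.append(f"{column}={value} ({label})")
    return points


def describe(policy):
    """Finding text in the shape shown above, or None when the policy passes every rule."""
    points = weak_points(policy)
    if not points:
        return None
    return f"Password policy '{policy.get('name', '?')}' has weak settings: " + "; ".join(points)


# Constructed sample rows (placeholder names).
STRONG_POLICY = {
    "name": "strict", "min_length": 16, "password_expires_after": 45,
    "num_passwords_in_history": 12, "max_incorrect_attempts": 3,
    "min_lower_case": 1, "min_upper_case": 1, "min_numerals": 1, "min_special_chars": 1,
}
WEAK_POLICY = {
    "name": "legacy", "min_length": "8", "password_expires_after": 90,   # TEXT value coerced
    "num_passwords_in_history": 3, "max_incorrect_attempts": 10,
    "min_lower_case": 1, "min_upper_case": 1, "min_numerals": 0,
    "min_special_chars": None,                                            # absent: not flagged
}


if __name__ == "__main__":
    print(describe(STRONG_POLICY))
    print(describe(WEAK_POLICY))
```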

IDD_USER_NOT_IN_GROUP (LOW)

What It Detects: User appears to have no group memberships. Centralized group governance may be bypassed.

SQLite Detection Metric (Pseudo-code):

  • Checks table identity_domain_users and emits this finding when these decision conditions are true:
    • groups is empty/missing/false

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: assign users to least‑privilege groups and enforce consistent policies.

Recommended Module Refresh: modules run enum_identity --domains --save

IDD_USER_WITH_MULTIPLE_API_KEYS (LOW)

What It Detects: User has more than one recorded API key, increasing key-sprawl risk.

SQLite Detection Metric (Pseudo-code):

  • Checks table identity_domain_user_api_keys and emits this finding when these decision conditions are true:
    • count(identity_domain_api_keys grouped by user/domain principal) > 1

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: review key sprawl; rotate/revoke unused keys and enforce key hygiene.

Recommended Module Refresh: modules run enum_identity --domains --save


IoT

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| IOT_DOMAIN_GROUP_VCN_ALLOWLIST_EMPTY | HIGH | iot_domain_groups | db_allow_listed_vcn_ids |
| IOT_DOMAIN_IDENTITY_GROUP_ALLOWLIST_EMPTY | MEDIUM | iot_domains | db_allow_listed_identity_group_names |

Details

IOT_DOMAIN_GROUP_VCN_ALLOWLIST_EMPTY (HIGH)

What It Detects: IoT domain group DB VCN allow list is empty, increasing risk of broad backend DB exposure.

SQLite Detection Metric (Pseudo-code):

  • Checks table iot_domain_groups and emits this finding when these decision conditions are true:
    • db_allow_listed_vcn_ids is empty/missing/false

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict DB access to explicit approved VCN IDs.

Recommended Module Refresh: modules run enum_iot --domain-groups --get --save

IOT_DOMAIN_IDENTITY_GROUP_ALLOWLIST_EMPTY (MEDIUM)

What It Detects: IoT domain DB identity-group allow list is empty. Access controls may be overly broad or undefined.

SQLite Detection Metric (Pseudo-code):

  • Checks table iot_domains and emits this finding when these decision conditions are true:
    • db_allow_listed_identity_group_names is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: define explicit identity groups allowed for DB interactions.

Recommended Module Refresh: modules run enum_iot --domains --get --save


Kubernetes

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| KUBERNETES_ENGINE_PUBLIC_ENDPOINT | HIGH | containerengine_clusters | _safe_str, bool, dict, else, endpoint_config |

Details

KUBERNETES_ENGINE_PUBLIC_ENDPOINT (HIGH)

What It Detects: The Kubernetes control plane has a public endpoint. This increases exposure of the management plane to the internet.

SQLite Detection Metric (Pseudo-code):

  • Checks table containerengine_clusters and emits this finding when these decision conditions are true:
    • endpoint_config.is_public_ip_enabled is true and endpoints.public_endpoint is present

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict the endpoint to private IPs or use allow‑listed CIDRs.

Recommended Module Refresh: modules run enum_kubernetes --clusters


Logging

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| LOGGING_LOG_DISABLED | MEDIUM | logging_logs | is_enabled, on, strip, yes |
| LOGGING_RETENTION_SHORT | LOW | logging_logs | _as_int, default, retention_duration |

Details

LOGGING_LOG_DISABLED (MEDIUM)

What It Detects: Log collection is disabled for this log object.

SQLite Detection Metric (Pseudo-code):

  • Checks table logging_logs and emits this finding when these decision conditions are true:
    • is_enabled.strip().lower() not in ('true', '1', 'yes', 'on')

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable log collection for security-relevant sources.

Recommended Module Refresh: modules run enum_logging --logs --get --save

LOGGING_RETENTION_SHORT (LOW)

What It Detects: Retention duration is {...} day(s), which may be insufficient for investigations.

SQLite Detection Metric (Pseudo-code):

  • Checks table logging_logs and emits this finding when these decision conditions are true:
    • _as_int(retention_duration) is below the module's retention threshold, or cannot be parsed as a day count

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: align log retention with incident response and compliance needs.

Recommended Module Refresh: modules run enum_logging --logs --get --save


Managed Kafka

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| KAFKA_PLAINTEXT_BOOTSTRAP_URL | HIGH | kafka_clusters | any, for, if, kafka_bootstrap_urls, p |
| KAFKA_AUTH_MATERIAL_NOT_CONFIGURED | MEDIUM | kafka_clusters | _safe_str, client_certificate_bundle |

Details

KAFKA_PLAINTEXT_BOOTSTRAP_URL (HIGH)

What It Detects: Bootstrap URL appears to include plaintext listener semantics (for example port 9092).

SQLite Detection Metric (Pseudo-code):

  • Checks table kafka_clusters and emits this finding when these decision conditions are true:
    • kafka_bootstrap_urls contains ':9092' OR 'plaintext://'

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: prefer TLS-enabled listeners and enforce authenticated client access.

Recommended Module Refresh: modules run enum_managedkafka --clusters --get --save

KAFKA_AUTH_MATERIAL_NOT_CONFIGURED (MEDIUM)

What It Detects: No client auth secret or certificate bundle is recorded for this cluster.

SQLite Detection Metric (Pseudo-code):

  • Checks table kafka_clusters and emits this finding when these decision conditions are true:
    • secret_id is empty AND client_certificate_bundle is empty

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: configure authenticated client access paths.

Recommended Module Refresh: modules run enum_managedkafka --clusters --get --save


Network Firewall

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| NETWORK_FIREWALL_ALLOW_ANY_ANY | CRITICAL | network_firewall_security_rules | ALLOW, _as_dict, _as_str_list, action, all |
| NETWORK_FIREWALL_ALLOW_WITHOUT_MATCH_CRITERIA | CRITICAL | network_firewall_security_rules | ALLOW, _as_dict, _as_str_list, action, application |
| NETWORK_FIREWALL_INSPECT_WITHOUT_MODE | MEDIUM | network_firewall_security_rules | INSPECT, INTRUSION_DETECTION, INTRUSION_PREVENTION, action, inspection |

Details

NETWORK_FIREWALL_ALLOW_ANY_ANY (CRITICAL)

What It Detects: Rule appears to allow ANY‑to‑ANY traffic. Broad allow rules can bypass segmentation controls and increase blast radius.

SQLite Detection Metric (Pseudo-code):

  • Checks table network_firewall_security_rules and emits this finding when these decision conditions are true:
    • action == 'ALLOW'
    • condition.source_address or condition.destination_address includes any/all/*
    • condition.service includes any/all/*

Why This Severity: Immediate high-confidence exposure or compromise path with urgent response priority.

Typical Remediation: narrow to explicit address/service objects and limit to required flows.

Recommended Module Refresh: modules run enum_networkfirewall --firewalls --get --save

NETWORK_FIREWALL_ALLOW_WITHOUT_MATCH_CRITERIA (CRITICAL)

What It Detects: ALLOW rule has no match criteria (no src/dst/app/service/url). This can behave as an overly broad allow in policy evaluation.

SQLite Detection Metric (Pseudo-code):

  • Checks table network_firewall_security_rules and emits this finding when these decision conditions are true:
    • action == 'ALLOW'
    • condition.source_address, condition.destination_address, condition.application, condition.service, and condition.url are all empty

Why This Severity: Immediate high-confidence exposure or compromise path with urgent response priority.

Typical Remediation: add explicit source/destination/service/application/url conditions.

Recommended Module Refresh: modules run enum_networkfirewall --firewalls --get --save

NETWORK_FIREWALL_INSPECT_WITHOUT_MODE (MEDIUM)

What It Detects: INSPECT rule has no valid inspection mode. This can weaken intended IDS/IPS behavior.

SQLite Detection Metric (Pseudo-code):

  • Checks table network_firewall_security_rules and emits this finding when these decision conditions are true:
    • action == 'INSPECT'
    • inspection not in ('INTRUSION_DETECTION', 'INTRUSION_PREVENTION')

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: set inspection to INTRUSION_DETECTION or INTRUSION_PREVENTION.

Recommended Module Refresh: modules run enum_networkfirewall --firewalls --get --save
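The three firewall-rule decisions above in runnable form, as an added example that is not the project's config_audit.py code. It keeps the page's column names (action, inspection, condition with source_address/destination_address/application/service/url) and shows why "wildcard" and "empty" conditions are separate findings; the sample rows are constructed.

```python
import json

# Tokens the check treats as "match anything" inside a condition list.
ANY_TOKENS = {"any", "all", "*"}
VALID_INSPECTION_MODES = {"INTRUSION_DETECTION", "INTRUSION_PREVENTION"}


def as_str_list(value):
    """Normalise a condition field (JSON text, list, scalar or None) to a list of strings."""
    if value is None or value == "":
        return []
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return [value]  # a bare address/service object name, not JSON
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value if v not in (None, "")]
    return [str(value)]


def has_any(values):
    """True when any entry is a wildcard token (any/all/*)."""
    return any(v.strip().lower() in ANY_TOKENS for v in values)


def audit_firewall_rule(row):
    """Return the issue codes raised by one network_firewall_security_rules row.

    `row` is a dict holding the page's decision columns; `condition` may be the
    stored JSON text or an already-decoded dict.
    """
    codes = set()
    action = str(row.get("action") or "").strip().upper()
    cond = row.get("condition") or {}
    if isinstance(cond, str):
        cond = json.loads(cond or "{}")
    src = as_str_list(cond.get("source_address"))
    dst = as_str_list(cond.get("destination_address"))
    svc = as_str_list(cond.get("service"))
    app = as_str_list(cond.get("application"))
    url = as_str_list(cond.get("url"))

    if action == "ALLOW":
        # Wildcard on either address side *and* on the service side.
        if (has_any(src) or has_any(dst)) and has_any(svc):
            codes.add("NETWORK_FIREWALL_ALLOW_ANY_ANY")
        # Distinct case: nothing to match on at all.
        if not (src or dst or svc or app or url):
            codes.add("NETWORK_FIREWALL_ALLOW_WITHOUT_MATCH_CRITERIA")
    elif action == "INSPECT":
        mode = str(row.get("inspection") or "").strip().upper()
        if mode not in VALID_INSPECTION_MODES:
            codes.add("NETWORK_FIREWALL_INSPECT_WITHOUT_MODE")
    return codes


# Constructed sample rows (not captured from a real tenancy).
SAMPLE_RULES = [
    {"name": "allow-everything", "action": "ALLOW",
     "condition": json.dumps({"source_address": ["any"], "destination_address": [],
                              "service": ["all"], "application": [], "url": []})},
    {"name": "allow-blank", "action": "ALLOW", "condition": "{}"},
    {"name": "allow-web-from-corp", "action": "ALLOW",
     "condition": {"source_address": ["corp-ranges"], "service": ["https-svc"]}},
    {"name": "inspect-no-mode", "action": "INSPECT", "inspection": "", "condition": "{}"},
    {"name": "inspect-ips", "action": "INSPECT", "inspection": "INTRUSION_PREVENTION",
     "condition": "{}"},
]


def audit_all(rows):
    """Map rule name -> sorted issue codes, omitting rules that raise nothing."""
    out = {}
    for row in rows:
        codes = audit_firewall_rule(row)
        if codes:
            out[row["name"]] = sorted(codes)
    return out
```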


Network Load Balancer

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| NLB_PUBLIC_NO_NSG | HIGH | network_load_balancers | is_private, network_security_group_ids, no, off |
| NLB_PUBLIC | MEDIUM | network_load_balancers | is_private, no, off |

Details

NLB_PUBLIC_NO_NSG (HIGH)

What It Detects: Public NLB has no attached NSGs, reducing network-level filtering controls.

SQLite Detection Metric (Pseudo-code):

  • Checks table network_load_balancers and emits this finding when these decision conditions are true:
    • is_private.lower() in ('false', '0', 'no', 'off')
    • network_security_group_ids is empty/missing/false

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: attach restrictive NSGs and an explicit ingress policy.

Recommended Module Refresh: modules run enum_network_load_balancers --get --save

NLB_PUBLIC (MEDIUM)

What It Detects: NLB is configured as public and reachable from internet-routed paths.

SQLite Detection Metric (Pseudo-code):

  • Checks table network_load_balancers and emits this finding when these decision conditions are true:
    • is_private.lower() in ('false', '0', 'no', 'off')

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: use private NLBs unless internet exposure is required.

Recommended Module Refresh: modules run enum_network_load_balancers --get --save


Networking

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| VCN_SECURITY_LIST_INGRESS_ANY_ANY | HIGH | virtual_network_security_lists | _is_protocol_any, _is_public_cidr, dict, get, isinstance |
| VCN_SECURITY_LIST_RDP_OPEN_TO_INTERNET | HIGH | virtual_network_security_lists | TCP, _as_int, _as_json_dict, _is_public_cidr, _safe_str |
| VCN_SECURITY_LIST_SSH_OPEN_TO_INTERNET | HIGH | virtual_network_security_lists | TCP, _as_int, _as_json_dict, _is_public_cidr, _safe_str |
| VCN_ROUTE_TABLE_DEFAULT_TO_IGW | MEDIUM | virtual_network_route_tables | _is_public_cidr, _safe_str, destination, dict, gateway |
| VCN_SUBNET_ALLOWS_PUBLIC_IP | MEDIUM | virtual_network_subnets | no, off, prohibit_public_ip_on_vnic |
| VCN_SECURITY_LIST_EGRESS_ANY_ANY | LOW | virtual_network_security_lists | _is_protocol_any, _is_public_cidr, destination, dict, get |

Details

VCN_SECURITY_LIST_INGRESS_ANY_ANY (HIGH)

What It Detects: Ingress rule allows 0.0.0.0/0 (or equivalent) with any protocol.

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_security_lists and emits this finding when these decision conditions are true:
    • ingress rule source is public CIDR AND protocol is ANY

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict source CIDRs and allowed protocols/ports.

Recommended Module Refresh: modules run enum_core_network --security-lists --get --save

VCN_SECURITY_LIST_RDP_OPEN_TO_INTERNET (HIGH)

What It Detects: Ingress rule exposes RDP from any-address CIDR.

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_security_lists and emits this finding when these decision conditions are true:
    • rule.source is a public CIDR AND rule.protocol is TCP AND the destination port range covers 3389 (RDP)

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict RDP ingress to approved admin CIDRs.

Recommended Module Refresh: modules run enum_core_network --security-lists --get --save

VCN_SECURITY_LIST_SSH_OPEN_TO_INTERNET (HIGH)

What It Detects: Ingress rule exposes SSH from any-address CIDR.

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_security_lists and emits this finding when these decision conditions are true:
    • rule.source is a public CIDR AND rule.protocol is TCP AND the destination port range covers 22 (SSH)

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict SSH ingress to approved admin CIDRs.

Recommended Module Refresh: modules run enum_core_network --security-lists --get --save

VCN_ROUTE_TABLE_DEFAULT_TO_IGW (MEDIUM)

What It Detects: Route table contains a default route (0.0.0.0/0 or equivalent) to an internet gateway.

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_route_tables and emits this finding when these decision conditions are true:
    • route_rule.destination is a public CIDR (0.0.0.0/0 or equivalent) AND route_rule.network_entity_id indicates an internet gateway

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: ensure default internet routes are only attached to intended public subnets.

Recommended Module Refresh: modules run enum_core_network --route-tables --get --save

VCN_SUBNET_ALLOWS_PUBLIC_IP (MEDIUM)

What It Detects: Subnet does not prohibit public IP assignment on attached VNICs.

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_subnets and emits this finding when these decision conditions are true:
    • prohibit_public_ip_on_vnic.lower() in ('false', '0', 'no', 'off')

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: disable public IP assignment by default for private subnets.

Recommended Module Refresh: modules run enum_core_network --subnets --get --save

VCN_SECURITY_LIST_EGRESS_ANY_ANY (LOW)

What It Detects: Egress rule allows any protocol to 0.0.0.0/0 (or equivalent).

SQLite Detection Metric (Pseudo-code):

  • Checks table virtual_network_security_lists and emits this finding when these decision conditions are true:
    • egress rule destination is public CIDR AND protocol is ANY

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: tighten egress to least privilege.

Recommended Module Refresh: modules run enum_core_network --security-lists --get --save
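The four security-list checks in this section (ingress any/any, SSH and RDP open to the internet, egress any/any) re-implemented over an in-memory SQLite table, as an added example rather than the project's own code. The column names ingress_security_rules / egress_security_rules and the JSON rule layout (source, destination, protocol, tcpOptions.destinationPortRange) are assumed to mirror the OCI SecurityList API; the rows are constructed.

```python
import json
import sqlite3

# Literals the check treats as "any address". The OCI API encodes protocol as a
# string: "all" for every protocol, IANA numbers otherwise ("6" is TCP).
ANY_CIDRS = {"0.0.0.0/0", "::/0"}
PROTO_TCP = "6"


def is_public_cidr(cidr):
    return str(cidr or "").strip().lower() in ANY_CIDRS


def is_protocol_any(proto):
    return str(proto or "").strip().lower() in ("all", "*", "any")


def tcp_port_in_range(rule, port):
    """True when the rule's TCP destination port range covers `port`.
    No tcpOptions/destinationPortRange means the rule applies to all ports."""
    dst = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if not dst:
        return True
    return int(dst.get("min", 1)) <= port <= int(dst.get("max", 65535))


def audit_security_list(row):
    """Return the issue codes raised by one virtual_network_security_lists row.

    Assumed columns: ingress_security_rules / egress_security_rules holding the
    JSON list of rule objects; missing or NULL columns count as no rules.
    """
    codes = set()
    for rule in json.loads(row.get("ingress_security_rules") or "[]"):
        if not is_public_cidr(rule.get("source")):
            continue  # only any-address sources matter for these findings
        proto = str(rule.get("protocol", ""))
        if is_protocol_any(proto):
            codes.add("VCN_SECURITY_LIST_INGRESS_ANY_ANY")
        elif proto == PROTO_TCP:
            # As on the page, the port checks are scoped to TCP rules; a
            # protocol-all rule is already reported by the ANY_ANY finding.
            if tcp_port_in_range(rule, 22):
                codes.add("VCN_SECURITY_LIST_SSH_OPEN_TO_INTERNET")
            if tcp_port_in_range(rule, 3389):
                codes.add("VCN_SECURITY_LIST_RDP_OPEN_TO_INTERNET")
    for rule in json.loads(row.get("egress_security_rules") or "[]"):
        if is_public_cidr(rule.get("destination")) and is_protocol_any(rule.get("protocol")):
            codes.add("VCN_SECURITY_LIST_EGRESS_ANY_ANY")
    return codes


def build_sample_db():
    """In-memory SQLite table filled with constructed rows (not real tenancy data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_network_security_lists "
                 "(id TEXT, ingress_security_rules TEXT, egress_security_rules TEXT)")

    def tcp(lo, hi):
        return {"destinationPortRange": {"min": lo, "max": hi}}

    rows = [
        ("ocid1.securitylist.oc1..sample-open",
         json.dumps([{"source": "0.0.0.0/0", "protocol": "all"},
                     {"source": "0.0.0.0/0", "protocol": "6", "tcpOptions": tcp(22, 22)}]),
         json.dumps([{"destination": "0.0.0.0/0", "protocol": "all"}])),
        ("ocid1.securitylist.oc1..sample-admin",
         json.dumps([{"source": "10.0.0.0/8", "protocol": "6", "tcpOptions": tcp(3389, 3389)},
                     {"source": "::/0", "protocol": "6", "tcpOptions": tcp(3000, 4000)}]),
         json.dumps([{"destination": "0.0.0.0/0", "protocol": "6", "tcpOptions": tcp(443, 443)}])),
    ]
    conn.executemany("INSERT INTO virtual_network_security_lists VALUES (?, ?, ?)", rows)
    return conn


def run_checks(conn):
    """Map security-list OCID -> sorted issue codes for every row that raises any."""
    conn.row_factory = sqlite3.Row
    findings = {}
    for row in conn.execute("SELECT id, ingress_security_rules, egress_security_rules "
                            "FROM virtual_network_security_lists"):
        codes = audit_security_list(dict(row))
        if codes:
            findings[row["id"]] = sorted(codes)
    return findings
```

The second sample row shows why the port check has to be a range test: a 3000-4000 rule from ::/0 exposes RDP without ever naming port 3389.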


Notifications

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| NOTIFICATION_HTTP_SUBSCRIPTION | MEDIUM | notification_subscriptions | HTTP, _safe_str, protocol, strip |

Details

NOTIFICATION_HTTP_SUBSCRIPTION (MEDIUM)

What It Detects: Subscription protocol is HTTP, which does not provide TLS protection in transit.

SQLite Detection Metric (Pseudo-code):

  • Checks table notification_subscriptions and emits this finding when these decision conditions are true:
    • protocol.strip().lower() == 'http'

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: use HTTPS endpoints for notification subscriptions.

Recommended Module Refresh: modules run enum_notifications --subscriptions --get --save


Object Storage

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| OBJECT_STORAGE_BUCKET_PUBLIC_DOWNLOAD_AND_LIST | CRITICAL | object_storage_buckets | ObjectRead, _safe_str, public_access_type |
| OBJECT_STORAGE_BUCKET_PUBLIC_DOWNLOAD | HIGH | object_storage_buckets | ObjectRead, ObjectReadWithoutList, _safe_str, public_access_type |
| OBJECT_STORAGE_BUCKET_CMK_NOT_SET_UP | MEDIUM | object_storage_buckets | bool, get, get_run, r |
| OBJECT_STORAGE_BUCKET_VERSIONING_DISABLED | MEDIUM | object_storage_buckets | Disabled, _safe_str, versioning |
| OBJECT_STORAGE_NO_READ_LOG | LOW | object_storage_buckets | True |
| OBJECT_STORAGE_NO_WRITE_LOG | LOW | object_storage_buckets | True |

Details

OBJECT_STORAGE_BUCKET_PUBLIC_DOWNLOAD_AND_LIST (CRITICAL)

What It Detects: Bucket allows anonymous list + download access (ObjectRead). This can expose all object names and contents to the internet if the namespace is known.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • public_access_type == 'ObjectRead'

Why This Severity: Immediate high-confidence exposure or compromise path with urgent response priority.

Typical Remediation: set Public Access Type to “NoPublicAccess” unless explicitly required. Use GetBucket to verify settings and review access logs for potential exposure.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>

OBJECT_STORAGE_BUCKET_PUBLIC_DOWNLOAD (HIGH)

What It Detects: Bucket allows anonymous downloads (ObjectReadWithoutList). Object contents can be retrieved if names are guessed or leaked.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • not (public_access_type == 'ObjectRead')
    • public_access_type == 'ObjectReadWithoutList'

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: set Public Access Type to “NoPublicAccess” unless explicitly required. Review logs for potential downloads of sensitive objects.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>

OBJECT_STORAGE_BUCKET_CMK_NOT_SET_UP (MEDIUM)

What It Detects: Customer‑managed keys (CMK) are not configured. CMK adds an extra authorization layer: principals must hold KMS decrypt permissions to read objects.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • kms_key_id is empty/missing/false

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable KMS encryption on sensitive buckets and restrict key usage. GetBucket is required to see CMK settings.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>

OBJECT_STORAGE_BUCKET_VERSIONING_DISABLED (MEDIUM)

What It Detects: Bucket versioning is disabled. Without versioning, accidental deletes/overwrites or ransomware‑style changes are harder to recover.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • versioning == 'Disabled'

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: enable versioning for buckets that store important or regulated data. The relevant bucket field is only viewable with permission to GetBucket; ListBucket does not return it.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>

OBJECT_STORAGE_NO_READ_LOG (LOW)

What It Detects: No read‑level audit logs are configured for the bucket. This limits ability to detect data exfiltration or suspicious access.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • the extracted decision expression is the constant True; the finding is emitted for each bucket evaluated that has no read‑level log recorded

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: enable read logs to detect access and potential exfiltration.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>

OBJECT_STORAGE_NO_WRITE_LOG (LOW)

What It Detects: No write‑level audit logs are configured for the bucket. This reduces visibility into object creation, overwrite, and delete actions.

SQLite Detection Metric (Pseudo-code):

  • Checks table object_storage_buckets and emits this finding when these decision conditions are true:
    • the extracted decision expression is the constant True; the finding is emitted for each bucket evaluated that has no write‑level log recorded

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: enable write logs to detect create/update/delete activity.

Recommended Module Refresh: modules run enum_objectstorage --buckets --get --namespaces <namespace>


Resource Manager

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| ORM_STACK_VARIABLE_POTENTIAL_SECRET | CRITICAL | resource_manager_stacks | _as_json_dict, sensitive_hits, variables |
| ORM_PRIVATE_ENDPOINT_SOURCE_IP_ANY | HIGH | resource_manager_private_endpoints | CIDR, _as_json_list, public, source_ips |
| ORM_CONFIG_SOURCE_PROVIDER_MISSING_SECRET_REF | MEDIUM | resource_configuration_source_provider | _safe_str, username |

Details

ORM_STACK_VARIABLE_POTENTIAL_SECRET (CRITICAL)

What It Detects: Stack variable keys indicate potential secret material (for example password/token/private key). Plaintext stack variables can leak in stack exports and job artifacts.

SQLite Detection Metric (Pseudo-code):

  • Checks table resource_manager_stacks and emits this finding when these decision conditions are true:
    • variables JSON has key names matching sensitive patterns (password/token/key/secret/etc.) with non-empty values

Why This Severity: Immediate high-confidence exposure or compromise path with urgent response priority.

Typical Remediation: move secrets to OCI Vault references and avoid plaintext variable values.

Recommended Module Refresh: modules run enum_resourcemanager --stacks --jobs --get --download --save

ORM_PRIVATE_ENDPOINT_SOURCE_IP_ANY (HIGH)

What It Detects: Private endpoint source IP list includes any-address CIDR.

SQLite Detection Metric (Pseudo-code):

  • Checks table resource_manager_private_endpoints and emits this finding when these decision conditions are true:
    • source_ips includes public CIDR (0.0.0.0/0 or ::/0)

Why This Severity: Strong security risk with meaningful abuse potential under common attacker conditions.

Typical Remediation: restrict source IPs to specific administration/network ranges.

Recommended Module Refresh: modules run enum_resourcemanager --private-endpoints --get --save

ORM_CONFIG_SOURCE_PROVIDER_MISSING_SECRET_REF (MEDIUM)

What It Detects: Configuration source provider has a username set but no secret_id reference.

SQLite Detection Metric (Pseudo-code):

  • Checks table resource_configuration_source_provider and emits this finding when these decision conditions are true:
    • username is present AND secret_id is empty

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: store credentials in OCI Vault and reference them via secret OCIDs.

Recommended Module Refresh: modules run enum_resourcemanager --config-source-providers --get --save


Vault

Quick Triage

| Issue Code | Severity | Source Table | Trigger Fields |
| --- | --- | --- | --- |
| VAULT_KMS_VIRTUAL_PRIVATE_VAULT | MEDIUM | vault_vaults | DEFAULT, vault_type |
| VAULT_KMS_SOFTWARE_KEY | LOW | vault_keys | SOFTWARE, protection_mode |

Details

VAULT_KMS_VIRTUAL_PRIVATE_VAULT (MEDIUM)

What It Detects: Vault is using the DEFAULT vault type rather than a Virtual Private Vault (VPV). VPVs provide a dedicated HSM partition with stronger isolation and are generally preferred for high‑sensitivity key material and compliance‑driven environments.

SQLite Detection Metric (Pseudo-code):

  • Checks table vault_vaults and emits this finding when these decision conditions are true:
    • vault_type.upper() == 'DEFAULT'

Why This Severity: Material weakness that often requires additional conditions to produce high-impact abuse.

Typical Remediation: create a Virtual Private Vault and migrate keys/secrets that require stronger isolation. This is often a posture/compliance control rather than an immediate exploit path.

Recommended Module Refresh: modules run enum_vault --vaults --save

VAULT_KMS_SOFTWARE_KEY (LOW)

What It Detects: Key protection mode is SOFTWARE instead of HSM. SOFTWARE keys are cheaper but provide weaker protections for key material compared to HSM‑backed keys.

SQLite Detection Metric (Pseudo-code):

  • Checks table vault_keys and emits this finding when these decision conditions are true:
    • protection_mode.upper() == 'SOFTWARE'

Why This Severity: Hardening or governance gap with lower immediate exploitability.

Typical Remediation: use HSM protection for sensitive keys. Evaluate alongside IAM controls on key usage (encrypt/decrypt/generateDataKey). This is a posture signal.

Recommended Module Refresh: modules run enum_vault --keys --key-id <key_ocid>
