OCI Network Exposure Scanner


Introduction Of A Python Tool That Scans OCI Security Lists And NSGs For Internet-Exposed Ingress Rules And Risky Open Ports

Description

I built the OCI Network Exposure Scanner as a lightweight Python auditing tool to quickly identify internet-exposed ingress rules in OCI. It scans Security Lists and Network Security Groups (NSGs) for inbound TCP rules that allow traffic from 0.0.0.0/0 on common ports such as SSH (22), RDP (3389), HTTP (80) and HTTPS (443), then generates timestamped JSON and Markdown reports and uploads them to OCI Object Storage so the results are easy to review, share and keep as audit evidence.

Codebase

GitHub Code: Click Here

Why This Is Useful

In most OCI environments, network rules evolve quickly as teams ship features, open temporary access for troubleshooting or create new subnets and services. Over time, it becomes easy to accidentally leave behind world-open ingress rules, especially on ports like SSH and RDP. This tool gives a fast, repeatable way to answer one question: "Do we have any Security Lists or NSGs that are exposing common services to the internet right now?" It is designed to be simple enough to run ad hoc during reviews and structured enough to run periodically and compare results over time.


What The Tool Does

The scanner audits a target compartment and flags exposure patterns that are often high-risk in real-world setups:

  • Enumerates Security Lists and checks ingress TCP rules where the source is 0.0.0.0/0

  • Enumerates NSGs and checks ingress TCP rules where the source is 0.0.0.0/0

  • Detects whether the rule’s TCP destination port range includes any of these common exposure ports: 22, 3389, 80, 443

  • If a rule has no destination port range specified, the tool treats it as ALL ports and marks it HIGH risk

  • Produces findings with consistent fields like resource type, resource name, ports, risk and a short explanation note
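
The rule checks listed above, as an added example that runs offline (this is illustrative code, not the scanner's own source). Rules are plain dicts whose keys mirror the OCI SDK attribute names (source, protocol, tcp_options.destination_port_range.min/max, and direction for NSG rules), so the same logic can be pointed at real SDK objects. Two choices here are assumptions not stated on the page: a rule with protocol "all" is treated as covering TCP, and findings on the admin ports (22, 3389) are rated HIGH while web ports (80, 443) are rated MEDIUM.

```python
# Added example of the Security List / NSG rule evaluation described above.
# Rule dicts use the OCI SDK field names; sample data below is constructed.

WATCH_PORTS = {22: "SSH", 3389: "RDP", 80: "HTTP", 443: "HTTPS"}
ANY_SOURCE = "0.0.0.0/0"
# "6" is TCP in OCI rules. Including "all" is an assumption: it also exposes TCP.
TCP_PROTOCOLS = {"6", "all"}


def tcp_port_range(rule):
    """Return (min, max) of the rule's TCP destination range, or None when no
    range is set (OCI then means every destination port)."""
    tcp = rule.get("tcp_options") or {}
    rng = tcp.get("destination_port_range")
    if not rng:
        return None
    return int(rng["min"]), int(rng["max"])


def evaluate_rule(resource_type, resource_name, rule):
    """Return a finding dict for a world-open TCP ingress rule, else None."""
    if rule.get("source") != ANY_SOURCE:
        return None
    if str(rule.get("protocol")).lower() not in TCP_PROTOCOLS:
        return None
    rng = tcp_port_range(rule)
    if rng is None:
        return {"type": resource_type, "resource": resource_name, "ports": "ALL",
                "risk": "HIGH",
                "note": "No destination port range: every TCP port open to the internet"}
    lo, hi = rng
    hits = [p for p in sorted(WATCH_PORTS) if lo <= p <= hi]
    if not hits:
        return None
    # Assumption (not on the page): admin ports rate HIGH, web ports MEDIUM.
    risk = "HIGH" if any(p in (22, 3389) for p in hits) else "MEDIUM"
    names = ", ".join(f"{p}/{WATCH_PORTS[p]}" for p in hits)
    return {"type": resource_type, "resource": resource_name,
            "ports": ",".join(str(p) for p in hits), "risk": risk,
            "note": f"Ingress from {ANY_SOURCE} on {names} (rule range {lo}-{hi})"}


def scan_security_list(name, ingress_rules):
    """Security Lists keep ingress rules in their own list; evaluate each."""
    return [f for f in (evaluate_rule("SecurityList", name, r) for r in ingress_rules) if f]


def scan_nsg(name, rules):
    """NSG rules carry a direction field; only INGRESS rules are in scope."""
    ingress = [r for r in rules if r.get("direction") == "INGRESS"]
    return [f for f in (evaluate_rule("NSG", name, r) for r in ingress) if f]


# Constructed sample rules (not from a real tenancy).
SAMPLE_SECLIST_RULES = [
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},     # SSH open
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 3389, "max": 3389}}}, # internal only
    {"source": "0.0.0.0/0", "protocol": "6", "tcp_options": None},            # all ports
    {"source": "0.0.0.0/0", "protocol": "17",
     "udp_options": {"destination_port_range": {"min": 53, "max": 53}}},     # UDP, out of scope
]
SAMPLE_NSG_RULES = [
    {"direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6",
     "tcp_options": {"destination_port_range": {"min": 80, "max": 443}}},   # covers 80 and 443
    {"direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "all"},  # egress, ignored
]

if __name__ == "__main__":
    findings = scan_security_list("sl-public-demo", SAMPLE_SECLIST_RULES)
    findings += scan_nsg("nsg-web-demo", SAMPLE_NSG_RULES)
    for f in findings:
        print(f)
```

Note that a range such as 80-443 is reported as hitting both 80 and 443 even though the rule also opens everything between them; the note keeps the original range so a reviewer can see that.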


High Level Architecture

The flow is intentionally straightforward and production-safe:

  1. Load config from environment variables and authenticate using the OCI config profile (defaults to DEFAULT).

  2. Create OCI clients for VCN and Object Storage.

  3. Run two scanners: one for Security Lists, one for NSGs, collecting all findings into a single list.

  4. Generate a UTC timestamp and write outputs to a local reports/ folder as:

    • network_exposure_<timestamp>.json

    • network_exposure_<timestamp>.md

  5. Ensure the target Object Storage bucket exists (creating it if missing) and upload both artifacts under a prefix (default network-exposure).


Prerequisites

To run it, you need:

  • Python 3.x and dependencies from requirements.txt

  • OCI authentication configured via ~/.oci/config (the script uses OCI_PROFILE, defaulting to DEFAULT)

  • IAM permissions to read VCN security configuration (Security Lists + NSG rules) in the target compartment

  • IAM permissions to write to Object Storage, and to create the bucket if it does not exist, since the tool uploads the reports and may create the bucket


Expected Output

Each run creates two timestamped artifacts in reports/:

  • Markdown report with a summary and a table of findings (Type, Resource, Ports, Risk, Note)

  • JSON report containing the same findings as structured objects for diffing/automation

Example filenames:

  • reports/network_exposure_2026-02-15_XXXXXX_UTC.md

  • reports/network_exposure_2026-02-15_XXXXXX_UTC.json

The same files are uploaded into Object Storage under:
<prefix>/network_exposure_<timestamp>.*
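
The report writer described above, as an added example (illustrative code, not the scanner's own source): it produces the timestamped JSON and Markdown artifacts with the filename pattern shown, renders the Type/Resource/Ports/Risk/Note table, and builds the object names under the upload prefix. The findings list is constructed sample data. The upload helper is included for completeness and imports the oci SDK only when called; the assumption is that the SDK calls it uses (get_namespace, head_bucket, create_bucket, put_object) match the installed SDK version.

```python
# Added example: timestamped JSON + Markdown reports and Object Storage object names.
import json
from datetime import datetime, timezone
from pathlib import Path

COLUMNS = [("type", "Type"), ("resource", "Resource"), ("ports", "Ports"),
           ("risk", "Risk"), ("note", "Note")]


def utc_stamp(now=None):
    """Timestamp in the form used by the filenames: YYYY-MM-DD_HHMMSS_UTC."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%d_%H%M%S_UTC")


def render_markdown(findings, stamp):
    """Summary line plus one table row per finding (pipes in cells escaped)."""
    high = sum(1 for f in findings if f["risk"] == "HIGH")
    lines = [f"# OCI Network Exposure Report ({stamp})", "",
             f"Findings: {len(findings)} (HIGH: {high})", ""]
    if findings:
        lines.append("| " + " | ".join(h for _, h in COLUMNS) + " |")
        lines.append("|" + "---|" * len(COLUMNS))
        for f in findings:
            cells = [str(f.get(k, "")).replace("|", "\\|") for k, _ in COLUMNS]
            lines.append("| " + " | ".join(cells) + " |")
    else:
        lines.append("No internet-exposed TCP ingress rules found.")
    return "\n".join(lines) + "\n"


def write_reports(findings, out_dir="reports", stamp=None):
    """Write reports/network_exposure_<stamp>.json and .md; return both paths."""
    stamp = stamp or utc_stamp()
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    base = out / f"network_exposure_{stamp}"
    json_path = base.with_suffix(".json")
    md_path = base.with_suffix(".md")
    json_path.write_text(json.dumps({"generated": stamp, "findings": findings}, indent=2))
    md_path.write_text(render_markdown(findings, stamp))
    return json_path, md_path


def object_name(prefix, path):
    """Object key used in the bucket: <prefix>/network_exposure_<stamp>.<ext>."""
    return f"{prefix.strip('/')}/{Path(path).name}"


def upload_reports(paths, bucket, compartment_id, prefix="network-exposure", profile="DEFAULT"):
    """Create the bucket if missing and upload the artifacts.
    Assumption: these oci SDK calls match the installed SDK version."""
    import oci
    config = oci.config.from_file(profile_name=profile)
    client = oci.object_storage.ObjectStorageClient(config)
    ns = client.get_namespace().data
    try:
        client.head_bucket(ns, bucket)
    except oci.exceptions.ServiceError as err:
        if err.status != 404:
            raise
        client.create_bucket(ns, oci.object_storage.models.CreateBucketDetails(
            name=bucket, compartment_id=compartment_id))
    uploaded = []
    for p in paths:
        name = object_name(prefix, p)
        with open(p, "rb") as fh:
            client.put_object(ns, bucket, name, fh)
        uploaded.append(name)
    return uploaded


# Constructed sample findings in the scanner's field layout.
SAMPLE_FINDINGS = [
    {"type": "SecurityList", "resource": "sl-public-demo", "ports": "22",
     "risk": "HIGH", "note": "Ingress from 0.0.0.0/0 on 22/SSH"},
    {"type": "NSG", "resource": "nsg-web-demo", "ports": "80,443",
     "risk": "MEDIUM", "note": "Ingress from 0.0.0.0/0 on 80/HTTP, 443/HTTPS"},
]

if __name__ == "__main__":
    j, m = write_reports(SAMPLE_FINDINGS)
    print("wrote", j, "and", m)
    print("would upload as", object_name("network-exposure", j), "and",
          object_name("network-exposure", m))
```

Because the JSON carries the findings as structured objects, two runs can be compared with any JSON diff tool, which is what makes the periodic, compare-over-time use described earlier practical.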


Safety Notes

This tool does not change any network rules. It only reads Security Lists and NSG rules, generates reports and then uploads those reports to Object Storage. The only write behaviour is related to reporting: it may create the Object Storage bucket (if missing) and will upload the generated artifacts.
