This guide explains how to execute Oracle's CIS Compliance Script inside Cloud Shell. The OCI CIS Benchmark is the product of a community consensus process and consists of secure configuration guidelines developed for Oracle Cloud Infrastructure.
The goal is to quickly download a list of security recommendations for your OCI tenancy, together with a bill of materials (BOM) exported as CSV. Here is a sample video of what this process looks like (fallback video link):
cis-report-intro-720p-social.mp4
This script has no prerequisites. Simply copy/paste the following commands into your Cloud Shell to build a CIS report of your tenancy:
# All files live in the cis directory in your home dir
mkdir -p ~/cis
cd ~/cis
# Remove previous report files within our current dir
rm -rf report report.zip > /dev/null
# Get the latest official CIS Compliance Script (-O overwrites an earlier copy instead of creating cis_reports.py.1 on repeat runs)
wget -O cis_reports.py https://raw.githubusercontent.com/oci-landing-zones/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py
# Build the full CIS report
python3 cis_reports.py -dt --all-resources --report-directory report
# Archive all CIS report files for downloading
zip -r report.zip report
Inside Cloud Shell you should now be able to download the archived report by navigating to "Cog -> Download" (top right) and targeting this file:
cis/report.zip
Now extract the downloaded report.zip and inspect cis_summary_report.html for the findings; for the BOM, inspect the raw_data_*.csv files in that archive.
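Once the archive is extracted, the raw_data_*.csv files are plain CSV and can be summarized without opening each one by hand. The following is an added example (not part of the CIS Compliance Script or this guide's original commands) that counts the rows per export file, groups one file by a column such as region, and lists rows whose value falls outside an expected set. The column names and sample rows are constructed for the example and are not the script's real schema; replace them with the headers of your own export.

```python
"""Summarize raw_data_*.csv files from an extracted CIS report directory.

Added example: the file names, column names and rows below are constructed
to mimic the export layout and are assumptions, not the script's real schema.
"""
import csv
import glob
import os
import tempfile
from collections import Counter

# Constructed sample data standing in for the real raw_data_*.csv exports.
SAMPLE_FILES = {
    "raw_data_instances.csv": [
        {"display_name": "web-1", "region": "us-ashburn-1", "lifecycle_state": "RUNNING"},
        {"display_name": "web-2", "region": "us-ashburn-1", "lifecycle_state": "RUNNING"},
        {"display_name": "db-1", "region": "eu-frankfurt-1", "lifecycle_state": "STOPPED"},
    ],
    "raw_data_buckets.csv": [
        {"name": "logs", "region": "us-ashburn-1", "public_access_type": "NoPublicAccess"},
        {"name": "assets", "region": "us-ashburn-1", "public_access_type": "ObjectRead"},
    ],
}


def build_sample_report(report_dir=None):
    """Write the constructed sample CSVs into report_dir (a temp dir by default)."""
    if report_dir is None:
        report_dir = os.path.join(tempfile.mkdtemp(), "report")
    os.makedirs(report_dir, exist_ok=True)
    for name, rows in SAMPLE_FILES.items():
        with open(os.path.join(report_dir, name), "w", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
            writer.writeheader()
            writer.writerows(rows)
    return report_dir


def summarize_bom(report_dir):
    """Return {csv_basename: row_count} for every raw_data_*.csv in report_dir."""
    summary = {}
    for path in sorted(glob.glob(os.path.join(report_dir, "raw_data_*.csv"))):
        with open(path, newline="") as fh:
            summary[os.path.basename(path)] = sum(1 for _ in csv.DictReader(fh))
    return summary


def count_by_column(report_dir, csv_name, column):
    """Group the rows of one export file by a column value (e.g. region)."""
    with open(os.path.join(report_dir, csv_name), newline="") as fh:
        return Counter(row.get(column, "") for row in csv.DictReader(fh))


def rows_outside(report_dir, csv_name, column, expected):
    """Return rows whose column value is not in the expected set (missing column counts as outside)."""
    with open(os.path.join(report_dir, csv_name), newline="") as fh:
        return [row for row in csv.DictReader(fh) if row.get(column) not in expected]


if __name__ == "__main__":
    report = build_sample_report()          # point this at ~/cis/report for a real run
    for name, count in summarize_bom(report).items():
        print(f"{name}: {count} rows")
    print(count_by_column(report, "raw_data_instances.csv", "region"))
    for row in rows_outside(report, "raw_data_buckets.csv", "public_access_type", {"NoPublicAccess"}):
        print("review:", row["name"], row["public_access_type"])
```

Point `build_sample_report` at nothing and pass the extracted `~/cis/report` directory to the other three functions to run this against a real export; the grouping and filtering columns then need to match the headers in your CSV files.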
For the required IAM permissions and read-only policies, see here. For all further information, refer to the official CIS Compliance Script repository.