Datadog & Oracle VCN: Unexpected SSH Access & Proposed Fix

Introduction

In the realm of cloud infrastructure and monitoring, the seamless integration of various tools and platforms is paramount. Datadog, a leading monitoring and security platform, offers robust integration capabilities with Oracle Cloud Infrastructure (OCI). However, a recent observation has highlighted a potential security concern arising from the interaction between Datadog's integration stack and Oracle's Virtual Cloud Network (VCN) default security list. This article delves into the specifics of this issue, exploring the unexpected behavior of SSH access being opened to 0.0.0.0/0, the implications for security, and a proposed solution to mitigate the risk. Understanding the intricacies of cloud security is crucial for maintaining a robust and secure infrastructure. This article aims to provide a comprehensive overview of the issue, its potential impact, and a clear path towards resolution, ensuring that your cloud environment remains secure and compliant with your organization's security policies.

The Core Issue: Datadog, Oracle VCN, and Public SSH Ingress

The crux of the matter lies in the Datadog integration stack's behavior when auto-creating networking resources within Oracle Cloud Infrastructure. Specifically, when the Datadog stack is deployed without pre-existing subnet Object Storage Identifiers (OCIDs), it invokes the oracle-terraform-modules/vcn/oci module with the parameter lockdown_default_seclist set to false. According to Issue #22 in the oracle-terraform-modules/terraform-oci-vcn repository, this setting instructs the Oracle module to recreate the default security list rules, including the potentially problematic SSH/ICMP rules, on any newly created VCN. The Datadog stack's hard-coded nature of this setting, without exposing it as a configurable option, leads to a situation where every new VCN created by Datadog inherits a public SSH ingress unexpectedly. This means that SSH access (port 22) is open to the entire internet (0.0.0.0/0), which can be a significant security risk.

To illustrate the problem, consider the following scenario: a company is migrating its infrastructure to Oracle Cloud and using Datadog for monitoring. They deploy the Datadog stack to monitor their new environment, relying on the auto-networking feature for ease of setup. Unbeknownst to them, this deployment inadvertently opens SSH access to the public internet, potentially exposing their systems to unauthorized access. This highlights the critical need for understanding the default configurations and their implications when using cloud integration tools.

Steps to Reproduce the Issue

Reproducing this issue is straightforward and can be done with a few simple steps:

1. Deploy the Datadog stack without providing existing subnet OCIDs. This will trigger the auto-networking feature.
2. Inspect the default security list on the newly generated VCN within the Oracle Cloud Infrastructure console.
3. Observe the security list rules, specifically looking for TCP port 22 being open from 0.0.0.0/0. This confirms the presence of the public SSH ingress.

By following these steps, users can quickly verify whether their Datadog deployments are affected by this issue and take appropriate action to mitigate the risk.

Impact: Security Policy Violations and Potential Risks

The implications of this behavior are significant, particularly from a security standpoint. Any organization utilizing the auto-networking option within the Datadog integration stack may inadvertently expose their Oracle Cloud Infrastructure environments to public SSH access. This not only deviates from the principle of least privilege but also potentially violates established security policies and compliance requirements. Publicly accessible SSH ports are prime targets for malicious actors seeking to gain unauthorized access to systems. Automated bots constantly scan the internet for open SSH ports, attempting to brute-force credentials or exploit vulnerabilities. By leaving port 22 open to 0.0.0.0/0, organizations significantly increase their attack surface and risk of compromise.

Furthermore, this unexpected behavior can create a false sense of security. Organizations may assume that their cloud environments are properly secured based on their understanding of the default configurations or their own security policies. However, the Datadog integration stack's behavior overrides these assumptions, potentially leaving systems vulnerable without the organization's knowledge. This underscores the importance of regular security audits and thorough understanding of the interactions between different cloud services and integrations.

Questions and Proposed Fix: A Path Towards Resolution

Key Questions Arising from the Issue

This situation raises several critical questions that need to be addressed to fully understand the issue and its implications:

• Is this behavior intentional? Was the decision to set lockdown_default_seclist to false a deliberate choice to preserve Oracle's default security list behavior?
• If preserving the default security list was the goal, could a more flexible approach be implemented? Specifically, could the option be exposed as a configurable flag, defaulting to true, to allow users who rely on the default rules to explicitly opt-in?

Proposed Solution: Enhancing User Control and Security

To address this issue and provide a more secure and user-friendly experience, a proposed solution involves introducing a surfaced variable, lockdown_vcn_default_seclist, across the relevant configuration files: variables.tf, schema.yaml, and regional_stack.tf. This variable would control the lockdown_default_seclist flag within the Oracle module. By default, this variable would be set to true, effectively disabling the recreation of the default security list rules and mitigating the risk of unintended public SSH access. This approach provides users with explicit control over the security posture of their VCNs, allowing them to align their configurations with their specific security requirements and policies.

In addition to introducing the variable, it's crucial to thoroughly document its behavior and implications. This documentation should clearly explain the purpose of the lockdown_vcn_default_seclist flag, its default value, and the potential security implications of changing it. Clear and comprehensive documentation is essential for ensuring that users understand the configuration options and can make informed decisions about their cloud security settings.

Technical Details: Implementing the Proposed Fix

The proposed fix involves modifying the Datadog integration stack's Terraform configuration to introduce the lockdown_vcn_default_seclist variable. This requires changes across several files:

1. variables.tf: This file defines the input variables for the Terraform module. The lockdown_vcn_default_seclist variable would be added here, specifying its type (boolean), default value (true), and a description explaining its purpose.
2. schema.yaml: This file defines the schema for the Datadog integration. The new variable would need to be added to the schema to ensure that it can be configured through the Datadog user interface or API.
3. regional_stack.tf: This file contains the main Terraform configuration for deploying the Datadog stack in a specific region. The lockdown_vcn_default_seclist variable would be used to control the lockdown_default_seclist parameter passed to the oracle-terraform-modules/vcn/oci module.

By implementing these changes, the Datadog integration stack can be updated to provide users with greater control over the security of their Oracle Cloud Infrastructure environments. A pull request (PR) has been created with these changes for the team's review and consideration.

Conclusion: Prioritizing Security in Cloud Integrations

This analysis highlights the importance of carefully considering the security implications of cloud integrations. While tools like Datadog offer valuable monitoring and security capabilities, it's crucial to understand how they interact with other cloud services and the potential for unintended consequences. The issue of unexpected public SSH ingress in Oracle VCNs due to the Datadog integration stack's default configuration underscores the need for: - Clear documentation - Configurable options - Proactive security measures

By addressing this issue and implementing the proposed fix, Datadog can further enhance its integration with Oracle Cloud Infrastructure, providing users with a more secure and reliable monitoring solution. It is important for organizations to regularly review their cloud security configurations and ensure that they align with their security policies and compliance requirements. Cloud security is a shared responsibility, and it's essential to take proactive steps to protect your cloud environments from potential threats.

For more information on Oracle Cloud Infrastructure security best practices, consider exploring the resources available on the Oracle Cloud Security Documentation website. This external resource provides valuable insights and guidance on securing your Oracle Cloud deployments.