OCI Logging – Auditing VCN Security list changes
In this article, we discuss a common governance requirement: auditing changes to a VCN Security List. A VCN security list holds a set of firewall rules, but it does not record when a rule was added, modified, or removed. That information is essential when we work on finding the root cause of security-related issues: it is quite possible that a security list change created a violation, and we need to identify who changed what, when, and from where.
Let's explore how OCI Audit provides these details. Choose a security list and make changes to its rules.
Add an ingress security rule to the security list.
Add Ingress rule
Also add an egress rule to the security list.
Egress rule has been added.
We have added an ingress and an egress rule. Now our task is to identify when the ingress/egress rules were changed and what changes were made.
We can find the details at Observability Management -> Logging
-> Audit. OCI Audit records control-plane events - meaning actions
performed through the OCI Console, OCI CLI, SDK, Terraform, or APIs that
create, update, or delete OCI resources.
In the Audit page, first select the compartment whose activity you want to review.
The most important filter on this page is the Time range. By
default, the console shows events from the last 5 minutes. When you open the
Audit page, it loads all audit events that occurred within that default time
window.
Other filters, such as User, Resource, Request action, and related fields, are populated from the events retrieved for the selected compartment and time range. If you expand the time window (for example, to the last 1 hour or last 24 hours), more events and more filter values become available.
Another important filter is Event type. Every audit event has an event type, and choosing the right one leads directly to the event we are looking for. In this exercise we target security list changes, whose event type is “com.oraclecloud.virtualNetwork.UpdateSecurityList”.
If this event type does not appear, the time filter may need to be widened.
Once the event type is chosen, the related events are shown. In our case the ingress and egress changes happened at different times, so they produced two separate audit events.
Click the arrow button in the right corner to expand the event.
The event contains many details. To identify what changed in
the Security List, locate the stateChange section. It contains two
parts:
- current:
the Security List state after the change
- previous:
the Security List state before the change
Comparing these two sections reveals exactly what was modified.
Under current we find egressSecurityRules and ingressSecurityRules, which hold the details of the security rules.
Click the egressSecurityRules
Collect egressSecurityRules from the previous section.
We can see the difference: entry “2” is present only in the current version, which means the update added a rule.
Checking ingressSecurityRules, we see the same number of rules in the current and previous sections, which means only an egress rule changed in this event.
Along with the actual changes, we can find some additional details:
- timeCreated -> the time the change happened
- compartmentId -> compartment of the security list
- vcnId -> OCID of the VCN
- id -> OCID of the security list
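The manual comparison above can be automated. The following is an added example, not code from the original post or from Oracle: it takes one audit event as JSON (camelCase field names as in the Audit event schema, which is an assumption about the input), keeps only UpdateSecurityList events, and reports who made the change, when, from which IP address, and which ingress/egress rules were added or removed between previous and current. The event below is constructed for the example.

```python
import json

SECLIST_UPDATE = "com.oraclecloud.virtualNetwork.UpdateSecurityList"

# Constructed sample event (not a real OCI record): shape follows the Audit
# event schema, every value is invented. Models "one egress rule added".
ALLOW_ALL_OUT = {"destination": "0.0.0.0/0", "protocol": "all", "isStateless": False}
NEW_OUT = {"destination": "192.0.2.0/24", "protocol": "6", "isStateless": False}
IN_RULE = {"source": "10.0.0.0/16", "protocol": "6", "isStateless": False}
SAMPLE_EVENT = json.dumps({
    "eventType": SECLIST_UPDATE,
    "eventTime": "2024-01-01T10:00:00Z",
    "data": {
        "resourceId": "ocid1.securitylist.oc1..EXAMPLE",
        "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.10"},
        "stateChange": {
            "previous": {"egressSecurityRules": [ALLOW_ALL_OUT], "ingressSecurityRules": [IN_RULE]},
            "current": {"egressSecurityRules": [ALLOW_ALL_OUT, NEW_OUT],
                        "ingressSecurityRules": [IN_RULE]},
        },
    },
})

def _key(rule):
    # Serialize with sorted keys so identical rules compare equal regardless of key order
    return json.dumps(rule, sort_keys=True)

def diff_rules(previous, current):
    """Set difference of two rule lists; a modified rule shows up as removed + added."""
    prev, cur = {_key(r) for r in previous}, {_key(r) for r in current}
    return {"added": [json.loads(k) for k in sorted(cur - prev)],
            "removed": [json.loads(k) for k in sorted(prev - cur)]}

def summarize_event(raw_json):
    """Return who/when/from-where plus the rule diff, or None for other event types."""
    ev = json.loads(raw_json)
    if ev.get("eventType") != SECLIST_UPDATE:
        return None
    data = ev.get("data") or {}
    ident, change = data.get("identity") or {}, data.get("stateChange") or {}
    prev, cur = change.get("previous") or {}, change.get("current") or {}
    egress = diff_rules(prev.get("egressSecurityRules", []), cur.get("egressSecurityRules", []))
    ingress = diff_rules(prev.get("ingressSecurityRules", []), cur.get("ingressSecurityRules", []))
    return {"who": ident.get("principalName"), "from": ident.get("ipAddress"),
            "when": ev.get("eventTime"), "securityList": data.get("resourceId"),
            "egress": egress, "ingress": ingress}
```

Run it over each UpdateSecurityList event in the time range and you get a change record per event instead of scrolling through the expanded JSON by hand.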
In summary, OCI Audit logs provide a reliable way to track and prove changes made to VCN Security Lists, something the Security List UI alone does not capture.