Enabling Instance Security for an On Premises Network

Describes the steps to enable the Instance Security agent on an on-premises network.

If you are running a custom image on a fleet that does not have Oracle Cloud Agent enabled, you must install the Instance Security (formerly Workload Protection or WLP) agent by hand.

You must upgrade the agent on your fleet every month; see Manually Updating the Instance Security Agent.

To delete the Instance Security agent, see Uninstalling the Instance Security Agent.

Note

These steps are only for on-premises hosts.

Prerequisites

  1. Enable Instance Security in Cloud Guard by following the tasks in Enabling Instance Security to:
    • Apply one of the Oracle-managed Instance Security detector recipes to a target.
    • Add the policy statements for Instance Security in the console.
  2. Make a note of the compartment OCID. See Listing Compartments.

Adding Policies

You need to add the following policies in the Console. See Creating a Policy.

  • Agent download policy, which allows the Instance Security agent to be downloaded:
    Endorse any-user to read objects in any-tenancy where all { target.bucket.name = 'wlp-agent' }
  • Agent operations policies, which allow regular agent operations:
    Allow any-user to { WLP_BOM_READ, WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}
    Endorse any-user to { WLP_LOG_CREATE, WLP_METRICS_CREATE, WLP_ADHOC_QUERY_READ, WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }
  • On-premises agent policies:
    Allow any-user to { WLP_AGENT_CREATE, WLP_AGENT_DELETE, WLP_AGENT_UPDATE } in tenancy
    Endorse any-user to inspect certificate-authority-family in any-tenancy where request.obo-service.name = 'workloadprotection'
    Endorse any-user to use certificate-authority-delegate in any-tenancy where request.obo-service.name = 'workloadprotection'
    Endorse any-user to manage leaf-certificate-family in any-tenancy where request.obo-service.name = 'workloadprotection'
    Endorse any-user to read leaf-certificate-bundles in any-tenancy where any {request.principal.id = target.resource.tag.wlp.userid, request.principal.id = target.resource.tag.wlp.agentid}
    Endorse any-user to use tag-namespaces in any-tenancy where request.obo-service.name = 'workloadprotection'

Prepare to Create the On-Premises Config File

  1. Get a user principal session token.
  2. Use the OCI CLI to generate a private key and session token. In a terminal on your computer, run:
    oci session authenticate --region <region>

    A new browser page opens where you enter your OCI credentials. After successful authentication, close the browser.

    If you don't have OCI CLI installed, follow the steps in the Install CLI quickstart.

  3. In the terminal, enter a profile name to save your user session token.
    Example:
    $ oci session authenticate --region us-ashburn-1
        Please switch to newly opened browser window to log in!
        You can also open the following URL in a web browser window to continue:
        https://login.us-ashburn-1.oraclecloud.com/v1/oauth2/authorize?action=login&client_id=iaas_console&response_type=token+id_token&nonce=<unique-ID>
        Completed browser authentication process!
    Enter the name of the profile you would like to create: production
    Config written to: /Users/<user>/.oci/config

        Try out your newly created session credentials with the following example command:

        oci iam region list --config-file /Users/<user>/.oci/config --profile production --auth security_token
  4. Run this to validate your user session token.
    oci session validate --config-file <YOUR_CONFIG_FILE_PATH> --profile <YOUR_PROFILE_NAME> --region <region> --auth security_token

    This shows you the credential expiry time (around 1 hour) and asks you to re-authenticate if the session has already expired.

    Example:
    $ oci session validate --config-file /Users/<user>/.oci/config --profile production --region us-ashburn-1 --auth security_token
    Session is valid until 2024-05-07 16:41:32
  5. Create a new folder on your remote host at a location where your user has write access, for example, .oci. If you already have a folder with this name, create one with a different name.
  6. Copy the private key and session token to the folder you created:
    • For Linux: Use scp to copy the private key and session token to the folder you created.
      # Private key example path: ~/.oci/sessions/<YOUR_PROFILE_NAME>/oci_api_key.pem
      # Token example path: ~/.oci/sessions/<YOUR_PROFILE_NAME>/token

      scp -i <ssh-key> ~/.oci/sessions/<YOUR_PROFILE_NAME>/oci_api_key.pem opc@<ip>:/home/opc/.oci
      scp -i <ssh-key> ~/.oci/sessions/<YOUR_PROFILE_NAME>/token opc@<ip>:/home/opc/.oci
    • For Windows: Copy and paste the same two files to C:\Users\opc, or to another location where your user has write access.

Create the On-Premises Config File

  1. The config file location is controlled by an environment variable.
    • For Linux, the environment variable is WLP_ON_PREM_AGENT_CONFIG_PATH and the default path is /etc/wlp/config.
    • For Windows, the environment variable is wlp_on_prem_agent_prod_config_path and the default path is C:\ProgramData\wlpagent\config.
  2. The on-premises config file can contain the following keys:
    • region: The monitoring region for the on-premises host.
    • tenantId: The tenancy OCID where you have enabled WLP and created the target.
    • compartmentId: The compartment OCID associated with the target where the WLP recipe is attached.
    • privateKeyPath: The path of the private key file saved by the oci session authenticate command.
    • securityTokenPath: The path of the security token saved by the oci session authenticate command.
    • httpsProxyEndpoint: The HTTPS proxy endpoint of the proxy server. This is only needed when you have your own proxy server set up and want all requests from agents to go through it. Instance Security also uses the websocket endpoint for on-demand query execution, so your proxy server must also support websocket proxying. For the Instance Security agent to work properly, you need to allowlist these server endpoints:
      • dp.workloadprotection.{region}.oci.{domain_name} (e.g. dp.workloadprotection.us-ashburn-1.oci.oraclecloud.com)
      • adhoc.workloadprotection.{region}.oci.{domain_name} (e.g. adhoc.workloadprotection.us-ashburn-1.oci.oraclecloud.com)
      • cloudguard-cp-api.{region}.oci.{domain_name} (e.g. cloudguard-cp-api.us-ashburn-1.oci.oraclecloud.com)
      • certificates.{region}.oci.{domain_name} (e.g. certificates.us-ashburn-1.oci.oraclecloud.com)
  3. Create the config file and its contents:
    • For Linux:
      ubuntu@wlp-cp-ubuntu-1:~$ sudo su
      root@wlp-cp-ubuntu-1:/home/ubuntu# mkdir -p /etc/wlp
      root@wlp-cp-ubuntu-1:/home/ubuntu# cd /etc/wlp/
      root@wlp-cp-ubuntu-1:/etc/wlp# touch config
      # paste or edit the contents of config in vi config as shown below
      root@wlp-cp-ubuntu-1:/etc/wlp# vi config
      root@wlp-cp-ubuntu-1:/etc/wlp# cat config
      {
        "region": "us-ashburn-1",
        "tenantId": "ocid1.tenancy.oc1..<example-ID>",
        "compartmentId": "ocid1.compartment.oc1..<example-ID>",
        "privateKeyPath": "/home/ubuntu/.oci/oci_api_key.pem",
        "securityTokenPath": "/home/ubuntu/.oci/token",
        "proxyEndpoint": "http://user:pass@proxy.com:3333"
      }
    • For Windows:
      • Go to this location C:\ProgramData\wlpagent.
      • Create a new file called config.
      • Paste this code into the new config file.
      cd C:\ProgramData\wlpagent
      C:\ProgramData\wlpagent>(
      More? echo {
      More? echo  "region": "us-ashburn-1",
      More? echo "tenantId": "ocid1.tenancy.oc1..aaaaaaaa4t6edhuglsk33i4waq5c7udkgbek72up2iswkciyimh44tawhpea",
      More? echo  "compartmentId": "ocid1.compartment.oc1..aaaaaaaaedatxkoovn424u2azxrqn47nsrmrn6vi72joim6nn6mme3rmgqoq",
      More? echo "privateKeyPath": "C:\Users\opc\oci_api_key.pem",
      More? echo "securityTokenPath": "C:\Users\opc\token",
      More? echo "proxyEndpoint": "http://user:pass@proxy.com:3333"
      More? echo }
      More? ) > config

      C:\ProgramData\wlpagent>more config
      {
       "region": "us-ashburn-1",
      "tenantId": "ocid1.tenancy.oc1..aaaaaaaa4t6edhuglsk33i4waq5c7udkgbek72up2iswkciyimh44tawhpea",
       "compartmentId": "ocid1.compartment.oc1..aaaaaaaaedatxkoovn424u2azxrqn47nsrmrn6vi72joim6nn6mme3rmgqoq",
      "privateKeyPath": "C:\Users\opc\oci_api_key.pem",
      "securityTokenPath": "C:\Users\opc\token",
      "proxyEndpoint": "http://user:pass@proxy.com:3333"
      }

      C:\ProgramData\wlpagent>
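
As an added sanity check that is not part of the Oracle documentation or the agent itself, the following Python script validates a config file before the agent is started: it confirms the keys listed above are present, that the OCIDs carry the expected prefix, that the region looks like an OCI region identifier, and, when run on the host, that the key and token files exist and are not readable by other users. It also flags a proxy endpoint that embeds credentials, as the sample on this page does; the REGION_RE pattern and the handling of both proxy key spellings are assumptions.

```python
import json
import os
import re
import stat

# Keys the page lists for the on-premises config file; the proxy key is optional.
REQUIRED_KEYS = ("region", "tenantId", "compartmentId", "privateKeyPath", "securityTokenPath")
OCID_PREFIX = {"tenantId": "ocid1.tenancy.", "compartmentId": "ocid1.compartment."}
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")  # assumed shape, e.g. us-ashburn-1


def check_config(text, check_files=False):
    """Return the problems found in a config file's text; an empty list means it passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    for key, prefix in OCID_PREFIX.items():
        if key in cfg and not str(cfg[key]).startswith(prefix):
            problems.append(f"{key} should start with {prefix}")
    if "region" in cfg and not REGION_RE.match(str(cfg["region"])):
        problems.append(f"region looks malformed: {cfg['region']}")
    # The page uses both spellings of the proxy key; either may carry user:pass in the URL.
    proxy = str(cfg.get("proxyEndpoint") or cfg.get("httpsProxyEndpoint") or "")
    if "@" in proxy.split("//", 1)[-1]:
        problems.append("proxy endpoint embeds credentials; restrict the config file to root")
    if check_files:  # only meaningful on the host that will run the agent
        for key in ("privateKeyPath", "securityTokenPath"):
            path = str(cfg.get(key, ""))
            if not os.path.isfile(path):
                problems.append(f"{key} does not exist: {path}")
            elif os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{key} is readable by group/others: {path}")
    return problems


# Constructed sample mirroring the Linux config on this page (OCIDs are placeholders).
SAMPLE_CONFIG = """{
  "region": "us-ashburn-1",
  "tenantId": "ocid1.tenancy.oc1..EXAMPLE",
  "compartmentId": "ocid1.compartment.oc1..EXAMPLE",
  "privateKeyPath": "/home/ubuntu/.oci/oci_api_key.pem",
  "securityTokenPath": "/home/ubuntu/.oci/token",
  "proxyEndpoint": "http://user:pass@proxy.com:3333"
}"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for problem in check_config(text, check_files=len(sys.argv) > 1):
        print("WARN:", problem)
```

Run it as `python check_config.py /etc/wlp/config` on the host; strict JSON parsers such as json.loads reject the unescaped backslashes in the Windows path examples above, so escape them as \\ before feeding that file to the checker.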

Install the Instance Security Agent

  1. From the list below, download and copy the Instance Security agent installer to the host.
  2. Run the command to install the agent.

  • Linux
    Download: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idaork8onzto/b/wlp-agent/o/wlp-agent-1.0.87.x86_64.rpm
    Commands:
      sudo yum install <your-installer-full-path>
    or
      sudo rpm -ivh <your-installer-full-path>
  • Debian
    Download: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idaork8onzto/b/wlp-agent/o/wlp-agent-1.0.87.amd64.deb
    Commands:
      sudo DEBIAN_FRONTEND=noninteractive apt-get -y install <your-installer-full-path>
    or
      sudo dpkg -i <your-installer-full-path>
  • Windows
    Download: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idaork8onzto/b/wlp-agent/o/wlp-agent-1.0.87.amd64.exe
    Commands:
      • Copy (upload) the installer to a convenient location (for example, C:\Users\opc).
      • Open a command terminal (not PowerShell) in Administrator mode.
      • Inside the terminal, run:
        cmd /c start <installer-full-path> /quiet
      • Wait for 5 seconds.
      • Logs are available at C:\Program Files\wlpagent\logs\wlpagent.log.

Check the Instance Security Agent Status

Check the Instance Security agent status and its log to see whether the on-premises identity has been picked up.

  • Check the agent service status:
    • Linux: sudo systemctl status wlp-agent-osqueryd.service
    • Windows: Go to Administrative Tools, then Services, search for wlp-agent, and check the service status.
  • Check the agent log:
    • Linux: sudo tail -f /var/log/wlp-agent/wlp-agent.log
    • Windows: C:\Program Files\wlp-agent\logs\wlpagent.log
