Review Oracle Cloud Guard concepts, ensure you meet prerequisites, enable Cloud Guard initially, and then access Cloud Guard routinely.
Planning for Cloud Guard
Spending some time planning how Cloud Guard functionality is mapped onto your
environment, before you enable and configure Cloud Guard, might save you some time
later.
You can enable Cloud Guard and begin monitoring your environment immediately. All you
need to do is specify a single target that maps to the top-level compartment in the
branch of your Oracle Cloud Infrastructure that you want to monitor.
Then, over time, you can customize the Cloud Guard configuration, based on your
experience with processing the problems that Cloud Guard detects. You can continually
customize the Cloud Guard configuration to optimize performance toward a two-part goal:
Not letting anything that represents a potential security risk go undetected.
Not detecting "too many" false positives - problems that do not actually represent
potential security risks.
If you do some planning, you might be able to get a head start on this two-part goal. All
you need to do is survey how the resources in your Oracle Cloud Infrastructure tenancy are organized into compartments.
Survey Your Environment 🔗
Examine the types of resources that are stored in different parts of the compartment
hierarchy in your Oracle Cloud Infrastructure tenancy. Are there
groups of resources in different parts of that compartment hierarchy that need to be
monitored for in different ways, in order to detect different types of threats?
Would the same problem, if detected in different compartments, represent different
risk levels?
Cloud Guard lets you define different areas within your Oracle Cloud Infrastructure tenancy that can be monitored in
different ways. The trade-off is that all compartments within a defined area are
monitored in the same way.
Familiarize Yourself with Cloud Guard Terminology 🔗
Cloud Guard Concepts defines the terms that you learn as you work with Cloud Guard. To get started, the following list
summarizes what you need to know to get started planning for Cloud Guard.
Target
Defines scope of what Cloud Guard checks. All compartments within a target are checked in the same way and you have the same options for processing problems that are detected.
Detector
Performs checks to identify potential security problems based on activities
or configurations. Rules followed to identify problems are the same for all
compartments in a target.
Responder
Specifies actions that Cloud Guard can take when detectors identify
problems. Rules for how to process identified problems are the same for all
compartments in a target.
Familiarize Yourself with Cloud Guard Detector Recipes 🔗
Look over the rules described in the sections of Detector Recipe Reference for different detectors. Within your environment:
Are there any compartments that you do not want Cloud Guard to monitor at all?
If so, you have to define one or more targets in a way that excludes these
compartments.
Do you think that you might want to set the risk level differently, or enable
and disable rules differently, for resources in different parts of your Oracle Cloud Infrastructure compartment hierarchy? To configure
detector rules differently for different compartments, you have to define
separate targets for those compartments.
For example, for the "Bucket is
public" configuration rule, the default risk level is "CRITICAL" and the
rule is enabled by default. Should these settings be the same for all
compartments?
You can disable responder recipe actions on problems that detectors identify. If
you want actions for a particular responder rule to be enabled in some
compartments, but disabled in others, you have to define separate targets for
those compartments.
For example, the "Make Bucket Private" responder rule is
enabled by default. Do you have some compartments in which all buckets are
public by design, and so you can disable this rule?
Plan How Targets Will Map to Compartments 🔗
If at this point you don't think you need to define multiple targets, and you have
completed the Prerequisites, you can proceed with Enabling Cloud Guard. You can always change your target configuration
later, as the need arises.
If you think you need to set up targets to allow different compartments to be monitored differently, keep these guidelines in mind when mapping targets to compartments:
All of a target's compartments inherit that target's configuration. The
detector and responder rule settings for a target apply to the top-level
compartment assigned to that target, and to any subordinate compartments below
it in the compartment hierarchy.
If you want to exclude some compartments from
monitoring, create targets below the root level and do not include the root
compartment in any target.
Target defined within an existing target overrides inherited
configuration. Within an existing target, you can assign a compartment
below the target's top-level compartment to a new target. You can change the
detector and responder rule settings for the new target, and those settings now
apply to the top-level compartment assigned to that target, and to all the
subordinate compartments below it in the compartment hierarchy.
Carefully Choose Your Reporting Region 🔗
When you enable Cloud Guard, you are asked to choose a reporting region. Carefully
consider these consequences of your reporting region choice:
The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
All API calls, except for READs, must be made on the reporting region.
Ensure that you make the best decision for your reporting region, before you begin
Steps to Enable Cloud Guard.
Enabling Cloud Guard 🔗
Perform this task to enable Oracle Cloud Guard from the OCI
Console.
You can use either of two basic approaches for enabling Cloud Guard:
Start with Default Configuration: You want Cloud Guard to start reporting problems as soon as possible
after completing the enablement process.
Don't skip any optional selections during the
enablement process.
Note
If you skip any of the optional selections during enablement
process, Cloud Guard does not automatically start
reporting problems after completing the enablement process. If you skip optional settings
during enablement, Cloud Guard can't start reporting
problems until you add detector recipes to the specified target. See Editing an OCI Target and Its Attached Recipes.
Customize Configuration First: You want to customize Cloud Guard's configuration before Cloud Guard starts reporting problems.
You can skip any or
all optional selections during the enablement process.
Whichever approach you take to enable Cloud Guard, you can
refine the Cloud Guard configuration as needed after
enablement.
Log in to the OCI Console as the Oracle Cloud Guard user you created in Prerequisites, in the "Creating the Cloud Guard User and Group" section.
Open the navigation menu and click
Identity & Security. Under Cloud Guard, click any resource.
Note
If the page for the Cloud Guard resource that you clicked opens, Cloud Guard is already enabled.
On the Cloud Guard page, click the Enable Cloud Guard button at top right to open the Enable Cloud Guard dialog box.
The Cloud Guard policy panel displays a list of all the OCI policies that must be enabled in order for Cloud Guard to be fully functional. The column on the right shows:
Not added if policy is NOT currently enabled.
Added if policy IS currently enabled.
Unless you are re-enabling Cloud Guard after disabling, all the entries should be Not added.
Note
These policies are read-only privileges that allow Cloud Guard to monitor OCI resources within your tenancy. These policies you do not provide Cloud Guard with any manage privileges for the resources,
Exception: The manage cloudevents-rules policy allows Cloud Guard to create audit event subscription rules, which are critical for Cloud Guard to detect problems. Cloud Guard's activity detector rules work by ingesting and analyzing the audit events in your tenancy. Cloud Guard needs to create a cloud event-managed rule in your tenancy, so that it can subscribe to your audit events. The USE privilege is necessary to allow Cloud Guard to list NSG security rules.
The following IAM policies are automatically added to the "Cloud Guard Policies" policy group when you click Create policy at the bottom of Cloud Guard policy panel in the Enable Cloud Guard dialog box:
allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'
allow service cloudguard to read audit-events in tenancy
allow service cloudguard to read authentication-policies in tenancy
allow service cloudguard to read autonomous-database-family in tenancy
allow service cloudguard to read compartments in tenancy
allow service cloudguard to read compute-management-family in tenancy
allow service cloudguard to read database-family in tenancy
allow service cloudguard to read data-safe-family in tenancy
allow service cloudguard to read dynamic-groups in tenancy
allow service cloudguard to read groups in tenancy
allow service cloudguard to read instance-family in tenancy
allow service cloudguard to read keys in tenancy
allow service cloudguard to read load-balancers in tenancy
allow service cloudguard to read log-groups in tenancy
allow service cloudguard to read object-family in tenancy
allow service cloudguard to read policies in tenancy
allow service cloudguard to read tenancies in tenancy
allow service cloudguard to read users in tenancy
allow service cloudguard to read vaults in tenancy
allow service cloudguard to read virtual-network-family in tenancy
allow service cloudguard to read volume-family in tenancy
allow service cloudguard to use network-security-groups in tenancy
At the bottom of the Cloud Guard policy panel, click Create policy.
If all required policies are successfully created, the entries in the column on the right are now Added.
If any of the entries in the column on the right still show to Not added, add those polices manually:
Depending on how you are using the OCI Identity service, see:
Click Next to proceed to the Basic information panel.
Select a Reporting region.
The reporting region must be a region that Cloud Guard supports. If Cloud Guard doesn't support the region you select, select a different region.
Caution
Give careful consideration to your reporting region selection:
The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
All API calls, except for READs, must be made on the reporting region.
Ensure that you record the name of the reporting region that you specify.
In all configuration and troubleshooting tasks that you perform after enablement, you must specify the Cloud Guard reporting region, not the OCI home region.
A progress bar replaces the Enable Cloud Guard button on the Cloud Guard page.
Note
If you have reached this point in a free tenancy, the enablement does not proceed.
When enablement completes, on the Cloud Guard page, click Go To Cloud Guard.
The Cloud Guard
Overview page appears, and the guided tour starts. Gradually,
Note
If you followed the "Start with Default Configuration" approach in the enablement process, information on problems soon starts to appear in Cloud Guard. How soon the problem information starts to appear depends on your environment, your configuration of targets and detectors, and the number of problems that are occurring for Cloud Guard to detect.
Take the guided tour to familiarize yourself with the features on the
Overview page.
What's Next
Note
Whichever approach you followed in the enablement process, Cloud Guard disables two OCI Configuration Detector rules by default in new tenancies. Disabling these rules initially is necessary to prevent Cloud Guard from generating an excessive number of problems that you would consider false positives. For more information about these rules, see:
Some of the detector rules that are enabled by default might produce an excessive
number of problems in your particular environment. To be able to disable
detector rules, you must clone the Oracle-managed detector recipe to create a
user-managed version, See Cloning an OCI Detector Recipe.
To quickly clear problems that you now consider to be false positives, for each
user-managed recipe rule that produces an excessive number of problems:
Determine the rule settings to change so that the rule no longer generates those false positives.
If you followed the "Start with Default Configuration" approach in the enablement process, information on problems soon starts to appear in Cloud Guard. How soon the problem information starts to appear depends on your environment, your configuration of targets and detectors, and the number of problems that are occurring for Cloud Guard to detect.
Note
If you followed the "Customize Configuration First" approach in the enablement process, no information on problems appears until you complete all of the configuration tasks that you skipped during enablement:
To interpret the summary information on detected problems, drill down into the details, and resolve specific problems, see Processing Reported Problems.
Ensure that configuration details necessary to support Cloud Guard integration with other services are in
place.
After you have finished performing the tasks in Enabling Cloud Guard, plus
some follow-up tasks if you use the Customize
Configuration First strategy, all integrations with other services should be
functioning smoothly.
When new services that support integration with Cloud Guard
later become available, you need to ensure that your Cloud Guard configuration details correctly support the new service:
Cloud Guard targets must contain all the compartments
where resources from the new service that Cloud Guard is to
monitor are located.
The Cloud Guard detector recipes that contain the rules
that are specific to the new service must be attached to those Cloud Guard targets.
Expand one of the following service names to see the steps to follow to ensure that your Cloud Guard configuration details correctly support the
service.
If Cloud Guard IS already enabled, ensure that
your Cloud Guard tenancy has:
Cloud Guard targets defined that include
all the OCI compartments you want Cloud Guard to monitor for the
Certificates service - see Viewing Details for a
Target.
The OCI Activity Detector Recipe (either Oracle-managed or
user-managed) attached to each of those targets – see Viewing Details for a
Target.
If necessary, refine the configuration of these rules listed in the OCI
Activity Detector Recipe (either Oracle-managed or user-managed) - see
Modifying Rule Settings in a Target's
Recipes.
CA bundle updated
Certificate Authority (CA) deleted
Intermediate Certificate Authority (CA) revoked
Your goal is to optimize the rule configurations so that you don't miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Certificates service for a while, before you can determine whether any rule modifications are needed.
View problems generated from the Certificates service on the Cloud Guard
Problems page - see Viewing the Problems List.
To see problems for the Certificates service only, filter the Problems
list using Labels = Certificates.
Note
The Labels entry isn't
case-sensitive, but you must match the characters in
"certificates" exactly.
Prerequisite: Ensure that the Data Safe service is already enabled and
operating properly. If you perform the following steps before the Data Safe service
is enabled, Cloud Guard alerts you that you need to
enable Data Safe, whenever it finds a database.
If Cloud Guard IS already enabled, ensure that
your Cloud Guard tenancy has:
Cloud Guard targets defined that include
all the OCI compartments you want Cloud Guard to monitor for the Data Safe
service - see Viewing Details for a
Target.
The OCI Configuration Detector Recipe (either Oracle-managed or
user-managed) attached to each of those targets – see Viewing Details for a
Target.
Add the following policies to your Cloud Guard tenancy to enable access to the
Data Safe information:
allow service cloudguard to read data-safe-family in
tenancy
allow service cloudguard to read autonomous-database-family in
tenancy
If necessary, refine the configuration of these rules listed in the OCI
Configuration Detector Recipe (either Oracle-managed or user-managed) -
see Modifying Rule Settings in a Target's
Recipes.
Data Safe is not enabled (this rule is inoperative after Data Safe is
enabled)
Database is not registered with Data Safe (this rule is inoperative, if
Data Safe isn't enabled)
Your goal is to optimize the rule configurations so that you don't miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Data Safe service for a while, before you can determine whether any rule modifications are needed.
View problems generated from the Data Safe service on the Cloud Guard
Problems page - see Viewing the Problems List.
To see problems for the Data Safe service only, filter the Problems
list using Labels = Database Security.
Note
The Labels entry isn't
case-sensitive, but you must match the characters in "database
security" exactly.
Prerequisite: Ensure that both Cloud Guard and
Threat Intelligence services are enabled. Cloud Guard begins reporting problems, based on information from Threat Intelligence Service,
without any further configuration.
To allow users to click a link from Problem Details, on the Cloud Guard
Problems page and view detailed information in Threat Intelligence, ensure
that a policy is in place that grants the user permission:
Instance Security uses the OCI Logging service to record activity.
Prerequisite: Ensure that both Cloud Guard and the Logging service are enabled.
There are two types of log produced by Cloud Guard.
Cloud Guard Raw Logs, produced by Instance Security. You can enable these logs when you attach an Instance Security recipe to a target. Alternatively, you can enable them from the Logging service.
Cloud Guard Query Results Logs, produced by scheduled queries.