Getting Started with Cloud Guard

Review Oracle Cloud Guard concepts, ensure you meet prerequisites, enable Cloud Guard initially, and then access Cloud Guard routinely.

Planning for Cloud Guard

Spending some time planning how Cloud Guard functionality is mapped onto your environment, before you enable and configure Cloud Guard, might save you some time later.

You can enable Cloud Guard and begin monitoring your environment immediately. All you need to do is specify a single target that maps to the top-level compartment in the branch of your Oracle Cloud Infrastructure that you want to monitor. Then, over time, you can customize the Cloud Guard configuration, based on your experience with processing the problems that Cloud Guard detects. You can continually customize the Cloud Guard configuration to optimize performance toward a two-part goal:

  1. Not letting anything that represents a potential security risk go undetected.
  2. Not detecting "too many" false positives - problems that do not actually represent potential security risks.

If you do some planning, you might be able to get a head start on this two-part goal. All you need to do is survey how the resources in your Oracle Cloud Infrastructure tenancy are organized into compartments.

Survey Your Environment

Examine the types of resources that are stored in different parts of the compartment hierarchy in your Oracle Cloud Infrastructure tenancy. Are there groups of resources in different parts of that compartment hierarchy that need to be monitored for in different ways, in order to detect different types of threats? Would the same problem, if detected in different compartments, represent different risk levels?

Cloud Guard lets you define different areas within your Oracle Cloud Infrastructure tenancy that can be monitored in different ways. The trade-off is that all compartments within a defined area are monitored in the same way.

Familiarize Yourself with Cloud Guard Terminology

Cloud Guard Concepts defines the terms that you learn as you work with Cloud Guard. To get started, the following list summarizes what you need to know to get started planning for Cloud Guard.

Target
Defines the scope of what Cloud Guard checks. All compartments within a target are checked in the same way and you have the same options for processing problems that are detected.
Detector
Performs checks to identify potential security problems based on activities or configurations. Rules followed to identify problems are the same for all compartments in a target.
Responder
Specifies actions that Cloud Guard can take when detectors identify problems. Rules for how to process identified problems are the same for all compartments in a target.

Familiarize Yourself with Cloud Guard Detector Recipes

Look over the rules described in the sections of Detector Recipe Reference for different detectors. Within your environment:

  • Are there any compartments that you do not want Cloud Guard to monitor at all? If so, you have to define one or more targets in a way that excludes these compartments.
  • Do you think that you might want to set the risk level differently, or enable and disable rules differently, for resources in different parts of your Oracle Cloud Infrastructure compartment hierarchy? To configure detector rules differently for different compartments, you have to define separate targets for those compartments.

    For example, for the "Bucket is public" configuration rule, the default risk level is "CRITICAL" and the rule is enabled by default. Should these settings be the same for all compartments?

  • You can disable responder recipe actions on problems that detectors identify. If you want actions for a particular responder rule to be enabled in some compartments, but disabled in others, you have to define separate targets for those compartments.

    For example, the "Make Bucket Private" responder rule is enabled by default. Do you have some compartments in which all buckets are public by design, and so you can disable this rule?

Plan How Targets Will Map to Compartments

If at this point you don't think you need to define multiple targets, and you have completed the Prerequisites, you can proceed with Enabling Cloud Guard. You can always change your target configuration later, as the need arises.

If you think you need to set up targets to allow different compartments to be monitors differently, keep these guidelines in mind when mapping targets to compartments:

  • All of a target's compartments inherit that target's configuration. The detector and responder rule settings for a target apply to the top-level compartment assigned to that target, and to any subordinate compartments below it in the compartment hierarchy.

    If you want to exclude some compartments from monitoring, create targets below the root level and do not include the root compartment in any target.

  • Target defined within an existing target overrides inherited configuration. Within an existing target, you can assign a compartment below the target's top-level compartment to a new target. You can change the detector and responder rule settings for the new target, and those settings now apply to the top-level compartment assigned to that target, and to all the subordinate compartments below it in the compartment hierarchy.

Carefully Choose Your Reporting Region

When you enable Cloud Guard, you are asked to choose a reporting region. Carefully consider these consequences of your reporting region choice:

  • The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
  • After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
  • All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
  • All API calls, except for READs, must be made on the reporting region.

Ensure that you make the best decision for your reporting region, before you begin Steps to Enable Cloud Guard.

Enabling Cloud Guard

Perform this task to enable Oracle Cloud Guard from the OCI Console.

Prerequisite: Complete the tasks in Prerequisites and Planning for Cloud Guard.

Two Strategies

You can use either of two basic approaches for enabling Cloud Guard:

  1. Start with Default Configuration: You want Cloud Guard to start reporting problems as soon as possible after completing the enablement process.

    Don't skip any optional selections during the enablement process.

    Note

    If you skip any of the optional selections during enablement process, Cloud Guard does not automatically start reporting problems after completing the enablement process. If you skip optional settings during enablement, Cloud Guard can't start reporting problems until you add detector recipes to the specified target. See Modifying Recipes Added to a Target.
  2. Customize Configuration First: You want to customize Cloud Guard's configuration before Cloud Guard starts reporting problems.

    You can skip any or all optional selections during the enablement process.

Whichever approach you take to enable Cloud Guard, you can refine the Cloud Guard configuration as needed after enablement.

Steps to Enable Cloud Guard

  1. Log in to the OCI Console as the Oracle Cloud Guard user you created in Prerequisites, in the "Creating the Cloud Guard User and Group" section.
  2. Open the navigation menu and click Identity & Security. Under Cloud Guard, click any resource.
    Note

    If the page for the Cloud Guard resource that you clicked opens, Cloud Guard is already enabled.
  3. On the Cloud Guard page, click the Enable Cloud Guard button at top right.
  4. In the Enable Cloud Guard dialog box:
    1. In the Tenancy Policies section, click one of the enable links.

      If all required policies are successfully created, the link text changes to enabled.

      Note

      These policies are read-only privileges that allow Cloud Guard to monitor OCI resources within your tenancy. These policies you do not provide Cloud Guard with any manage privileges for the resources.

      The following IAM policies are automatically added to the “Cloud Guard Policies” policy group when you click Enable at the bottom of the Enable Cloud Guard dialog box:

      allow service cloudguard to read keys in tenancy
      allow service cloudguard to read compartments in tenancy
      allow service cloudguard to read compute-management-family in tenancy
      allow service cloudguard to read instance-family in tenancy
      allow service cloudguard to read virtual-network-family in tenancy
      allow service cloudguard to read volume-family in tenancy
      allow service cloudguard to read tenancies in tenancy
      allow service cloudguard to read audit-events in tenancy
      allow service cloudguard to read vaults in tenancy
      allow service cloudguard to read object-family in tenancy
      allow service cloudguard to read load-balancers in tenancy
      allow service cloudguard to read groups in tenancy
      allow service cloudguard to read dynamic-groups in tenancy
      allow service cloudguard to read users in tenancy
      allow service cloudguard to read database-family in tenancy
      allow service cloudguard to read authentication-policies in tenancy
      allow service cloudguard to read policies in tenancy
      allow service cloudguard to use network-security-groups in tenancy
      allow service cloudguard to read data-safe-family in tenancy 
      
    2. If any of the enable links change to failed:
      1. Move the mouse pointer over the failed link to see what the issue was that prevented the policy from being created.
      2. Keep the Enable Cloud Guard dialog box open in your browser.

        If necessary, you can close the dialog box and return later, restarting the enablement process.

      3. Resolve the issue.

        For any policy which still shows as failed, you might not have sufficient permissions to create the policy. Check with your tenancy administrator for any privileges that are needed.

      4. In the Enable Cloud Guard dialog box, Policy Required To Execute panel, click the failed link.

        The failed link should now change to enabled.

    3. Select a Reporting Region.
      The reporting region must be a region that Cloud Guard supports. If Cloud Guard doesn't support the region you select, select a different region.
      Caution

      Give careful consideration to your reporting region selection:

      • The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
      • After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
      • All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
      • All API calls, except for READs, must be made on the reporting region.
    4. Specify Compartments To Monitor in the OCI tenancy.

      Choose one of these options:

      • All to monitor all compartments.
      • Select compartments, and then select from the list, to monitor only compartments that you specify.
      • None to monitor no compartments. You might want to select None to simply view the contents of the detector recipes, before you enable any of them.
        Note

        Your selection here defines a target for Cloud Guard to monitor. To enable with the "Start with Default Configuration" option, don't select None.
    5. (Optional) Select an OCI Configuration Detector Recipe from the list.
      Note

      To enable with the "Start with Default Configuration" option, don't skip this selection.
    6. (Optional) Select an OCI Activity Detector Recipe from the list.
      Note

      To enable with the "Start with Default Configuration" option, don't skip this selection.
    7. Click Enable.

      A progress bar replaces the Enable Cloud Guard button on the Cloud Guard page.

      Note

      If you have reached this point in a free tenancy, the enablement does not proceed.
  5. When enablement completes, on the Cloud Guard page, click Go To Cloud Guard.

    The Cloud Guard Overview page appears, and the guided tour starts. Gradually,

    Note

    If you followed the "Start with Default Configuration" approach in the enablement process, information about problems detected begins to appear.
  6. Take the guided tour to familiarize yourself with the features on the Overview page.

What's Next

Note

Whichever approach you followed in the enablement process, Cloud Guard disables two OCI Configuration Detector rules by default in new tenancies. Disabling these rules initially is necessary to prevent Cloud Guard from generating an excessive number of problems that you would consider false positives. For more information about these rules, see:
  • If you followed the "Start with Default Configuration" approach in the enablement process, information on problems soon starts to appear in Cloud Guard. How soon the problem information starts to appear depends on your environment, your configuration of targets and detectors, and the number of problems that are occurring for Cloud Guard to detect.
  • If you followed the "Customize Configuration First" approach in the enablement process, no information on problems appears until you complete any of the configuration tasks that were skipped during enablement:
    1. Define one or more targets. See Creating a Target.
    2. (Optional) Clone Oracle-managed detector recipes. See Cloning a Detector Recipe.
    3. (Optional) Customize detector recipes for your environment. See Modifying a Detector Recipe.
    4. Add detector recipes to each target. See Modifying Recipes Added to a Target.
  • After Cloud Guard has started reporting problems:

Accessing Cloud Guard Routinely

Perform this task to access Cloud Guard from the OCI Console, after Cloud Guard is enabled.

Prerequisite: Perform the task in Enabling Cloud Guard.

  1. Log in to the Console as a tenancy administrator with minimum privileges required for Cloud Guard.

    Your administrator creates the users and assigns them to a special group that provides access to Cloud Guard.

  2. Open the navigation menu and select Identity & Security, then click Cloud Guard.

    The Cloud Guard Overview page appears.

What's Next

Integrating Cloud Guard with Other Services

Ensure that configuration details necessary to support Cloud Guard integration with other services are in place.

After you have finished performing the tasks in Enabling Cloud Guard, plus some follow-up tasks if you use the Customize Configuration First strategy, all integrations with other services should be functioning smoothly.

When new services that support integration with Cloud Guard later become available, you need to ensure that your Cloud Guard configuration details correctly support the new service:

  • Cloud Guard targets must contain all the compartments where resources from the new service that Cloud Guard is to monitor are located.
  • The Cloud Guard detector recipes that contain the rules that are specific to the new service must be attached to those Cloud Guard targets.

Expand one of the following service names to see the steps to follow to ensure that your Cloud Guard configuration details correctly support the service.

Certificates Service

Prerequisite: Ensure that the Certificates service is already enabled and operating properly.

  1. If Cloud Guard is NOT already enabled:
    1. Enable Cloud Guard – see Enabling Cloud Guard.

      Follow steps for “Start with Default Configuration.”

    2. Ensure that you enable the OCI Activity Detector Recipe.
    3. Ensure that you define a Cloud Guard target that covers the OCI compartments you want Cloud Guard to monitor for the Certificates service.
    4. Ensure that the OCI Activity Detector Recipe is attached to the Cloud Guard target - see Viewing Details for a Target.
  2. If Cloud Guard IS already enabled, ensure that your Cloud Guard tenancy has:
  3. If necessary, refine the configuration of these rules listed in the OCI Activity Detector Recipe (either Oracle-managed or user-managed) - see Modifying Rule Settings in a Target's Recipes.
    • CA bundle updated
    • Certificate Authority (CA) deleted
    • Intermediate Certificate Authority (CA) revoked

    Your goal is to optimize the rule configurations so that you don’t miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Certificates service for a while, before you can determine whether any rule modifications are needed.

  4. View problems generated from the Certificates service on the Cloud Guard Problems page - see Viewing the Problems List.
    To see problems for the Certificates service only, filter the Problems list using Labels = Certificates.
    Note

    The Labels entry isn't case-sensitive, but you must match the characters in "certificates" exactly.
Data Safe Service

Prerequisite: Ensure that the Data Safe service is already enabled and operating properly. If you perform the following steps before the Data Safe service is enabled, Cloud Guard alerts you that you need to enable Data Safe, whenever it finds a database.

  1. If Cloud Guard is NOT already enabled:
    1. Enable Cloud Guard – see Enabling Cloud Guard.

      Follow steps for “Start with Default Configuration.”

    2. Ensure that you enable the OCI Configuration Detector Recipe.
    3. Ensure that you define a Cloud Guard target that covers the OCI compartments you want Cloud Guard to monitor for the Data Safe service.
    4. Ensure that the OCI Configuration Detector Recipe is attached to the Cloud Guard target - see Viewing Details for a Target.
  2. If Cloud Guard IS already enabled, ensure that your Cloud Guard tenancy has:
  3. Add the following policy to your Cloud Guard tenancy to enable access to the Data Safe information:

    allow service cloudguard to read data-safe-family in tenancy

  4. If necessary, refine the configuration of these rules listed in the OCI Configuration Detector Recipe (either Oracle-managed or user-managed) - see Modifying Rule Settings in a Target's Recipes.
    • Data Safe is not enabled (this rule is inoperative after Data Safe is enabled)
    • Database is not registered with Data Safe (this rule is inoperative, if Data Safe isn't enabled

    Your goal is to optimize the rule configurations so that you don’t miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Data Safe service for a while, before you can determine whether any rule modifications are needed.

  5. View problems generated from the Data Safe service on the Cloud Guard Problems page - see Viewing the Problems List.
    To see problems for the Data Safe service only, filter the Problems list using Labels = Database Security.
    Note

    The Labels entry isn't case-sensitive, but you must match the characters in "database security" exactly.