
Exercise 02: Manual Remediation

In this exercise, we will configure Cloud Guard to detect public Object Storage buckets by creating a custom detector recipe. You will also set up a target to monitor your compartment and test the configuration by creating a public bucket.

Objectives

  • Clone an existing Oracle-managed detector recipe.
  • Create a new target to monitor objects in your compartment.
  • Create an Object Storage bucket and set its visibility to public.
  • Verify that Cloud Guard generates an alert for the public bucket.

Environment

Perform this exercise within the following environment:

  • Compartment: OCI-SEC-WS-LAB-nn
  • Region: Germany Central (Frankfurt)
  • OCI Console URL: OCI Console Frankfurt - Login
  • OCI User: lab-oci-sec-wsNN
  • OCI Password: provided by trainer

Ensure you are in the correct compartment and region. New resources, such as Cloud Shell configurations and ADB access settings, should be created within your designated compartment.

Solution

Log in to the OCI console as your lab user and go to Identity & Security -> Cloud Guard -> Overview. Ensure you have selected the proper compartment from the dropdown list on the left side.

>> overview

Clone existing Oracle managed recipes

From the left menu, select Recipes and then Clone.

>> step_1

Clone Detector recipes

Cloud Guard -> Recipes -> Detector recipes

  • Change the compartment at the top to trivadisbdsxsp (root).
  • Select the recipe OCI Activity Detector Recipe (Oracle managed) from the dropdown list.
  • Set a name for the cloned recipe, for example OCI Activity Detector Recipe comp-oci-ws-sec-ws-lab-00.
  • Ensure that in the section Compartment your own compartment is selected.

>> step_2

Press Clone at the bottom.

Repeat the steps for the other Oracle managed detector recipes:

  • OCI Configuration Detector Recipe (Oracle managed)
  • OCI Instance Security Detector Recipe (Oracle managed)

After a successful clone, you have recipes for Instance Security, Configuration and Activity.

Clone Responder recipes

Cloud Guard -> Recipes -> Responder recipes

  • Ensure Responder recipes is selected in the left side menu.
  • Change the compartment at the top to trivadisbdsxsp (root).
  • Select the recipe OCI Activity Detector Recipe (Oracle managed) from the dropdown list.
  • Set a name for the cloned recipe, for example OCI Activity Detector Recipe -
  • Ensure that in the section Compartment your own compartment is selected.

>> step_3

Press Clone at the bottom.

Verify cloned recipes

After cloning, you must have three detector recipes and one responder recipe in your compartment.

Detector recipes:

>> step_4

Responder recipe:

>> step_5

Create a new target to observe your compartment objects

In this step, we create a target based on your compartment and add the recipes we cloned. Ensure your compartment is selected in the left panel.

Identity & Security -> Cloud Guard -> Configuration -> Targets -> Create Target

>> targets_1

Basic Information

Add basic information and description. Use the recipes you created for your compartment.

  • Set the target name according to your compartment, for example cg-tgt-oci-sec-ws-lab-00.
  • Add a description.
  • Verify that the compartment matches your work compartment.

>> targets_2

Press Next at the bottom.

Configuration

Assign the detector recipes you cloned for your compartment.

  • In Posture and threat monitoring recipes, select the OCI Configuration Detector Recipe you created for your compartment.
  • In Instance Security recipe, select the OCI Instance Detector Recipe you created for your compartment.
  • Activate All compute instances.

>> targets_3

Press Next at the bottom.

Review

Verify that you selected the proper recipes for your compartment.

>> targets_4

Press Create at the bottom. Go back to Cloud Guard Overview page.

Create an Object Storage bucket and change its visibility to public

In this step, we create an Object Storage bucket and change its visibility.

Create Bucket

Ensure you are in the correct compartment. If not, select your compartment from the dropdown menu on the left side.

Go to Storage -> Object Storage -> Buckets

>> bucket_1

Press Create Bucket.

  • Set Bucket Name to public-bucket and leave the other settings at their defaults.

>> bucket_2

Press Create at the bottom.

Edit Visibility

Edit the created bucket by clicking the three dots -> Edit Visibility.

>> bucket_3

Change the visibility to Public. Leave the checkbox setting at its default.

>> bucket_4

Press Save Changes at the bottom.

Verification

The bucket is set to public and marked by a yellow triangle.

>> bucket_5

Verify new Cloud Guard alert

Identity & Security -> Cloud Guard -> Alerts -> Problems

Verify that the public bucket is recognized by Cloud Guard. You see an entry with risk level Critical.

>> alert_1

Remediation

Select the alert entry by clicking on the bucket name to see the details, then press Remediate.

>> alert_2

Ignore the warning about missing permissions: your OCI user is not able to see the policies created in the top-level compartment.

>> alert_3

Confirm.

>> alert_4

Verification

After a few seconds, the visibility of the Object Storage bucket you created has changed back to Private.

Storage -> Object Storage -> Buckets

>> alert_5

In the Cloud Guard alert view, the state changes after a couple of seconds too.

The alert is no longer visible in the alert list.
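The two checks performed above in the Console (spotting a bucket whose visibility is Public, and confirming it is back to Private after remediation) can also be scripted, which is useful for periodically auditing a compartment alongside Cloud Guard. The following is an added example written for this page, not code from the exercise or from Oracle. It parses records in the shape returned by oci os bucket get (the documented public-access-type field, where NoPublicAccess is private and ObjectRead or ObjectReadWithoutList is public), reports public buckets with the Critical risk level used in the exercise, and builds the oci os bucket update command that sets a bucket back to private. The bucket records, namespace and compartment OCID are constructed sample data; the fetch_bucket helper that calls the real CLI is only used when the script is run against a live tenancy.

```python
"""Audit OCI Object Storage buckets for public visibility and produce the
CLI command that returns them to private.

Records have the shape of `oci os bucket get --bucket-name <name>` output
(a dict with a "data" key). SAMPLE_BUCKET_GETS below is constructed sample
data for this example, not real lab output.
"""
import json
import shlex
import subprocess
from typing import Dict, List, Optional

# Documented values of the Object Storage "public-access-type" field.
PRIVATE = "NoPublicAccess"
PUBLIC_TYPES = {
    "ObjectRead": "anonymous read and list",
    "ObjectReadWithoutList": "anonymous read, no list",
}

# Constructed sample records (namespace and OCID are placeholders).
SAMPLE_BUCKET_GETS: List[Dict] = [
    {"data": {"namespace": "examplens", "name": "public-bucket",
              "compartment-id": "ocid1.compartment.oc1..example",
              "public-access-type": "ObjectRead"}},
    {"data": {"namespace": "examplens", "name": "reports",
              "compartment-id": "ocid1.compartment.oc1..example",
              "public-access-type": "ObjectReadWithoutList"}},
    {"data": {"namespace": "examplens", "name": "backups",
              "compartment-id": "ocid1.compartment.oc1..example",
              "public-access-type": "NoPublicAccess"}},
]


def is_private(record: Dict) -> bool:
    """True when the bucket cannot be read anonymously."""
    return record.get("data", {}).get("public-access-type", PRIVATE) == PRIVATE


def find_public_buckets(bucket_gets: List[Dict]) -> List[Dict]:
    """Return one finding per bucket whose access type is not NoPublicAccess."""
    findings = []
    for record in bucket_gets:
        if is_private(record):
            continue
        bucket = record["data"]
        access = bucket["public-access-type"]
        findings.append({
            "name": bucket["name"],
            "namespace": bucket.get("namespace"),
            "access": access,
            "exposure": PUBLIC_TYPES.get(access, "unknown public access type"),
            # Same risk level Cloud Guard assigns to a public bucket in this exercise.
            "risk": "CRITICAL",
        })
    return findings


def remediation_command(bucket_name: str, namespace: Optional[str] = None) -> List[str]:
    """Build the OCI CLI call that sets a bucket back to private (argv form)."""
    cmd = ["oci", "os", "bucket", "update",
           "--bucket-name", bucket_name,
           "--public-access-type", PRIVATE]
    if namespace:
        cmd += ["--namespace", namespace]
    return cmd


def remediation_shell(bucket_name: str, namespace: Optional[str] = None) -> str:
    """Same command as a single, safely quoted shell line."""
    return shlex.join(remediation_command(bucket_name, namespace))


def fetch_bucket(bucket_name: str) -> Dict:
    """Live helper: read one bucket through the real OCI CLI (not used in tests)."""
    out = subprocess.run(["oci", "os", "bucket", "get", "--bucket-name", bucket_name],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Offline run over the constructed records: report and print, never execute.
    for f in find_public_buckets(SAMPLE_BUCKET_GETS):
        print(f"{f['risk']}: bucket {f['name']} is public ({f['exposure']})")
        print("  remediate with:", remediation_shell(f["name"], f["namespace"]))
```

The script only prints the remediation command; running it is a deliberate manual step, in the same spirit as the Remediate button in the exercise. To audit a live compartment, list bucket names with oci os bucket list --compartment-id and feed each through fetch_bucket before calling find_public_buckets.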

Summary

In this exercise, you:

  • Cloned an Oracle-managed detector recipe in Cloud Guard.
  • Created a new target to observe and monitor resources in your compartment.
  • Configured an Object Storage bucket with public visibility.
  • Verified that Cloud Guard generated an alert for the public bucket, indicating successful detection.

You are now ready to continue with the next exercise, where you will explore further Cloud Guard configurations.