Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning

Agentless scanning lets you inspect the risks and vulnerabilities of a virtual machine without installing an agent or affecting the execution of the instance. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Currently, Prisma Cloud supports agentless scanning on Oracle Cloud Infrastructure (OCI) for vulnerabilities and compliance. To learn more about how agentless scanning works, see How Agentless Scanning Works.
This guide shows how to enable agentless scanning for Prisma Cloud Compute Edition (PCCE, self-hosted) in OCI.
The procedure shows you how to complete the following tasks.
  1. Create an OCI compartment to run the needed instances in OCI that perform the agentless scanning.
  2. Create a new OCI user for Prisma Cloud to access OCI.
  3. Create an API key in OCI for the new user.
  4. Configure the Prisma Cloud console to access the OCI resources.
  5. Apply the needed permissions in OCI.
  6. Start an agentless scan.

Create an OCI Compartment

  1. Go to the Oracle Cloud console.
  2. In the menu, go to Identity & Security > Compartments.
  3. Click Create Compartment.
  4. Enter a name and a description for the compartment.
  5. Click Create Compartment.
    To scan all resources across all regions, you must create the resources for the different regions in the compartment. Make sure to create all needed resources with the same name in all regions.

Create a New OCI User

  1. In the menu, go to Identity & Security > Users.
  2. Click Create User.
  3. Select IAM User.
  4. Enter a
    and a
    for the user.
  5. Click

Create an API Access Key

  1. On the user page, go to Resources > API Key.
  2. Select Generate API Key Pair.
  3. Click Download Private Key.
  4. Click
  5. The
    Configuration File Preview
    1. Copy the key-value pair for user into a text file.
    2. Copy the key-value pair for fingerprint into a text file.
    3. Copy the key-value pair for tenancy into a text file.
    4. Save the text file.
  6. Click
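
A check worth running before entering these values in the Prisma Cloud console, added here as an example that is not part of the Prisma Cloud documentation: it confirms that the saved user, tenancy and fingerprint values are well formed and that the downloaded private key is the one the fingerprint refers to. The function names and the two file arguments (the saved text file and the downloaded key) are assumptions, and it requires openssl.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud documentation.
# Assumes the unencrypted PEM key that the OCI console generates.

# Print the value of KEY from a file of key=value lines (the saved text file).
get_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# OCI identifies an API key by the MD5 digest of its DER-encoded public key,
# printed as colon-separated hex. Prints nothing if the file is not an RSA key.
key_fingerprint() {
    openssl rsa -in "$1" -noout 2>/dev/null || return 1
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl md5 -c | awk '{print $NF}'
}

# check_oci_values VALUES_FILE PRIVATE_KEY_FILE
# Returns 0 only if the three values are well formed, the key matches the
# fingerprint, and the key file is not accessible to group or others.
check_oci_values() {
    rc=0
    user=$(get_value "$1" user)
    tenancy=$(get_value "$1" tenancy)
    fp=$(get_value "$1" fingerprint)
    case "$user" in
        ocid1.user.*) ;;
        *) echo "user is not a user OCID: '$user'" >&2; rc=1 ;;
    esac
    case "$tenancy" in
        ocid1.tenancy.*) ;;
        *) echo "tenancy is not a tenancy OCID: '$tenancy'" >&2; rc=1 ;;
    esac
    if ! printf '%s\n' "$fp" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'; then
        echo "fingerprint is not 16 colon-separated hex bytes: '$fp'" >&2; rc=1
    elif [ "$(key_fingerprint "$2")" != "$fp" ]; then
        echo "private key does not match the fingerprint" >&2; rc=1
    fi
    # The key authenticates as the OCI user, so it must be owner-only.
    if [ "$(ls -l "$2" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "private key is accessible to group/others; chmod 600 it" >&2; rc=1
    fi
    return $rc
}
```

Call it as `check_oci_values <saved-text-file> <downloaded-private-key>`; every failed check is reported on stderr and the return status is non-zero if any of them failed.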

Configure Agentless Scanning

Complete the agentless scanning configuration for your OCI accounts.

Apply the Permissions in OCI

  1. Go to the Oracle Cloud console.
  2. Click on the terminal icon on the right-hand corner and select Cloud Shell.
  3. Click the gear icon on the shell, and select Upload File.
  4. Select the pcc-apply-permissions.sh permission template you downloaded from the Prisma Cloud Console.
  5. Make the file executable with the following command.
    chmod +x pcc-apply-permissions.sh
  6. Apply the permissions with the following command. Replace <OCI-Compartment> with the name of the created compartment.
    ./pcc-apply-permissions.sh <OCI-Compartment>
  7. Verify that the changed statements for the policy are correct and enter y to continue.
  8. Enter y to dismiss the warning about tags.
  9. Once the permissions are applied, you have an OCI user with the needed permissions.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
  1. Go to Manage > Cloud accounts.
  2. Click the scan icon on the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Monitor > Vulnerabilities > Hosts or Monitor > Vulnerabilities > Images.
    2. Click on the Filter hosts text bar.
    3. Select the
      Scanned by
    4. Select the
