Focus

Prisma Cloud Compute Edition Administrator’s Guide

Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning

Table of Contents

Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning

Agentless scanning lets you inspect the risks and vulnerabilities of a virtual machine without having to install an agent or affecting the execution of the instance. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Currently, Prisma Cloud supports agentless scanning on Oracle Cloud Infrastructure (OCI) for vulnerabilities and compliance. To learn more about how agentless scanning works, see the How Agentless Scanning Works?[How Agentless Scanning Works?]

This guide enables Agentless scanning for Prisma Cloud Compute Edition (PCCE, self-hosted) in OCI.

The procedure shows you how to complete the following tasks.

Create an OCI compartment to run the needed instances in OCI that perform the agentless scanning.

Create a new OCI user for Prisma Cloud to access OCI.

Create an API key in OCI for the new user.

Configure the Prisma Cloud console to access the OCI resources.

Apply the needed permissions in OCI.

Start an agentless scan.

Create an OCI Compartment

Go to the Oracle Cloud console.

In the menu, go to Identity & Security > Compartments
.

Click Create Compartment
.

Enter a name and a description for the compartment.

Click Create Compartment
.

To scan all resources across all regions, you must create the resources for the different regions in the compartment. Make sure to create all needed resources with the same name in all regions.

Create a New OCI User

In the menu, go to Identity & Security > Users
.

Click Create User
.

Select IAM User
.

Enter a Name
and a Description
for the user.

Click Create
.

Create an API Access Key

On the user page, go to Resources > API Key
.

Select Generate API Key Pair
.

Click Download Private Key
.

Click Add
.

The Configuration File Preview
opens.

Copy the key-value pair for user into a text file.

Copy the key-value pair for fingerprint into a text file.

Copy the key-value pair for tenancy into a text file.

Save the text file.

Click Close
.

Configure Agentless Scanning

Complete the agentless scanning configuration for your OCI accounts.

Apply the Permissions in OCI

Go to the Oracle Cloud console.

Click on the terminal icon on the right hand corner and select Cloud Shell
.

Click the gear icon on the shell, and select Upload File
.

Select the pcc-apply-permissions.sh permission template you downloaded from the Prisma Cloud Console.

Make the file executable with the following command.

chmod +x pcc-apply-permissions.sh

Apply the permissions with the following command. Replace <OCI-Compartment> with the name of the created compartment.

apply pcc-apply-permissions.sh <OCI-Compartment>

Verify that the changed statements for the policy are correct and enter y to continue.

Enter y to dismiss the warning about tags.

Once the permissions are applied, you have an OCI user with the needed permissions.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan
page under Scheduling > Agentless
.