https://manual.sakura.ad.jp/cloud/design-pattern/tips_mkt/cloudone/cloudonetips-1.html
https://cloudone.trendmicro.com/
https://docs.trendmicro.com/en-us/documentation/article/trend-micro-cloud-one-workload-security-Get-started
前提: トレンドマイクロ Trend Cloud Oneアカウント作成済
※ 30日トライアルあり
-- 1. VPC、サブネット、コンピュートインスタンス作成
cat <<-'EOF' > variables.tf
locals {
tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
}
variable "compartment_name" {
description = "compartment_name"
type = string
default = "cmp01"
}
EOF
cat <<-'EOF' > main.tf
terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
oci = {
source = "hashicorp/oci"
version = "= 5.23.0"
}
}
}
provider "oci" {
tenancy_ocid = local.tenancy_ocid
user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111"
private_key_path = "~/.oci/oci_api_key.pem"
fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
region = "us-ashburn-1"
}
resource "oci_identity_compartment" "cmp01" {
# Required
compartment_id = local.tenancy_ocid
description = var.compartment_name
name = var.compartment_name
enable_delete = true
}
resource "oci_core_vcn" "vcn01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
#Optional
cidr_block = "10.0.0.0/16"
display_name = "vcn01"
dns_label = "vcn01"
}
resource "oci_core_internet_gateway" "igw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
enabled = true
display_name = "igw01"
}
resource "oci_core_route_table" "rt01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "rt01"
route_rules {
network_entity_id = oci_core_internet_gateway.igw01.id
destination = "0.0.0.0/0"
}
}
resource "oci_core_security_list" "sl01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "sl01"
egress_security_rules {
protocol = "all"
destination = "0.0.0.0/0"
stateless = false
}
ingress_security_rules {
protocol = "6"
source = "0.0.0.0/0"
stateless = false
tcp_options {
max = 22
min = 22
}
}
ingress_security_rules {
protocol = "all"
source = "10.1.0.0/24"
stateless = false
}
}
resource "oci_core_subnet" "subnet01" {
#Required
cidr_block = "10.0.0.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id
#Optional
display_name = "subnet01"
dns_label = "subnet01"
route_table_id = oci_core_route_table.rt01.id
security_list_ids = [oci_core_security_list.sl01.id]
}
data "oci_core_images" "ol8_latest" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
#Optional
operating_system = "Oracle Linux"
operating_system_version = "8"
shape = "VM.Standard.E2.1"
sort_by = "TIMECREATED"
sort_order = "DESC"
filter {
name = "display_name"
values = ["Oracle-Linux-8*"]
regex = true
}
}
resource "oci_core_instance" "vm01" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = "VM.Standard.E2.1"
agent_config {
plugins_config {
desired_state = "ENABLED"
name = "OS Management Service Agent"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Run Command"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Monitoring"
}
}
create_vnic_details {
#Optional
assign_public_ip = true
subnet_id = oci_core_subnet.subnet01.id
}
display_name = "vm01"
fault_domain = "FAULT-DOMAIN-1"
metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
}
source_details {
#Required
source_id = data.oci_core_images.ol8_latest.images[0].id
source_type = "image"
#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false
preemptible_instance_config {
preemption_action {
type = "TERMINATE"
preserve_boot_volume = false
}
}
}
EOF
cat <<-'EOF' > outputs.tf
output "cmp01_id" {
value = oci_identity_compartment.cmp01.id
description = "cmp01.id"
}
output "vcn01_id" {
value = oci_core_vcn.vcn01.id
description = "vcn01.id"
}
output "igw01_id" {
value = oci_core_internet_gateway.igw01.id
description = "igw01.id"
}
output "rt01_id" {
value = oci_core_route_table.rt01.id
description = "rt01.id"
}
output "sl01_id" {
value = oci_core_security_list.sl01.id
description = "sl01.id"
}
output "subnet01_id" {
value = oci_core_subnet.subnet01.id
description = "subnet01.id"
}
EOF
terraform init
terraform fmt
terraform -version
export TF_VAR_compartment_name=cmp01
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
-- 2. Agentのインストール
コンソールよりインストールスクリプト(AgentDeploymentScript.sh)をダウンロード
----------------
#!/bin/bash
ACTIVATIONURL='dsm://agents.workload.jp-1.cloudone.trendmicro.com:443/'
MANAGERURL='https://workload.jp-1.cloudone.trendmicro.com:443'
CURLOPTIONS='--silent --tlsv1.2'
linuxPlatform='';
isRPM='';
if $(/usr/bin/id -u) -ne 0 ; then
echo You are not running as the root user. Please try again with root privileges.;
logger -t You are not running as the root user. Please try again with root privileges.;
exit 1;
fi;
if ! type curl >/dev/null 2>&1; then
echo "Please install CURL before running this script."
logger -t Please install CURL before running this script
exit 1
fi
CURLOUT=$(eval curl -L $MANAGERURL/software/deploymentscript/platform/linuxdetectscriptv1/ -o /tmp/PlatformDetection $CURLOPTIONS;)
err=$?
if $err -eq 60 ; then
echo "TLS certificate validation for the agent package download has failed. Please check that your Workload Security Manager TLS certificate is signed by a trusted root certificate authority. For more information, search for \"deployment scripts\" in the Deep Security Help Center."
logger -t TLS certificate validation for the agent package download has failed. Please check that your Workload Security Manager TLS certificate is signed by a trusted root certificate authority. For more information, search for \"deployment scripts\" in the Deep Security Help Center.
exit 1;
fi
if [ -s /tmp/PlatformDetection ]; then
. /tmp/PlatformDetection
else
echo "Failed to download the agent installation support script."
logger -t Failed to download the Deep Security Agent installation support script
exit 1
fi
platform_detect
if -z "${linuxPlatform}" || -z "${isRPM}" ; then
echo Unsupported platform is detected
logger -t Unsupported platform is detected
exit 1
fi
if ${linuxPlatform} == *"SuSE_15"* ; then
if ! type pidof &> /dev/null || ! type start_daemon &> /dev/null || ! type killproc &> /dev/null; then
echo Please install sysvinit-tools before running this script
logger -t Please install sysvinit-tools before running this script
exit 1
fi
fi
echo Downloading agent package...
if $isRPM == 1 ; then package='agent.rpm'
else package='agent.deb'
fi
curl -H "Agent-Version-Control: on" -L $MANAGERURL/software/agent/${runningPlatform}${majorVersion}/${archType}/$package?tenantID=62561 -o /tmp/$package $CURLOPTIONS
echo Installing agent package...
rc=1
if $isRPM == 1 && -s /tmp/agent.rpm ; then
rpm -ihv /tmp/agent.rpm
rc=$?
elif -s /tmp/agent.deb ; then
dpkg -i /tmp/agent.deb
rc=$?
else
echo Failed to download the agent package. Please make sure the package is imported in the Workload Security Manager
logger -t Failed to download the agent package. Please make sure the package is imported in the Workload Security Manager
exit 1
fi
if ${rc} != 0 ; then
echo Failed to install the agent package
logger -t Failed to install the agent package
exit 1
fi
echo Install the agent package successfully
sleep 15
/opt/ds_agent/dsa_control -r
/opt/ds_agent/dsa_control -a $ACTIVATIONURL "tenantID:11111111-2222-3333-4444-555555555555" "token:66666666-7777-8888-9999-000000000000"
# /opt/ds_agent/dsa_control -a dsm://agents.workload.jp-1.cloudone.trendmicro.com:443/ "tenantID:11111111-2222-3333-4444-555555555555" "token:66666666-7777-8888-9999-000000000000"
----------------
ssh -i $HOME/.ssh/id_rsa opc@192.0.2.1
scp -i $HOME/.ssh/id_rsa ./AgentDeploymentScript.sh opc@192.0.2.1:~
sudo su -
cd ~opc
./AgentDeploymentScript.sh
systemctl status ds_agent
systemctl stop ds_agent
systemctl start ds_agent
