Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable OS Management Service for Compute Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-006

Ensure that OS Management Service feature is enabled for your Oracle Cloud Infrastructure (OCI) compute instances in order to automate and simplify operating system lifecycle tasks like patching and package management, which helps maintain security and compliance across your compute instance fleet.

Security

OS Management Service manages and monitors updates and patches for the compute instance operating system (OS). Enabling OS Management Service for OCI compute instances will help you ensure a strong security posture and operational efficiency at scale by automating system patching, maintaining OS compliance, and centralizing the control of software lifecycle management across your fleet of OCI compute instances.

OS Management Service can't be enabled unless the Oracle Cloud Agent is installed on the compute instance. Oracle Cloud Agent is a lightweight process that manages plugins running on your instance. If your compute instance uses a current platform image or a custom image based on one, the Oracle Cloud Agent is installed by default. Otherwise, refer to this guide to install the Oracle Cloud Agent software.

Audit

To determine if the OS Management Service is enabled for your OCI compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Management tab to access the list of plugins supported by the selected instance, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type OS Management Hub Agent, and choose Apply filter to return the OS Management Hub Agent plugin.

08 Check the OS Management Hub Agent plugin status, listed in the Enable plugin column. If the plugin status is set to Disabled, the OS Management Service is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each compute instance available in the selected OCI compartment: 

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs: 

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the operational state of each plugin installed on the selected instance, managed by the Oracle Cloud Agent: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."agent-config"."plugins-config"'

06 The command output should return the list of plugins installed on the compute instance and their current status: 

[
	{
		"desired-state": "DISABLED",
		"name": "WebLogic Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "Vulnerability Scanning"
	},
	{
		"desired-state": "DISABLED",
		"name": "Oracle Java Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "OS Management Hub Agent"
	},
	{
		"desired-state": "DISABLED",
		"name": "Management Agent"
	},
	{
		"desired-state": "ENABLED",
		"name": "Custom Logs Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute RDMA GPU Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute Instance Run Command"
	},
	{
		"desired-state": "ENABLED",
		"name": "Compute Instance Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Auto-Configuration"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Authentication"
	},
	{
		"desired-state": "DISABLED",
		"name": "Cloud Guard Workload Protection"
	},
	{
		"desired-state": "DISABLED",
		"name": "Block Volume Management"
	},
	{
		"desired-state": "DISABLED",
		"name": "Bastion"
	}
]

Check the "desired-state" property value set for the "OS Management Hub Agent" plugin to determine the operational state of the plugin. If the "desired-state" value is set to "DISABLED", as shown in the output example above, the OS Management Service is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Remediation / Resolution

To ensure that OS Management Service is enabled for your Oracle Cloud Infrastructure (OCI) compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to configure, listed in the Name column.

06 Select the Management tab to access the list of supported instance plugins, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type OS Management Hub Agent, and choose Apply filter to return the OS Management Hub Agent plugin.

08 Click on the Actions button (i.e., 3-dot icon) next to the OS Management Hub Agent plugin and choose Enable to enable the OS Management Service for the selected OCI compute instance. It takes up to 10 minutes for the configuration change to take effect.

Using OCI CLI

01 Set the "desired-state" to "ENABLED" for the "OS Management Hub Agent" plugin to enable the service and save the "plugins-config" object to a file name cc-instance-plugins-config.json. Because the --agent-config parameter for compute instance update command replaces any existing values, ensure that "plugins-config" contains all the plugins managed by the Oracle Cloud Agent, as returned by the compute instance get command in the Audit process: 

{
	"plugins-config":
	[
		{
			"desired-state": "DISABLED",
			"name": "WebLogic Management Service"
		},
		{
			"desired-state": "DISABLED",
			"name": "Vulnerability Scanning"
		},
		{
			"desired-state": "DISABLED",
			"name": "Oracle Java Management Service"
		},
		{
			"desired-state": "ENABLED",
			"name": "OS Management Hub Agent"
		},
		{
			"desired-state": "DISABLED",
			"name": "Management Agent"
		},
		{
			"desired-state": "ENABLED",
			"name": "Custom Logs Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute RDMA GPU Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute Instance Run Command"
		},
		{
			"desired-state": "ENABLED",
			"name": "Compute Instance Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Auto-Configuration"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Authentication"
		},
		{
			"desired-state": "ENABLED",
			"name": "Cloud Guard Workload Protection"
		},
		{
			"desired-state": "DISABLED",
			"name": "Block Volume Management"
		},
		{
			"desired-state": "DISABLED",
			"name": "Bastion"
		}
	]
}

02 Run compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to enable the OS Management Service for the selected compute instance. For --agent-config, use the plugins configuration file edited in the previous step (i.e., cc-instance-plugins-config.json): 

oci compute instance update
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--agent-config file://cc-instance-plugins-config.json

03 Type Y and press Enter for confirmation: 

WARNING: Updates to defined-tags and security-attributes and freeform-tags and agent-config and metadata and extended-metadata and shape-config and source-details and instance-options and launch-options and availability-config and platform-config and licensing-configs will replace any existing values. Are you sure you want to continue? [y/N]: Y

04 The command output should return the configuration infromation available for the modified compute instance (including the plugins config): 

{
	"data": {
		"availability-config": {
			"is-live-migration-preferred": null,
			"recovery-action": "RESTORE_INSTANCE"
		},
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"capacity-reservation-id": null,
		"cluster-placement-group-id": null,
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"dedicated-vm-host-id": null,
		"defined-tags": {},
		"display-name": "cc-project5-compute-instance",
		"extended-metadata": {},
		"fault-domain": "FAULT-DOMAIN-3",
		"freeform-tags": {},
		"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-configuration-id": null,
		"instance-options": {
			"are-legacy-imds-endpoints-disabled": true
		},
		"agent-config": {
			"are-all-plugins-disabled": false,
			"is-management-disabled": false,
			"is-monitoring-disabled": false,
			"plugins-config": [
				{
					"desired-state": "DISABLED",
					"name": "WebLogic Management Service"
				},
				{
					"desired-state": "DISABLED",
					"name": "Vulnerability Scanning"
				},
				{
					"desired-state": "DISABLED",
					"name": "Oracle Java Management Service"
				},
				{
					"desired-state": "ENABLED",
					"name": "OS Management Hub Agent"
				},
				{
					"desired-state": "DISABLED",
					"name": "Management Agent"
				},
				{
					"desired-state": "ENABLED",
					"name": "Custom Logs Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute RDMA GPU Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute Instance Run Command"
				},
				{
					"desired-state": "ENABLED",
					"name": "Compute Instance Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Auto-Configuration"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Authentication"
				},
				{
					"desired-state": "ENABLED",
					"name": "Cloud Guard Workload Protection"
				},
				{
					"desired-state": "DISABLED",
					"name": "Block Volume Management"
				},
				{
					"desired-state": "DISABLED",
					"name": "Bastion"
				}
			]
		},
		"ipxe-script": null,
		"is-ai-enterprise-enabled": null,
		"is-cross-numa-node": false,
		"launch-mode": "PARAVIRTUALIZED",
		"launch-options": {
			"boot-volume-type": "PARAVIRTUALIZED",
			"firmware": "UEFI_64",
			"is-consistent-volume-naming-enabled": true,
			"is-pv-encryption-in-transit-enabled": true,
			"network-type": "PARAVIRTUALIZED",
			"remote-data-volume-type": "PARAVIRTUALIZED"
		},
		"licensing-configs": null,
		"lifecycle-state": "RUNNING",
		"metadata": {},
		"placement-constraint-details": null,
		"platform-config": {
			"is-measured-boot-enabled": false,
			"is-memory-encryption-enabled": false,
			"is-secure-boot-enabled": true,
			"is-symmetric-multi-threading-enabled": true,
			"is-trusted-platform-module-enabled": false,
			"type": "AMD_VM"
		},
		"preemptible-instance-config": null,
		"region": "ap-sydney-1",
		"security-attributes": {},
		"security-attributes-state": "STABLE",
		"shape": "VM.Standard.E4.Flex",
		"shape-config": {
			"baseline-ocpu-utilization": null,
			"gpu-description": null,
			"gpus": 0,
			"local-disk-description": null,
			"local-disks": 0,
			"local-disks-total-size-in-gbs": null,
			"max-vnic-attachments": 2,
			"memory-in-gbs": 1.0,
			"networking-bandwidth-in-gbps": 1.0,
			"ocpus": 1.0,
			"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
			"vcpus": 2
		},
		"source-details": {
			"boot-volume-size-in-gbs": null,
			"boot-volume-vpus-per-gb": null,
			"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
			"instance-source-image-filter-details": null,
			"kms-key-id": null,
			"source-type": "image"
		},
		"system-tags": {},
		"time-maintenance-reboot-due": null
	},
	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}

References

Publication date Nov 11, 2025

Related OCI-Compute rules