Oracle Cloud Infrastructure Documentation

Creating a Compute Scan Recipe

Create a Compute (host) scan recipe with or without a host agent.

You have the following options for creating a Compute scan recipe:

Important

  • Before you begin, review the policies documentation for Vulnerability Scanning. See Required IAM Policies for Scanning.
  • After you create an OCI agent or Qualys agent Compute scan recipe, don't change that recipe to change agents. Create another recipe.

  • To create a Compute scan recipe without an agent, complete the following steps:

    1. On the Hosts tab of the Scan Recipes list page, select Create. If you need help finding the list page or the recipe, see Listing Compute Scan Recipes.

      The Create scan recipe panel opens.

    2. Verify that the recipe type is Compute.
    3. Enter a name for the recipe.

      Avoid entering confidential information.

    4. Verify that you want to create the recipe in the selected compartment. Select another compartment if needed.
    5. Verify that you want to create the recipe in the selected compartment. Select another compartment if needed.
    6. Select the level of public IP port scanning for this recipe.
      • Standard: Check the 1,000 most common port numbers.
      • Light (default): Check the 100 most common port numbers.
      • None: Don't check for open ports.

      The Vulnerability Scanning service uses a network mapper that searches your public IP addresses . See Ports that are Scanned.

    7. Clear the Agent based scanning checkbox. Disabling agent based scanning means that you don't want to activate the Vulnerability Scanning agent plugin on the targets assigned to this recipe.

      The Vulnerability Scanning agent runs on the selected targets and checks the OS configuration of targets for vulnerabilities, such as missing patches.

      If you enable both agent based scanning and public IP port scanning, the agent also checks for open ports that aren't accessible from public IP addresses.

      Note

      If you disable both Public IP port scanning and Agent based scanning in this recipe, then the Vulnerability Scanning service doesn't scan any targets assigned to this recipe.
    8. In Schedule, select a schedule for public IP port scanning.

      The schedule controls how often the targets assigned to this recipe are scanned. Select Daily or one of the Weekly values.

      Note

      To configure the Qualys agent scanning schedule or any other Qualys agent configurations, go to the Qualys dashboard.

    9. (Optional) Select Show advanced options to assign tags to the recipe.

      If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

      To add a defined tag, you must have permissions to use the tag namespace.

      For more information about tagging, see Resource Tags. If you're not sure if you should add tags, skip this option or ask your administrator. You can add tags later.

    10. Save the recipe using one of the following methods.
      • Select Create scan recipe to create the recipe in the Vulnerability Scanning service.
      • Select Save as stack to manage the stack through the Resource Manager service. On the Save as stack window, complete the fields, and then select Save. For more information about stacks, see Managing Stacks.

    After creating a recipe, you can create scan targets and associate them with the recipe. See Creating a Compute Target.

  • Use the oci vulnerability-scanning host scan recipe create command and required parameters to create a new host scan recipe:

    oci vulnerability-scanning host scan recipe create --display-name <name> --compartment-id <compartment_ocid> --agent-settings '{"scanLevel": "<agent_scan_level>"}' --cis-benchmark-settings '{"scanLevel": "<CIS_scan_level>"}' --port-settings '{"scanLevel": "<port_scan_level>"}' --schedule '{"type":"<daily_or_weekly>"}'

    For example:

    oci vulnerability-scanning host scan recipe create --display-name MyRecipe --compartment-id ocid1.compartment.oc1..exampleuniqueID --agent-settings '{"scanLevel": "STANDARD"}' --cis-benchmark-settings '{"scanLevel": "MEDIUM"}' --port-settings '{"scanLevel": "STANDARD"}' --schedule '{"type":"DAILY"}'

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateHostScanRecipe operation to create a new host scan recipe.

    Note

    The HostEndpointProtectionSettings have no effect and are reserved for future use.

    For information about using the API and signing requests, see REST API documentation and Security Credentials.