Host Scans

Oracle Vulnerability Scanning Service scans your targets based on the schedule and scanning properties in the recipe assigned to each target. Use host scans to identify security vulnerabilities in your compute instances, such as open ports, missing critical OS patches, and failed benchmark tests.

At least one host target must exist before any host scans are created. See Managing Host Targets.

The Scanning service creates a separate report for each compute instance that you added to your target configurations. The report has the same name as the compute instance.

The Scanning service saves the results for a compute instance in the same compartment as the instance's Scanning target.

Consider the following example.

  • The compute instance MyInstance is in CompartmentA.
  • MyInstance is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyInstance are in CompartmentB.

The Scanning service categorizes problems by these risk levels.

  • Critical - the most serious problems detected, which should be your highest priority to resolve.
  • High - the next most serious problems.
  • Medium - problems that are a bit less serious.
  • Low - problems that are still less serious.
  • Minor - the least serious problems detected; they still need to be resolved eventually, but can be your lowest priority.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

See Scanning IAM Policies.

Viewing Host Scans

Use the Console to browse and search for host scans.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. (Optional) Click the table columns to sort the host scans by:
    • Type
    • Risk Level
    • Issues Found
    • Operating System
    • Scan Completed date

    All reports in the Scanning service are type Compute.

  4. To view the host scan's details, click its name.

A host scan includes metrics, open ports, vulnerabilities, and benchmarks for a specific compute instance.

Viewing Metrics for a Host Scan

Use the Console to view the metrics for a specific compute instance that was scanned.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. Click the name of the host scan.
  4. Click Metrics if not already selected.

    The Vulnerabilities panel shows the number of security vulnerabilities of each risk level that were detected during the most recent scan of this compute instance.

Viewing Open Ports in a Host Scan

Use the Console to view details about the open ports that were detected on a specific compute instance that was scanned.

Ports that are unintentionally left open might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. Click the name of the host scan.
  4. Click Open Ports.
    • The first panel shows the number of open ports that were detected on each Virtual Network Interface Card (VNIC) in this compute instance.

      A VNIC enables a compute instance to connect to a specific VCN. You can mouse over the name of a VNIC to view its details.

    • The second panel shows the specific port numbers that were detected in this compute instance.
  5. (Optional) Select one or more VNIC(s) to show only those ports that were detected on the selected VNICs.

Viewing Vulnerabilities in a Host Scan

Use the Console to view details about potential OS vulnerabilities that were detected on a specific compute instance.

Common Vulnerabilities and Exposures (CVE) numbers are used by Oracle to identify security vulnerabilities for operating systems and other software, including Critical Patch Updates and Security Alert advisories. CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. Click the name of the host scan.
  4. Click Vulnerabilities.

    The following details are shown for each issue that was detected in this compute instance:

    • Issue ID
    • Risk Level
    • Issue Title
    • Last Detected
    • First Detected
    • Hosts Impacted
  5. Click an Issue ID to view more details about a specific vulnerability.

Because Oracle Linux and other enterprise Linux distributions backport security fixes to the package version that is included in a given major release, the Scanning service can incorrectly report vulnerabilities on OS packages that have already been fixed. Additionally, the Scanning service can incorrectly report Oracle Linux vulnerabilities that have been fixed by Ksplice. See Troubleshooting the Scanning Service.

You can use vulnerabilities reports to browse all vulnerabilities that the Scanning service detected.

Viewing CIS Benchmarks in a Host Scan

Use the Console to view the results of CIS benchmark testing on a specific compute instance.

The Center for Internet Security (CIS) publishes best practices for devices and operating systems, which result from the collaboration of cybersecurity professionals and subject matter experts. The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. Click the name of the host scan.
  4. Click CIS Benchmarks.

    The following details are shown for each CIS benchmark that the Scanning service tested on this compute instance:

    • Benchmark ID
    • Result - pass or fail
    • Summary
  5. You can learn more about a specific benchmark by downloading the document for Distribution Independent Linux.

Exporting a Host Scan

Use the Console to export all host scans as a file in comma-separated value (CSV) format for offline analysis.

Example output:

resultId,instanceId,compartmentId,highestProblemSeverity,operatingSystem,startDate,endDate,problemCount
ocid1.vsshostscanresult.example123,ocid1.instance.example123,ocid1.compartment.example123,MEDIUM,linux,2020-12-21T17:44:58Z,2020-12-21T17:44:59Z,2

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Host Scans.
  2. Select the Compartment in which you created the target.
  3. Click Export.
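The exported CSV is the natural input for offline triage. The following script is an added example, not Oracle's code: it parses an export with the columns shown above, orders results by the service's five risk levels (Critical first, Minor last), filters to a severity cutoff, and flags instances whose latest scan completed too long ago (a sign the recipe schedule is not running against them). The first data row is the one shown in this document; the remaining rows, the risk-level constants, and the helper names are constructed for the example.

```python
"""Parse a Vulnerability Scanning host-scan CSV export and rank results for triage.

Added example, not Oracle's code. It assumes the CSV columns shown in the
Console export (resultId, instanceId, compartmentId, highestProblemSeverity,
operatingSystem, startDate, endDate, problemCount) and the five risk levels
the service uses; all rows except the first are constructed sample data.
"""
import csv
import io
from datetime import datetime, timezone

# Risk levels in the order the Scanning service ranks them (Critical first).
RISK_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "MINOR"]
RISK_RANK = {level: i for i, level in enumerate(RISK_ORDER)}

# Constructed sample export: the first data row is the one shown in the docs,
# the others are made up to exercise sorting, filtering and staleness checks.
SAMPLE_CSV = """resultId,instanceId,compartmentId,highestProblemSeverity,operatingSystem,startDate,endDate,problemCount
ocid1.vsshostscanresult.example123,ocid1.instance.example123,ocid1.compartment.example123,MEDIUM,linux,2020-12-21T17:44:58Z,2020-12-21T17:44:59Z,2
ocid1.vsshostscanresult.example456,ocid1.instance.example456,ocid1.compartment.example123,CRITICAL,linux,2020-12-22T09:10:00Z,2020-12-22T09:10:07Z,14
ocid1.vsshostscanresult.example789,ocid1.instance.example789,ocid1.compartment.example123,LOW,windows,2020-12-22T09:12:00Z,2020-12-22T09:12:05Z,1
ocid1.vsshostscanresult.example321,ocid1.instance.example321,ocid1.compartment.example123,HIGH,linux,2020-12-22T09:15:00Z,2020-12-22T09:15:03Z,6
"""


def parse_export(text):
    """Return one dict per scan result with typed fields.
    An unknown severity is rejected rather than silently ranked last."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["highestProblemSeverity"].upper()
        if sev not in RISK_RANK:
            raise ValueError(f"unknown severity {sev!r} in {row['resultId']}")
        end = datetime.strptime(row["endDate"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "resultId": row["resultId"],
            "instanceId": row["instanceId"],
            "compartmentId": row["compartmentId"],
            "severity": sev,
            "os": row["operatingSystem"],
            "endDate": end.replace(tzinfo=timezone.utc),
            "problemCount": int(row["problemCount"]),
        })
    return rows


def triage_order(rows):
    """Sort scans by risk level (Critical first), then by issue count, highest first."""
    return sorted(rows, key=lambda r: (RISK_RANK[r["severity"]], -r["problemCount"]))


def at_or_above(rows, level):
    """Scans whose highest severity is `level` or worse; input order is preserved."""
    cutoff = RISK_RANK[level.upper()]
    return [r for r in rows if RISK_RANK[r["severity"]] <= cutoff]


def stale_scans(rows, now, max_age_days):
    """Scans whose most recent completion is older than max_age_days.
    A stale report suggests the recipe schedule is not reaching that instance."""
    return [r for r in rows if (now - r["endDate"]).days > max_age_days]


def summarize(rows):
    """Count scans per highest severity, keyed in risk order."""
    counts = {level: 0 for level in RISK_ORDER}
    for r in rows:
        counts[r["severity"]] += 1
    return counts


if __name__ == "__main__":
    scans = parse_export(SAMPLE_CSV)
    for r in triage_order(scans):
        print(f"{r['severity']:<8} {r['problemCount']:>3} issues  {r['instanceId']}")
    print(summarize(scans))
    now = datetime(2021, 2, 1, tzinfo=timezone.utc)
    for r in stale_scans(scans, now, max_age_days=40):
        print("stale:", r["instanceId"], r["endDate"].isoformat())
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the staleness threshold should match the scan schedule in your recipe, since anything older than one scheduled interval deserves a look.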

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

To list all host scans (agent scans, port scans, and CIS benchmark scans) in a compartment:

oci vulnerability-scanning host scan result agent list --compartment-id <compartment_ocid>
oci vulnerability-scanning host scan result port list --compartment-id <compartment_ocid>
oci vulnerability-scanning host scan result cis-benchmark list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning host scan result agent list --compartment-id ocid1.compartment.oc1..exampleuniqueID
oci vulnerability-scanning host scan result port list --compartment-id ocid1.compartment.oc1..exampleuniqueID
oci vulnerability-scanning host scan result cis-benchmark list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific host agent scan:

oci vulnerability-scanning host scan result agent get --host-agent-scan-result-id <agent_scan_ocid>

For example:

oci vulnerability-scanning host scan result agent get --host-agent-scan-result-id ocid1.vsshostscanresult.oc1..exampleuniqueID

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials.

For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to view host scans, port scans, and CIS benchmark scans:

Note

The HostEndpointProtectionScanResult APIs have no effect and are reserved for future use.