Managing Host Scan Recipes

Use Oracle Vulnerability Scanning Service to create and manage recipes that scan target compute instances, or hosts, for potential security vulnerabilities.

A recipe determines which types of security issues that you want scanned:

  • Port scanning: check for open ports using a network mapper that searches your public IP addresses
  • Agent-based scanning:
    • Check for open ports that are not accessible from public IP addresses
    • Check for OS vulnerabilities like missing patches
    • Check for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)

The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

A recipe also defines a schedule, or how often scanning is performed.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

See Scanning IAM Policies.

Required IAM Policy for Host Scanning

If you enable agent-based scanning in your recipe, then you must give the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.

To grant this permission for all compute instances in the entire tenancy:

allow service vulnerability-scanning-service to manage instances in tenancy
allow service vulnerability-scanning-service to read compartments in tenancy
allow service vulnerability-scanning-service to read vnics in tenancy
allow service vulnerability-scanning-service to read vnic-attachments in tenancy

To grant this permission for all compute instances in a specific compartment:

allow service vulnerability-scanning-service to manage instances in compartment <compartment_name>
allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
allow service vulnerability-scanning-service to read vnics in compartment <compartment_name>
allow service vulnerability-scanning-service to read vnic-attachments in compartment <compartment_name>

See Policy Details for the Core Services.

Creating a Host Scan Recipe

Use the Console to create a host scan recipe.

Note

Vulnerability Scanning is a new service and to use it you must submit a request to increase your Vulnerability Scanning limits. See Requesting a Service Limit Increase.
  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment in which you want to create the recipe.

    The targets that you assign to this recipe can be in a different compartment than the recipe.

  3. Click Create.

    All recipes in the Scanning service are the Compute configuration type.

  4. Enter a Name for the recipe.

    Avoid entering confidential information.

  5. Select the level of Port Scanning for this recipe.
    • Standard - Check the 1000 most common port numbers.
    • Light (default) - Check the 100 most common port numbers.
    • None - Do not check for open ports.

    The Scanning service uses a network mapper that searches your public IP addresses.

  6. (Optional) Disable Agent Based Scanning if you don't want to activate the Vulnerability Scanning agent plugin on the targets assigned to this recipe.

    The Vulnerability Scanning agent runs on the selected targets and checks the OS configuration of targets for vulnerabilities, such as missing patches.

    If you enable both Agent Based Scanning and Port Scanning, then the agent also checks for open ports that are not accessible from public IP addresses.

    Note

    If you disable both Port Scanning and Agent Based Scanning in this recipe, then the Scanning service doesn't scan any targets assigned to this recipe.
  7. (Optional) If Agent Based Scanning is enabled, then configure more agent parameters.
    1. Disable CIS Benchmark Scanning if you don't want the agent to check targets for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS).
    2. If CIS Benchmark Scanning is enabled, then select the CIS Benchmark Profile for this recipe.
      • Strict - If more than 20% of the CIS benchmarks fail, then the target is assigned a risk level of Critical.
      • Medium (default) - If more than 40% of the CIS benchmarks fail, then the target is assigned a risk level of High.
      • Lightweight - If more than 80% of the CIS benchmarks fail, then the target is assigned a risk level of High.
  8. Configure the Schedule for the recipe.

    The schedule controls how frequently the targets assigned to this recipe are scanned.

    Choose from Daily or Weekly.

  9. (Optional) Assign tags to the recipe.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

  10. Click Create.

After creating a recipe, you can create scan targets and associate them with the recipe. See Managing Host Targets.

Updating a Host Scan Recipe

Use the Console to update an existing host scan recipe.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the name of the recipe.
  4. Click Edit.
  5. Modify any of these settings for your recipe.
    • Name (Avoid entering confidential information)
    • Port Scanning
    • Agent Based Scanning
    • CIS Benchmark Scanning
    • CIS Benchmark Profile
    • Schedule

    The Vulnerability Scanning agent checks the OS configuration of targets for vulnerabilities, such as missing patches. The agent can also check targets for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS).

    The schedule controls how frequently the targets assigned to this recipe are scanned.

  6. Click Save Changes.
  7. (Optional) Click Tags if you want to manage the tags for this recipe.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

Moving a Scan Recipe to a Different Compartment

Use the Console to move a scan recipe from one compartment to another.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the name of the recipe.
  4. Click Move Resource.
  5. Choose the destination compartment.
  6. Click Move Resource.

After you move the recipe to the new compartment, inherent policies apply immediately and affect access to the recipe through the Console. For more information, see Managing Compartments.

Deleting a Scan Recipe

Use the Console to delete a scan recipe.

To delete a scan recipe, it must not be associated with any scan targets. See Deleting a Target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the name of the recipe.
  4. Click Delete.
  5. When prompted for confirmation, click Delete.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

To list all host scan recipes in a compartment:

oci vulnerability-scanning host scan recipe list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning host scan recipe list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific host scan recipe:

oci vulnerability-scanning host scan recipe get --host-scan-recipe-id <recipe_ocid>

For example:

oci vulnerability-scanning host scan recipe get --host-scan-recipe-id ocid1.vsshostscanrecipe.oc1..exampleuniqueID

To create a host scan recipe:

oci vulnerability-scanning host scan recipe create --display-name <name> --compartment-id <compartment_ocid> --agent-settings '{"scanLevel": "<agent_scan_level>"}' --cis-benchmark-settings '{"scanLevel": "<CIS_scan_level>"}' --port-settings '{"scanLevel": "<port_scan_level>"}' --schedule '{"type":"<daily_or_weekly>"}'

For example:

oci vulnerability-scanning host scan recipe create --display-name MyRecipe --compartment-id ocid1.compartment.oc1..exampleuniqueID --agent-settings '{"scanLevel": "STANDARD"}' --cis-benchmark-settings '{"scanLevel": "MEDIUM"}' --port-settings '{"scanLevel": "STANDARD"}' --schedule '{"type":"DAILY"}'
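As an added example (not Oracle's own code or CLI output), a bash wrapper around the create command above that checks the scan levels against the values documented on this page, rejects the combinations the Console warns about (port and agent scanning both off; CIS checks without the agent), and only then invokes the CLI. The agent value NONE (agent-based scanning disabled) and CIS value NONE (CIS scanning disabled) are assumptions, since the page shows only STANDARD and MEDIUM; OCI_CMD is a hypothetical override for dry runs.

```bash
#!/usr/bin/env bash
# Added example, not Oracle's code: validate host scan recipe settings against
# the values documented on this page before calling the OCI CLI.
# Assumptions: agent scanLevel NONE (agent-based scanning disabled) and CIS
# scanLevel NONE (CIS scanning disabled); the page itself shows only STANDARD
# and MEDIUM. OCI_CMD is a hypothetical override so the wrapper can be dry-run.

# in_set VALUE "A B C": succeeds when VALUE is one of the listed words.
in_set() {
  local allowed
  for allowed in $2; do
    [ "$1" = "$allowed" ] && return 0
  done
  return 1
}

# create_host_scan_recipe NAME COMPARTMENT_OCID PORT AGENT CIS SCHEDULE
# PORT: STANDARD|LIGHT|NONE   AGENT: STANDARD|NONE
# CIS: STRICT|MEDIUM|LIGHTWEIGHT|NONE   SCHEDULE: DAILY|WEEKLY
create_host_scan_recipe() {
  local name="$1" compartment="$2" port="$3" agent="$4" cis="$5" schedule="$6"
  in_set "$port" "STANDARD LIGHT NONE" \
    || { echo "invalid port scan level: $port" >&2; return 1; }
  in_set "$agent" "STANDARD NONE" \
    || { echo "invalid agent scan level: $agent" >&2; return 1; }
  in_set "$cis" "STRICT MEDIUM LIGHTWEIGHT NONE" \
    || { echo "invalid CIS benchmark level: $cis" >&2; return 1; }
  in_set "$schedule" "DAILY WEEKLY" \
    || { echo "invalid schedule type: $schedule" >&2; return 1; }
  # Per the docs, a recipe with both port and agent scanning off scans nothing.
  if [ "$port" = NONE ] && [ "$agent" = NONE ]; then
    echo "refusing: port and agent scanning are both NONE" >&2; return 1
  fi
  # CIS benchmark checks are performed by the agent, so they need it enabled.
  if [ "$agent" = NONE ] && [ "$cis" != NONE ]; then
    echo "refusing: CIS benchmark scanning needs agent-based scanning" >&2; return 1
  fi
  "${OCI_CMD:-oci}" vulnerability-scanning host scan recipe create \
    --display-name "$name" --compartment-id "$compartment" \
    --agent-settings "{\"scanLevel\": \"$agent\"}" \
    --cis-benchmark-settings "{\"scanLevel\": \"$cis\"}" \
    --port-settings "{\"scanLevel\": \"$port\"}" \
    --schedule "{\"type\": \"$schedule\"}"
}

# Dry run (prints the command instead of running it):
# OCI_CMD=echo create_host_scan_recipe MyRecipe \
#   ocid1.compartment.oc1..exampleuniqueID STANDARD STANDARD MEDIUM DAILY
```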