Compute Scan Recipes

Use Oracle Cloud Infrastructure Vulnerability Scanning Service to create and manage recipes that scan target compute instances (hosts) for potential security vulnerabilities.

A recipe determines which types of security issues you want scanned:

  • Port scanning: check for open ports using a network mapper that scans your public IP addresses
  • Agent-based scanning:
    • Check for open ports on all attached VNICs, including VNICs for both public and private IP addresses
    • Check for OS vulnerabilities like missing patches
    • Check for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)
    • Check for vulnerabilities in third-party application files

For CIS benchmarks, the Scanning service checks hosts for compliance with section 5 (Access, Authentication, and Authorization) of the CIS benchmark for Distribution Independent Linux.

A host scan recipe also defines a schedule, or how often scanning is performed.

Required IAM Policy for Compute Scanning

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

If you enable agent-based scanning in your recipe, then you must give the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.

The Scanning service must also be able to read the VNICs (virtual network interface cards) attached to your target compute instances, because agent-based scanning checks ports on every attached VNIC.

For example, to grant this permission for all compute instances in the entire tenancy:

Allow service vulnerability-scanning-service to manage instances in tenancy
Allow service vulnerability-scanning-service to read compartments in tenancy
Allow service vulnerability-scanning-service to read vnics in tenancy
Allow service vulnerability-scanning-service to read vnic-attachments in tenancy

To grant this permission for all instances in a specific compartment:

Allow service vulnerability-scanning-service to manage instances in compartment <compartment_name>
Allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnics in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnic-attachments in compartment <compartment_name>

A VNIC might be in a different compartment from your compute instance. Either grant the VNIC permissions for the entire tenancy, or grant them both for the compartments of the compute instances and for the specific compartment that the VNIC is in:

Allow service vulnerability-scanning-service to read vnics in compartment <vnic_compartment_name>
Allow service vulnerability-scanning-service to read vnic-attachments in compartment <vnic_compartment_name>
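The statements above are easy to over-scope by falling back to the tenancy-wide form. The following Python helper, added here as an example and not part of Oracle's documentation or tooling, generates the statements for a given layout: the four grants per compartment that holds target instances, and only the two read grants for any additional compartment that holds their VNICs. The compartment names are constructed for illustration; the verb/resource pairs are exactly those listed above.

```python
"""Generate the IAM policy statements the Scanning service needs for
agent-based scanning, scoped as narrowly as the compartment layout allows.
Added example; not Oracle's code."""

SERVICE = "vulnerability-scanning-service"

# (verb, resource-type) pairs from the Required IAM Policy section:
# everything for compartments that hold target instances, read-only VNIC
# access for compartments that only hold the instances' VNICs.
INSTANCE_GRANTS = (("manage", "instances"), ("read", "compartments"),
                   ("read", "vnics"), ("read", "vnic-attachments"))
VNIC_GRANTS = (("read", "vnics"), ("read", "vnic-attachments"))


def _stmt(verb, resource, scope):
    return f"Allow service {SERVICE} to {verb} {resource} in {scope}"


def scanning_policy(instance_compartments=None, vnic_compartments=()):
    """Return the policy statements as a list of strings.

    instance_compartments=None selects the tenancy-wide form.  Otherwise each
    named compartment gets the full set of grants, and each compartment in
    vnic_compartments that is not already an instance compartment gets only
    the two read grants (the cross-compartment VNIC case described above).
    """
    if instance_compartments is None:
        return [_stmt(v, r, "tenancy") for v, r in INSTANCE_GRANTS]

    statements = []
    seen = set()
    for name in instance_compartments:
        if name in seen:
            continue
        seen.add(name)
        statements += [_stmt(v, r, f"compartment {name}") for v, r in INSTANCE_GRANTS]
    for name in vnic_compartments:
        if name in seen:          # already covered by the instance grants
            continue
        seen.add(name)
        statements += [_stmt(v, r, f"compartment {name}") for v, r in VNIC_GRANTS]
    return statements


if __name__ == "__main__":
    # Constructed layout: instances in SalesApps, their VNICs in a shared
    # network compartment called SharedNet.
    print("\n".join(scanning_policy(["SalesApps"], ["SharedNet"])))
```

Paste the printed statements into a policy in the compartment (or tenancy) where the Scanning service resources live; if `oci vulnerability-scanning` later reports permission errors for an instance, the first thing to check is whether that instance's VNIC compartment is missing from the second list.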

For more information and examples, see:

Creating a Compute Scan Recipe

Use the Console to create a compute (host) scan recipe.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Open the Create scan recipe dialog.
    • If no scan recipes exist, the Welcome page is displayed, which includes an introduction to the service.

      Click Create scan recipe, and then select the Compartment in which you want to create the recipe.

    • If scan recipes exist, select the Compartment in which you want to create the recipe, click the Hosts tab, and then click Create.
  3. Verify that the recipe Type is Compute.
  4. Enter a Name for the recipe.

    Avoid entering confidential information.

  5. Select the level of Public IP port scanning for this recipe.
    • Standard - Check the 1000 most common port numbers.
    • Light (default) - Check the 100 most common port numbers.
    • None - Do not check for open ports.

    The Scanning service uses a network mapper that scans your public IP addresses. See Ports that are Scanned.

  6. (Optional) Disable Agent based scanning if you don't want to activate the Vulnerability Scanning agent plugin on the targets assigned to this recipe.

    The Vulnerability Scanning agent runs on the selected targets and checks the OS configuration of targets for vulnerabilities, such as missing patches.

    If you enable both Agent based scanning and Public IP port scanning, then the agent also checks for open ports on the attached VNICs that are not reachable from public IP addresses, such as ports listening on private IP addresses.

    Note

    If you disable both Public IP port scanning and Agent based scanning in this recipe, then the Scanning service doesn't scan any targets assigned to this recipe.
  7. (Optional) If Agent based scanning is enabled, then configure CIS benchmark scanning.
    1. Disable CIS benchmark scanning if you don't want the agent to check targets for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS).
    2. If CIS benchmark scanning is enabled, then select the CIS benchmark profile for this recipe.
      • Strict - If more than 20% of the CIS benchmark checks fail, then the target is assigned a risk level of Critical.
      • Medium (default) - If more than 40% of the CIS benchmark checks fail, then the target is assigned a risk level of High.
      • Lightweight - If more than 80% of the CIS benchmark checks fail, then the target is assigned a risk level of High.
  8. (Optional) If Agent based scanning is enabled, then scan specific folders for vulnerabilities in third-party applications.
    Note

    Currently, the Scanning service checks for vulnerabilities only in log4j and spring4shell.
    1. Select Enable file scans.
    2. For Linux folders to scan, specify at least one folder to scan on target Linux hosts.

      Separate multiple folders using semicolons.

    3. For Windows folders to scan, specify folders to scan on target Windows hosts.
      Note

      Reserved for future use by Oracle. File scans are currently not available for the Windows operating system.

      Separate multiple folders using semicolons.

    4. Configure a File scan schedule.

      This schedule controls how frequently the files on the targets assigned to this recipe are scanned.

      Choose from Bi-weekly or Monthly.

  9. Configure the Schedule for the recipe.

    The schedule controls how frequently the targets assigned to this recipe are scanned.

    Choose from Daily or Weekly.

  10. (Optional) Assign tags to the recipe. Click Show Advanced Options.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

  11. Click Create.

After creating a recipe, you can create scan targets and associate them with the recipe. See Creating a Compute Target.

Updating a Compute Scan Recipe

Use the Console to update an existing compute (host) scan recipe.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the Hosts tab if not already selected.
  4. Click the name of the recipe.
  5. Click Edit.
  6. Modify any of these settings for your recipe.
    • Name (Avoid entering confidential information)
    • Public IP port scanning
    • Agent based scanning
    • CIS benchmark scanning
    • CIS benchmark profile
    • Enable file scans
    • Linux folders to scan

      Separate multiple folders using semicolons.

    • Windows folders to scan
      Note

      Reserved for future use by Oracle. File scans are currently not available for the Windows operating system.
    • File scan schedule
    • Schedule

    The Vulnerability Scanning agent checks the OS configuration of targets for vulnerabilities, such as missing patches. The agent can also check targets for:

    • Compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)
    • Vulnerabilities in third-party applications within specific folders

    The schedule controls how frequently the targets assigned to this recipe are scanned.

  7. Click Save changes.
  8. (Optional) Click Tags if you want to manage the tags for this recipe.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

Moving a Scan Recipe to a Different Compartment

Use the Console to move a scan recipe from one compartment to another.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the tab for the type of recipe you want to move.
    • Hosts (compute)
    • Container image
  4. Click the name of the recipe.
  5. Click Move Resource.
  6. Choose the destination compartment.
  7. Click Move Resource.

After you move the recipe to the new compartment, the policies that apply to the destination compartment take effect immediately and determine who can access the recipe through the Console. For more information, see Managing Compartments.

Deleting a Scan Recipe

Use the Console to delete a scan recipe.

To delete a scan recipe, it must not be associated with any scan targets. See Deleting a Target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan Recipes.
  2. Select the Compartment that contains your recipe.
  3. Click the tab for the type of recipe you want to delete.
    • Hosts (compute)
    • Container image
  4. Click the name of the recipe.
  5. Click Delete.
  6. When prompted for confirmation, click Delete.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Command Reference.

To list all compute (host) scan recipes in a compartment:

oci vulnerability-scanning host scan recipe list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning host scan recipe list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific compute scan recipe:

oci vulnerability-scanning host scan recipe get --host-scan-recipe-id <recipe_ocid>

For example:

oci vulnerability-scanning host scan recipe get --host-scan-recipe-id ocid1.vsshostscanrecipe.oc1..exampleuniqueID

To create a compute scan recipe:

oci vulnerability-scanning host scan recipe create --display-name <name> --compartment-id <compartment_ocid> --agent-settings '{"scanLevel": "<agent_scan_level>"}' --cis-benchmark-settings '{"scanLevel": "<CIS_scan_level>"}' --port-settings '{"scanLevel": "<port_scan_level>"}' --schedule '{"type":"<daily_or_weekly>"}'

For example:

oci vulnerability-scanning host scan recipe create --display-name MyRecipe --compartment-id ocid1.compartment.oc1..exampleuniqueID --agent-settings '{"scanLevel": "STANDARD"}' --cis-benchmark-settings '{"scanLevel": "MEDIUM"}' --port-settings '{"scanLevel": "STANDARD"}' --schedule '{"type":"DAILY"}'
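The create command takes four JSON fragments, and the Console note above points out the one combination that silently does nothing: Public IP port scanning and Agent based scanning both disabled. The Python helper below is an added example, not Oracle's code or part of the OCI CLI: it validates the settings, emits a shell-quoted create command identical in shape to the example above, and audits a settings set for weak choices. The enum values STANDARD/LIGHT/NONE, STRICT/MEDIUM/LIGHTWEIGHT and DAILY/WEEKLY are those the page uses; representing agent scanning as STANDARD/NONE and CIS scanning off as NONE is an assumption, and the helper does not parse real `get` output.

```python
"""Build, quote and sanity-check the settings JSON for
`oci vulnerability-scanning host scan recipe create`, and audit a recipe's
settings for weak choices.  Added example; not Oracle's code."""
import json
import shlex

# Enum values as used on this page.  Treating the agent level as an on/off
# pair spelled STANDARD/NONE, and CIS off as NONE, is an assumption.
PORT_LEVELS = ("STANDARD", "LIGHT", "NONE")
AGENT_LEVELS = ("STANDARD", "NONE")
CIS_LEVELS = ("STRICT", "MEDIUM", "LIGHTWEIGHT", "NONE")
SCHEDULE_TYPES = ("DAILY", "WEEKLY")


def build_recipe_settings(port_level="LIGHT", agent_level="STANDARD",
                          cis_level="MEDIUM", schedule_type="DAILY"):
    """Return the dicts for the three --*-settings flags and --schedule.

    Raises ValueError for a value outside the enums, for a recipe that would
    scan nothing (port NONE and agent NONE), and for CIS benchmark scanning
    requested without the agent that performs it.
    """
    checks = (("port", port_level, PORT_LEVELS),
              ("agent", agent_level, AGENT_LEVELS),
              ("cis", cis_level, CIS_LEVELS),
              ("schedule", schedule_type, SCHEDULE_TYPES))
    for name, value, allowed in checks:
        if value not in allowed:
            raise ValueError(f"{name}: {value!r} is not one of {allowed}")
    if port_level == "NONE" and agent_level == "NONE":
        raise ValueError("port scanning and agent scanning are both NONE: "
                         "targets assigned to this recipe would never be scanned")
    if agent_level == "NONE" and cis_level != "NONE":
        raise ValueError("CIS benchmark scanning needs agent-based scanning")
    return {
        "agent-settings": {"scanLevel": agent_level},
        "cis-benchmark-settings": {"scanLevel": cis_level},
        "port-settings": {"scanLevel": port_level},
        "schedule": {"type": schedule_type},
    }


def create_command(display_name, compartment_ocid, **settings):
    """Return the shell-quoted create command line for the given settings."""
    parts = ["oci", "vulnerability-scanning", "host", "scan", "recipe", "create",
             "--display-name", display_name, "--compartment-id", compartment_ocid]
    for flag, value in build_recipe_settings(**settings).items():
        parts += [f"--{flag}", json.dumps(value)]
    # shlex.quote single-quotes the JSON, which is what the CLI examples use.
    return " ".join(shlex.quote(p) for p in parts)


def audit_recipe(settings):
    """Return findings for a settings dict in the shape build_recipe_settings returns."""
    port = settings["port-settings"]["scanLevel"]
    agent = settings["agent-settings"]["scanLevel"]
    cis = settings["cis-benchmark-settings"]["scanLevel"]
    findings = []
    if port == "NONE" and agent == "NONE":
        findings.append("recipe scans nothing: port and agent scanning are both NONE")
    if port == "LIGHT":
        findings.append("port scanning LIGHT checks only the 100 most common ports")
    if agent == "NONE":
        findings.append("agent scanning NONE: no OS patch, CIS or file checks")
    elif cis == "LIGHTWEIGHT":
        findings.append("CIS profile LIGHTWEIGHT raises High only above 80% failed checks")
    if settings["schedule"]["type"] == "WEEKLY":
        findings.append("WEEKLY schedule: a new missing patch can go unreported for a week")
    return findings


if __name__ == "__main__":
    # Constructed compartment OCID, same placeholder as the page's examples.
    print(create_command("MyRecipe", "ocid1.compartment.oc1..exampleuniqueID",
                         port_level="STANDARD", cis_level="STRICT"))
    for finding in audit_recipe(build_recipe_settings()):
        print("finding:", finding)
```

Run it to print a ready-to-paste create command; the audit on the defaults reports only the LIGHT port scan, which is the Console default and usually the first thing to raise to STANDARD for internet-facing hosts.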