Managing Host Targets

Use Oracle Vulnerability Scanning Service to create and manage host targets and to assign them to scan recipes. A host target is a collection of compute instances that you want routinely scanned for security vulnerabilities.

Note

The Scanning service detects vulnerabilities in the following platforms:
  • Oracle Linux
  • CentOS
  • Ubuntu
  • Windows (no CIS benchmarks)

You have two options when selecting the compute instances for a host target.

  • Scan one or more specific compute instances within a compartment.
  • Scan all compute instances within a compartment and its subcompartments.

If you create a target for the root compartment, then all compute instances in the entire tenancy are scanned.

The Scanning service saves the results for a compute instance in the same compartment as the instance's Scanning target.

Consider the following example.

  • The compute instance MyInstance is in CompartmentA.
  • MyInstance is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyInstance are in CompartmentB.

Cloud Guard targets are separate resources from Scanning targets. To use Cloud Guard to detect problems in Scanning reports, the Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you are supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

See Scanning IAM Policies.

Required IAM Policy for Host Scanning

If you enable agent-based scanning in your recipe, then you must give the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.

To grant this permission for all compute instances in the entire tenancy:

allow service vulnerability-scanning-service to manage instances in tenancy
allow service vulnerability-scanning-service to read compartments in tenancy
allow service vulnerability-scanning-service to read vnics in tenancy
allow service vulnerability-scanning-service to read vnic-attachments in tenancy

To grant this permission for all compute instances in a specific compartment:

allow service vulnerability-scanning-service to manage instances in compartment <compartment_name>
allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
allow service vulnerability-scanning-service to read vnics in compartment <compartment_name>
allow service vulnerability-scanning-service to read vnic-attachments in compartment <compartment_name>

See Policy Details for the Core Services.
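Before creating a target, it is worth confirming that the grants above actually cover the compartment the target instances live in, rather than discovering the gap when agent deployment fails. The following Python is an added example, not part of Oracle's documentation or tooling: it parses service-principal statements in the form shown above, applies the OCI IAM verb hierarchy (manage includes use, read and inspect) and the rule that a compartment-scoped policy also covers that compartment's subcompartments, and reports which of the four required grants are missing for a given compartment path. The sample policy and the compartment names SalesApps, SalesApps-Web and Finance are constructed for illustration.

```python
import re

# OCI IAM verb hierarchy: each verb includes every verb below it,
# so "manage instances" also satisfies a "read instances" requirement.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The grants the page lists for agent-based host scanning.
REQUIRED_GRANTS = (
    ("manage", "instances"),
    ("read", "compartments"),
    ("read", "vnics"),
    ("read", "vnic-attachments"),
)

SCANNING_SERVICE = "vulnerability-scanning-service"

# Matches "allow service <svc> to <verb> <resource> in tenancy|compartment <name>".
# Only the service-principal form used on this page is handled; group and
# dynamic-group statements simply do not match and are skipped.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+service\s+(?P<svc>[\w-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<res>[\w-]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>[\w.:-]+))\s*$",
    re.IGNORECASE,
)


def parse_service_statement(statement):
    """Return (service, verb, resource, scope) or None when the line is not a
    service-principal statement. scope is 'tenancy' or the compartment name."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return None
    scope = "tenancy" if m.group("tenancy") else m.group("comp")
    return (m.group("svc").lower(), m.group("verb").lower(),
            m.group("res").lower(), scope)


def scope_covers(scope, compartment_path):
    """A tenancy-wide grant covers everything; a compartment grant covers that
    compartment and its subcompartments, so any ancestor on the path qualifies.
    compartment_path lists names from the top-level compartment down to the
    compartment holding the instances; names are compared exactly."""
    return scope == "tenancy" or scope in compartment_path


def missing_scanning_grants(statements, compartment_path, service=SCANNING_SERVICE):
    """Return the (verb, resource) pairs from REQUIRED_GRANTS that no statement
    satisfies for the given compartment path. An empty list means IAM will not
    block the Scanning service from deploying the agent there."""
    granted = {}
    for line in statements:
        parsed = parse_service_statement(line)
        if parsed is None:
            continue
        svc, verb, res, scope = parsed
        if svc != service or not scope_covers(scope, compartment_path):
            continue
        granted[res] = max(granted.get(res, -1), VERB_RANK[verb])
    return [
        (verb, res)
        for verb, res in REQUIRED_GRANTS
        if granted.get(res, -1) < VERB_RANK[verb]
    ]


# Constructed sample policy: the compartment-scoped grants from the page plus
# an unrelated group statement that the parser must ignore.
SAMPLE_POLICY = [
    "Allow group SecurityAdmins to manage vss-family in compartment SalesApps",
    "allow service vulnerability-scanning-service to manage instances in compartment SalesApps",
    "allow service vulnerability-scanning-service to read compartments in compartment SalesApps",
    "allow service vulnerability-scanning-service to read vnics in compartment SalesApps",
    "allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesApps",
]

if __name__ == "__main__":
    # Instances in SalesApps or one of its subcompartments are covered.
    print(missing_scanning_grants(SAMPLE_POLICY, ["SalesApps", "SalesApps-Web"]))
    # Instances in a sibling compartment are not.
    print(missing_scanning_grants(SAMPLE_POLICY, ["Finance"]))
```

Feed it the statements of the policies in your tenancy (for example the statements field of each policy returned by oci iam policy list) and the compartment path of the instances you intend to put in the target; a non-empty result is the list of statements still to add.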

Creating a Host Target

Use the Console to create a host scan target.

Note

Vulnerability Scanning is a new service and to use it you must submit a request to increase your Vulnerability Scanning limits. See Requesting a Service Limit Increase.

At least one host scan recipe must be in your tenancy before creating a target. See Managing Host Scan Recipes.

If your host scan recipe is configured for Agent Based Scanning, you must give the Scanning service permission to deploy the agent before creating a target. See Required IAM Policy for Host Scanning.

A compute instance is associated with a VCN and a subnet. If a compute instance in your target is on a private subnet (no public IP addresses), the VCN must include a service gateway and a route rule that sends traffic to the service gateway, so that the instance can reach Oracle services without a public IP. See Access to Oracle Services: Service Gateway.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment in which you want to create the target.
    Note

    The compute instances that you assign to this target can be in a different compartment than the target.
  3. Click Create.

    All targets in the Scanning service are the Compute configuration type.

  4. Enter a Name and Description for the target.

    Avoid entering confidential information.

  5. Select a Scan Recipe for the target.
  6. Select the Target Compartment that contains the compute instances you want to scan.
  7. Choose compute instances for this target.
    • All compute instances in the selected target compartment and its subcompartments
    • Specific compute instances in the selected target compartment - Select individual compute instances.

    You can't create a target with a compartment or a compute instance that is already specified in another target. However, multiple targets can scan the same compute instance.

    Note

    Cloud Guard targets are separate resources from Scanning targets. To use Cloud Guard to detect problems in Scanning reports, the Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

  8. (Optional) Assign tags to the target.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

  9. Click Create.

After creating a target, the Scanning service checks your compute instances for security vulnerabilities and open ports based on the parameters and schedule that is configured in the recipe. You can view the results of these scans in the host scan reports, which are saved in the target's compartment.

You can also use Cloud Guard to view the results of your scans. See Scanning with Cloud Guard.

Updating a Host Target

Use the Console to update an existing host scan target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the name of the target.
  4. Click Edit.
  5. Modify any of these settings for your target.
    • Name
    • Description
    • Scan Recipe
    • Target Compartment

    Avoid entering confidential information.

  6. Update the compute instances for this target.
    • All compute instances in the selected target compartment and its subcompartments
    • Specific compute instances in the selected target compartment - Select individual compute instances

    You can't update a target with a compartment or a compute instance that is already specified in another target. However, multiple targets can scan the same compute instance.

  7. Click Save Changes.
  8. (Optional) Click Tags if you want to manage the tags for this target.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you are not sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

Viewing the Compute Instances for a Host Target

Use the Console to view the compute instances associated with an existing host scan target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the name of the target.

    The Compute Instances table displays.

  4. Click the name of a specific compute instance to view its details.

Moving a Target to a Different Compartment

Use the Console to move a scan target from one compartment to another.

Moving a target does not also move the compute instances in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the name of the target.
  4. Click Move Resource.
  5. Choose the destination compartment.
  6. Click Move Resource.

After you move the target to the new compartment, the policies of the destination compartment apply to it immediately, which can change who has access to the target through the Console. For more information, see Managing Compartments.

Deleting a Target

Use the Console to delete a target.

Deleting a target does not delete the compute instances in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the name of the target.
  4. Click Delete.
  5. When prompted for confirmation, click Delete.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

To list all host scan targets in a compartment:

oci vulnerability-scanning host scan target list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning host scan target list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific host scan target:

oci vulnerability-scanning host scan target get --host-scan-target-id <target_ocid>

For example:

oci vulnerability-scanning host scan target get --host-scan-target-id ocid1.vsshostscantarget.oc1..exampleuniqueID

To create a host scan target:

oci vulnerability-scanning host scan target create --display-name <name> --description "<description>" --compartment-id <create_in_compartment_ocid> --host-scan-recipe-id <recipe_ocid> --target-compartment-id <target_compartment_ocid> --instance-ids <compute_instance_ocids>

For example, to scan all compute instances in a compartment:

oci vulnerability-scanning host scan target create --display-name MyTarget --description "All instances in compartment ABC" --compartment-id ocid1.compartment.oc1..exampleuniqueID1 --host-scan-recipe-id ocid1.vsshostscanrecipe.oc1..exampleuniqueID --target-compartment-id ocid1.compartment.oc1..exampleuniqueID2
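The same create call, wrapped so that the two selection modes from the Console steps above (all instances in the target compartment, or specific instances) cannot be mixed up. This Python is an added example rather than Oracle's code or part of the OCI CLI: it checks that each argument carries an OCID of the expected type, omits --instance-ids for a compartment-wide target, and otherwise passes the instance list as a JSON array, which is how the OCI CLI accepts complex list parameters (an assumption stated in the code). The names and OCIDs in the sample call are hypothetical.

```python
import json
import shlex

# OCID prefixes for the resource types the create command takes. The root
# compartment is identified by a tenancy OCID, which is why it is accepted
# for --target-compartment-id (a root-compartment target scans the tenancy).
COMPARTMENT_PREFIXES = ("ocid1.compartment.", "ocid1.tenancy.")
RECIPE_PREFIX = "ocid1.vsshostscanrecipe."
INSTANCE_PREFIX = "ocid1.instance."


def _require_ocid(value, prefixes, what):
    """Reject values that are not an OCID of the expected resource type."""
    if not isinstance(value, str) or not value.startswith(prefixes):
        raise ValueError(
            f"{what} must be an OCID starting with {' or '.join(prefixes)}: {value!r}")
    return value


def build_create_target_argv(name, description, compartment_id, recipe_id,
                             target_compartment_id, instance_ids=None):
    """Return the argv for 'oci vulnerability-scanning host scan target create'.

    compartment_id is where the target (and its reports) live; target_compartment_id
    holds the instances to scan. With instance_ids omitted or empty the target
    covers every compute instance in target_compartment_id and its
    subcompartments; otherwise only the listed instances are scanned.
    Assumption: the OCI CLI takes --instance-ids as a JSON array string, as it
    does for its other complex list parameters.
    """
    argv = [
        "oci", "vulnerability-scanning", "host", "scan", "target", "create",
        "--display-name", name,
        "--description", description,
        "--compartment-id",
        _require_ocid(compartment_id, COMPARTMENT_PREFIXES, "--compartment-id"),
        "--host-scan-recipe-id",
        _require_ocid(recipe_id, (RECIPE_PREFIX,), "--host-scan-recipe-id"),
        "--target-compartment-id",
        _require_ocid(target_compartment_id, COMPARTMENT_PREFIXES,
                      "--target-compartment-id"),
    ]
    if instance_ids:
        ids = [_require_ocid(i, (INSTANCE_PREFIX,), "instance id") for i in instance_ids]
        if len(set(ids)) != len(ids):
            raise ValueError("duplicate instance OCIDs in --instance-ids")
        argv += ["--instance-ids", json.dumps(ids)]
    return argv


def render(argv):
    """Shell-quoted command line, for pasting or for a change record."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Hypothetical OCIDs: a target in one compartment scanning two named
    # instances that live in another compartment, as step 2 of the Console
    # procedure allows.
    argv = build_create_target_argv(
        name="WebTier",
        description="Web tier instances in compartment ABC",
        compartment_id="ocid1.compartment.oc1..exampleuniqueID1",
        recipe_id="ocid1.vsshostscanrecipe.oc1..exampleuniqueID",
        target_compartment_id="ocid1.compartment.oc1..exampleuniqueID2",
        instance_ids=["ocid1.instance.oc1..exampleuniqueID3",
                      "ocid1.instance.oc1..exampleuniqueID4"],
    )
    print(render(argv))
```

Run the rendered command with the OCI CLI once it has been reviewed; passing the wrong OCID type (for example an instance OCID where a compartment OCID is expected) fails locally before any API call is made.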