Compute Targets

Use Oracle Cloud Infrastructure Vulnerability Scanning Service to create and manage compute (host) targets and to assign them to compute scan recipes. A target is a collection of instances that you want routinely scanned for security vulnerabilities.

The Scanning service detects vulnerabilities on the following platforms, using the following vulnerability sources: the National Vulnerability Database (NVD), the Open Vulnerability and Assessment Language (OVAL), and the Center for Internet Security (CIS).

Platform       NVD   OVAL   CIS
Oracle Linux   Yes   Yes    Yes
CentOS         Yes   Yes    Yes
Ubuntu         Yes   Yes    Yes
Windows        Yes   No     No

You have two options when selecting the compute instances for a target.

  • Scan one or more specific instances within a compartment.
  • Scan all instances within a compartment and its subcompartments.

If you create a target for the root compartment, then all compute instances in the entire tenancy are scanned.

The Scanning service saves the results for a compute instance in the same compartment as the instance's Scanning target.

Consider the following example.

  • The compute instance MyInstance is in CompartmentA.
  • MyInstance is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyInstance are in CompartmentB.

Cloud Guard targets are separate resources from Scanning targets. To use Cloud Guard to detect problems in Scanning reports, the Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

Required IAM Policy for Compute Scanning

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

First set up the Agent-Based Standard Policies, and then set up Agent-Based Qualys Policies, if necessary.

Agent-Based Standard Policies

If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you're supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

To allow users in a group to read repositories for VSS OCIR container image scans:

Allow group VSSAdmins to read repos in tenancy

If you enable agent-based scanning in your recipe, then you must give the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.

The Scanning service must also be able to read the VNIC (virtual network interface card) on your target compute instances.

For example, to grant this permission for all compute instances in the entire tenancy:

Allow service vulnerability-scanning-service to manage instances in tenancy
Allow service vulnerability-scanning-service to read compartments in tenancy
Allow service vulnerability-scanning-service to read vnics in tenancy
Allow service vulnerability-scanning-service to read vnic-attachments in tenancy

To grant this permission for all instances in a specific compartment:

Allow service vulnerability-scanning-service to manage instances in compartment <compartment_name>
Allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnics in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnic-attachments in compartment <compartment_name>

A VNIC might be in a different compartment from your compute instance. Either grant VNIC permissions for the entire tenancy or for the specific compartment that the VNIC is in as well as the compartments of the compute instances:

Allow service vulnerability-scanning-service to read vnics in compartment <vnic_compartment_name>
Allow service vulnerability-scanning-service to read vnic-attachments in compartment <vnic_compartment_name>
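The VNIC-in-another-compartment case above is the one that most often leaves agent-based scanning silently under-permissioned. The following checker is an added example, not part of Oracle's documentation or the OCI CLI: it parses policy statements written in the format shown above and reports, per instance, which of the four documented grants is missing. The compartment tree, instance inventory and VNIC placement are constructed sample data. Two OCI IAM rules are relied on: a policy written for a compartment also applies to its subcompartments, and the verbs are ordered inspect < read < use < manage, so a manage grant satisfies a read requirement.

```python
import re

# Constructed sample compartment tree: child -> parent ("tenancy" is the root).
COMPARTMENT_PARENT = {
    "SalesApps": "tenancy",
    "SalesApps-Dev": "SalesApps",
    "NetworkShared": "tenancy",
}

# Constructed sample inventory. inst-web's VNIC lives in a different compartment
# from the instance itself, which is exactly the case the documentation warns about.
INSTANCES = [
    {"name": "inst-web", "compartment": "SalesApps-Dev", "vnic_compartment": "NetworkShared"},
    {"name": "inst-db", "compartment": "SalesApps", "vnic_compartment": "SalesApps"},
]

# OCI IAM verb hierarchy: each verb includes the permissions of the ones below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Grants the Scanning service needs for agent-based scanning, taken from the documented
# statements: (required verb, resource type, which compartment of the instance it must cover).
REQUIRED = [
    ("manage", "instances", "compartment"),
    ("read", "compartments", "compartment"),
    ("read", "vnics", "vnic_compartment"),
    ("read", "vnic-attachments", "vnic_compartment"),
]

STATEMENT_RE = re.compile(
    r"^Allow\s+service\s+vulnerability-scanning-service\s+to\s+(\w+)\s+([\w-]+)"
    r"\s+in\s+(?:(tenancy)|compartment\s+(\S+))\s*$",
    re.IGNORECASE,
)

# Constructed sample policies: the documented compartment-scoped set for SalesApps only.
SALESAPPS_ONLY = [
    "Allow service vulnerability-scanning-service to manage instances in compartment SalesApps",
    "Allow service vulnerability-scanning-service to read compartments in compartment SalesApps",
    "Allow service vulnerability-scanning-service to read vnics in compartment SalesApps",
    "Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesApps",
]
# The same set plus the VNIC statements for the compartment the VNIC actually lives in.
WITH_VNIC_COMPARTMENT = SALESAPPS_ONLY + [
    "Allow service vulnerability-scanning-service to read vnics in compartment NetworkShared",
    "Allow service vulnerability-scanning-service to read vnic-attachments in compartment NetworkShared",
]


def parse_statements(statements):
    """Return (verb, resource, scope) tuples; scope is 'tenancy' or a compartment name."""
    grants = []
    for s in statements:
        m = STATEMENT_RE.match(s.strip())
        if not m:
            raise ValueError(f"unrecognised statement: {s!r}")
        verb, resource, tenancy, compartment = m.groups()
        if verb.lower() not in VERB_RANK:
            raise ValueError(f"unknown verb in statement: {s!r}")
        grants.append((verb.lower(), resource.lower(), "tenancy" if tenancy else compartment))
    return grants


def lineage(compartment, parents):
    """The compartment itself followed by each ancestor up to the tenancy root."""
    chain = [compartment]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def grant_covers(grant, verb, resource, compartment, parents):
    """True if one parsed grant satisfies the required verb on the resource in that compartment."""
    g_verb, g_resource, g_scope = grant
    if g_resource != resource or VERB_RANK[g_verb] < VERB_RANK[verb]:
        return False
    # A compartment-scoped policy also applies to every subcompartment of that compartment.
    return g_scope == "tenancy" or g_scope in lineage(compartment, parents)


def missing_grants(statements, instances, parents):
    """Map instance name -> list of required grants no statement provides (empty when complete)."""
    grants = parse_statements(statements)
    gaps = {}
    for inst in instances:
        missing = []
        for verb, resource, where in REQUIRED:
            target = inst[where]
            if not any(grant_covers(g, verb, resource, target, parents) for g in grants):
                missing.append(f"{verb} {resource} in compartment {target}")
        if missing:
            gaps[inst["name"]] = missing
    return gaps


if __name__ == "__main__":
    for label, policy in (("SalesApps only", SALESAPPS_ONLY),
                          ("with VNIC compartment", WITH_VNIC_COMPARTMENT)):
        print(label, "->", missing_grants(policy, INSTANCES, COMPARTMENT_PARENT) or "no gaps")
```

With the SalesApps-only policy, inst-web is reported as missing the vnics and vnic-attachments grants for NetworkShared, while its instance grants are satisfied through SalesApps-Dev's parent; adding the two NetworkShared statements clears the report. To run it against a real tenancy, replace the constructed dictionaries with the output of your own compartment, instance and VNIC listings.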

Agent-Based Qualys Policies

Prerequisite: Create a dynamic group of the instances that you want to scan. See Managing Dynamic Groups. Instances that meet the criteria defined by any of the group's matching rules are included in the dynamic group. For example:

All {instance.compartment.id = <compartment_ocid>}

Note

You can specify an entire tenancy.

To use Qualys agent-based scanning in your recipe, write a policy that grants the dynamic group permission to access secrets and to access the data sent back from Qualys.

To grant permission for the dynamic group to access secrets:

Allow dynamic-group <dynamic_group_name> to read vaults in tenancy
Allow dynamic-group <dynamic_group_name> to read keys in tenancy
Allow dynamic-group <dynamic_group_name> to read secret-family in tenancy

To access the data sent back from Qualys:

Define tenancy ocivssprod as ocid1.tenancy.oc1..aaaaaaaa6zt5ejxod5pgthsq4apr5z2uzde7dmbpduc5ua3mic4zv3g5ttma 
Endorse dynamic-group <dynamic_group_name> to read objects in tenancy ocivssprod

Creating a Compute Target

Use the Console to create a compute (host) scan target.

At least one compute scan recipe must be in your tenancy before creating a target. See Compute Scan Recipes.

If your compute scan recipe is configured for Agent Based Scanning, you must give the Scanning service permission to deploy the agent before creating a target. See Required IAM Policy for Compute Scanning.

A compute instance is associated with a VCN (virtual cloud network) and a subnet. If an instance in your target is on a private subnet or has no public IP address, the VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment in which you want to create the target.
    Note

    The compute instances that you assign to this target can be in a different compartment than the target.
  3. Click the Hosts tab if not already selected.
  4. Click Create.
  5. Verify that the recipe Type is Compute.
  6. Enter a Name and Description for the target.

    Avoid entering confidential information.

  7. Select a Scan recipe for the target.
  8. Select the Target compartment that contains the compute instances you want to scan.
  9. Choose compute instances for this target.
    • All compute instances in the selected target compartment and its subcompartments
    • Selected compute instances in the selected target compartment - Select individual compute instances.

    You can't create a target with a compartment or a compute instance that is already specified in another target. However, multiple targets can scan the same compute instance.

    Note

    Cloud Guard targets are separate resources from Scanning targets. To use Cloud Guard to detect problems in Scanning reports, the Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

  10. (Optional) Assign tags to the target. Click Show Advanced Options.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you aren’t sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

  11. Click Create.

After creating a target, the Scanning service checks your compute instances for security vulnerabilities and open ports based on the parameters and schedule that are configured in the recipe. You can view the results of these scans in reports.

You can also use Cloud Guard to view the results of your scans. See Scanning with Cloud Guard.

Updating a Compute Target

Use the Console to update an existing compute (host) scan target.

Note

After you create an OCI agent or Qualys agent compute scan recipe, don't modify that recipe to change agents. Create a new recipe.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the Hosts tab if not already selected.
  4. Click the name of the target.
  5. Click Edit.
  6. Modify any of these settings for your target.
    • Name
    • Description
    • Scan recipe
    • Target compartment

    Avoid entering confidential information.

  7. Update the compute instances for this target.
    • All compute instances in the selected target compartment and its subcompartments
    • Selected compute instances in the selected target compartment - Select individual compute instances.

    You can't update a target with a compartment or a compute instance that is already specified in another target. However, multiple targets can scan the same compute instance.

  8. Click Save changes.
  9. (Optional) Click Tags if you want to manage the tags for this target.

    If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

    To add a defined tag, you must have permissions to use the Tag Namespace.

    For more information about tagging, see Resource Tags. If you aren’t sure if you should add tags, skip this option (you can add tags later) or ask your administrator.

Viewing the Compute Instances for a Target

Use the Console to view the compute instances (hosts) associated with an existing target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the Hosts tab if not already selected.
  4. Click the name of the target.

    The Compute instances table displays.

  5. Click the name of a specific compute instance to view its details.

Viewing the Compute Instance Errors for a Target

Use the Console to view the compute instance (host) errors associated with an existing target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. (Optional) Filter the table of reports by Risk level.
  4. Click the Hosts tab if not already selected.
  5. Click the name of the target.

    The Compute instances table displays.

  6. Click Instances with errors.
  7. Click the name of a specific compute instance to view its details.

Moving a Target to a Different Compartment

Use the Console to move a scan target from one compartment to another.

Moving a target doesn’t also move the cloud resources (compute instances, for example) in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the tab for the type of target that you want to move.
    • Hosts (compute)
    • Container image
  4. Click the name of the target.
  5. Click Move Resource.
  6. Choose the destination compartment.
  7. Click Move Resource.

After you move the target to the new compartment, inherent policies apply immediately and affect access to the target through the Console. For more information, see Managing Compartments.

Deleting a Target

Use the Console to delete a target.

Deleting a target doesn’t delete the cloud resources (compute instances, for example) in the target.

  1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
  2. Select the Compartment that contains your target.
  3. Click the tab for the type of target that you want to delete.
    • Hosts (compute)
    • Container image
  4. Click the name of the target.
  5. Click Delete.
  6. When prompted for confirmation, click Delete.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Command Reference.

To list all compute (host) scan targets in a compartment:

oci vulnerability-scanning host scan target list --compartment-id <compartment_ocid>

For example:

oci vulnerability-scanning host scan target list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view the details of a specific compute scan target:

oci vulnerability-scanning host scan target get --host-scan-target-id <target_ocid>

For example:

oci vulnerability-scanning host scan target get --host-scan-target-id ocid1.vsshostscantarget.oc1..exampleuniqueID

To create a compute scan target:

oci vulnerability-scanning host scan target create --display-name <name> --description "<description>" --compartment-id <create_in_compartment_ocid> --host-scan-recipe-id <recipe_ocid> --target-compartment-id <target_compartment_ocid> --instance-ids <compute_instance_ocids>

For example, to scan all compute instances in a compartment:

oci vulnerability-scanning host scan target create --display-name MyTarget --description "All instances in compartment ABC" --compartment-id ocid1.compartment.oc1..exampleuniqueID1 --host-scan-recipe-id ocid1.vsshostscanrecipe.oc1..exampleuniqueID --target-compartment-id ocid1.compartment.oc1..exampleuniqueID2
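The target-selection rules earlier on this page (a target with no explicit instances covers its target compartment and every subcompartment; a target with explicit instance IDs covers only those; several targets may scan the same instance) decide whether every host in a tenancy is actually being scanned. The following coverage check is an added example, not part of Oracle's documentation or the OCI CLI. It consumes a constructed stand-in for the JSON that the list command above returns; the object keys are assumed to mirror the flags of the create command (display-name, target-compartment-id, instance-ids), and a lifecycle-state of ACTIVE is assumed to mark a target that is currently scanning. All OCIDs are placeholders in the documented format. The compartment tree and instance inventory are constructed and would come from your own compartment and compute instance listings in practice.

```python
import json

# Constructed compartment tree (child OCID -> parent OCID); the root is the tenancy.
# Every OCID here is a placeholder, not a real identifier.
TENANCY = "ocid1.tenancy.oc1..exampleroot"
COMP_A = "ocid1.compartment.oc1..exampleA"
COMP_A1 = "ocid1.compartment.oc1..exampleA1"   # subcompartment of COMP_A
COMP_B = "ocid1.compartment.oc1..exampleB"
PARENT_OF = {COMP_A: TENANCY, COMP_A1: COMP_A, COMP_B: TENANCY}

# Constructed inventory: compute instance OCID -> compartment OCID.
INSTANCE_COMPARTMENT = {
    "ocid1.instance.oc1..exampleI1": COMP_A,
    "ocid1.instance.oc1..exampleI2": COMP_A1,
    "ocid1.instance.oc1..exampleI3": COMP_B,
    "ocid1.instance.oc1..exampleI4": COMP_B,
}

# Constructed stand-in for `oci vulnerability-scanning host scan target list` output.
# Keys are assumed to mirror the create command's flags; "lifecycle-state": "ACTIVE"
# is assumed to identify a target that is currently scanning.
TARGET_LIST_JSON = json.dumps({"data": [
    {"id": "ocid1.vsshostscantarget.oc1..exampleT1", "display-name": "AllOfA",
     "target-compartment-id": COMP_A, "instance-ids": [], "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.vsshostscantarget.oc1..exampleT2", "display-name": "SelectedB",
     "target-compartment-id": COMP_B, "instance-ids": ["ocid1.instance.oc1..exampleI3"],
     "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.vsshostscantarget.oc1..exampleT3", "display-name": "RetiredB",
     "target-compartment-id": COMP_B, "instance-ids": [], "lifecycle-state": "DELETED"},
    {"id": "ocid1.vsshostscantarget.oc1..exampleT4", "display-name": "PinnedA1",
     "target-compartment-id": COMP_A1, "instance-ids": ["ocid1.instance.oc1..exampleI2"],
     "lifecycle-state": "ACTIVE"},
]})


def compartment_chain(compartment, parent_of):
    """The compartment itself followed by each ancestor up to the tenancy root."""
    chain = [compartment]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain


def instances_scanned_by(target, instance_compartment, parent_of):
    """Set of instance OCIDs one target covers, following the two documented selection modes."""
    if target.get("instance-ids"):
        # Selected compute instances: exactly the listed OCIDs, nothing else.
        return set(target["instance-ids"])
    # All compute instances: the target compartment and all of its subcompartments.
    scope = target["target-compartment-id"]
    return {iid for iid, comp in instance_compartment.items()
            if scope in compartment_chain(comp, parent_of)}


def coverage_report(target_list_json, instance_compartment, parent_of):
    """Return (sorted uncovered instance OCIDs, {instance OCID: [target names]} for overlaps)."""
    targets = json.loads(target_list_json)["data"]
    covered_by = {iid: [] for iid in instance_compartment}
    for target in targets:
        if target.get("lifecycle-state") != "ACTIVE":
            continue  # deleted or failed targets scan nothing
        for iid in instances_scanned_by(target, instance_compartment, parent_of):
            if iid in covered_by:  # ignore IDs not in the inventory we were given
                covered_by[iid].append(target["display-name"])
    uncovered = sorted(iid for iid, names in covered_by.items() if not names)
    overlapping = {iid: names for iid, names in covered_by.items() if len(names) > 1}
    return uncovered, overlapping


if __name__ == "__main__":
    uncovered, overlapping = coverage_report(TARGET_LIST_JSON, INSTANCE_COMPARTMENT, PARENT_OF)
    print("not scanned by any active target:", uncovered)
    print("scanned by more than one target:", overlapping)
```

On the sample data, exampleI4 is reported as unscanned because the only all-instances target for its compartment is DELETED, and exampleI2 is reported twice because AllOfA reaches it through the subcompartment while PinnedA1 names it explicitly, which the page permits but which doubles agent work on that host. A target whose target compartment is the tenancy root covers every instance in the inventory, matching the page's statement about root-compartment targets.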