Scanning Overview

Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

The Scanning service can identify several types of security issues in your compute instances :

  • Ports that are unintentionally left open might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that hackers might exploit
  • Industry-standard benchmarks published by the Center for Internet Security (CIS).

    The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

Note

Oracle Vulnerability Scanning Service can help you quickly correct vulnerabilities and exposures, but the service is not a Payment Card Industry (PCI) compliant scanner. Do not use the Scanning service to meet PCI compliance requirements.

The Scanning service detects vulnerabilities in the following platforms and using the following vulnerability sources.

Platform National Vulnerability Database (NVD) Open Vulnerability and Assessment Language (OVAL) Center for Internet Security (CIS)
Oracle Linux Yes Yes Yes
CentOS Yes Yes Yes
Ubuntu Yes Yes Yes
Windows Yes No No
Note

Because Windows scanning does not include OVAL data, we don't recommend you rely solely on Oracle Vulnerability Scanning Service to ensure that your Windows instances are up-to-date and secure.

The Scanning service can scan individual compute instances, or it can scan all compute instances within a compartment and its subcompartments. If you configure the Scanning service at the root compartment, then all compute instances in the entire tenancy are scanned.

Concepts

Understand key concepts and components related to the Scanning service.

The following diagram provides a high-level overview of the service.


A recipe is associated with one or more targets like VMs. The Scanning service scans these targets and generates reports, events, and logs. Cloud Guard can also be used to view scanning problems.
Scan Recipe
Scanning parameters for a type of cloud resource, including what information to examine and how often.
Target
One or more cloud resources that you want to scan using a specific recipe. Resources in a target are of the same type, such as compute instances.
Host Scan
Metrics about a specific cloud resource that was scanned, including the vulnerabilities that were found, their risk levels, and CIS benchmark compliance.

The Scanning service uses a host agent to detect these vulnerabilities.

Port Scan
Open ports that were detected on a specific cloud resource that was scanned.

The Scanning service can detect open ports using a host agent, or using a network mapper that searches your public IP addresses .

Vulnerabilities Report
Information about a specific type of vulnerability that was detected in one or more targets, like a missing update for an OS package.

Integration with Cloud Guard

You can view security vulnerabilities identified by the Scanning service in Cloud Guard.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weakness in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Like the Scanning service, Cloud Guard uses recipes and targets.

  • A recipe defines the types of problems that you want Cloud Guard to report
  • A target defines the compartments that you want Cloud Guard to monitor, and is associated with a recipe.

A configuration detector recipe consists of detector rules. The default Cloud Guard configuration detector recipe includes rules that check for vulnerabilities and open ports found by the Scanning service.

For more information, see Scanning with Cloud Guard.

Resource Identifiers

Scanning resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).

For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Ways to Access Vulnerability Scanning

You can access Vulnerability Scanning using the Console (a browser-based interface), the command line interface (CLI), or the REST API. Instructions for the Console, CLI, and API are included in topics throughout this guide.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. You are prompted to enter your cloud tenant, your user name, and your password.

For a list of available SDKs, see Software Development Kits and Command Line Interface. For general information about using the APIs, see REST API.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments , and policies  that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN (virtual cloud network) , launch instances, and create buckets .

Security

In addition to creating IAM policies, there are other tasks related to the security of Vulnerability Scanning.

For example:

  • Configure a service gateway so you can scan hosts without public IP addresses
  • Perform a security audit of scanning operations

See Securing Vulnerability Scanning.

Monitoring

To monitor scanning activity, Vulnerability Scanning integrates with these other services in Oracle Cloud Infrastructure.

  • The Audit service automatically records calls to all public Vulnerability Scanning API endpoints as log entries. See Overview of Audit.
  • The Monitoring service enables you to monitor your Vulnerability Scanning resources using metrics and alarms. See Scanning Metrics.
  • The Events service allows your development teams to automatically respond when a Vulnerability Scanning resource changes its state. See Scanning Events.

Getting Started

Use the Scanning service to check for security vulnerabilities in the compute instances for a single compartment.

  1. Create Scanning IAM Policies.

    If you are not an administrator, you must be given access to the Scanning service in a policy (IAM)  written by an administrator.

  2. Create the Required IAM Policy for Host Scanning.

    An administrator must grant the Scanning service permission to activate the Scanning agent on your target compute instances.

  3. Open the navigation menu and click Identity & Security. Click Scanning.
  4. Click Create Scan Recipe.
  5. Click Create Target.
  6. Click View Scan Result.

    Results are typically available 15 minutes after creating a new target, but it can take up to 24 hours.

    See Viewing Host Scans.

  7. (Optional) Scanning with Cloud Guard

If you run into problems, see Troubleshooting the Scanning Service.