Vulnerability Scanning

Oracle Vulnerability Scanning Service helps improve your security posture in Oracle Cloud by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

The Scanning service can identify several types of security issues in your compute instances:

  • Ports that are unintentionally left open, which can be an attack vector into your cloud resources or let attackers exploit other vulnerabilities
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that attackers might exploit
  • Noncompliance with industry-standard benchmarks published by the Center for Internet Security (CIS)

    The Scanning service checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

The Scanning service can scan individual compute instances, or it can scan all compute instances within a compartment and its subcompartments. If you configure the Scanning service at the root compartment, then all compute instances in the entire tenancy are scanned.

The Scanning service detects vulnerabilities in the following platforms:
  • Oracle Linux
  • CentOS
  • Ubuntu
  • Windows (no CIS benchmarks)

Scanning Concepts

Understand key concepts and components related to the Scanning service.

The following diagram provides a high-level overview of the service.

A recipe is associated with one or more targets like VMs. The Scanning service scans these targets and generates reports, events, and logs. Cloud Guard can also be used to view scanning problems.
Scan Recipe
Scanning parameters for a type of cloud resource, including what information to examine and how often.

Target
One or more cloud resources that you want to scan using a specific recipe. Resources in a target are of the same type, such as compute instances.

Host Scan
Metrics about a specific cloud resource that was scanned, including the vulnerabilities that were found, their risk levels, and CIS benchmark compliance.

The Scanning service uses a host agent to detect these vulnerabilities.

Port Scan
Open ports that were detected on a specific cloud resource that was scanned.

The Scanning service can detect open ports using a host agent, or using a network mapper that probes your public IP addresses.

Vulnerabilities Report
Information about a specific type of vulnerability that was detected in one or more targets, like a missing update for an OS package.

Integration with Cloud Guard

You can view security vulnerabilities identified by the Scanning service in Cloud Guard.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weakness in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Like the Scanning service, Cloud Guard uses recipes and targets.

  • A recipe defines the types of problems that you want Cloud Guard to report
  • A target defines the compartments that you want Cloud Guard to monitor, and is associated with a recipe.

A configuration detector recipe consists of detector rules. The default Cloud Guard configuration detector recipe includes rules that check for vulnerabilities and open ports found by the Scanning service.

For more information, see Scanning with Cloud Guard.

Resource Identifiers

Scanning resources, like most types of resources in Oracle Cloud Infrastructure, have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).

For information about the OCID format and other ways to identify your resources, see Resource Identifiers.

Ways to Access Vulnerability Scanning

You can access Vulnerability Scanning using the Console (a browser-based interface) or the REST API.

Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, policies control who can create users, create and manage a VCN, launch instances, and create buckets.

Getting Started

Use the Scanning service to check for security vulnerabilities in the compute instances for a single compartment.

  1. Scanning IAM Policies

    If you are not an administrator, you must be given access to the Scanning service in a policy written by an administrator.

  2. Required IAM Policy for Host Scanning

    An administrator must grant the Scanning service permission to activate the Scanning agent on your target compute instances.

  3. Creating a Host Scan Recipe
  4. Creating a Host Target
  5. Viewing Host Scans
  6. (Optional) Scanning with Cloud Guard
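Steps 1 and 2 above expressed as IAM policy statements, added here as an illustration rather than text from this page: the first statement is the access an administrator grants to a user group, and the remaining statements are what the Scanning service itself needs in order to activate the agent on instances in a compartment. Names in angle brackets are placeholders; the service principal and resource-type names are assumed from the OCI policy language and are not quoted from this page.

```text
Allow group <scanning-admins> to manage vss-family in compartment <compartment_name>

Allow service vulnerability-scanning-service to manage instances in compartment <compartment_name>
Allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnics in compartment <compartment_name>
Allow service vulnerability-scanning-service to read vnic-attachments in compartment <compartment_name>
```

Scoping every statement to one compartment keeps both the group and the service to the least privilege needed for that compartment's instances; writing them against the root compartment instead gives the service reach over every compute instance in the tenancy, which is what a tenancy-wide target requires.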

If you run into problems, see Troubleshooting the Scanning Service.