Scanning with Cloud Guard

Use Cloud Guard to detect and respond to security vulnerabilities identified by Oracle Vulnerability Scanning Service.

Cloud Guard is an Oracle Cloud Infrastructure service that provides a central dashboard to monitor all of your cloud resources for security weaknesses in configuration, metrics, and logs. When it detects a problem, it can suggest, assist, or take corrective actions, based on your Cloud Guard configuration.

Cloud Guard Concepts

Compare the concepts and features of the Scanning service with Cloud Guard.

Like the Scanning service, Cloud Guard supports recipes and targets.

  • A Cloud Guard recipe defines the types of resources and problems that you want to monitor.
  • A Cloud Guard target defines one or more compartments that you want to monitor, and is associated with a Cloud Guard recipe.

A configuration detector recipe consists of detector rules. The default Cloud Guard configuration detector recipe includes rules that check for vulnerabilities and open ports found in reports created by Vulnerability Scanning. You can use this Oracle-managed configuration detector recipe or clone it to create a custom recipe.

You can also modify the following default settings for the Scanning detector rules:

  • Disallowed port numbers that Cloud Guard reports as a problem
  • Allowed port numbers that Cloud Guard ignores
  • Vulnerability risk levels (Low, Medium, High, Critical) that Cloud Guard reports as a problem

Using the Cloud Guard Scanning Detector Rules

Configure and use Cloud Guard to monitor security problems detected in Vulnerability Scanning.

If Cloud Guard is not already enabled, enable it and create at least one Cloud Guard target. See Getting Started with Cloud Guard and Managing Targets.

At least one Scanning target must also exist, because the Scanning service creates reports only for its targets, and the Cloud Guard detector rules evaluate those reports. See Managing Host Targets.

Note

Cloud Guard targets are separate resources from Scanning targets. To use Cloud Guard to detect problems in Scanning reports, the Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

To view Scanning problems in Cloud Guard:

  1. If you created a custom configuration detector recipe in Cloud Guard, verify that the Vulnerability Scanning detector rules are enabled in your recipe.

    All detector rules are automatically enabled in Oracle-managed recipes like OCI Configuration Detector Recipe, and can't be disabled.

    1. From the Cloud Guard console, click Detector Recipes.
    2. Click your custom configuration detector recipe.
    3. Under Detector Rules, in the Filter by detector rule field, enter scan.
    4. Select the check boxes for the Vulnerability Scanning rules.
      • Scanned host has vulnerabilities
      • Scanned host has open ports
    5. If these rules are not already enabled, click Enable.

    For more information, see Modifying a Detector Recipe.

  2. From the Cloud Guard console, click Problems.
  3. Click the name of a Vulnerability Scanning problem to view its details.
    • Scanned host has vulnerabilities
    • Scanned host has open ports
    Tip

    To filter the list of problems, scroll down and locate the Labels field. Enter "VSS" (case-sensitive) and click Apply Filters.

    Vulnerability Scanning problems include links to the corresponding Host Scans and Port Scans.

    If no Vulnerability Scanning problems are displayed in Cloud Guard, consider the following possible causes.

    • The Vulnerability Scanning service did not create any reports yet. The schedule (daily/weekly) is configured in the Scanning target.
    • You recently enabled Cloud Guard or the Vulnerability Scanning detector rules and Cloud Guard has not run them yet.

    For more information, see Processing Reported Problems and Troubleshooting the Scanning Service.

Updating the Scanning Detector Rules

In Cloud Guard recipes, you can modify the default settings for the Vulnerability Scanning detector rules. These settings control which vulnerabilities are reported as problems in Cloud Guard.

For example, you can configure which vulnerability risk levels are problems, or configure which TCP or UDP open ports are problems.

You can modify some rule settings in an Oracle-managed detector recipe like OCI Configuration Detector Recipe, and you can modify all rule settings in a custom recipe. You can't disable rules in Oracle-managed recipes.

  1. From the Cloud Guard console, click Detector Recipes.
  2. Click your configuration detector recipe.
  3. Under Detector Rules, in the Filter by detector rule field, enter scan.
  4. Click the Actions icon for the rule Scanned host has vulnerabilities, and then select Edit.
  5. After updating the rule's settings, click Save.
  6. Repeat steps 4 and 5 for the rule Scanned host has open ports.

For more information, see Modifying Rule Settings in a Detector Recipe.
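As an added illustration (not Oracle's code or API) of how the three rule settings above and the compartment requirement in the Note combine, the following Python model evaluates a constructed host scan report against the two Scanning detector rules. The compartment tree, the report contents, the vulnerability identifiers and the assumption that an explicitly allowed port overrides a disallowed one are all constructed here.

```python
from dataclasses import dataclass, field

# Constructed compartment tree: child -> parent (None marks the tenancy root).
COMPARTMENTS = {"tenancy": None, "prod": "tenancy", "prod-web": "prod", "dev": "tenancy"}

# Constructed sample report; VULN-* are placeholder identifiers, not real CVEs.
REPORT = {
    "host": "web-01",
    "compartment": "prod-web",
    "vulnerabilities": [{"id": "VULN-1", "risk": "Critical"}, {"id": "VULN-2", "risk": "Low"}],
    "open_ports": [22, 23, 443, 3389],
}

@dataclass
class DetectorSettings:
    """The settings the page lists for the two Scanning detector rules."""
    risk_levels: set = field(default_factory=lambda: {"High", "Critical"})
    disallowed_ports: set = field(default_factory=lambda: {21, 23, 3389})
    allowed_ports: set = field(default_factory=set)
    vulnerabilities_enabled: bool = True   # always True in an Oracle-managed recipe
    open_ports_enabled: bool = True

def in_scope(scanning_compartment, cloud_guard_compartment):
    """The Scanning target compartment must be the Cloud Guard target
    compartment itself or one of its subcompartments."""
    c = scanning_compartment
    while c is not None:
        if c == cloud_guard_compartment:
            return True
        c = COMPARTMENTS.get(c)   # walk up towards the tenancy root
    return False

def evaluate(report, settings, cloud_guard_compartment):
    """Return (rule name, details) pairs for the problems the rules would raise."""
    if not in_scope(report["compartment"], cloud_guard_compartment):
        return []                 # report is outside the Cloud Guard target: never seen
    problems = []
    if settings.vulnerabilities_enabled:
        hits = sorted(v["id"] for v in report["vulnerabilities"] if v["risk"] in settings.risk_levels)
        if hits:
            problems.append(("Scanned host has vulnerabilities", hits))
    if settings.open_ports_enabled:
        # Assumption: a port on the allowed list is ignored even if it is also disallowed.
        ports = sorted(p for p in report["open_ports"]
                       if p in settings.disallowed_ports and p not in settings.allowed_ports)
        if ports:
            problems.append(("Scanned host has open ports", ports))
    return problems

if __name__ == "__main__":
    for rule, detail in evaluate(REPORT, DetectorSettings(allowed_ports={3389}), "prod"):
        print(f"{rule}: {detail}")
```

Running it with the defaults reports VULN-1 (Critical) and port 23; port 3389 is suppressed by the allowed list and VULN-2 (Low) falls outside the configured risk levels.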