S105121GC10 SME Ops Lab09


Security Services: Configure Vulnerability Scanning with Cloud Guard
Estimated time: 30 mins
Get Started

Overview

Oracle Cloud Infrastructure Vulnerability Scanning Service improves your security posture by
checking hosts for potential vulnerabilities on a regular schedule. The service gives you
visibility into misconfigured or vulnerable resources and creates reports with metrics and
details about each finding, including remediation information, for developers, operations
staff, and security administrators.

In this lab, you will:

a. Create a Virtual Cloud Network.

b. Create a Compute Instance.

c. Create Scan Recipe.

d. Create Vulnerability Scanning Target.

e. View Scan result.

f. View Vulnerability Reports.

g. Configure Cloud Guard.

h. View Vulnerability Scanning problem in Cloud Guard.

Copyright © 2023, Oracle and/or its affiliates.

122 Security Services: Configure Vulnerability Scanning with Cloud Guard


Prerequisites
• You must have access to the OCI Console.
• The Oracle University lab team set up all the IAM policies required for you to
complete this lab.

Assumptions
• Select the region that’s available in the tenancy allotted to you. In this lab, we are
considering US East (Ashburn) (IAD) as your region.
• You must be familiar with navigating the OCI Console.



Create a Virtual Cloud Network
In this practice, you will create a Virtual Cloud Network in OCI with a public and a private
subnet using the VCN wizard. The compute instance that you will create later will be hosted in
this VCN's public subnet.

Note: If you already created a VCN in a previous practice and it is in your compartment, you
can skip this practice.

Tasks

1. Open the navigation menu and click Networking. Under Networking, click Virtual Cloud
Network.

2. In the left navigation pane, under List Scope, select the assigned compartment from the
drop-down menu.

3. Click Start VCN Wizard.

4. Select Create VCN with Internet Connectivity and click Start VCN Wizard.

5. On the Configuration page, enter the following:

a. Name: IAD-OP-LAB09-1-VCN-01

b. Compartment: Select the <compartment name> assigned to you.

Note: Leave all the other options in their default setting.

c. Click Next.

d. Verify the details on the Review and Create page.

6. Click Create to start creating the VCN and its resources.

7. Click View Virtual Cloud Network to verify the creation of the VCN and its resources.

You can now see that the VCN was successfully created and is in the Available state, with
the following components:

VCN, Public subnet, Private subnet, Internet gateway, NAT gateway, and Service gateway.



Create a Compute Instance

In this practice, you will provision a compute instance with the Vulnerability Scanning plugin
of the Oracle Cloud Agent enabled. The plugin is what lets the Scanning service run
agent-based checks (OS package vulnerabilities and CIS benchmarks) on the host; the port scan
does not need it.

Note: If you already created a compute instance in a previous practice and it is in your
compartment, you can skip this practice. Refer to steps 7 and 8 in this task to enable the
Vulnerability Scanning plugin on that instance.

Tasks

1. Open the navigation menu and click Compute. Under Compute, click Instances.

2. In the left navigation pane, under List Scope, select the assigned compartment from the
drop-down menu.

3. Click Create Instance. On the Create Instance dialog box, provide the following details:

a. Name: IAD-OP-LAB09-1-VM-01

b. Create in compartment: Select the <compartment name> assigned to you.

c. Placement: Select Availability Domain AD1

d. Note: If a service limit error is displayed, choose a different Availability Domain.

e. Image: Select the image Oracle Linux 8.

f. Shape: Click Change shape.

g. In the Browse all shapes dialog box:

1) Select the Ampere shape series.

2) Select VM.Standard.A1.Flex.

3) Keep 1 OCPU and 6 GB memory selected.

4) Click Select shape.

h. Networking: Pick your VCN IAD-OP-LAB09-1-VCN-01 and Public Subnet.

i. Public IP address – Assign a public IPv4 address.



j. Generate (or upload) SSH Keys:

1) Click Generate a key pair for me.

2) Click Save private key. This saves the private key to your local workstation. Keep it
private (on Linux or macOS, restrict it with chmod 600); it is the only credential for SSH
access to the instance, and the console cannot recover it later.

3) Click Save public key. This will save the public key to your local workstation.

4) Select the Upload public key (.pub) option button. Upload the recently
downloaded public key. Either drag the key to the Drop .pub files here window,
or click Browse, select the key and click Upload.

Note: Leave all the other options in their default setting.

4. Click Show Advanced Options.

5. On the Oracle Cloud Agent tab, select the Vulnerability Scanning check box.

6. Click Create.

Note: After a couple of minutes, you can see that the instance is successfully created, and
the state is Running.

7. On Instance details page, click the Oracle Cloud Agent tab.


8. In the plugin list, set the Enable Plugin switch for Vulnerability Scanning to Enabled if
it is not already enabled.

It can take 5-10 minutes for the agent to pick up the change. Once it has, the Vulnerability
Scanning plugin shows the status Running. If it stays Stopped, check that the Oracle Cloud
Agent itself is running on the instance and that the instance can reach OCI services (the VCN
wizard's service gateway and NAT gateway provide this for the lab subnets).



Create Scan Recipe
In this practice, you will use Oracle Cloud Infrastructure Vulnerability Scanning Service to
create and manage recipes that scan target compute instances (hosts) for potential security
vulnerabilities.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning, click Scan
Recipes.

2. In the left navigation pane, under List Scope, select your assigned compartment from
the drop-down menu.

3. Click the Hosts tab, and then click Create.

4. On the Create scan recipe dialog box, enter the following:

a. Type: Select Compute.

b. Name: IAD-OP-LAB09-1-CSC-01

c. Create in compartment: Select the <compartment name> assigned to you.

d. Public IP port scanning: Select Standard (Top 1000 ports).

e. Select the Agent based scanning check box.

f. Under Agent based scanning, configure CIS benchmark scanning:

1) CIS benchmark profile: Select Strict (more than 20% of the benchmarks failing is a
critical risk). Strict is the most demanding of the available profiles; it is a good default
for a lab, but on production fleets pick the profile that matches your hardening baseline so
the critical rating stays meaningful.

2) Deselect the Enable file scans check box.

g. Schedule: Select Daily.

5. Click Create scan recipe.

You will see that the scan recipe is successfully created, and the status is Active.



Create Vulnerability Scanning Target
In this practice, you will use Oracle Cloud Infrastructure Vulnerability Scanning Service to
create compute (host) targets and to assign them to compute scan recipes. A target is a
collection of instances that you want routinely scanned for security vulnerabilities.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.

2. In the left navigation pane, under List Scope, select your assigned compartment from
the drop-down menu.

3. Click the Hosts tab, and then click Create.

4. In the Create target dialog box, enter the following:

a. Type: Select Compute.

b. Name: IAD-OP-LAB09-1-CTRG-01

c. Create in compartment: Select the <compartment name> assigned to you.

d. Description: Add meaningful description.

e. Scan recipe in: Select IAD-OP-LAB09-1-CSC-01.

Note: If the scan recipe is not listed, click Change compartment and select your assigned
compartment to locate it.

f. Target compartment: Select the <compartment name> assigned to you.

g. Under Targets:

1) Choose Selected compute instances in the selected target compartment.

2) Targets: Select IAD-OP-LAB09-1-VM-01 instance as target.

5. Click Create target.

You will see that the target is successfully created, and the status is Active.

The Scanning service can take 10-15 minutes to complete the first scan of your compute
instance for vulnerabilities and open ports, according to the parameters and schedule
configured in the scan recipe. The host must show the Vulnerability Scanning plugin as
Running for the agent-based results (vulnerabilities and CIS benchmarks) to appear.



View Scan result
In this practice, you will view and explore security vulnerabilities discovered in your compute
instance, such as open ports, critical OS patches, and failed benchmark tests.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning, click Scanning
Reports.

2. In the left navigation pane, under List Scope, select your assigned compartment from
the drop-down menu.

3. Click the Hosts tab.

4. Locate the Risk level filter drop-down menu. Select All.

5. Locate the Scan start date and Scan end date filter drop-down menus.

By default, only the most recent scan reports are displayed. To view older reports, choose
specific start and end dates.

6. Locate the Reset button. Click Reset at any time to set the risk level and date ranges back
to the default values.

7. (Optional) Click the table column headers to sort the host scans by:

• Risk level
• Issues found
• Scan completed

8. To view a compute scan report, click the name of the compute instance.

Example: IAD-OP-LAB09-1-VM-01

A host scan includes metrics, open ports, vulnerabilities, and benchmarks for a selected
Compute instance.

9. In the left navigation pane, under Resources, click Metrics if not already selected.

a. In Host scan information tab, locate the number of CIS benchmarks passed.



b. The Vulnerabilities panel shows the number of security vulnerabilities of each risk
level that were detected during the most recent scan of the selected compute
instance.

10. In the left navigation pane, under Resources, click Open ports.

a. The first panel shows the number of open ports that are detected on each Virtual
Network Interface Card (VNIC) in the selected compute instance.

b. The second panel shows the specific port numbers that were detected in this
compute instance.

11. In the left navigation pane, under Resources, click Vulnerabilities.

12. The following details are shown for each issue that was detected in the selected compute
instance:
• CVE ID
• Risk level
• CVE description
• Last detected
• First detected
• Cause and remediation

Click any View detail button in the Cause and remediation column to get more
information on how to address this vulnerability.

13. In the left navigation pane, under Resources, click CIS benchmarks.

14. The following details are shown for each CIS benchmark the Scanning service tested on
the selected compute instance:
• Benchmark ID
• Result - Pass or Fail
• Summary
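The recipe's Strict CIS profile (more than 20% of benchmarks failing is a critical risk) and the report views above amount to a simple scoring rule for a host. The following Python script, an added example and not code from Oracle or this lab, applies that rule to a constructed host scan report shaped like the data the report pages show: vulnerabilities by risk level, CIS benchmark pass/fail results, and open ports per VNIC. The instance name and CVE-2022-40674 come from the lab; every risk level, benchmark ID, port and date is made up, the Medium and Lightweight thresholds are the other two profile choices as recalled from the recipe dialog (treat them as assumptions), and the expected-open-ports baseline (SSH only) is a choice you would adapt to your own hosts.

```python
"""Score a host scan report with the lab's recipe settings (added example, not
Oracle's code). All sample data below is constructed."""

from collections import Counter
from dataclasses import dataclass

# Risk levels as the report pages group them, highest first (assumed ordering).
RISK_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "MINOR")

# Percentage of failing CIS benchmarks above which a profile rates the host
# critical. STRICT is stated in the lab; MEDIUM and LIGHTWEIGHT are the other
# two profile choices as recalled from the recipe dialog (assumption).
CIS_PROFILE_THRESHOLDS = {"STRICT": 20.0, "MEDIUM": 40.0, "LIGHTWEIGHT": 60.0}

# Ports you intend to expose on a public-subnet host (assumption: SSH only).
EXPECTED_OPEN_PORTS = frozenset({22})


@dataclass
class HostScanReport:
    instance_name: str
    vulnerabilities: list   # dicts: cve_id, risk_level, first_detected, last_detected
    cis_benchmarks: list    # dicts: benchmark_id, result ("Pass"/"Fail"), summary
    open_ports: dict        # VNIC name -> set of open TCP ports from the port scan


def vulnerability_counts(report):
    """Number of findings per risk level, as in the Vulnerabilities panel."""
    found = Counter(v["risk_level"].upper() for v in report.vulnerabilities)
    return {level: found.get(level, 0) for level in RISK_ORDER}


def worst_vulnerability_level(report):
    """Highest risk level with at least one finding, or None if the host is clean."""
    counts = vulnerability_counts(report)
    return next((level for level in RISK_ORDER if counts[level]), None)


def cis_failure_percent(report):
    """Share of tested CIS benchmarks that failed; 0.0 when nothing was tested."""
    total = len(report.cis_benchmarks)
    if total == 0:
        return 0.0
    failed = sum(1 for b in report.cis_benchmarks if b["result"].lower() == "fail")
    return 100.0 * failed / total


def cis_exceeds_profile(report, profile="STRICT"):
    """True when the failing share is strictly above the profile's threshold,
    i.e. the condition the recipe dialog describes as a critical risk."""
    return cis_failure_percent(report) > CIS_PROFILE_THRESHOLDS[profile.upper()]


def unexpected_open_ports(report, expected=EXPECTED_OPEN_PORTS):
    """Per VNIC, the open ports outside your baseline; check these against the
    subnet's security list before anything else."""
    return {vnic: sorted(ports - expected)
            for vnic, ports in report.open_ports.items() if ports - expected}


def summarize(report, profile="STRICT"):
    """Triage verdict plus the numbers behind it."""
    worst = worst_vulnerability_level(report)
    over_profile = cis_exceeds_profile(report, profile)
    extra_ports = unexpected_open_ports(report)
    return {
        "instance": report.instance_name,
        "worst_vulnerability_level": worst,
        "vulnerability_counts": vulnerability_counts(report),
        "cis_failure_percent": round(cis_failure_percent(report), 1),
        "cis_profile": profile.upper(),
        "cis_exceeds_profile": over_profile,
        "unexpected_open_ports": extra_ports,
        "needs_attention": worst in ("CRITICAL", "HIGH") or over_profile or bool(extra_ports),
    }


# Constructed sample: the lab's instance name and the CVE the lab shows as an
# example; every risk level, date, benchmark result and port below is made up.
SAMPLE_REPORT = HostScanReport(
    instance_name="IAD-OP-LAB09-1-VM-01",
    vulnerabilities=[
        {"cve_id": "CVE-2022-40674", "risk_level": "HIGH",
         "first_detected": "2023-05-30", "last_detected": "2023-06-01"},
        {"cve_id": "CVE-EXAMPLE-0001", "risk_level": "CRITICAL",
         "first_detected": "2023-06-01", "last_detected": "2023-06-01"},
        {"cve_id": "CVE-EXAMPLE-0002", "risk_level": "MEDIUM",
         "first_detected": "2023-05-28", "last_detected": "2023-06-01"},
        {"cve_id": "CVE-EXAMPLE-0003", "risk_level": "MEDIUM",
         "first_detected": "2023-05-28", "last_detected": "2023-06-01"},
        {"cve_id": "CVE-EXAMPLE-0004", "risk_level": "LOW",
         "first_detected": "2023-05-28", "last_detected": "2023-06-01"},
    ],
    # Ten benchmarks with three failures: 30% failing, above the Strict 20%
    # line but below the Medium 40% line.
    cis_benchmarks=[
        {"benchmark_id": f"bench-{i:02d}",
         "result": "Fail" if i in (2, 5, 8) else "Pass",
         "summary": "constructed benchmark"} for i in range(1, 11)
    ],
    open_ports={"vnic-primary": {22, 80}, "vnic-secondary": {22}},
)

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Note that the threshold test is strictly greater than: a host with exactly 20% of benchmarks failing is not rated critical under Strict, so a fleet hovering at the boundary will flip in and out of the critical state between scans as individual benchmarks change.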



View Vulnerability Reports
In this practice, you will view and explore Vulnerability Reports, accessing information about
specific vulnerabilities that were detected in compute instance targets.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning, click
Vulnerability Reports.

2. In the left navigation pane, under List Scope, select your assigned compartment from
the drop-down menu.

3. In the left navigation pane, under Filters, set Risk level to All.

4. Click the Risk level column header to sort by risk level.

5. To view a description of a specific vulnerability, click Show in the CVE description column.

6. To view details about a specific vulnerability, click a reported CVE ID.

Example: CVE-2022-40674 under CVE ID column.

This will show a vulnerability report for the selected CVE, which includes details about the
affected resources and CVE information.

7. On the Vulnerabilities report page, under Vulnerability information tab, click the CVE ID
link.

This opens the entry for that CVE in the external CVE database the report links to, with
more information about the vulnerability.

8. In the left navigation pane, under Resources, select Hosts to view a list of compute
instance that are affected by the selected vulnerability.



Configure Cloud Guard
In this practice, you will configure and use Cloud Guard to monitor security problems detected
in Vulnerability Scanning.

Note: Cloud Guard's Vulnerability Scanning detector rules work from the reports that the
Scanning service produces, and the Scanning service only produces reports once at least one
Scanning target exists. Complete the earlier practices before configuring Cloud Guard.

Tasks

1. Open the navigation menu and click Identity & Security. Under Identity & Security, click
Cloud Guard.

2. In the left navigation pane, under Scope, select the root compartment (<Tenancy Name>
(root)) from the drop-down menu.

3. In the left navigation pane, under Cloud Guard, click Detector Recipes.

4. Click OCI Configuration Detector Recipe (Oracle managed).

View the detector rules that are included in this recipe.

5. Under Detector Rules, in the Filter by detector rule field, enter scan.

a. Verify that the following Vulnerability Scanning rules are enabled:

• Scanned container image has vulnerabilities
• Scanned host has vulnerabilities
• Scanned host has open ports

6. In the left navigation pane, under Cloud Guard, click Targets.

Note: If a target already covers your compartment, delete it first. A compartment can be
monitored by only one Cloud Guard target, so creating a second one for the same compartment
fails.

7. Click Create New Target.

8. Enter the following:

a. Target Name: IAD-OP-LAB09-1-CG-01

b. Description: Enter a meaningful description.

c. Compartment: Select the <compartment name> assigned to you.



d. Configuration detector recipe: OCI Configuration Detector Recipe (Oracle managed)

e. Threat detector recipe: OCI Threat Detector Recipe (Oracle managed)

f. Activity detector recipe: OCI Activity Detector Recipe (Oracle managed)

g. Responder recipe: OCI Responder Recipe (Oracle managed)

9. Click Create to create target.

The detail page for the new target will be displayed.



View Vulnerability Scanning Problem in Cloud Guard
In this practice, you will view and explore Cloud Guard reported security problems identified
through vulnerability scanning.

Note: As in the previous practice, Cloud Guard can only report Vulnerability Scanning
problems after the Scanning service has produced at least one report for a Scanning target.

Tasks

1. Open the navigation menu and click Identity & Security. Under Identity & Security, click
Cloud Guard.

2. In the left navigation pane, under List Scope, select the assigned compartment from the
drop-down menu.

3. In the left navigation pane, under Cloud Guard, click Problems.

4. View the list of problems Cloud Guard has identified with the resources in your assigned
compartment based on your previous practices. The Problems page displays information
about each problem, including:

• Problem Name
• Risk Level
• Detector Type
• Resource affected
• Target
• Region
• Labels
• First Detected
• Last Detected

5. To show only Vulnerability Scanning problems, set Filters to:

Example: Labels = VSS (case-sensitive)

6. Click the name of a Vulnerability Scanning problem to view its details.

Example:

• Scanned host has vulnerabilities
• Scanned host has open ports



Note: If no Vulnerability Scanning problems are displayed in Cloud Guard, consider the
following scenarios.

• The Vulnerability Scanning service has not created any reports yet. The scan schedule
(daily or weekly) is configured in the scan recipe, and the first scan can take 10-15
minutes after the target is created.
• You recently enabled Cloud Guard or the Vulnerability Scanning detector rules, and
Cloud Guard has not run them yet.
• The Cloud Guard target does not cover the compartment that holds the scanned instance.

7. Take the necessary steps to eliminate the detected vulnerability (apply the missing OS
patches, close ports that do not need to be reachable, fix the failing benchmarks), confirm
on the next scan report that the finding is gone, and then mark the problem as resolved.
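To work the Problems list outside the console, the following Python helper, an added example and not Oracle's code, applies the same filter the lab uses (Labels = VSS, which is case-sensitive, so a record labelled "vss" is not matched), orders what remains by risk level, groups it by detector rule name, and picks out open problems that the newest scan did not re-detect as candidates to verify and mark resolved. The record layout (resource_name, detector_rule, risk_level, labels, lifecycle_detail, time_last_detected) is a simplified assumption modelled on the Problems page columns, the sample records are constructed, and the staleness check assumes Cloud Guard refreshes Last Detected each time the detector still finds the issue.

```python
"""Triage Cloud Guard problems raised by Vulnerability Scanning (added example,
not Oracle's code). All sample records below are constructed."""

from datetime import datetime, timedelta, timezone

VSS_LABEL = "VSS"  # the Labels value the lab filters on; the match is case-sensitive
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "MINOR": 4}


def vss_problems(problems):
    """Open problems carrying exactly the VSS label, highest risk first."""
    selected = [p for p in problems
                if VSS_LABEL in p["labels"] and p["lifecycle_detail"] == "OPEN"]
    return sorted(selected, key=lambda p: (RISK_ORDER.get(p["risk_level"], len(RISK_ORDER)),
                                           p["resource_name"]))


def by_detector_rule(problems):
    """Affected resource names grouped under each detector rule name."""
    groups = {}
    for p in vss_problems(problems):
        groups.setdefault(p["detector_rule"], []).append(p["resource_name"])
    return groups


def resolution_candidates(problems, latest_scan_completed):
    """Open VSS problems that the newest scan did not re-detect. The finding has
    dropped out of the scan report, so verify the fix on the host and then mark
    the problem resolved. Assumption: Cloud Guard re-stamps time_last_detected on
    every detector run that still sees the issue."""
    return [p for p in vss_problems(problems)
            if p["time_last_detected"] < latest_scan_completed]


# Constructed sample records (field names are a simplified assumption).
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
LATEST_SCAN_COMPLETED = NOW - timedelta(hours=2)


def _problem(resource, rule, risk, labels, state, last_detected_ago):
    return {"resource_name": resource, "detector_rule": rule, "risk_level": risk,
            "labels": labels, "lifecycle_detail": state,
            "time_last_detected": NOW - last_detected_ago}


SAMPLE_PROBLEMS = [
    # Not seen by the latest scan: candidate to verify and resolve.
    _problem("IAD-OP-LAB09-1-VM-01", "Scanned host has open ports", "MEDIUM",
             ["VSS"], "OPEN", timedelta(days=2)),
    _problem("IAD-OP-LAB09-1-VM-01", "Scanned host has vulnerabilities", "HIGH",
             ["VSS"], "OPEN", timedelta(hours=1)),
    # Lower-case label: the case-sensitive filter must not match it.
    _problem("lab-vm-02", "Scanned host has vulnerabilities", "CRITICAL",
             ["vss"], "OPEN", timedelta(hours=1)),
    # Already resolved: excluded.
    _problem("lab-vm-03", "Scanned host has open ports", "LOW",
             ["VSS"], "RESOLVED", timedelta(days=5)),
    # Unrelated configuration finding with a different label.
    _problem("lab-bucket", "Bucket is public", "CRITICAL",
             ["ObjectStorage"], "OPEN", timedelta(hours=1)),
]

if __name__ == "__main__":
    for p in vss_problems(SAMPLE_PROBLEMS):
        print(f'{p["risk_level"]:8} {p["resource_name"]:24} {p["detector_rule"]}')
    print("grouped:", by_detector_rule(SAMPLE_PROBLEMS))
    print("resolution candidates:",
          [p["detector_rule"] for p in resolution_candidates(SAMPLE_PROBLEMS, LATEST_SCAN_COMPLETED)])
```

The case-sensitivity point is the one that bites in practice: a saved filter or script written as "vss" silently returns nothing, which looks the same as the "no reports yet" scenario in the note above.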


