Oracle Cloud Infrastructure (OCI) Vulnerability Scanning Service eliminates risk from new, unpatched vulnerabilities and open ports by assessing and monitoring cloud hosts. The service gives development teams the confidence to develop their code on hosts with the latest security patches and helps ensure a smooth transition to building production code. Used together with Oracle Cloud Guard, the service gives operations teams a unified view of all hosts so they can quickly remediate any open ports or patch unsafe packages discovered by Vulnerability Scanning Service.
OCI Vulnerability Scanning is a service that scans virtual machines (VMs) and bare metal (BM) machines created from the OCI base compute images. We also offer detectors in Oracle Cloud Guard that allow customers to fine-tune which findings should become problems in Oracle Cloud Guard.
Scanning is available within an OCI tenancy and can be accessed from the OCI security console. Here are the steps for enabling scanning for the first time:
OCI Vulnerability Scanning Service monitors compute instances for open ports and other potential vulnerabilities, such as vulnerable OS packages, failed CIS benchmark checks, and whether endpoint protection is in place and running.
Resources defined in a target are scanned on a daily or weekly basis as detailed in the target’s recipe.
OCI Vulnerability Scanning Service is offered at no cost for all paying customers. Customers can later choose the option of integrating with optional third-party scanning vendors to see findings in those platforms, as well as in OCI.
OCI Vulnerability Scanning Service is a regional service, but results are forwarded to the global Oracle Cloud Guard reporting region. This allows the customer to view the scanning reports in the local region while others can see findings from all regions in the central global Oracle Cloud Guard reporting view.
All commercial regions for the tenancy will be monitored as part of the OCI Vulnerability Scanning Service. For a list of currently supported regions, see Regions and Availability Domains.
Make sure that the correct region and compartment are selected when OCI Vulnerability Scanning Service is configured. Next, make sure that the target is pointing to the correct compartment containing the hosts. Finally, check that the OS on these hosts is currently supported: Oracle Linux, CentOS, Ubuntu, and Windows Server.
If use of the host agent is not permitted, the Vulnerability Scanning Service will still scan all public-facing IPs and report on the top 1000 or top 100 most common ports and how those ports are typically used.
This can happen when older kernel files remain on the file system. Our service inventories everything on these instances, finds that the older kernels are still present, and matches them to the older CVEs. You can remove the old kernel files if you want, or ignore these CVEs. Autonomous Linux applies patches to your systems in a timely manner, while OSMS (OS Management Service) provides the latest patches for you to install so your instances stay up to date.
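The check a host owner usually wants before deciding whether to remove or ignore such findings is a list of which installed kernel packages are not the running kernel. The following POSIX shell snippet is an added example, not Oracle's code or part of the scanning service; it works on constructed sample strings that stand in for the output of `uname -r` and `rpm -q kernel-uek` on an Oracle Linux host (the version numbers are illustrative), and the function names `stale_kernels` and `count_stale` are ours.

```shell
#!/bin/sh
# Added example: list installed kernel packages other than the running kernel.
# Vulnerability Scanning Service matches every kernel still on disk against
# CVEs, so these stale packages are the usual source of findings on a host
# that is already running a patched kernel.

# Constructed sample input (not real host data) standing in for
#   uname -r              -> SAMPLE_RUNNING
#   rpm -q kernel-uek     -> SAMPLE_INSTALLED
SAMPLE_RUNNING="5.15.0-100.96.32.el8uek.x86_64"
SAMPLE_INSTALLED="kernel-uek-5.15.0-8.91.4.1.el8uek.x86_64
kernel-uek-5.15.0-100.96.32.el8uek.x86_64
kernel-uek-5.4.17-2136.314.6.2.el8uek.x86_64"

# stale_kernels RUNNING_VERSION PACKAGE_NAME INSTALLED_LIST
# Prints one line per installed package whose version (package name prefix
# stripped) differs from the running kernel version.
stale_kernels() {
  running="$1"
  pkg="$2"
  list="$3"
  printf '%s\n' "$list" | while IFS= read -r p; do
    [ -n "$p" ] || continue
    ver="${p#${pkg}-}"            # "kernel-uek-5.15..." -> "5.15..."
    [ "$ver" = "$running" ] || printf '%s\n' "$p"
  done
}

# count_stale: same arguments; returns the number of stale packages, which is
# convenient as a threshold for a compliance check or alert.
count_stale() {
  stale_kernels "$@" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample. On a real Oracle Linux host,
# replace the sample values with:
#   stale_kernels "$(uname -r)" kernel-uek "$(rpm -q kernel-uek)"
echo "Running kernel: $SAMPLE_RUNNING"
echo "Stale kernel packages:"
stale_kernels "$SAMPLE_RUNNING" kernel-uek "$SAMPLE_INSTALLED"
echo "Count: $(count_stale "$SAMPLE_RUNNING" kernel-uek "$SAMPLE_INSTALLED")"
```

The packages it prints are candidates for removal with the distribution's package manager (for example `dnf remove` on Oracle Linux 8 for each listed package); once they are gone the scanner no longer sees the old kernel files and the corresponding CVE findings stop reappearing, which is a cleaner outcome than suppressing them in Cloud Guard.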
For more information about the OCI Vulnerability Scanning Service, please read the announcement.