Vulnerability Scanning
A vulnerability scan in Oracle Cloud is used to improve your instance security by scanning your infrastructure for potentially exploitable points. Scanning for vulnerabilities allows security administrators to identify and diagnose vulnerable resources through detailed, metrics-driven reports. These reports are crucial for secure development and operation of an environment, as they not only directly pinpoint misconfigured gaps, but also describe potential approaches bad actors may use for infiltration.
In this post, I will be walking through setting up a scan recipe in OCI, assigning the recipe to a compartment of resources, and scanning the resources for vulnerabilities. I will also set up an identity domain, instance, group, and VCN as additional infrastructure for this demo. For reference, an instance in OCI is a cloud virtual machine that can be used to meet application and compute requirements. A group holds user privileges, and a VCN is a virtual cloud network that allows users to control and configure their cloud infrastructure within it. Now I will begin with developing and deploying the vulnerability scan in Oracle Cloud.
Step 1: Configure Group and Policies
To start setting up the scan, I first need a user and a set of policies for that user. I have chosen my root user for this demo, although that is not recommended when following proper infrastructure development guidelines. I then need to create a group, so that I can assign policies to the group and place the user within it. However, before doing this I must create an identity domain to house the resources I am using in this demo. To do this, I first ensure that I am in my root compartment, then I navigate to “Domains” and create a new domain called vss-demo-domain.
Now that the domain is created, I need to make a group within the domain. In this scenario, I am creating a group called security-team and adding my root user into it by clicking into the domain and selecting groups. This group is representative of actual security team policies in an organization, so the same technique can be applied to larger scale applications.
After putting my user into the security group, I can create IAM policies for the group to implement the principle of least privilege, which permits every user in the group access to only the minimum resources they need. I will now create a policy called security-policies to grant the following permissions:
- allow group security-team to manage vss-family in tenancy
- allow service vulnerability-scanning-service to read compartments in tenancy
- allow service vulnerability-scanning-service to manage instances in tenancy
- allow service vulnerability-scanning-service to read vnics in tenancy
- allow service vulnerability-scanning-service to read vnic-attachments in tenancy
These are the policies listed by Oracle on their website for a simple vulnerability scanning setup. By allowing the security team to manage vss-family, the team can configure and access scans. The remaining four policies allow the scanning service in OCI to access the resources we may create and to generate reports based on its findings. Once the policies for the group are set up, we can move on to creating the actual scan recipes.
Step 2: Generate Scan Recipe and Target
Scan recipes are intended to declare what type/amount of scans are being performed and what issues are being scanned. In this demo, I am creating a scan that needs to be executed every day and has a requirement where if more than 20% of the benchmarks fail, the issue is considered “Critical Risk”. I do this by opening the scan recipe tab and enabling a Strict CIS Benchmark Profile, followed by a daily schedule. I will then create the recipe and prepare to assign it to a target.
A scan recipe is useless without a scan target. I think of it as creating a custom basketball video game character. I can customize the character to have flawless shooting technique, great situational awareness, and even top-notch shot range, but none of this would matter if the player was unaware of where to shoot. This character needs to know that the basketball hoop is the “target” to shoot at, so that the player’s custom “recipe” can actually be used. This same concept applies to scan recipe and scan target development, where the scan recipe needs to be given a target to apply itself to.
The target in this demo will be all of the compute instances in our intended compartment. This enables us to have scanning access across all potential applications within our demo compartment. This is done by clicking into scan target and creating a new target called target-scan that is the destination for scan-recipe. I am making sure to select the proper compartment as well.
Step 3: Set Up Instance and VCN
Now that my recipe and target have been declared, I need to create a VCN to house my instance. The instance serves the purpose of simulating an application environment, like a virtual machine, that has potentially exploitable entities. The VCN is a logical grouping that contains the instance, so that the compute is running in a given location. I generate a VCN with a default route table for VSS, and its DNS resolver is vulnerability-scan.
I will now create an instance and prepare to view my scan results on that instance. To create an instance, I simply go to the instance tab and create a demo instance. Within my instance, I can view its metrics, log data, and other console history as well. The metrics tab gives me a good overview of the health, capacity, and performance of this instance. Once the instance is set up, it is essential to ensure that the vulnerability scanning plug-in is present in the listed Oracle Cloud Agents. Once the status is set to “running”, I will move on to verifying the results.
Now that the scan and destination are set up, I can check my scan results for metrics and packages with errors.
Step 4: Evaluate Vulnerability Scan Metrics
Once I have navigated to the scanning tab in Oracle Cloud, I can browse through “Vulnerability Reports” and “Scanning Reports” to view my scan results. Note that the “Targets” and “Scan Recipes” pages allow for editing of the scan target or setup. After clicking into “Scanning Reports”, I will further click into vss-demo to see the metrics of my scan. In this case, the scan has a critical risk level and 116 total vulnerabilities.
A more commonly used resource is the “Vulnerabilities” page, as it lists all vulnerability CVE numbers with risk levels added. The typical use case for these is package patching, where each vulnerability corresponds to a package with a known weakness that needs to be updated. The security team can look at the list of vulnerabilities and triage them by categorizing the risk level and creating tickets for developers to fix.
It is important to note that the “Vulnerability Reports” tab presents this same report, with all the vulnerabilities listed out. The vulnerability report has now been successfully generated, with lots of metrics and data to analyze.
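The two rules described above, the Strict CIS profile rating from Step 2 (more than 20% of benchmarks failing is rated Critical) and the per-package ticket triage from Step 4, as an added example that is not part of the original post or of the OCI service. The benchmark results, CVE identifiers (placeholders, not real CVEs) and package names are constructed sample data; the label used below the threshold is my own, since the post only describes the Critical case.

```python
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}


def cis_risk_level(benchmarks, critical_fail_fraction=0.20):
    """Rate a CIS benchmark run the way the post describes the Strict profile:
    strictly more than 20% failed benchmarks -> "CRITICAL".
    benchmarks: list of (benchmark_id, passed) tuples.
    "BELOW_THRESHOLD" is an assumed label, not an OCI value."""
    if not benchmarks:
        return "NONE"
    failed = sum(1 for _, passed in benchmarks if not passed)
    return "CRITICAL" if failed / len(benchmarks) > critical_fail_fraction else "BELOW_THRESHOLD"


def triage(vulnerabilities):
    """Group CVE findings by package so one patch ticket covers every CVE in that
    package, carrying the worst severity seen; tickets are ordered worst-first.
    vulnerabilities: list of dicts with keys cve, package, severity, instance."""
    by_package = defaultdict(lambda: {"cves": set(), "instances": set(), "severity": "NONE"})
    for v in vulnerabilities:
        ticket = by_package[v["package"]]
        ticket["cves"].add(v["cve"])
        ticket["instances"].add(v["instance"])
        if SEVERITY_RANK[v["severity"]] > SEVERITY_RANK[ticket["severity"]]:
            ticket["severity"] = v["severity"]
    tickets = [{"package": pkg, **t} for pkg, t in by_package.items()]
    tickets.sort(key=lambda t: (-SEVERITY_RANK[t["severity"]], t["package"]))
    return tickets


# Constructed sample data: 2 of 5 benchmarks fail (40%), so the run rates Critical.
SAMPLE_BENCHMARKS = [("cis-1.1.1", True), ("cis-1.1.2", False), ("cis-1.1.3", True),
                     ("cis-1.1.4", False), ("cis-1.1.5", True)]

# Constructed findings with placeholder CVE ids (not real identifiers).
SAMPLE_VULNERABILITIES = [
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "severity": "HIGH", "instance": "demo-instance"},
    {"cve": "CVE-EXAMPLE-0002", "package": "openssl", "severity": "CRITICAL", "instance": "demo-instance"},
    {"cve": "CVE-EXAMPLE-0003", "package": "curl", "severity": "MEDIUM", "instance": "demo-instance"},
    {"cve": "CVE-EXAMPLE-0004", "package": "bash", "severity": "LOW", "instance": "demo-instance"},
]

if __name__ == "__main__":
    print("CIS risk level:", cis_risk_level(SAMPLE_BENCHMARKS))
    for t in triage(SAMPLE_VULNERABILITIES):
        print(t["severity"], t["package"], sorted(t["cves"]), sorted(t["instances"]))
```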
This concludes my first blog, a cloud project that demonstrates how to set up a vulnerability scan in Oracle Cloud. This demo was created in OCI but it can similarly be generated in any other cloud provider, from AWS to GCP to Azure. Each provider has similar services that can be synonymously used to generate similar results. I plan to continue using this blog platform to expand into AWS projects, so stay tuned for more cloud-based content!