Creating a Compute Target
Create a Compute (host) scan target.
At least one Compute scan recipe must be in the tenancy before creating a target. See Compute Scan Recipes.
If the Compute scan recipe is configured for Agent Based Scanning, you must give the Vulnerability Scanning service permission to deploy the agent before creating a target. See Required IAM Policy for Compute Scanning Recipes.
A Compute instance is associated with a virtual cloud network (VCN) and a subnet. If an instance in the target is on a private subnet or has no public IP address, the VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.
To create a Compute target, complete the following steps:
- Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
- Select the compartment in which you want to create the target.
  The Compute instances that you assign to this target can be in a different compartment than the target.
- Click the Hosts tab if not already selected.
- Click Create.
- Verify that the recipe type is Compute.
- Enter a name and description for the target.
  Avoid entering confidential information.
- Select a scan recipe for the target.
- Select the target compartment that contains the Compute instances that you want to scan.
- Choose the instances for this target.
  - All compute instances in the selected target compartment and its subcompartments
  - Selected compute instances in the selected target compartment: Select individual Compute instances.
  You can't create a target with a compartment or an instance that's already specified in another target. However, multiple targets can scan the same instance.
  Note: Cloud Guard targets are separate resources from Vulnerability Scanning targets. To use Cloud Guard to detect problems in Vulnerability Scanning reports, the Vulnerability Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.
- Click Show advanced options to assign tags to the target.
  If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.
  To add a defined tag, you must have permissions to use the tag namespace.
  For more information about tagging, see Resource Tags. If you're not sure if you should add tags, skip this option or ask your administrator. You can add tags later.
- Save the target by using one of the following methods:
  - Click Create target to create the recipe in Vulnerability Scanning.
  - Click Save as stack to manage the stack through the Resource Manager service. On the Save as stack window, complete the fields, and then click Save. For more information about stacks, see Managing Stacks.
After you create a target, Vulnerability Scanning checks the instances for security vulnerabilities and open ports based on the parameters and schedule that are configured in the recipe. You can view the results of these scans in the following reports:
You can also use Cloud Guard to view the results of the scans. See Scanning with Cloud Guard.
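A pre-creation check for the target overlap rule and the Cloud Guard compartment requirement described in the steps above, as an added example that is not Oracle's code. The `Target` class, compartment names, and instance names are constructed placeholders. The example assumes that "target compartment" means the compartment whose instances are scanned, and that the existing targets and the compartment hierarchy have already been exported into these structures.

```python
from dataclasses import dataclass, field

@dataclass
class Target:
    name: str
    target_compartment: str
    instance_ids: list = field(default_factory=list)  # empty = all instances in compartment

def in_subtree(compartment, root, parent_of):
    """True if compartment is root or a descendant of root."""
    seen = set()
    while compartment is not None and compartment not in seen:
        if compartment == root:
            return True
        seen.add(compartment)
        compartment = parent_of.get(compartment)
    return False

def preflight(planned, existing, parent_of, cloud_guard_root=None):
    """Return a list of problems; an empty list means the plan passes these checks."""
    problems = []
    for other in existing:
        # Same compartment specified compartment-wide in two targets.
        if (not planned.instance_ids and not other.instance_ids
                and planned.target_compartment == other.target_compartment):
            problems.append(f"compartment already specified in target {other.name}")
        # Same instance explicitly listed in two targets.
        dup = sorted(set(planned.instance_ids) & set(other.instance_ids))
        if dup:
            problems.append(f"instances already specified in target {other.name}: {dup}")
    if cloud_guard_root and not in_subtree(planned.target_compartment, cloud_guard_root, parent_of):
        problems.append("target compartment is outside the Cloud Guard target compartment")
    return problems

# Constructed sample data (placeholder identifiers, not real OCIDs).
PARENT_OF = {"root": None, "prod": "root", "prod-web": "prod", "dev": "root"}
EXISTING = [
    Target("all-prod", "prod"),
    Target("web-pair", "prod-web", ["inst-a", "inst-b"]),
]

if __name__ == "__main__":
    for plan in (Target("dup-prod", "prod"),
                 Target("one-web", "prod-web", ["inst-b", "inst-c"]),
                 Target("dev-all", "dev")):
        print(plan.name, preflight(plan, EXISTING, PARENT_OF, cloud_guard_root="prod") or "ok")
```

A plan that lists only `inst-c` in `prod-web` passes even though `all-prod` already covers that compartment tree, which matches the statement that multiple targets can scan the same instance.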
Use the oci vulnerability-scanning host scan target create command and required parameters to create a new compute (host) target:
oci vulnerability-scanning host scan target create --display-name <name> --description "<description>" --compartment-id <create_in_compartment_ocid> --host-scan-recipe-id <recipe_ocid> --target-compartment-id <target_compartment_ocid> --instance-ids <compute_instance_ocids>
For example, to scan all Compute instances in a compartment:
oci vulnerability-scanning host scan target create --display-name MyTarget --description "All instances in compartment ABC" --compartment-id ocid1.compartment.oc1..exampleuniqueID1 --host-scan-recipe-id ocid1.vsshostscanrecipe.oc1..exampleuniqueID --target-compartment-id ocid1.compartment.oc1..exampleuniqueID2
For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
Run the CreateHostScanTarget operation to create a new compute (host) target.