Troubleshooting the Vulnerability Scanning service
Use troubleshooting information to identify and address common issues that can occur while working with Oracle Cloud Infrastructure Vulnerability Scanning Service.
Can’t Create Scan Recipes or Scan Targets
Fix problems that prevent you from creating scan recipes or scan targets for compute (host) or image scans.
To create a Vulnerability Scanning recipe or Vulnerability Scanning target, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
Use the following documentation to verify that you have the required policies for creating compute and image scan recipes and targets.
Fix general problems that prevent you from seeing any type of Vulnerability Scanning report.
Target Was Created Less Than 24 Hours Ago
After you create a target, the Vulnerability Scanning service doesn’t immediately scan the specified target resources.
After creating a target that's associated with your recipe, it can take up to 24 hours for the Vulnerability Scanning service to perform the first scan of the target resources. For Compute targets, this delay occurs if you configured your recipe with a Daily schedule or a Weekly schedule.
Wait 24 hours and then check for scan results.
Missing IAM Policy
To view any type of Vulnerability Scanning report, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
For example, to allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps:
Allow group SecurityAuditors to read vss-family in compartment SalesApps
Within the Console, be sure to choose the Compartment that contains the Vulnerability Scanning results for the targets that you want to view.
The Vulnerability Scanning service saves the results for a Compute instance in the same compartment as the instance's Vulnerability Scanning target.
Consider the following example.
The Compute instance MyInstance is in CompartmentA.
MyInstance is specified in Target1.
Target1 is in CompartmentB.
All reports related to MyInstance are in CompartmentB.
The Vulnerability Scanning service saves the results for an image repository in the same compartment as the repository's Vulnerability Scanning target.
Consider the following example.
The repository MyRepo in Container Registry is in CompartmentA.
MyRepo is specified in Target1.
Target1 is in CompartmentB.
All reports related to MyRepo are in CompartmentB.
In the Console, go to Scanning Reports and ensure that the correct compartment is selected. See Scanning Reports.
All Features in the Recipe Are Disabled
If you created a recipe in the Vulnerability Scanning service, but you disabled all scanning options in the recipe, then the Vulnerability Scanning service doesn't scan any targets assigned to this recipe.
In the Console, go to the recipe and enable the necessary scanning options. See:
To create host scans, the Vulnerability Scanning service uses the Oracle Cloud Agent, which runs on the target Compute instances. By default, Agent Based Scanning is enabled in a recipe. If you disabled this option in your recipe, then the Vulnerability Scanning service doesn’t create host scans for the targets that are associated with your recipe.
The Oracle Cloud Agent process manages plugins running on the Compute instance. The Vulnerability Scanning plugin is used to detect vulnerabilities and to test CIS benchmarks. By default, the Vulnerability Scanning plugin is enabled on all instances running the agent, but the plugin can be disabled.
If you manually disabled the Vulnerability Scanning plugin on the target Compute instances, you must enable it.
Enable the Vulnerability Scanning plugin on the target Compute instances. See Oracle Cloud Agent.
Missing IAM Policy to Deploy the Agent
If the target Compute instances aren’t running the Oracle Cloud Agent, the Vulnerability Scanning service automatically deploys the agent to the instances. However, an administrator must give the Vulnerability Scanning service permission to update your target Compute instances.
Missing Service Gateway for Instances with No Public IP Address
A Compute instance is associated with a virtual cloud network (VCN) and a subnet. If an instance in the target is on a private subnet or has no public IP address, the VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.
If the VCN or service gateway isn’t configured correctly, the Vulnerability Scanning service isn’t able to communicate with Compute instances on the private subnet and perform a host scan.
Configure the service gateway to allow traffic for all supported services in the region. For example, All PHX Services in Oracle Services Network is a service CIDR label that represents all supported services in the Oracle Services Network in the US West (Phoenix) region.
Note
The service gateway can't be configured to allow traffic for a single service only, such as Object Storage.
Traffic Forwarding Is Disabled on an Instance with No Public IP Address
A VNIC enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN. If a Compute instance in your target is on a private subnet or has no public IP address, the instance's VNICs must be able to forward traffic.
If the VNICs aren’t configured correctly, the Vulnerability Scanning service isn’t able to communicate with a Compute instance on a private subnet and perform a host scan.
Edit the instance's VNICs and select the option Skip source/destination check. See Update an Existing VNIC.
No Container Image Scans
Fix problems that prevent you from seeing the results of container image scans.
Fix problems that prevent you from exporting scan reports or vulnerability reports to your local machine.
Missing IAM Policies
To export a Vulnerability Scanning report, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
For example, to allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps and to export the results:
Allow group SecurityAuditors to read vss-family in compartment SalesApps
Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps where request.operation = 'ExportHostAgentScanResultCsv'
Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps where request.operation = 'ExportHostVulnerabilityCsv'
Note
The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.
Delete Compartment Failed
Fix problems that prevent you from deleting a compartment that you used for Vulnerability Scanning targets and reports.
Reports Exist in the Compartment
A compartment must be empty before you can delete it, including all scan reports. You can't delete reports using the Console. Use the CLI or API.
There are separate CLI commands and API operations for each report type. For example:
To quickly delete all types of reports from a compartment, you can run a script using Cloud Shell.
Copy and paste this text into a file on your local computer.
import oci
import sys

compartment = "<compartment_ocid>"

# Named list_scans rather than list so the Python built-in is not shadowed
def list_scans(list_func, compartment):
    try:
        scans = oci.pagination.list_call_get_all_results(
            list_func,
            compartment
        ).data
        return scans
    except Exception as e:
        raise RuntimeError("Error listing scans in compartment " + compartment + ": " + str(e.args))

def delete_scans(delete_func, scans):
    for s in scans:
        try:
            delete_func(s.id)
        except Exception as e:
            # Each scan is an SDK model object, so its OCID is s.id (not s["id"])
            raise RuntimeError("Error deleting scan " + s.id + ": " + str(e.args))

config = oci.config.from_file()

# Quick safety check
print("Using compartment " + compartment)
if input("Do you want to delete all scan results (host, port, CIS, container) in this compartment? [y/N]: ") != "y":
    sys.exit()

# Create the client from the config
client = oci.vulnerability_scanning.VulnerabilityScanningClient(config)

# Host agent scans
print("Listing agent scans to delete...")
host_scans = list_scans(client.list_host_agent_scan_results, compartment)
print("Deleting " + str(len(host_scans)) + " host scans")
delete_scans(client.delete_host_agent_scan_result, host_scans)

# Host port scans
print("Listing port scans to delete...")
port_scans = list_scans(client.list_host_port_scan_results, compartment)
print("Deleting " + str(len(port_scans)) + " port scans")
delete_scans(client.delete_host_port_scan_result, port_scans)

# Host CIS benchmarks
print("Listing CIS scans to delete...")
cis_benchmarks = list_scans(client.list_host_cis_benchmark_scan_results, compartment)
print("Deleting " + str(len(cis_benchmarks)) + " CIS scans")
delete_scans(client.delete_host_cis_benchmark_scan_result, cis_benchmarks)

# Container scans
print("Listing container image scans to delete...")
container_scans = list_scans(client.list_container_scan_results, compartment)
print("Deleting " + str(len(container_scans)) + " container image scans")
delete_scans(client.delete_container_scan_result, container_scans)
Replace <compartment_ocid> with the OCID of the compartment that you want to delete.
Save the file as delete-reports.py.
From the Console header, select the region that contains the reports you want to delete.
From the Console header, click the Cloud Shell icon.
The Cloud Shell displays at the bottom of the Console. Wait for the prompt $ to display.
Drag and drop delete-reports.py from your local machine onto Cloud Shell.
From the Cloud Shell prompt, run the Python script.
python3 delete-reports.py
When prompted to delete all reports, enter y.
You can now delete the compartment if there are no other resources in it.
Reported CVE Is Already Fixed in Host (False Positive)
Fix problems that cause host scans to report vulnerabilities that were already fixed.
Oracle uses common vulnerabilities and exposures (CVE) numbers to identify security vulnerabilities for operating systems and other software, including critical patch updates and security alert advisories. CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities. You can also view Qualys IDs (QIDs) in the Vulnerability Scanning service user interface.
During a host scan, the Vulnerability Scanning service compares the version of OS packages on the host with the fixed version of the packages in the open source CVE database.
If you're using the OS Management service to update the target hosts, then the following scenario often indicates a false positive:
The Vulnerability Scanning service report says that a specific CVE number isn’t fixed in a target host.
The OS Management service says that there are no security updates to install on the same target host.
CVE Database Inaccuracies
Oracle Cloud Infrastructure Vulnerability Scanning Service is continually working to improve scan results by using the latest Oracle Linux and open source databases, but there can be inaccuracies in these databases, or in the method used by the service to detect the CVE. For example, the Vulnerability Scanning service can report a security issue in a Linux instance even though:
The issue was recently fixed in the latest Linux distribution
The issue was fixed in the latest Linux distribution but recently backported to older versions
If you're concerned that a vulnerability detected by the Vulnerability Scanning service might be a false positive, then you can use a CVE number to verify whether the vulnerability is already fixed in your Compute instance.
From the Errata Information in the CVE details, identify the Release Date for the version of Oracle Linux running on the Compute instance.
If the version has a release date, then the CVE is fixed in that version.
Connect to the Compute instance using SSH.
Search the package change log for the CVE number.
rpm -q --changelog package | grep <CVE>
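The rpm command above only tells you whether the CVE string appears somewhere in the changelog. The following added example (not part of the Oracle documentation) parses the full rpm changelog output into entries and reports which package version and date first mention the CVE, so you can compare it with the Errata Information release date from the previous step. The sample changelog and package names are constructed for this example; on a real host the changelog_from_host helper runs the same rpm command the page gives.

```python
import re
import subprocess
import sys

# Constructed sample of `rpm -q --changelog <package>` output (not captured from a real host).
# rpm prints entries newest first, each headed by "* <date> <author> - <version>".
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Example Maintainer <maint@example.com> - 1:3.0.7-25.0.1
- Fix CVE-2024-0727 (PKCS12 NULL pointer dereference)
- Rebuild for Oracle Linux

* Mon Jan 15 2024 Example Maintainer <maint@example.com> - 1:3.0.7-24
- Resolves: placeholder bug reference
- Fix CVE-2023-5678 in DH key generation

* Wed Nov 01 2023 Example Maintainer <maint@example.com> - 1:3.0.7-23
- Minor packaging cleanup
"""

ENTRY_HEADER = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) (?P<author>.+?) - (?P<version>\S+)$"
)


def parse_changelog(text):
    """Split rpm changelog text into entries: dicts with date, version and body lines."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            current = {"date": m.group("date"), "version": m.group("version"), "lines": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["lines"].append(line.strip())
    return entries


def find_cve_fix(text, cve):
    """Return (version, date) of the newest changelog entry that mentions cve, or None.

    The lookahead stops CVE-2024-0727 from matching a longer id such as CVE-2024-07271.
    """
    pattern = re.compile(re.escape(cve) + r"(?!\d)", re.IGNORECASE)
    for entry in parse_changelog(text):
        if any(pattern.search(line) for line in entry["lines"]):
            return entry["version"], entry["date"]
    return None


def changelog_from_host(package):
    """Run the rpm command from the page on the local host and return its output."""
    result = subprocess.run(
        ["rpm", "-q", "--changelog", package], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # Usage: python3 cve_check.py <package> <CVE-id>   (hypothetical file name)
    if len(sys.argv) == 3:
        hit = find_cve_fix(changelog_from_host(sys.argv[1]), sys.argv[2])
    else:
        hit = find_cve_fix(SAMPLE_CHANGELOG, "CVE-2024-0727")
    if hit:
        print("fixed in package version %s (changelog entry dated %s)" % hit)
    else:
        print("CVE not mentioned in the installed package's changelog")
```

A hit means the installed package's own changelog records the fix, which is the condition the page describes for a false positive. No hit is not proof the host is vulnerable: the Ksplice case in the next section patches the running kernel without changing the installed package changelog.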
CVE Fixed Using Ksplice
Oracle Ksplice allows you to update Oracle Linux hosts with important security patches without needing to reboot.
If you fixed a CVE using Ksplice and didn’t reboot the host, the Vulnerability Scanning service might continue to report it as a vulnerability. You can use the CVE number to verify whether the vulnerability is already fixed in your Compute instance.
Oracle Autonomous Linux is a self-patching operating system image based on Oracle Linux. It automatically applies patches daily using Oracle Ksplice. Because Oracle Autonomous Linux updates the kernel without rebooting the host, the Vulnerability Scanning service might continue to report a vulnerability even though it was fixed.
Old Kernel or Package Files
If old, unused kernel or package files are present on your host's file system, the Vulnerability Scanning service might report these old files as a vulnerability. This scenario can occur if you created backup copies of these files, or the files weren’t cleaned up properly during an update or uninstall.
Refer to the detected CVE description to identify the list of files associated with the vulnerability.
Search your target host for any copies of these files and delete them.
No Cloud Guard Results
Fix problems that prevent you from seeing any Vulnerability Scanning problems in Cloud Guard.
Cloud Guard analyzes the results of the Vulnerability Scanning service and reports the following types of problems:
The Cloud Guard Targets Don’t Include Target Hosts or Containers
Cloud Guard targets are separate resources from Vulnerability Scanning targets. To use Cloud Guard to detect problems in Vulnerability Scanning reports, the Vulnerability Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.
Consider this scenario.
CompartmentA and CompartmentB are siblings (one isn’t a subcompartment of the other).
The Compute instance MyInstance and the image repository MyRepo are in CompartmentA.
The Vulnerability Scanning target ScanTarget1 is set to CompartmentA.
The Cloud Guard target CGTarget1 is set to CompartmentB.
In this example, Cloud Guard doesn’t show problems for vulnerabilities detected in MyInstance and MyRepo. Inspect your target settings in Cloud Guard and the Vulnerability Scanning service. If the Cloud Guard target is set to the root compartment for your tenancy, then no change is needed.
Create a Cloud Guard target that includes the compartments in your Vulnerability Scanning targets. See Managing Targets.
The Vulnerability Scanning Rules Are Disabled
In an Oracle-managed detector recipe like OCI Configuration Detector Recipe, all detector rules are enabled. However, if you created a custom detector recipe and didn’t enable the Vulnerability Scanning detector rules, Cloud Guard doesn’t report any Vulnerability Scanning problems.
The Vulnerability Scanning Rule Settings Exclude Your Vulnerabilities
In Cloud Guard detector recipes, the settings for the Vulnerability Scanning detector rules control which vulnerabilities are reported as problems in Cloud Guard.
Disallowed port numbers that Cloud Guard reports as a problem
Allowed port numbers that Cloud Guard ignores
Vulnerability risk levels (Low, Medium, High, Critical) that Cloud Guard reports as a problem
Consider the following examples.
A port scan in the Vulnerability Scanning service identifies the open ports 111 and 123, but the Vulnerability Scanning detector rules in Cloud Guard are configured to allow ports 111 and 123.
A host scan in the Vulnerability Scanning service identifies vulnerabilities with the risk level Medium, but the Vulnerability Scanning detector rules in Cloud Guard are configured only to report vulnerabilities that are High or Critical.
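The two causes above (target compartment outside the Cloud Guard target, and detector rule settings that exclude the finding) can be checked together. The following added example is not Oracle code and does not call the OCI SDK; it models the compartment tree from the sibling scenario above and the allowed-port and risk-level settings from the two examples as constructed data, with placeholder OCIDs, and explains for each finding why Cloud Guard would not show it as a problem. The precedence between allowed and disallowed port lists is not stated on this page, so only the allowed-port list is modelled.

```python
# Constructed compartment tree (placeholder OCIDs, not real ones):
# root -> CompartmentA and root -> CompartmentB are siblings; CompartmentA has one subcompartment.
COMPARTMENT_PARENT = {
    "ocid1.compartment.oc1..root": None,
    "ocid1.compartment.oc1..compartmentA": "ocid1.compartment.oc1..root",
    "ocid1.compartment.oc1..compartmentB": "ocid1.compartment.oc1..root",
    "ocid1.compartment.oc1..compartmentA-sub": "ocid1.compartment.oc1..compartmentA",
}

# Constructed Cloud Guard settings matching the scenario and examples in the text.
CLOUD_GUARD = {
    "target_compartment": "ocid1.compartment.oc1..compartmentB",  # CGTarget1
    "allowed_ports": {111, 123},                                   # ports Cloud Guard ignores
    "reported_risk_levels": {"High", "Critical"},                  # levels reported as problems
}


def is_within(compartment, ancestor, parent_of):
    """True when compartment is ancestor itself or sits anywhere below it in the tree."""
    current = compartment
    while current is not None:
        if current == ancestor:
            return True
        current = parent_of.get(current)
    return False


def why_not_reported(finding, cloud_guard, parent_of):
    """Return the reasons a Vulnerability Scanning finding would not surface in Cloud Guard.

    An empty list means the finding passes every check modelled here. `finding` is a dict
    with 'kind' ('open_port' or 'vulnerability'), 'target_compartment' (the compartment the
    Vulnerability Scanning target is set to) and either 'port' or 'risk'.
    """
    reasons = []
    if not is_within(finding["target_compartment"], cloud_guard["target_compartment"], parent_of):
        reasons.append("scan target compartment is not the Cloud Guard target compartment "
                       "or one of its subcompartments")
    if finding["kind"] == "open_port" and finding["port"] in cloud_guard["allowed_ports"]:
        reasons.append("port %d is on the Cloud Guard allowed-port list" % finding["port"])
    if (finding["kind"] == "vulnerability"
            and finding["risk"] not in cloud_guard["reported_risk_levels"]):
        reasons.append("risk level %s is not among the levels Cloud Guard is configured "
                       "to report" % finding["risk"])
    return reasons


if __name__ == "__main__":
    # One constructed finding per cause on the page, plus one that Cloud Guard should report.
    sample_findings = [
        {"kind": "vulnerability", "target_compartment": "ocid1.compartment.oc1..compartmentA",
         "risk": "Critical"},
        {"kind": "open_port", "target_compartment": "ocid1.compartment.oc1..compartmentB",
         "port": 111},
        {"kind": "vulnerability", "target_compartment": "ocid1.compartment.oc1..compartmentB",
         "risk": "Medium"},
        {"kind": "open_port", "target_compartment": "ocid1.compartment.oc1..compartmentB",
         "port": 22},
    ]
    for finding in sample_findings:
        reasons = why_not_reported(finding, CLOUD_GUARD, COMPARTMENT_PARENT)
        print(finding, "->", reasons or ["reported by Cloud Guard"])
```

To apply this to a real tenancy, replace the constructed dictionaries with the compartment hierarchy and the detector rule settings read from your Cloud Guard recipe; the decision logic stays the same.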
Fix problems that prevent you from installing the Qualys agent.
Missing IAM Policies
To install the Qualys agent, you and the Qualys agent must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.
The Vulnerability Management application wasn't selected when you generated the Cloud Agent Activation key in the Qualys portal.
Go to the Qualys portal and select the Vulnerability Management application for the Activation Key. See the Qualys Cloud Platform documentation for instructions.
Install the Qualys agent.
Can’t See the Qualys Scan Reports in the OCI Console
Fix problems that prevent you from viewing Qualys scan reports in the OCI Console.
Note
If the Qualys scan reports appear only in the Qualys portal but not in the OCI Console, open a support ticket using the Support Center.
Wrong Compartment Is Specified
Within the Console, be sure to choose the Compartment that contains the Vulnerability Scanning results for the targets that you want to view.
The Vulnerability Scanning service saves the results for a Compute instance in the same compartment as the instance's Vulnerability Scanning target.
Consider the following example.
The Compute instance MyInstance is in CompartmentA.
MyInstance is specified in Target1.
Target1 is in CompartmentB.
All reports related to MyInstance are in CompartmentB.
Follow the steps to view host scans and ensure that you have the correct compartment selected. See Listing Host Scans.
Recipe Isn’t a Qualys Agent Scan Recipe
The Qualys agent must be specified in the Compute scan recipe.
The Qualys agent might not be installed and provisioned properly.
Confirm that the Compute instance shows up in the Qualys portal.
Confirm that there are no errors associated with the Compute instance in the Target Errors page.
Egress Rules Not Set Up Correctly
Ensure that any egress rules set up on your VCN allow the Qualys agent to communicate to servers outside of OCI.
Vulnerability Scanning Oracle Cloud Agent Plugin Not Working in a Windows Domain Controller Instance
Fix problems that prevent you from running the Vulnerability Scanning Oracle Cloud Agent Plugin.
Cause
When you use a Windows Server instance as a domain controller, features that depend on Oracle Cloud Agent, such as the Monitoring service and the OS Management service, aren't available.