Troubleshooting the Vulnerability Scanning service

Use troubleshooting information to identify and address common issues that can occur while working with Oracle Cloud Infrastructure Vulnerability Scanning Service.

Can’t Create Scan Recipes or Scan Targets

Fix problems that prevent you from creating scan recipes or scan targets for compute (host) or image scans.

To create a Vulnerability Scanning recipe or Vulnerability Scanning target, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

  1. Use the following documentation to verify that you have the required policies for creating compute and image scan recipes and targets.
    1. Required IAM Policy for Compute Scanning Recipes
    2. Required IAM Policy for Image Scanning Recipes
  2. Add any missing required policies.

No Vulnerability Scanning Results

Fix general problems that prevent you from seeing any type of Vulnerability Scanning report.

Target Was Created Less Than 24 Hours Ago

After you create a target, the Vulnerability Scanning service doesn’t immediately scan the specified target resources.

After creating a target that's associated with your recipe, it can take up to 24 hours for the Vulnerability Scanning service to perform the first scan of the target resources. For Compute targets, this delay occurs if you configured your recipe with a Daily schedule or a Weekly schedule.

Wait 24 hours and then check for scan results.

Missing IAM Policy

To view any type of Vulnerability Scanning report, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

For example, to allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAuditors to read vss-family in compartment SalesApps

Verify that you have the required policies to view scanning results. See Vulnerability Scanning IAM Policies.

Wrong Compartment Is Specified

Within the Console, be sure to choose the Compartment that contains the Vulnerability Scanning results for the targets that you want to view.

The Vulnerability Scanning service saves the results for a Compute instance in the same compartment as the instance's Vulnerability Scanning target.

Consider the following example.

  • The Compute instance MyInstance is in CompartmentA.
  • MyInstance is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyInstance are in CompartmentB.

The Vulnerability Scanning service saves the results for an image repository in the same compartment as the repository's Vulnerability Scanning target.

Consider the following example.

  • The repository MyRepo in Container Registry is in CompartmentA.
  • MyRepo is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyRepo are in CompartmentB.

In the Console, go to Scanning Reports and ensure that the correct compartment is selected. See Scanning Reports.

All Features in the Recipe Are Disabled

If you created a recipe in the Vulnerability Scanning service, but you disabled all scanning options in the recipe, then the Vulnerability Scanning service doesn't scan any targets assigned to this recipe.

In the Console, go to the recipe and enable the necessary scanning options. See:

No Host Scans

Fix problems that prevent you from seeing the results of host scans for Compute targets.

If your issue isn't listed here, see No Vulnerability Scanning Results for other common scanning issues.

Agent-Based Scanning Isn’t Enabled

To create host scans, the Vulnerability Scanning service uses the Oracle Cloud Agent, which runs on the target Compute instances. By default, Agent Based Scanning is enabled in a recipe. If you disabled this option in your recipe, then the Vulnerability Scanning service doesn’t create host scans for the targets that are associated with your recipe.

In the Console, go to the recipe and enable the necessary scanning options. See Editing a Compute Scan Recipe.

Scanning Plugin Is Disabled on the Agent

The Oracle Cloud Agent process manages plugins running on the Compute instance. The Vulnerability Scanning plugin is used to detect vulnerabilities and to test CIS benchmarks. By default, the Vulnerability Scanning plugin is enabled on all instances running the agent, but the plugin can be disabled.

If you manually disabled the Vulnerability Scanning plugin on the target Compute instances, you must enable it.

Enable the Vulnerability Scanning plugin on the target Compute instances. See Oracle Cloud Agent.

Missing IAM Policy to Deploy the Agent

If the target Compute instances aren’t running the Oracle Cloud Agent, the Vulnerability Scanning service automatically deploys the agent to the instances. However, an administrator must give the Vulnerability Scanning service permission to update your target Compute instances.

Verify that the Vulnerability Scanning service has the required policies to update your target Compute instances. See Required IAM Policy for Compute Scanning Recipes.

Instance Isn’t Running the Latest Agent

If the target Compute instance is running Oracle Cloud Agent version 1.11.0, it might not automatically update itself to the latest version.

Manually update Oracle Cloud Agent on the instance. See:

Missing Service Gateway for Instances with No Public IP Address

A Compute instance is associated with a virtual cloud network (VCN) and a subnet. If an instance in the target is on a private subnet or has no public IP address, the VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.

If the VCN or service gateway isn’t configured correctly, the Vulnerability Scanning service isn’t able to communicate with Compute instances on the private subnet and perform a host scan.

Configure the service gateway to allow traffic for all supported services in the region. For example, All PHX Services in Oracle Services Network is a service CIDR label that represents all supported services in the Oracle Services Network in the US West (Phoenix) region.

Note

The service gateway can't be configured to allow traffic for a single service only, such as Object Storage.

Traffic Forwarding Is Disabled on an Instance with No Public IP Address

A VNIC enables an instance to connect to a VCN and determines how the instance connects with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN. If a Compute instance in your target is on a private subnet or has no public IP address, the instance's VNICs must be able to forward traffic.

If the VNICs aren’t configured correctly, the Vulnerability Scanning service isn’t able to communicate with a Compute instance on a private subnet and perform a host scan.

Edit the instance's VNICs and select the option Skip source/destination check. See Update an Existing VNIC.

No Container Image Scans

Fix problems that prevent you from seeing the results of container image scans.

If your issue isn't listed here, see No Vulnerability Scanning Results for other common scanning issues.

Missing IAM Policy to Access Container Registry

An administrator must give the Vulnerability Scanning service permission to pull images from Container Registry.

The policy must specify the compartments that contain your target image repositories.

Verify that you have the required policies to pull images from Container Registry. See Required IAM Policy for Image Scanning Recipes.

Can't Export Scanning Results

Fix problems that prevent you from exporting scan reports or vulnerability reports to your local machine.

Missing IAM Policies

To export a Vulnerability Scanning report, you must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

Note

If you can't view the scan results either, see No Vulnerability Scanning Results.

Your administrator might have given you read permissions for scan reports and vulnerability reports, but not export permissions.

Verify that you have the required policies to export Vulnerability Scanning reports. See Vulnerability Scanning IAM Policies.

For example, to allow users in the group SecurityAuditors to view all Vulnerability Scanning resources in the compartment SalesApps and to export the results:

Allow group SecurityAuditors to read vss-family in compartment SalesApps
Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps where request.operation = 'ExportHostAgentScanResultCsv'
Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps where request.operation = 'ExportHostVulnerabilityCsv'

Note

The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.

Delete Compartment Failed

Fix problems that prevent you from deleting a compartment that you used for Vulnerability Scanning targets and reports.

Reports Exist in the Compartment

A compartment must be empty before you can delete it, including all scan reports. You can't delete reports using the Console. Use the CLI or API.

There are separate CLI commands and API operations for each report type. For example:

To quickly delete all types of reports from a compartment, you can run a script using Cloud Shell.

  1. Copy and paste this text into a file on your local computer.
    import oci
    import sys
    
    compartment = "<compartment_ocid>"
    
    def list_scans(list_func, compartment):
        # The SDK paginates list calls; list_call_get_all_results follows every
        # page so that no report in the compartment is missed.
        try:
            scans = oci.pagination.list_call_get_all_results(
                list_func,
                compartment
            ).data
            return scans
        except Exception as e:
            raise RuntimeError("Error listing scans in compartment " + compartment + ": " + str(e.args))
    
    def delete_scans(delete_func, scans):
        # Each result is an SDK model object, so its OCID is the attribute s.id
        for s in scans:
            try:
                delete_func(s.id)
            except Exception as e:
                raise RuntimeError("Error deleting scan " + s.id + ": " + str(e.args))
    
    # Uses the DEFAULT profile from ~/.oci/config (Cloud Shell provides one)
    config = oci.config.from_file()
    
    # Quick safety check
    print("Using compartment " + compartment)
    if input("Do you want to delete all scan results (host, port, CIS, container) in this compartment? [y/N]: ") != "y":
        sys.exit()
    
    # Create the client from the config
    client = oci.vulnerability_scanning.VulnerabilityScanningClient(config)
    
    # Host agent scans
    print("Listing agent scans to delete...")
    host_scans = list_scans(client.list_host_agent_scan_results, compartment)
    print("Deleting " + str(len(host_scans)) + " host scans")
    delete_scans(client.delete_host_agent_scan_result, host_scans)
    
    # Host port scans
    print("Listing port scans to delete...")
    port_scans = list_scans(client.list_host_port_scan_results, compartment)
    print("Deleting " + str(len(port_scans)) + " port scans")
    delete_scans(client.delete_host_port_scan_result, port_scans)
    
    # Host CIS benchmarks
    print("Listing CIS scans to delete...")
    cis_benchmarks = list_scans(client.list_host_cis_benchmark_scan_results, compartment)
    print("Deleting " + str(len(cis_benchmarks)) + " CIS scans")
    delete_scans(client.delete_host_cis_benchmark_scan_result, cis_benchmarks)
    
    # Container scans
    print("Listing container image scans to delete...")
    container_scans = list_scans(client.list_container_scan_results, compartment)
    print("Deleting " + str(len(container_scans)) + " container image scans")
    delete_scans(client.delete_container_scan_result, container_scans)
  2. Replace <compartment_ocid> with the OCID of the compartment that you want to delete.
  3. Save the file as delete-reports.py.
  4. From the Console header, select the region that contains the reports you want to delete.
  5. From the Console header, click the Cloud Shell icon.

    The Cloud Shell displays at the bottom of the Console. Wait for the prompt $ to display.

  6. Drag and drop delete-reports.py from your local machine onto Cloud Shell.
  7. From the Cloud Shell prompt, run the Python script.
    python3 delete-reports.py
  8. When prompted to delete all reports, enter y.

    You can now delete the compartment if there are no other resources in it.

Reported CVE is Already Fixed in Host (False Positive)

Fix problems that cause host scans to report vulnerabilities that were already fixed.

Oracle uses common vulnerabilities and exposures (CVE) numbers to identify security vulnerabilities for operating systems and other software, including critical patch updates and security alert advisories. CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities. You can view Qualys IDs (QIDs) in the Vulnerability Scanning service user interface.

During a host scan, the Vulnerability Scanning service compares the version of OS packages on the host with the fixed version of the packages in the open source CVE database.

If you're using the OS Management service to update the target hosts, then the following scenario often indicates a false positive:

  • The Vulnerability Scanning service report says that a specific CVE number isn’t fixed in a target host.
  • The OS Management service says that there are no security updates to install on the same target host.

CVE Database Inaccuracies

Oracle Cloud Infrastructure Vulnerability Scanning Service is continually working to improve scan results by using the latest Oracle Linux and open source databases, but there can be inaccuracies in these databases, or in the method used by the service to detect the CVE. For example, the Vulnerability Scanning service can report a security issue in a Linux instance even though:

  • The issue was recently fixed in the latest Linux distribution
  • The issue was fixed in the latest Linux distribution and only recently backported to older versions

If you're concerned that a vulnerability detected by the Vulnerability Scanning service might be a false positive, then you can use a CVE number to verify whether the vulnerability is already fixed in your Compute instance.

For example, to verify a CVE for Oracle Linux:

  1. From Unbreakable Linux Network CVE Summary, search for the CVE number.
  2. From the Errata Information in the CVE details, identify the Release Date for the version of Oracle Linux running on the Compute instance.

    If the version has a release date, then the CVE is fixed in that version.

  3. Connect to the Compute instance using SSH.
  4. Search the package change log for the CVE number.
    rpm -q --changelog package | grep <CVE>
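Step 4 comes down to searching the installed package's changelog for the CVE id. The following Python is an added example, not part of the Oracle documentation: it wraps the same rpm command, extracts every CVE id from changelog text, and classifies a list of scanner findings as candidate false positives or open findings. The package names, CVE numbers and changelog entries are constructed for illustration. It only sees fixes recorded in the rpm changelog; a fix applied with Ksplice (next section) is not visible there.

```python
import re
import subprocess

# Matches CVE identifiers such as CVE-2023-12345 (a year plus four or more digits)
CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def cves_in_changelog(changelog_text):
    """Return the set of CVE ids mentioned anywhere in an rpm changelog, upper-cased."""
    return {m.upper() for m in CVE_PATTERN.findall(changelog_text)}


def package_changelog(package):
    """Run `rpm -q --changelog <package>` on the host, the command from step 4.

    Returns an empty string if rpm is not available or the package is not installed,
    so callers can treat "no changelog" separately from "CVE not listed".
    """
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return out.stdout if out.returncode == 0 else ""


def triage_findings(findings, changelogs):
    """Classify scanner findings against the changelogs of the packages they name.

    findings:   list of (cve_id, package) pairs as reported by the scanner
    changelogs: dict package -> changelog text (for example from package_changelog)
    Returns dict cve_id -> one of "fixed in changelog", "not in changelog",
    "package not installed".
    """
    verdicts = {}
    for cve, package in findings:
        text = changelogs.get(package)
        if not text:
            verdicts[cve] = "package not installed"
        elif cve.upper() in cves_in_changelog(text):
            verdicts[cve] = "fixed in changelog"   # candidate false positive
        else:
            verdicts[cve] = "not in changelog"     # treat as a real finding
    return verdicts


# Constructed sample changelog (not real errata); the CVE numbers are hypothetical
SAMPLE_CHANGELOG = """\
* Tue Jan 10 2023 Maintainer <maint@example.invalid> - 1.2.3-4
- Fix buffer handling in parser (CVE-2023-00001)
- Backport upstream fix for cve-2023-00002
* Mon Dec 05 2022 Maintainer <maint@example.invalid> - 1.2.3-3
- Rebuild
"""

if __name__ == "__main__":
    # Hypothetical scanner findings: two against examplepkg, one against a package
    # that is not installed on this host
    findings = [("CVE-2023-00001", "examplepkg"),
                ("CVE-2023-00003", "examplepkg"),
                ("CVE-2023-00004", "otherpkg")]
    for cve, verdict in triage_findings(findings, {"examplepkg": SAMPLE_CHANGELOG}).items():
        print(cve, "->", verdict)
```

On a real host, build the changelogs dict with package_changelog(name) for each package the scanner names. A "fixed in changelog" verdict is only a hint: confirm the installed version against the errata release date from step 2 before closing the finding.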

CVE Fixed Using Ksplice

Oracle Ksplice allows you to update Oracle Linux hosts with important security patches without needing to reboot.

If you fixed a CVE using Ksplice and didn’t reboot the host, the Vulnerability Scanning service might continue to report it as a vulnerability. You can use the CVE number to verify whether the vulnerability is already fixed in your Compute instance.

Oracle Autonomous Linux is a self-patching operating system image based on Oracle Linux. It automatically applies patches daily using Oracle Ksplice. Because Oracle Autonomous Linux updates the kernel without rebooting the host, the Vulnerability Scanning service might continue to report a vulnerability even though it was fixed.

Old Kernel or Package Files

If old, unused kernel or package files are present on your host's file system, the Vulnerability Scanning service might report these old files as a vulnerability. This scenario can occur if you created backup copies of these files, or the files weren’t cleaned up properly during an update or uninstall.

  1. Refer to the detected CVE description to identify the list of files associated with the vulnerability.
  2. Search your target host for any copies of these files and delete them.

No Cloud Guard Results

Fix problems that prevent you from seeing any Vulnerability Scanning problems in Cloud Guard.

Cloud Guard analyzes the results of the Vulnerability Scanning service and reports the following types of problems:

  • Scanned container image has vulnerabilities
  • Scanned host has vulnerabilities
  • Scanned host has open ports

Before troubleshooting Cloud Guard, be sure you're able to view Host Scans, Port Scans, or Container Image Scans in the Vulnerability Scanning service. If not, see No Vulnerability Scanning Results.

For more information about common Cloud Guard problems, see Troubleshooting Cloud Guard.

The Cloud Guard Targets Don’t Include Target Hosts or Containers

Cloud Guard targets are separate resources from Vulnerability Scanning targets. To use Cloud Guard to detect problems in Vulnerability Scanning reports, the Vulnerability Scanning target compartment must be the same as the Cloud Guard target compartment, or be a subcompartment of the Cloud Guard target compartment.

Consider this scenario.

  • CompartmentA and CompartmentB are siblings (one isn’t a subcompartment of the other).
  • The Compute instance MyInstance and the image repository MyRepo are in CompartmentA.
  • The Vulnerability Scanning target ScanTarget1 is set to CompartmentA.
  • The Cloud Guard target CGTarget1 is set to CompartmentB.

In this example, Cloud Guard doesn’t show problems for vulnerabilities detected in MyInstance and MyRepo. Inspect your target settings in Cloud Guard and the Vulnerability Scanning service. If the Cloud Guard target is set to the root compartment for your tenancy, then no change is needed.

Create a Cloud Guard target that includes the compartments in your Vulnerability Scanning targets. See Managing Targets.

The Vulnerability Scanning Rules Are Disabled

In an Oracle-managed detector recipe like OCI Configuration Detector Recipe, all detector rules are enabled. However, if you created a custom detector recipe and didn’t enable the Vulnerability Scanning detector rules, Cloud Guard doesn’t report any Vulnerability Scanning problems.

Enable the Scanning detector rules. See Using the Cloud Guard Vulnerability Scanning Detector Rules.

The Vulnerability Scanning Rule Settings Exclude Your Vulnerabilities

In Cloud Guard detector recipes, the settings for the Vulnerability Scanning detector rules control which vulnerabilities are reported as problems in Cloud Guard.

  • Disallowed port numbers that Cloud Guard reports as a problem
  • Allowed port numbers that Cloud Guard ignores
  • Vulnerability risk levels (Low, Medium, High, Critical) that Cloud Guard reports as a problem

Consider the following examples.

  • A port scan in the Vulnerability Scanning service identifies the open ports 111 and 123, but the Vulnerability Scanning detector rules in Cloud Guard are configured to allow ports 111 and 123.
  • A host scan in the Vulnerability Scanning service identifies vulnerabilities with the risk level Medium, but the Vulnerability Scanning detector rules in Cloud Guard are configured only to report vulnerabilities that are High or Critical.

Verify the settings for the Vulnerability Scanning detector rules in your configuration detector recipe. See Updating the Vulnerability Scanning Detector Rules.
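The compartment rule in the previous subsection and the rule settings above are the two checks that most often explain a missing Cloud Guard problem. The following Python is an added example, not Oracle's or Cloud Guard's own code, that models both: it walks a compartment tree to test whether the scan target compartment is inside the Cloud Guard target, then applies a simplified version of the allowed-port and risk-level settings. The compartment tree, rule values and findings are constructed from the examples on this page; the real detector evaluates more than is modelled here.

```python
# Risk levels in ascending order, as listed in the detector rule settings
RISK_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def compartment_within(compartment, scope, parents):
    """Return True when `compartment` is `scope` itself or a subcompartment of it.

    `parents` maps each compartment name to its parent; the root has no entry.
    """
    current = compartment
    visited = set()
    while current is not None:
        if current == scope:
            return True
        if current in visited:  # a malformed map with a cycle would otherwise loop forever
            raise ValueError(f"cycle in compartment tree at {current}")
        visited.add(current)
        current = parents.get(current)
    return False


def explain_missing_problem(finding, scan_compartment, cloud_guard_compartment, parents, rules):
    """Return None when the finding should surface as a Cloud Guard problem,
    otherwise a one-line reason drawn from the checklist in this section."""
    if not rules.get("rules_enabled", True):
        return "Vulnerability Scanning detector rules are disabled in the recipe"
    if not compartment_within(scan_compartment, cloud_guard_compartment, parents):
        return "scan target compartment is outside the Cloud Guard target"
    if finding["type"] == "open_port":
        # Allowed ports are ignored by the detector rule
        if finding["port"] in rules.get("allowed_ports", set()):
            return f"port {finding['port']} is in the allowed ports list"
        return None
    if finding["type"] == "vulnerability":
        # Only risk levels at or above the configured minimum are reported
        level = finding["risk"].upper()
        threshold = rules.get("min_risk", "LOW").upper()
        if RISK_ORDER[level] < RISK_ORDER[threshold]:
            return f"risk level {level} is below the {threshold} reporting threshold"
        return None
    raise ValueError(f"unknown finding type: {finding['type']}")


# Constructed scenario mirroring the examples above: CompartmentA and CompartmentB
# are siblings under the root; the rule values are assumed for illustration.
PARENTS = {"CompartmentA": "root", "CompartmentB": "root"}
RULES = {"rules_enabled": True, "allowed_ports": {111, 123}, "min_risk": "High"}
FINDINGS = [
    {"type": "open_port", "port": 111},
    {"type": "open_port", "port": 22},
    {"type": "vulnerability", "risk": "Medium"},
    {"type": "vulnerability", "risk": "Critical"},
]

if __name__ == "__main__":
    # ScanTarget1 covers CompartmentA; compare CGTarget1 on CompartmentB with one on the root
    for cg_target in ("CompartmentB", "root"):
        print(f"Cloud Guard target: {cg_target}")
        for finding in FINDINGS:
            reason = explain_missing_problem(finding, "CompartmentA", cg_target, PARENTS, RULES)
            print("  ", finding, "->", reason or "reported as a problem")
```

With the Cloud Guard target on CompartmentB every finding is suppressed by the compartment check, which matches the scenario in the previous subsection; moving the target to the root lets the rule settings decide, and only port 22 and the Critical vulnerability remain as problems.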

Qualys Agent Installation Failed

Fix problems that prevent you from installing the Qualys agent.

Missing IAM Policies

To install the Qualys agent, you and the Qualys agent must be given the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

  1. Verify that you have the required policies to install the Qualys agent. See Agent-Based Standard Policies and Agent-Based Qualys Policies.
  2. Add any missing required policies.

Invalid License

The Vulnerability Management application wasn't selected when you generated the Cloud Agent Activation key in the Qualys portal.

  1. Go to the Qualys portal and select the Vulnerability Management application for the Activation Key. See the Qualys Cloud Platform documentation for instructions.
  2. Install the Qualys agent.

Can’t See the Qualys Scan Reports in the OCI Console

Fix problems that prevent you from viewing Qualys scan reports in the OCI Console.

Note

If the Qualys scan reports appear only in the Qualys portal but not in the OCI Console, open a support ticket using the Support Center.

Wrong Compartment Is Specified

Within the Console, be sure to choose the Compartment that contains the Vulnerability Scanning results for the targets that you want to view.

The Vulnerability Scanning service saves the results for a Compute instance in the same compartment as the instance's Vulnerability Scanning target.

Consider the following example.

  • The Compute instance MyInstance is in CompartmentA.
  • MyInstance is specified in Target1.
  • Target1 is in CompartmentB.
  • All reports related to MyInstance are in CompartmentB.

Follow the steps to view host scans and ensure that you have the correct compartment selected. See Listing Host Scans.

Recipe Isn’t a Qualys Agent Scan Recipe

The Qualys agent must be specified in the Compute scan recipe.

Ensure that you’ve created an agent scan recipe with the Qualys option selected. See Creating a Compute Scan Recipe with a Qualys Agent.

Qualys License Key Stored in the Wrong Format

The license key used in the Qualys agent scan recipe must be stored in plain text.

Follow the steps to define a secret for a scan recipe. See Defining a Secret for a Compute Scan Recipe.

Unsuccessful Qualys Agent Install

The Qualys agent might not be installed and provisioned properly.

  1. Confirm that the Compute instance shows up in the Qualys portal.
  2. Confirm that there are no errors associated with the Compute instance in the Target Errors page.

Egress Rules Not Set Up Correctly

Ensure that any egress rules set up on your VCN allow the Qualys agent to communicate to servers outside of OCI.

Vulnerability Scanning Oracle Cloud Agent Plugin Not Working in a Windows Domain Controller Instance

Fix problems that prevent you from running the Vulnerability Scanning Oracle Cloud Agent Plugin.

Cause

When you use a Windows Server instance as a domain controller, features that depend on Oracle Cloud Agent, such as the Monitoring service and the OS Management service, aren't available.

Remedy

See the following MOS article for the remedy: Doc ID 2919839.1.