
Thursday, April 9, 2026

How to Set Up Vulnerability Scanning Service in OCI (Step-by-Step Guide)

 

Introduction

Securing your cloud infrastructure is critical, and Oracle Cloud Infrastructure (OCI) provides a built-in Vulnerability Scanning Service (VSS) to detect security risks in your compute instances. In this guide, we’ll walk through the complete setup—from scan recipes to remediation.


Prerequisites

  • A running OCI compute instance
  • Proper access to OCI Console
  • Required permissions to configure security services

Create scan recipes



Click on create scan recipe










Go to the compute instance and enable the VSS agent



Create a target. In this example, I am using a single compute instance.











Configure Cloud Guard and click on recipes












Change it to root





Click on the Detector Rules tab and make sure the rules below are enabled




From the home page, click on Configuration and then create new targets










Once the target is created, move to the scan reports






Click on vulnerability report




Go to Cloud Guard > Alerts > Problems



The next step would be to remediate the problems based upon the individual scenarios one by one.

Conclusion

OCI’s Vulnerability Scanning Service combined with Cloud Guard provides a powerful security layer. Regular scans and proactive remediation ensure your infrastructure remains secure and compliant.

Tuesday, April 23, 2024

Strengthen Your Cloud Security: Exploring OCI Vulnerability Scanning Services

In Oracle Cloud Infrastructure (OCI), vulnerability scanning services are offered to help ensure the security of your infrastructure. The OCI vulnerability scanning service is designed to scan virtual cloud networks (VCNs) and identify vulnerabilities in the cloud infrastructure.

OCI Vulnerability Scanning Services

In this post, we explain the approach we can take to mitigate the risk once a CVE is detected. Before we do so, I would suggest going through the official Oracle documentation for VSS.

You can access the vulnerability scanning service in OCI through the OCI console. Here's a brief guide on how to do it:

1. Log in to the OCI Console.
2. Open the "Security" menu.
3. Click on "Security Advisor".
4. Navigate to "Vulnerability Scanning".

Now, let us go through the remediation steps. You might get CVEs reported as listed below.



If we click on "View Details", we might see the below information for cause and remediation.



The errata details can be found at the link, which is considered to be the database for CVEs.



The server already had version 4.5.0-36.el7_9.5.

Command to check:

rpm -qa | grep libvirt



Thus, we came to the conclusion that the CVEs are being reported for the existing package on the server, and in order to mitigate them, we need to upgrade the version to 5.

Steps:


1. cd /etc/yum.repos.d

2. Took a backup of the file public-yum-ol7.repo

3. Took a backup of the boot volume

4. In the file public-yum-ol7.repo, enabled the flag as 1 for section

5. yum update

6. Reboot the server

7. Disable and enable VSS

8. Verify the scanning report

9. Check with the application team for sanity before moving it to next higher instances
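The repo-file part of the steps above (back up public-yum-ol7.repo, then set the flag to 1 for one section), written as a script. This is an added example, not code from the original post. The post does not name the section, so `placeholder_target`, `placeholder_latest` and both function names are assumptions, and the demo runs on a constructed file in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Section names below are placeholders.

# Print the current enabled= value of one [section] in a .repo file.
section_enabled_value() {
    awk -v want="[$2]" '
        /^\[.*\]$/ { in_sec = ($0 == want) }
        in_sec && /^[ \t]*enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Back up repo_file, then set enabled=1 in the named section only.
# Prints the backup path on success.
enable_repo_section() {
    repo_file=$1
    section=$2
    [ -f "$repo_file" ] || { echo "no such file: $repo_file" >&2; return 1; }
    # Fail loudly on a missing section so a typo never looks like success.
    grep -qxF "[$section]" "$repo_file" || { echo "[$section] not found" >&2; return 2; }

    # The backup name must not end in .repo, or yum would load it as a second repo file.
    backup="$repo_file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$repo_file" "$backup" || return 1

    tmp=$(mktemp "$repo_file.XXXXXX") || return 1
    awk -v want="[$section]" '
        /^\[.*\]$/ { in_sec = ($0 == want) }
        in_sec && /^[ \t]*enabled[ \t]*=/ { print "enabled=1"; next }
        { print }
    ' "$repo_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing inode to keep owner, mode and SELinux label.
    cat "$tmp" > "$repo_file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$backup"
}

# Demo on a constructed file in a temp directory (no system files are touched).
demo_dir=$(mktemp -d)
demo_repo="$demo_dir/public-yum-ol7.repo"
printf '%s\n' '[placeholder_latest]' 'enabled=1' '' \
              '[placeholder_target]' 'enabled=0' > "$demo_repo"
enable_repo_section "$demo_repo" placeholder_target >/dev/null
echo "placeholder_target enabled=$(section_enabled_value "$demo_repo" placeholder_target)"
rm -rf "$demo_dir"
```

On a real host the function would be called with the file under /etc/yum.repos.d as root, followed by `yum update` and the `rpm -qa | grep libvirt` check from the post.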

These are the many ways through which we can mitigate the CVEs being reported by VSS in OCI. I hope this post will help someone. Till then, happy learning cloud.