[MUSIC] Welcome to this demo on Oracle Vulnerability Scanning Service. This service is also referred to as sometimes just as a scanning service. And what it does is it routinely checks compute host for potential vulnerabilities. Common vulnerabilities and exposures, also referred to as CVE, is a known database of vulnerabilities each assigned a unique ID. And this particular service now identifies security vulnerabilities for operating systems and other software, including things like critical patch updates, and security alert advisories. So let us see how this service works in action. So to bring up the service, click on the Service Navigation menu and click on Identity and Security and as I said, sometimes it's also referred to as a Scanning Service. Click on scanning here and this will bring up the window for this particular service. So the first thing you need to do to get started is you have to create what are called as scan recipes. And right here there is a more information on the things you need to do, particularly, most importantly, you need to create these policies which allow the service Vulnerability Scanning to act on your behalf. Check these host computers, read their network interfaces etc. So to do that, if we click on this particular link, you can see these are the policies which are required, so let me first go ahead and create those policies. For all our demos we are in the sandbox compartment, so we'll create a policy in that particular compartment. So I'll go to Identity and Security bring up policies and we'll create a policy here right in the sandbox compartment. So we'll call this policy for vulnerability scanning, that's just a short form for vulnerability scanning. I'll put these statements here and as you can see here, this particular statement allows the scanning service to manage instances, read compartments, read virtual network interface card, etc. So and we are just limiting the scope to the sandbox compartment. 
So I'll create these policies because without these policies, my rest of the operations steps would not work. So I'll go back to Identity Security bring up Scanning and I need to create a Scan Recipe. So let me click Scan Recipe here, and I need to give it a name so I'll call this mine. FirstScanRecipe and right here there are two kinds of scanning which I can do, one is called Port Scanning the other is called Agent Based Scanning. Port Scanning basically checks for open ports using a network mapper that searches your public IP address. Agent Based Scanning searches for things like OS vulnerabilities and things like missing patches. It also checks for compliance with industry standard benchmarks published by the Center for Internet Security also referred to as CIS. So those are the two options, I could decide not to do Agent Based Scanning but in this case, I'm going to do both. So when I checked the Public IP Port Scanning, you can see it gives me a couple of options. It gives me standard ports, which are 1000 ports it checks for, and there's an option for light which is the top 100 ports. And I think there's a link here, if I click on that link you can see the ports. Ports are published here, these are the ports which get scanned. So I'm going to this light option you could go with this standard option and checking for massive number of ports as you can see, top 1000 ports. So, let me go with light, and then right here is Agent Based Scanning. And when I do that, the policies we have provided, so that's fine. And then right here, it also gives you an option to enable CIS, Center for Internet Security benchmark scanning. And the CIS publishes a set of benchmarks and the service scans against that benchmark and assigns a score. And there are three kinds of levels here, there is lightweight, there is medium and there is strict. You could assign any one of them, I'll go with strict is fine. 
And then right here, there is a schedule and the schedule is daily or you could do it on a weekly basis. Now again, for the sake of this demo, I'm going to do daily and then I'll create this standard recipe and it's as simple as that. Once you create the Scan Recipe, next you need to create the targets on which to run these recipes. So you click on Create Target and when you do that, you have to pick your compartment. So in this case, I am choosing the sandbox compartment and this is my recipe and the target compartment is sandbox as well. And now gives me a couple of options, it says, to scan whether all the compute instances in the selected compartment and its children compartment, its sub compartment. Or I could just select specific compute instances, so I have four instances running here, I could just select one of them. Here are multiple of them if I want to, I'm going to do all compute instances, that's fine and I'll click Create. And now what the service will do is it will scan these compute instances and check for things like OS vulnerabilities and missing target. And as this step takes some time as you can see the target is getting created here. When we come back, we can view the scan results but there is one thing we need to do before we see the scan results, and if I go back to my compute instances. In this particular compartment sandbox and let me just bring up, I don't know which one has the plugin enabled images, click here. As you can see here, there is a plugin for vulnerabilities scanning. And as you can see the information here it says that this particular plugin scans the instance for security vulnerabilities and it's enabled. Now, I have a couple of instances where it's not enabled, so let me find those instances out, it's enabled here as well. It's enabled here, also I think one of the instances doesn't have it enabled, let me see. All right, it's enabled in all of them, but if it was not, I could just come here. 
Let's say if it was disabled and I would come and I would enable it and it typically takes something like 10 minutes to get enabled and you can stop the plugins and start again. But since the Agents, the plugins are already enabled, and we created a Scan Recipe and we put these compute instances as a target for those Scan Recipes. In a few minutes when we come back we can see results for Hosts Scans, Port Scans, Vulnerability Reports, etc. So let me just go back quickly at the target and see if it is created. All right, it looks like it's active and if I click on View Scan Results. As you can see here, it's showing me, but then, literally, within few seconds, and it's still going through the process. It's showing me all the ports which are open and I opened Port 22 because this particular website installing bunch of software so you can see Port 22 is open, and so on and so forth. You can see some UDP ports open some TCP ports open, so it gives me a report and remember we just did the top 100 ports, if we had done more, we will see more ports listed here. If I click on Vulnerabilities, I can see that the service is checking against these vulnerabilities. These are again, if you click on them you can see more details just bring it up here. It tells me what this vulnerability is and there's a CVE ID which goes, if you click on this it goes to an external link, right? So again this CVE database is maintained and the service is checking against that, right? So I can see here all the CVEs and it says there is no risk involved. And then if I click on CIS Benchmarks, the service is checking against this particular benchmark. And it has things like host SSH host based authentication is disabled and so on and so forth. And some of these are failing and some of these are passing like the SSH root login is disabled, in my case it's not disabled so the test is failing. 
So this hopefully gives you a quick overview of how the service works, and still the target is still going on. And as you can see here now, we have done the port scanning for all the four instances running and you can see this had the maximum number of open ports. Some of these had less ports open and if I click on Vulnerabilities Report here, now the list is even longer because it's checking against more vulnerabilities and so forth. So, hopefully and you can see the Host Scan two service here and it's going to scan more over time. So this is a quick demo and hopefully you can see how the Scanning Service also referred to as Oracle Vulnerability Scanning Service works and you found this demo useful.