This topic describes the best practices for fixing software vulnerabilities on servers.
How to fix software vulnerabilities
Unlike vulnerability fixes on PCs, software vulnerability fixes on servers require professional knowledge. You must follow the following steps to fix software vulnerabilities:
- Check all assets on the target server and log on to Security Center to check system vulnerabilities on the server. For more information about parameters of Linux software vulnerabilities, see Parameters of Linux software vulnerabilities.
- Determine the vulnerabilities that you want to fix. You do not need to fix all vulnerabilities immediately. You can determine the vulnerabilities to fix based on actual business conditions, server usage, and the impacts of these vulnerabilities.
- Install patches for vulnerabilities that you want to fix in the staging environment, test compatibility and security, and generate testing reports on vulnerability fixes after tests are completed. A testing report must contain the vulnerability fix result, fix duration, patch compatibility, and impacts caused by the vulnerability fix.
- Use the backup and recovery system to back up the data on the server in case of exceptions. For example, use the snapshot feature of an ECS instance to back up data.
- Upload vulnerability patches to the server and use the patches to fix vulnerabilities. This task requires a minimum of two administrators: One administrator is responsible for vulnerability fixes and the other one is responsible for records. Exercise all operations with caution.
- Upgrade the system and fix vulnerabilities based on the sequence of system vulnerabilities.
- Validate the vulnerability fixes on the server. Make sure that the vulnerabilities are fixed and that no exception occurs on the server.
- Generate a vulnerability fix report based on the entire vulnerability fix process and archive the relevant documents.
Software vulnerability fix guidelines
We recommend that you take the following measures to minimize the possibility of exceptions and ensure that no damage is caused to the system during vulnerability fixes, and that the system can recover and run normally after the fixes are complete:
- Develop a vulnerability fix plan
Research the operating system and applications of the server and develop an applicable vulnerability fix plan. The feasibility of the plan must be discussed and verified in a testing environment. You must strictly follow the instructions and steps in the vulnerability fix plan to fix vulnerabilities and make sure that no damage is made to the system on the server.
- Use a testing environment
Use a testing environment to verify the feasibility of your vulnerability fix plan. Make sure that the plan has no impact on the online business system that you want to fix.Note The testing environment must use the same operating system and database system as your online business system. The version of applications in the testing environment must be the same as those on your online business system. We recommend that you use the latest replication of the entire business system for testing.
- Back up the business system
Back up the entire business system, which includes the operating system, applications, and data. After you back up the system, you must restore your system to validate the backup. A system backup guarantees the stability of your business. If a system exception or data loss occurs, you can use the backup to restore your system. We recommend that you use the snapshot feature of ECS to quickly back up your business system.