This topic provides answers to some commonly asked questions about vulnerability fixes, baseline checks, and cloud service configuration assessment.

How do I manually scan for Linux software vulnerabilities?

For more information, see How to manually scan for Linux software vulnerabilities.

We recommend that you use the system software vulnerability detection feature of Security Center. This feature can automatically detect system software vulnerabilities on a regular basis.

How do I view the current software version and the vulnerability details?

Security Center assesses whether your server contains software vulnerabilities by comparing the system software version on your server with the software version that has Common Vulnerabilities and Exposures (CVE) vulnerabilities. To view the vulnerability information in the current software version, go to the Security Center console or run commands on your server.
  • View the current software version and vulnerability details in the Security Center console

    Log on to the Security Center console and choose Precaution > Vulnerabilities. On the page that appears, view the system software version and vulnerability details. For more information about the details of system software vulnerabilities, see the question How do I view parameters of Linux software vulnerabilities? in this topic.

  • View details of the current software version on your server
    You can view details of the current software version on your server:
    • CentOS

      Run the rpm -qa | grep xxx command. xxx specifies the name of the software package. For example, you can run the rpm -qa | grep bind-libs command to view the version details of software package bind-libs.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} ${Version}\n' | grep xxx command. xxx specifies the name of the software package. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of software package bind-libs. The default output of dpkg-query -W also lists the package name and version.
      Note If the specified software package is not found, run the dpkg-query -W command to view all the software installed on your server.
    After you obtain your software version information, you can check whether your software version is mentioned in the descriptions of system software vulnerabilities detected by Security Center. In the descriptions of a vulnerability, Software and Cause specify the version of the current software and the reason why Security Center determines your server has the vulnerability.
    Note After you update software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. We recommend that you ignore the vulnerability alerts generated in such situations. You can run the yum remove or apt-get remove command to delete the old software package. Before you delete the package, make sure that the old software version is no longer required by services or applications on your server.

How do I update kernel 3.1* to kernel 4.4 in Ubuntu 14.04?

Notice Risks may occur when you update the kernel. We recommend that you follow Fix software vulnerabilities to update the kernel.
To update kernel 3.1* to kernel 4.4 in Ubuntu 14.04, perform the following steps:
  1. Run the uname -av command to check whether the kernel version is 3.1*.
  2. Run the following commands to check whether the update package of the latest kernel is available:
    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic
  3. If no update package is available, you can run the apt-get update command to obtain the latest update package.
  4. Run the following commands to update the kernel:
    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  5. After the update package is installed, restart the server to load the kernel.
  6. After the server is restarted, run the following commands to verify the update:
    • Run the uname -av command to query the current kernel version.
    • Run the dpkg -l | grep linux-image command to query the installed kernel packages.

Is a system restart required after I fix a vulnerability?

After you fix a Linux kernel vulnerability in the Security Center console, you must restart the server before the fix can take effect.

If one of the following conditions is met, you must restart the system after you fix a vulnerability.
  • The server is Linux-based and the vulnerability that you fix is a Linux kernel vulnerability.
  • On the Linux Software tab, the vulnerability that you fix has the Restart Required tag. To view this information, log on to the Security Center console and, in the left-side navigation pane, choose Precaution > Vulnerabilities.

Why does Security Center still send a vulnerability alert to me after I update the kernel?

This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To handle this issue, perform the following steps:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current version meets the requirements in the vulnerability descriptions.
  2. Run the cat /etc/grub.conf command to query the configuration file. Make sure that the current system uses the latest kernel version.
  3. Security Center assesses whether your server contains Linux software vulnerabilities based on the kernel version. Make sure that your system does not contain the RPM Package Manager (RPM) package of the old kernel version. If your system contains the RPM package of the old kernel version, you can delete it.
    Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot for your system before you delete the RPM package of the old kernel version. A snapshot allows you to recover the system in case of unusual situations.
If you do not want to delete the RPM package of the old kernel version, you can take the following steps to ignore alerts generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the vulnerability that you want to ignore and click the vulnerability name. The details page of the vulnerability appears.
  4. In the Actions column, click the More icon and select Ignore.

What can I do if I receive messages that indicate some software that has vulnerabilities cannot be updated?

You can perform the following operations based on your needs:

  • You may receive one of the following messages when you update software to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    or
    No Packages marked for Update

    In this case, wait until an official update of the software is available.

    The following software packages do not have available updates:
    • Gnutls
    • Libnl
    • Mariadb
  • After you update software to the latest version, the software version may still fail to meet the version requirements described in Security Center.

    In this case, check whether the operating system version of your server is supported by Security Center. For example, as of September 1, 2017, Security Center does not support CentOS 6.2 to 6.6 or CentOS 7.1. We recommend that you ignore such a vulnerability in the Security Center console or update the server operating system. If you ignore such a vulnerability, the risk may still exist.

How do I view parameters of Linux software vulnerabilities?

You can log on to the Security Center console, choose Precaution > Vulnerabilities, and then click the Linux Software tab to view Linux software vulnerabilities detected on your assets. You can click the name of a specific vulnerability to go to the details page. The following list describes the parameters of Linux software vulnerabilities.
  • Vulnerability
    The name of a Linux software vulnerability notice, which starts with CVE, RHSA, or USN. For example, RHSA-2016:2972: vim security update.
  • Impact

    A vulnerability impact, which is a score based on the open criteria Common Vulnerability Scoring System (CVSS). The CVSS score indicates the severity of a vulnerability, which allows you to prioritize the vulnerability.

  • CVE ID

    The Common Vulnerabilities and Exposures ID (CVE ID) of a vulnerability. For example, CVE-2016-XXXX. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. You can find information about vulnerability fixes in a CVE-compatible database to help you solve security issues.

  • Priority
    The priority of a vulnerability, including high, medium, and low.
    Note The vulnerability priority in the preceding figure is Medium. You can fix these vulnerabilities later.
    • The following vulnerabilities have the High priority:
      • Vulnerabilities that attackers can exploit to obtain permissions on your server operating system.
      • Vulnerabilities that attackers can exploit to obtain sensitive data and cause data breaches.
      • Vulnerabilities that can cause unauthorized access to sensitive data.
      • Vulnerabilities that can cause large-scale impacts.
    • The following vulnerabilities have the Medium priority:
      • Vulnerabilities that attackers can exploit to indirectly obtain permissions on your server and application systems.
      • Vulnerabilities that attackers can exploit to read, download, write, or delete files.
      • Vulnerabilities that can cause sensitive data breaches.
      • Vulnerabilities that can cause workload disruption or remote denial-of-service attacks.
    • The following vulnerabilities have the Low priority:
      • Vulnerabilities that affect users during system and user interactions.
      • Vulnerabilities that attackers can exploit to perform unauthorized activities.
      • Vulnerabilities that attackers can exploit after they change local configurations or obtain important information.
      • Vulnerabilities that can cause local denial-of-service attacks.
      • Vulnerabilities that have minor impacts.
  • Impact description

    Provides information about the current software version, the cause of a vulnerability, and the path of the software where the vulnerability is detected.

    On the details page of a vulnerability, click Details in the Actions column to view the impact description of the vulnerability.
    The impact description includes the following information:
    • Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
    • Cause: explains why the vulnerability is detected. In most cases, the reason is that the current version of the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 1:5.5.56-2.el7.
    • Path: the path of the software where Security Center detects the vulnerability. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
  • Actions
    You can perform the following operations on a detected Linux vulnerability:
    • Fix: fixes the vulnerability.
    • Verify: verifies whether the vulnerability is fixed.
    • Ignore: ignores the vulnerability.

    For more information, see Linux software vulnerabilities.
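The version comparison behind the Cause field (installed version earlier than the fixed version, including the epoch prefix such as 1: in the mariadb-libs case above) and the check for leftover old kernel packages described in the question about alerts after a kernel update, as an added example that is not Security Center's own code. It assumes rpm EVR ordering (epoch, then version, then release, compared with the rpmvercmp segment rules; tilde and caret handling is omitted) and uses constructed package names rather than output from a live server.

```python
import re

# Added example (not Security Center code): checks whether an installed
# epoch:version-release (EVR) is earlier than the fixed EVR named in the Cause
# field, using rpm's segment ordering, and flags leftover kernel packages.

def _segments(label):
    # rpm compares runs of digits and runs of letters; '.', '_', '+' only separate
    return re.findall(r"\d+|[a-zA-Z]+", label)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (tilde and caret rules omitted)."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):  # numeric segments compare as integers: 10 > 9
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats a letter one
        elif x != y:
            return -1 if x < y else 1
    # shared segments equal: the label with segments left over is the newer one
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1

def parse_evr(evr):
    """Split 'epoch:version-release'; rpm -qa omits the epoch, so 0 is assumed."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release

def evr_compare(installed, fixed):
    """Epoch dominates, then version, then release (ignored if missing on a side)."""
    ei, vi, ri = parse_evr(installed)
    ef, vf, rf = parse_evr(fixed)
    if int(ei) != int(ef):
        return -1 if int(ei) < int(ef) else 1
    c = rpmvercmp(vi, vf)
    return c if c or not (ri and rf) else rpmvercmp(ri, rf)

def is_vulnerable(installed, fixed):
    """True when the installed EVR is earlier than the fixed EVR (the Cause rule)."""
    return evr_compare(installed, fixed) < 0

def stale_kernel_packages(uname_r, installed_kernels):
    """Return (leftover kernel packages, whether the running kernel is the newest).

    uname_r is the output of `uname -r` and installed_kernels the lines of
    `rpm -q kernel` (names like 'kernel-3.10.0-1127.el7.x86_64'); the values
    used here are constructed, not read from a live system.
    """
    stale = [p for p in installed_kernels if p != "kernel-" + uname_r]
    newest = all(evr_compare(uname_r, p[len("kernel-"):]) >= 0 for p in installed_kernels)
    return stale, newest
```

If the running kernel is reported as not the newest, the server is still booting the old kernel and the alert is genuine rather than a leftover-file artifact.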

How do I delete a Windows patch from the directory of the Security Center agent?

If you fix a Windows vulnerability by using the vulnerability fix feature, the Security Center agent automatically downloads, installs, and then deletes the patch. If the Security Center agent does not delete the patch three days after the vulnerability is fixed, perform the following steps to manually delete the patch:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. Optional. Disable self-protection for the client.

    By default, self-protection for the client is disabled. If you retain the default settings, skip this step.

    If you enable self-protection for the client, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent. For more information, see Client protection.

  4. Log on to your server as an administrator.
  5. Find the patch and manually delete it.

    The path of the patch: C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix

Can Security Center detect Elasticsearch vulnerabilities?

Yes, Security Center can detect Elasticsearch vulnerabilities.

To check whether Elasticsearch vulnerabilities are detected, perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities, and click the Application tab. Then, check whether Elasticsearch vulnerabilities exist. For more information about Elasticsearch vulnerabilities and solutions, see the topic on Elasticsearch vulnerabilities.

Note Only the Enterprise edition of Security Center supports application vulnerability detection. Users of the Basic, Basic Anti-virus, and Advanced editions must upgrade Security Center to the Enterprise edition.

How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?

If the connection times out, the following error message appears:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are normal, and wait a while. If the issue persists, submit a ticket for after-sales service.

How do I handle the Invalid token error when I fix a vulnerability?

If the Invalid token error appears in the Security Center console, you can refresh the page, and log on to the Security Center console again.
Note You can press Ctrl+F5 to refresh the current page.

What can I do if Security Center fails to verify the fix of a system vulnerability?

To handle this issue, perform the following steps:
  1. Check the software version where Security Center detects the vulnerability.
  2. Check whether the system uses the YUM repository of Alibaba Cloud.
  3. Check whether you have verified the vulnerability fix after a system update.
    Note You must restart the system after a kernel update.
  4. Make sure that the software version that you update to is not earlier than the version recommended by Security Center.

If the issue persists, we recommend that you update the operating system.

Why does the status of a vulnerability remain unchanged when I verify the vulnerability fix?

Assume that you have fixed a software vulnerability based on the vulnerability scan result from Security Center. You have upgraded the software to the version that meets the requirements on the Vulnerabilities page in the Security Center console. However, if you click Verify on the Vulnerabilities page, the status of the vulnerability remains Unfixed.

To handle this issue, perform the following steps:
  • Check the priority levels of vulnerabilities that Security Center detects

    Perform the following steps:

    1. Log on to the Security Center console.
    2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
    3. On the Vulnerabilities page, click Settings in the upper-right corner.
    4. On the Settings page, view Vul scan level.

    If you do not select a specific priority level, Security Center does not automatically update the information about vulnerabilities of the priority. You can select priority levels for scan based on your needs.

  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may not support vulnerability detection. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is offline

    If the Security Center agent on your server is offline, you cannot verify vulnerability fixes. We recommend that you troubleshoot the issue and make sure that the Security Center agent is online. For more information, see Identify why the agent is offline.

Why does Security Center fail to roll back a vulnerability fix?

To handle this issue, perform the following steps:
  1. Make sure that the Security Center agent on your server is online. If the Security Center agent is offline, troubleshoot the issue. For more information, see Identify why the agent is offline.
  2. Check whether the files related to this vulnerability have already been manually modified or deleted.
    Note If the related files have been manually modified or deleted after the vulnerability fix, Security Center cannot roll back the fix. This prevents the rollback from overwriting changes that you made to those files.

How often does Security Center detect vulnerabilities?

Security Center can detect and fix vulnerabilities such as Linux software vulnerabilities, Windows vulnerabilities, web CMS vulnerabilities, emergency vulnerabilities, and application vulnerabilities. The following table lists the default scan cycle for each vulnerability type.

Can Security Center detect system and application vulnerabilities?

Yes, Security Center can detect system and application vulnerabilities.

How does Security Center implement real-time vulnerability scan?

Security Center collects new URLs in your assets in real time and scans the collected URLs in the early morning each day. During this scan, Security Center also checks whether previously detected vulnerabilities have been fixed.

What can I do if Security Center fails to verify a fixed baseline check risk?

To handle this issue, perform the following steps:
  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline check risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is offline

    If the Security Center agent on your server is offline, Security Center cannot verify a fixed baseline check risk. Make sure that the Security Center agent on your server is online. For more information, see Identify why the agent is offline.

What are the differences between baselines and vulnerabilities?

Baselines describe the minimum security requirements for system configuration and management. For example, the following items are considered baselines: service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center provides security checks for your operating systems, databases, software, and containers. This feature supports the following baseline types: weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. In this case, you can improve system security based on the check results and suggestions provided by Security Center. For more information about check items, see Check items.

Vulnerabilities refer to flaws in operating system implementation or security policies. Attackers can exploit vulnerabilities to access the data on your servers or undermine the security of your servers. We recommend that you fix detected vulnerabilities in a timely manner to prevent attackers from exploiting the vulnerabilities.

The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade.