This topic introduces the best practice for fixing software vulnerabilities on servers.
You can use the following method to fix vulnerabilities that have been detected on your server by the vulnerability detection feature of Security Center.
How to fix software vulnerabilities
Unlike fixing vulnerabilities on PCs, fixing software vulnerabilities on servers requires expert knowledge. You must follow these steps to fix software vulnerabilities:
- You must check all assets on the target server and log on to the Security Center console to check system vulnerabilities on the server. For more information about descriptions of Linux software vulnerability attributes in Security Center, see Linux software vulnerability attribute descriptions.
- After checking the system vulnerabilities on the target server, determine the vulnerabilities that need to be fixed urgently. You can determine which vulnerabilities need to be fixed urgently based on the business status, server status, and impacts caused by vulnerability fixes.
- Upload vulnerability patches to the testing environment, test the compatibility and security of these patches, and then generate a vulnerability fix testing report. The vulnerability fix testing report must include vulnerability fix results, vulnerability fix duration, patch compatibility, and impacts caused by vulnerability fixes.
- To prevent exceptions, before fixing the software vulnerabilities, you must use the backup and recovery feature to back up the system of the target server. For example, you can use the snapshot feature of ECS to create a snapshot of the target ECS instance.
- Upload the vulnerability patches to the target server and use the patches to fix the vulnerabilities. This task requires a minimum of two administrators: one administrator takes charge of fixing vulnerabilities and the other takes charge of keeping records. Perform all operations with caution.
- The administrator must follow the system vulnerability list sequentially to upgrade the system and fix vulnerabilities.
Validate vulnerability fixes and generate a report
- Validate the vulnerability fixes on the target server. Make sure that the vulnerabilities have been successfully fixed and that no exceptions have occurred on the target server.
- Generate a vulnerability fix report based on the entire vulnerability fix process and archive the relevant documents.
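One way to produce the validation lines of that report from the package inventories captured before and after the fix, as an added example that is not part of the Security Center documentation. The inventories, the fix plan and the VULN-EXAMPLE ids are constructed placeholders; version ordering relies on GNU `sort -V`:

```shell
# Constructed sample inventories ("name version"), the shape that
# rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' prints, captured before and after the fix.
BEFORE='openssl 1.1.1k-1
bash 5.1-2
sudo 1.9.5p2-3'
AFTER='openssl 1.1.1w-1
bash 5.1-2
sudo 1.9.5p2-3'
# Constructed fix plan: "<vulnerability id> <package> <lowest version that fixes it>".
PLAN='VULN-EXAMPLE-1 openssl 1.1.1w-1
VULN-EXAMPLE-2 sudo 1.9.15-1'
# pkg_version INVENTORY PACKAGE: print the version of PACKAGE recorded in INVENTORY.
pkg_version() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}
# version_ge HAVE WANT: succeed when HAVE sorts at or above WANT (uses GNU sort -V).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# fix_status INVENTORY PACKAGE WANT: print "fixed" if the recorded version is at least
# WANT, "missing" if the package is absent from INVENTORY, otherwise "not-fixed".
fix_status() {
  have=$(pkg_version "$1" "$2")
  if [ -z "$have" ]; then echo missing
  elif version_ge "$have" "$3"; then echo fixed
  else echo not-fixed; fi
}

# fix_report BEFORE AFTER PLAN: print one line per planned vulnerability (id, package,
# version before, version after, status) plus a summary line; return 0 only when every
# vulnerability in the plan is fixed, so the report can gate the sign-off.
fix_report() {
  total=0; fixed=0
  while read -r id pkg want; do
    [ -z "$id" ] && continue
    total=$((total + 1))
    status=$(fix_status "$2" "$pkg" "$want")
    [ "$status" = fixed ] && fixed=$((fixed + 1))
    printf '%s %s before=%s after=%s %s\n' "$id" "$pkg" \
      "$(pkg_version "$1" "$pkg")" "$(pkg_version "$2" "$pkg")" "$status"
  done <<EOF
$3
EOF
  printf 'summary: %d/%d fixed\n' "$fixed" "$total"
  [ "$fixed" -eq "$total" ]
}

fix_report "$BEFORE" "$AFTER" "$PLAN" || echo "fix plan incomplete: do not sign off"
```

With the constructed data the sudo entry stays "not-fixed", so the function returns non-zero and the sign-off is withheld; on a real host replace BEFORE and AFTER with inventories captured from the package manager.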
Software vulnerability fix guidelines
To make sure that the operating system of the target server can run normally during the software vulnerability fix process, and to minimize the possibility of exceptions, follow these guidelines when you fix vulnerabilities:
- Create a vulnerability fix plan
You must inspect the operating system and application system of the target server and create an applicable vulnerability fix plan. The feasibility of the vulnerability fix plan must be discussed and verified in the testing environment. You must strictly follow the instructions and steps in the vulnerability fix plan to fix vulnerabilities and make sure that no damage is done to the systems of the target server.
- Use a testing environment
You must use a testing environment to verify the feasibility of your vulnerability fix plan. Make sure that the plan has no impact on the online business system to be fixed.
Note: The testing environment must use the same operating system and database system as your online business system. The application system version of the testing environment must be the same as that of your online business system. We recommend that you use the latest replica of the entire business system for testing.
- Back up your business system
You must back up the entire business system, including the operating system, applications, and data. After backup, you must validate the backup by restoring your system. System backup guarantees the availability of your business. If a system exception or data loss occurs, you can use the backup to restore your system. We recommend that you use the snapshot feature of ECS to quickly back up your business system.