The Security Center agent is a local plug-in provided by Security Center. Before you can use Security Center to protect your server, you must install the Security Center agent on your server. This topic describes how to install the Security Center agent.

Background information

Your server is protected by Security Center and the information about the server is displayed in the Security Center console only after your server has the Security Center agent installed. The information includes vulnerabilities, alerts, baseline risks, and asset fingerprints.

After you install the Security Center agent, the installation path of the agent varies based on the operating system of your server:

  • Windows: C:\Program Files (x86)\Alibaba\Aegis
  • Linux: /usr/local/aegis

View the servers on which the Security Center agent is not installed

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview tab, view the value of Unprotected assets (ECS) in the section that displays the overview of your Security Center edition. This parameter specifies the servers that do not have the Security Center agent installed.
    Note You must install the Security Center agent on each server that requires protection from Security Center.
    Unprotected assets
  4. Click Install now to go to the Settings page. Click the Agent tab and then the Client to be installed tab. On the Client to be installed tab, view the total number and list of servers that do not have the Security Center agent installed.
    Client to be installed
    Note You can also view the status of the Security Center agent on the Server(s) tab of the Assets page. The following list describes the status of the Security Center agent:
    • If the status of the agent is Enable, the Security Center agent is installed and running as expected.
    • If the status of the agent is Close, the Security Center agent is not installed or is disconnected from Alibaba Cloud.
  5. Click the Client Installation Guide tab to install the Security Center agent. Automatic installation and manual installation are supported.

    You can install the agent by using one of the following methods:

    • Automatic installation

      If you initiate automatic installation, you need only to install the Security Center agent in the Security Center console with a few clicks. No plug-ins are required. For more information, see Initiate automatic installation on ECS instances.

      Note Automatic installation is suitable only for the Elastic Compute Service (ECS) instances that have Cloud Assistant installed. If your server is not deployed on Alibaba Cloud or your ECS instance does not have Cloud Assistant installed, you must manually install the Security Center agent on your server.
    • Manual installation

      To manually install the Security Center agent, you must create installation commands on the Client Installation Guide tab. For more information, see Manually install the Security Center agent on your server.

      Note Manual installation is suitable only for the ECS instances that do not have Cloud Assistant installed and the servers that are not deployed on Alibaba Cloud.

Initiate automatic installation on ECS instances

Automatic installation indicates that you can install the Security Center agent in the Security Center console.

Before you initiate automatic installation, make sure that your server meets the following requirements:
  • Your server is an ECS instance.

    Automatic installation cannot be used for the servers that are not deployed on Alibaba Cloud. To install the Security Center agent for these servers, you can use manual installation.

  • Your server has Cloud Assistant installed.

    If Cloud Assistant is not installed on your server, you must install Cloud Assistant on your server. Then, you can initiate automatic installation to install the Security Center agent.

  • The ECS instance on which you want to install the Security Center agent is deployed in a region that supports automatic installation.

    For more information about supported regions, see Regions that support automatic installation.

  • Your server is running.
  • The network connection of your server is normal.
  • If third-party security software is installed on your server, you may fail to install the Security Center agent. Before you install the Security Center agent, we recommend that you check whether such software is installed on your server. If third-party security software is installed on your server, we recommend that you disable or uninstall the software before you install the agent.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Agent tab.
  4. On the Client to be installed tab of the Agent tab, find the server that you want to install the agent and click Install the client in the Actions column. You can select multiple servers and click One-click installation in the lower-left corner.
    One-click installation
    Approximately 5 minutes after the agent is installed, you can view the status of the Security Center agent on the Assets page. The status in the Agent column changes from Close to Enable.
    Note If the status in the Agent column is Failed and a message appears indicating that Cloud Assistant is not installed, you must install Cloud Assistant before you install the Security Center agent. For more information about how to install Cloud Assistant, see Cloud Assistant.

Manually install the Security Center agent on your server

If your server is deployed on a third-party cloud or in a data center, or your ECS instance is deployed in a region that does not support automatic installation, you must manually install the Security Center agent. For more information, see Regions that support automatic installation.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Agent tab.
  4. Click the Client Installation Guide tab.
    Security Center provides four default installation commands on the Client Installation Guide tab. If you do not want Security Center to create an image based on an installation command, or you do not want the server on which the installation command is run to be automatically added to a specified server group, you can select an installation command based on the type of your server and the operating system that your server runs. Then, you can run a default command to install the Security Center agent on your server.
  5. Optional:On the Client Installation Guide tab, click Add Installation Command to create an installation command.
    Notice If you use a default installation command, skip this step.
    You can create an installation command to achieve the following purposes:
    • Enable Security Center to create an image based on the installation command, and use the image to preinstall the Security Center agent on multiple servers.
    • Bind a server group to the installation command. After you run the command to install the Security Center agent on a server, the server is automatically added to the server group.
    1. In the Add Installation Command dialog box, configure the parameters.

      The following table describes the parameters.

      Parameter Description
      Expiration time The time when the installation command expires.
      Service Provider The provider of your server.
      Default grouping The server group that you want to bind to the installation command.
      Operating system The operating system in which the installation command can be run. Valid values: Windows, Linux, and windows-2003.
      Making Image System Specifies whether to enable Security Center to create an image. Valid values: Yes and No.
      • If you select Yes, Security Center automatically creates an image based on the installation command. You can use the image to preinstall the Security Center agent on multiple servers at a time without the need to run the installation command on each server.
        Note After you run the installation command on your server, only the installation package of the Security Center agent is downloaded to the server. The process of the Security Center agent is not started. If you want Security Center to protect your server, you must restart the server to start the process of the Security Center agent.
      • If you select No, Security Center generates an installation command but does not create an image based on the installation command.
    2. Click OK. An installation command is generated. Then, copy the command.

      You can view the generated installation command on the Client Installation Guide tab.

  6. Log on to the server on which you want to install the agent by using an account that has administrative rights.
    The tool that you can use to run the installation command varies based on the operating system of the server.
    • Windows: Open the Command Prompt and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    • Linux: Open the CLI and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    Notice After you run the installation command, the latest version of the Security Center agent is downloaded from Alibaba Cloud. If you use a server that is not deployed on Alibaba Cloud, make sure that the server is connected to the Internet before you run the installation command.
    You can view the status of the agent on the Assets page approximately 5 minutes after the agent is installed.
    • If you use an ECS instance, the status in the Agent column of the instance changes from Close to Enable.
    • If you use a server that is not deployed on Alibaba Cloud, the server is added to the server list on the Assets page.
      Notice Due to network latency, a server that is not deployed on Alibaba Cloud and has the Security Center agent installed may not be immediately displayed on the Assets page. In this case, you must click Synchronize Asset on the Server(s) tab of the Assets page to update the information about the server.

Install the Security Center agent on the servers that are not deployed on Alibaba Cloud

For a Windows server that is not deployed on Alibaba Cloud, you can download the installer to install the Security Center agent. For a Linux server that is not deployed on Alibaba Cloud, you can run the installation command to install the Security Center agent. For more information, see Manually install the Security Center agent on your server.

If you installed the Security Center agent on a server that is not deployed on Alibaba Cloud in the following ways, delete the directory of the Security Center agent. Then, follow the manual installation instructions to reinstall the Security Center agent.
  • Use an image that includes the Security Center agent to install the Security Center agent on multiple servers at a time.
  • Copy the installation package from a server on which the Security Center agent is installed to install the Security Center agent.

Check whether the Security Center agent is installed

We recommend that you perform the following steps to check whether the Security Center agent is installed.

  1. Check whether the AliYunDun and AliYunDunUpdate processes of the Security Center agent are running as expected on your server. For more information about the processes of the Security Center agent, see Security Center agent.
  2. Run the following telnet commands to check whether your server can connect to the Security Center server:
    Note Make sure that your server can connect to at least one of the following JSRV domain names and one of the following update domain names. JSRV domain names are used to issue instructions such as vulnerability detection and virus detection. Update domain names are used to download and update the Security Center agent.
    • telnet jsrv.aegis.aliyun.com 443/80
    • telnet jsrv2.aegis.aliyun.com 443/80
    • telnet jsrv3.aegis.aliyun.com 443/80
    • telnet update.aegis.aliyun.com 443/80
    • telnet update2.aegis.aliyun.com 443/80
    • telnet update3.aegis.aliyun.com 443/80

If your server cannot connect to the Security Center server, perform troubleshooting. For more information, see Troubleshoot why the Security Center agent is offline.

Regions that support automatic installation

The following table lists the regions that support automatic installation. If your ECS instance is not deployed in one of the following regions, you cannot install the Security Center agent on your instance with a few clicks.

District Region
Asia Pacific China (Hangzhou)
China (Shanghai)
China East 2 Finance
China (Qingdao)
China (Beijing)
China (Zhangjiakou)
China (Hohhot)
China (Shenzhen)
China (Hong Kong)
Singapore (Singapore)
Australia (Sydney)
Malaysia (Kuala Lumpur)
Indonesia (Jakarta)
Japan (Tokyo)
Europe & Americas Germany (Frankfurt)
UK (London)
US (Silicon Valley)
US (Virginia)
Middle East & India India (Mumbai)
UAE (Dubai)

References

Install the Security Center agent on multiple ECS instances at a time

Install the Security Center agent on servers not deployed on Alibaba Cloud