Security Center allows you to configure vulnerability settings. You can enable or disable automatic scans for each type of vulnerability and enable vulnerability scans for specific servers. You can also specify the scan cycle, specify the number of days after which a detected vulnerability is automatically deleted, and remove vulnerabilities from the whitelist. This topic describes how to configure vulnerability settings.

Background information

You can select multiple vulnerabilities from the list of Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, or application vulnerabilities, and then add the selected vulnerabilities to the whitelist at the same time. After you add vulnerabilities to the whitelist, Security Center no longer detects these vulnerabilities. You can also remove vulnerabilities from the whitelist in the Settings panel based on your business requirements.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. In the upper-right corner of the Vulnerabilities page, click Settings.
  4. In the Settings panel, configure the parameters based on your business requirements.
    The following table describes the parameters.
    Parameter: Description

    Linux Software: Turn on or turn off the switch to enable or disable the scan for Linux software vulnerabilities. After you turn on the switch, you can click Manage on the right to add or remove servers that you want to scan for Linux software vulnerabilities.

    Windows System: Turn on or turn off the switch to enable or disable the scan for Windows system vulnerabilities. After you turn on the switch, you can click Manage on the right to add or remove servers that you want to scan for Windows system vulnerabilities.

    Web CMS: Turn on or turn off the switch to enable or disable the scan for Web-CMS vulnerabilities. After you turn on the switch, you can click Manage on the right to add or remove servers that you want to scan for Web-CMS vulnerabilities.

    Emergency: Turn on or turn off the switch to enable or disable the scan for urgent vulnerabilities. After you turn on the switch, you can click Manage on the right to add or remove servers that you want to scan for urgent vulnerabilities.

    Application: Turn on or turn off the switch to enable or disable the scan for application vulnerabilities.

    YUM/APT Source Configuration: Turn on or turn off the switch to specify whether to preferentially use YUM or APT sources of Alibaba Cloud to fix vulnerabilities.
    Note: Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability may fail to be fixed. After you turn on the switch, Security Center automatically selects a YUM or APT source of Alibaba Cloud. This improves the success rate of vulnerability fixing. We recommend that you turn on YUM/APT Source Configuration.

    Emergency vul(s) Scan Cycle: Specify the scan cycle for urgent vulnerabilities. Valid values:
    • 3 Days
    • One week
    • Two weeks
    • Stop
    Note:
    • Only users of the Advanced, Enterprise, and Ultimate editions of Security Center can specify the Emergency vul(s) Scan Cycle parameter. By default, the scan period for urgent vulnerabilities is 00:00:00 to 07:00:00.
    • If your servers are deployed in a private network or urgent vulnerability detection is not required, you can set Emergency vul(s) Scan Cycle to Stop.
    • Your servers may be attacked in various ways. We recommend that you set Emergency vul(s) Scan Cycle to a value other than Stop. This way, Security Center detects urgent vulnerabilities on your servers in a timely manner.

    Application Vul(s) Scan Cycle: Specify the scan cycle for application vulnerabilities. Valid values:
    • 3 Days
    • One week
    • Two weeks
    Note: Only users of the Enterprise and Ultimate editions of Security Center can specify the Application Vul(s) Scan Cycle parameter. By default, the scan period for application vulnerabilities is 00:00:00 to 07:00:00.

    Retain Invalid Vul for: Specify the number of days after which a detected vulnerability is automatically deleted. Valid values:
    • 7Day(s)
    • 30Day(s)
    • 90Day(s)
    Note: If you do not handle a detected vulnerability and the vulnerability is no longer detected in multiple subsequent detections, the vulnerability is automatically removed from the Vulnerabilities page after the specified number of days. If vulnerabilities of the same type are detected, Security Center still generates alerts.

    Vul scan level: Specify priorities for the vulnerabilities that Security Center detects. Valid values:
    • High
    • Medium
    • Low
    Note: Security Center detects and displays only vulnerabilities that have the priorities specified by the Vul scan level parameter. If you set this parameter to High and Medium, Security Center detects only vulnerabilities that have High and Medium priorities. On the Vulnerabilities page, only vulnerabilities that have High and Medium priorities are displayed.

    Vul Whitelist: Manage the vulnerability whitelist. You can perform the following operations:
    • Add whitelist rules: Click Add rules on the right. In the AddVulnerability rule panel, configure a whitelist rule based on a specific type of vulnerability.
    • Edit whitelist rules: Click Edit on the right of the vulnerability that is added to a whitelist rule. In the panel that appears, modify the Rule scope and Note parameters.
    • Remove vulnerabilities from the whitelist: Click Delete on the right of a vulnerability to remove the vulnerability from the whitelist. After you remove the vulnerability from the whitelist, Security Center can detect the vulnerability and generate alerts for the vulnerability.

    After the vulnerability settings are configured, Security Center detects vulnerabilities on your servers based on the configurations.
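
The note on YUM/APT Source Configuration states that a fix can fail when the configured YUM or APT source is invalid. The following shell functions are an added example, not Security Center or Alibaba Cloud code: they list the sources a server actually has enabled and then ask the package manager to refresh them. The function names are hypothetical, and the files you pass in are assumed to be the distribution's standard source files.

```sh
#!/bin/sh
# Added example, not Security Center code: review and test the package
# sources a server will use before a Linux software vulnerability is fixed.

# Print the URI of each active one-line "deb" entry in an APT sources file.
# Skips comments and deb-src entries and steps over an optional [options]
# field. deb822-style *.sources files are not handled.
apt_uris() {
    awk '$1 == "deb" {
        i = 2
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        if (i <= NF) print $i
    }' "$1"
}

# Print "repo-id url" for each enabled section of a YUM .repo file.
# A section without an "enabled" key counts as enabled (the YUM default).
yum_urls() {
    awk '
        function emit() { if (id != "" && on && url != "") print id, url }
        /^[ \t]*\[/ {
            emit(); id = $0
            sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            on = 1; url = ""; next
        }
        /^[ \t]*(baseurl|mirrorlist|metalink)[ \t]*=/ {
            if (url == "") { url = $0; sub(/^[^=]*=[ \t]*/, "", url); sub(/[ \t]+$/, "", url) }
        }
        /^[ \t]*enabled[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); on = (v !~ /^0/) }
        END { emit() }
    ' "$1"
}

# Refresh metadata with the system package manager. Returns 0 when every
# source answered, 1 when a source failed, 2 when neither tool is present.
# apt-get can exit 0 even if a source failed, so its output is scanned too;
# any warning (W:) is treated as something to review before fixing.
sources_ok() {
    if command -v apt-get >/dev/null 2>&1; then
        out=$(apt-get update 2>&1) || return 1
        ! printf '%s\n' "$out" | grep -Eq '^(Err:|W:|E:)'
    elif command -v yum >/dev/null 2>&1; then
        yum -q makecache >/dev/null 2>&1
    else
        return 2
    fi
}
```

Run `apt_uris` or `yum_urls` on each source file to see which mirrors are in effect, then run `sources_ok` as root; a non-zero result means the source should be corrected before the fix is started.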