Security Center protects servers by using the Security Center agent. Before you can use Security Center to protect your server, you must install the Security Center agent on your server. Your server is protected by Security Center and the information about the server is displayed in the Security Center console only after the Security Center agent is installed on your server. The information includes vulnerabilities, alerts, baseline risks, and asset fingerprints. This topic describes how to install the Security Center agent on a server.

View the servers on which the Security Center agent is not installed

  1. Log on to the Security Center console.In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Agent tab, click the Agent Not Installed tab to view the number and list of servers that do not have the Security Center agent installed.

Initiate automatic installation on ECS instances

Prerequisites

Before you initiate automatic installation, make sure that your server meets the following requirements:
  • Your server is an Elastic Compute Service (ECS) instance. The Security Center agent cannot be automatically installed on servers that are not deployed on Alibaba Cloud. You must manually install the agent on these servers. For more information, see Manually install the Security Center agent.
  • Your server has Cloud Assistant installed. If Cloud Assistant is not installed on your server, you must install Cloud Assistant on your server. Then, you can initiate automatic installation to install the Security Center agent.
  • Your server is running, and the network connection of your server is normal.
  • Third-party security software installed on your server is disabled or no third-party security software is installed on your server. If third-party software on your server is enabled, the Security Center agent may fail to install.
  • Your ECS instance resides in a region that supports automatic installation.
    The following table describes the regions that support automatic installation. If your ECS instance is not deployed in one of the following regions, you cannot install the Security Center agent on your instance with a few clicks.
    Table 1. Regions that support automatic installation
    Region category Region
    Asia Pacific China (Hangzhou), China (Shanghai), China East 2 Finance, China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Hong Kong), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Japan (Tokyo)
    Europe & Americas Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
    Middle East & India India (Mumbai) and UAE (Dubai)

Procedure

  1. Log on to the Security Center console.In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Agent tab, click the Agent Not Installed tab. In the list of servers that do not have the Security Center agent installed, find a server and click Install the client in the Actions column to install the agent on the server.
    You can select multiple servers and click One-click installation in the lower-left corner.
    Approximately 5 minutes after the agent is installed, you can view the status of the Security Center agent on the Assets > Host page. If the Security Center agent is installed on the server, the Online icon is displayed in the Agent column of the server. If the agent is not installed, the Offline icon is displayed in the column.

Manually install the Security Center agent

If your server is deployed on a third-party cloud or in a data center, or your ECS instance is deployed in a region that does not support automatic installation, you must manually install the Security Center agent. For more information about the supported regions, see Regions that support automatic installation.

Manually install the Security Center agent on a server

  1. If you installed the Security Center agent on the server, you must uninstall the Security Center agent from the server and delete the files in the directory of the Security Center agent. If you did not install the Security Center agent on the server, skip this step.
    The directory of the Security Center agent varies based on the operating systems:
    • Windows: C:\Program Files (x86)\Alibaba\Aegis
    • Linux: /usr/local/aegis
  2. Log on to the Security Center console.In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Agent tab, click the Installation Command tab to view the command that is required to manually install the Security Center agent.
    • Use a default command

      Security Center provides four default commands. If you do not want to create an image command or you do not want Security Center to add the server on which an installation command is run to a specified server group, you can select a default installation command based on the type and operating system of your server. Then, copy and run the command to install the Security Center agent on your server.

    • Create an installation command

      If you want to create an image command or you want Security Center to add the server on which an installation command is run to a specified server group, you can perform the following operations to create an installation command:

      Click Add Installation Command. In the Add Installation Command dialog box, configure the following parameters and click OK. Then, copy the installation command that is created.

      Parameter Description
      Expiration time Specify the time when the installation command expires.
      Service Provider Select the provider of your server from the drop-down list.
      Default grouping Select the server group for your server on which you want to install the Security Center agent.
      Operating system Select the operating system for your server on which you want to install the Security Center agent.
      Making Image System Select No to install the Security Center agent on a single server.

      If you want to use an image to install the Security Center agent on multiple servers at a time, select Yes. For more information about how to install the Security Center agent on multiple servers at a time, see Install the Security Center agent on multiple servers by creating an image.

      You can view the created installation command on the Installation Command tab.

  4. Log on to the server by using an account that has administrative rights and run the installation command based on the operating system of the server.
    • Windows: Open the Command Prompt window and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    • Linux: Open the CLI of the server and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    Important After you run the installation command, the latest version of the Security Center agent is downloaded from Alibaba Cloud. If you use a server that is not deployed on Alibaba Cloud, make sure that the server is connected to the Internet before you run the installation command.

Install the Security Center agent on multiple servers by creating an image

  1. If you want to create an image for a server and you installed the Security Center agent on the server, you must uninstall the Security Center agent and delete the files in the directory of the Security Center agent. If you did not install the Security Center agent on the server, skip this step.
    The directory of the Security Center agent varies based on the operating systems:
    • Windows: C:\Program Files (x86)\Alibaba\Aegis
    • Linux: /usr/local/aegis
  2. Log on to the Security Center console.In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Installation Command tab of the Agent tab, click Add Installation Command.
  4. In the Add Installation Command dialog box, configure the parameters and click OK. Then, copy the created command.
    Parameter Description
    Expiration time Specify the time when the installation command expires.
    Service Provider Select the provider of your server from the drop-down list.
    Default grouping Select the server group on which the installation command can be run.
    Operating system Select the operating system of your server.
    Making Image System Select Yes.
  5. Add the latest version number -v=11_41 of the Security Center agent to the installation command. The setting varies based on the operating system of the server.
    • Windows: powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; "./AliAqsInstall.exe -i -v=11_41 -k=IMAGEwH****"
    • Linux: wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh -i -v=11_41 -k=IMAGE19****
  6. Log on to the server by using an account that has administrative rights and run the installation command after modification on the server.
    • Windows: Open the Command Prompt window and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    • Linux: Open the CLI of the server and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.

    After you run the installation command on the server, only the installation package of the Security Center agent is downloaded. After the agent is installed, you can create an image for the operating system of the server. Then, you can use the image as a template to install the Security Center agent on multiple servers at a time. After you create the image, you must restart the server. This way, you can start the processes of the Security Center agent to enable Security Center to protect the server. In this case, the installation command is also referred to as an image command. For more information about the image command, see the "Install the Security Center agent on multiple servers by creating an image" section of this topic.

  7. After the Security Center agent is installed, shut down the server as prompted and create an image for the operating system of the server.
    Important
    • You cannot restart the server until the image is created. Otherwise, the image becomes invalid.
    • If you want to create an image for the operating system of the same server multiple times, you must perform all the steps provided in Install the Security Center agent on multiple servers by creating an image each time you create the image.
    • After you run the image command, the AliYunDun and AliYunDunUpdate processes are not started on the server, and the Security Center agent is not in the Online state. You must restart the server. Then, the status of the Security Center agent is updated to Online.
  8. After you create the image for the operating system of the server, restart the server.
    After the server is restarted, the status of the Security Center agent on the server changes to Online.

Use an installation command for External host to install the Security Center agent

Manage ECS instances across accounts

If you want to monitor the security status of ECS instances within Alibaba Cloud Account B by using Alibaba Cloud Account A, you can perform the following operations:
  1. Submit a ticket and contact technical support to mark Alibaba Cloud Account A.
  2. Log on to the Security Center console by using Alibaba Cloud Account A. Then, copy and run an installation command that is provided for External host to install the Security Center agent on the ECS instances. For more information, see Manually install the Security Center agent.
  3. After you install the Security Center agent, log on to the Security Center console by using Alibaba Cloud Account A. You can view and manage the ECS instances that belong to Alibaba Cloud Account B. The External host tag is added to the ECS instances.

Cancel the cross-account management of ECS instances

If you no longer want to monitor the security status of ECS instances within Alibaba Cloud Account B by using Alibaba Cloud Account A, you can perform the following operations:

  1. Log on to the Security Center console by using Alibaba Cloud Account A. Then, uninstall the Security Center agent from the ECS instances. For more information, see Uninstall the Security Center agent.
  2. Log on to the Security Center console by using Alibaba Cloud Account B. In the left-side navigation pane, choose System Configuration > Feature Settings.
  3. On the Agent tab, click the Installation Command tab. Then, find the installation command based on the operating system of each ECS instance and click Copy command to the right of the command. Then, append -r to the end of the command.
    Example commands:
    • Linux
      wget "https://update2.aegis.aliyun.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh  -k=bE**** -r
    • Windows
      powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://update2.aegis.aliyun.com/download/install/2.0/windows/AliAqsInstall.exe', $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))";  "./AliAqsInstall.exe  -k=1O****" -r
  4. Use an administrator account to log on to each ECS instance on which you want to install the Security Center agent and run the installation command. The administrator account for a Windows operating system is Administrator, and the administrator account for a Linux operating system is root.
  5. After you install the agent, log on to the Security Center console by using Alibaba Cloud Account B. You can view and manage the ECS instances on which the Security Center agent is installed.

Check whether the Security Center agent is installed

After the Security Center agent is installed on a server, Security Center downloads the agent-related files to the server and starts the processes of the Security Center agent. For more information about the processes of the Security Center agent, see Agent processes. You can check whether the Security Center agent is installed by viewing the status of the processes or the Security Center agent in the console.

Method 1: Verify the processes of the Security Center agent

After the Security Center agent is installed on a server, you can check whether the processes of the Security Center agent are running as expected and whether the server is connected to Security Center. If yes, the Security Center agent is successfully installed.

  1. Check whether the AliYunDun and AliYunDunUpdate processes of the Security Center agent are running as expected on your server. For more information about the processes of the Security Center agent, see Security Center agent.
  2. Run the following telnet commands to check whether your server can connect to Security Center:
    Note Make sure that your server can connect to at least one of the following JSRV domain names and one of the following update domain names. JSRV domain names are used to issue instructions such as vulnerability detection and virus detection, and update domain names are used to download and update the Security Center agent.
    • telnet jsrv.aegis.aliyun.com 443/80
    • telnet jsrv2.aegis.aliyun.com 443/80
    • telnet jsrv3.aegis.aliyun.com 443/80
    • telnet update.aegis.aliyun.com 443/80
    • telnet update2.aegis.aliyun.com 443/80
    • telnet update3.aegis.aliyun.com 443/80

Method 2: Verify the installation in the Security Center console

Approximately 5 minutes after the Security Center agent is installed, you can check whether the agent of the server is online on the Host page of the Security Center console. If the following coditions are met, the agent is online:
  • The icon in the Agent column changes from Unprotected to Protected.
  • Servers that are not deployed on Alibaba Cloud are added to the server list, and the icon in the Agent column changes from Unprotected to Protected.
    Important The information about servers that have the Security Center agent installed is automatically synchronized every minute to the Security Center console. Due to network latency, the information about a server that is not deployed on Alibaba Cloud and has the Security Center agent installed may not be immediately displayed on the Host page. In this case, you must manually synchronize the server information. For more information, see Synchronize the information about the most recent servers.

If the verification does not pass, check whether the agent is offline. For more information, see Troubleshoot why the Security Center agent is offline.