This topic provides answers to some frequently asked questions about the vulnerability management and baseline check features.

How do I manually detect Linux software vulnerabilities on my servers?

You can run commands on your servers to manually detect Linux software vulnerabilities. For more information, see How do I manually detect Linux software vulnerabilities?

We recommend that you use the feature provided by Security Center to detect Linux software vulnerabilities. This feature automatically detects vulnerabilities in a timely manner on a regular basis.

How do I view the current software version and vulnerability details?

Security Center compares the software version on your server with the software version that has Common Vulnerabilities and Exposures (CVE) to determine whether your server contains software vulnerabilities. To view vulnerability details of the current software version, you can use one of the following methods:
  • View the current software version and vulnerability details in the Security Center console

    Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities. On the Vulnerabilities page, you can view the system software version and vulnerability details. For more information about the parameters related to Linux software vulnerabilities, see How do I view the parameters of Linux software vulnerabilities?

  • View details of the current software version on your server
    You can run a command to view details of the current software version:
    • CentOS

      Run the rpm -qa | grep xxx command. xxx specifies the name of the software package. For example, you can run the rpm -qa | grep bind-libs command to view the version details of the bind-libs software package.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} ${Version} ${Source}\n' | grep xxx command. xxx specifies the name of the software package. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of the bind-libs software package.
      Note If the specified software package is not found, run the dpkg-query -W command to view all the software that is installed on your server.
    After you obtain the version details of the software, compare the version details with the details of the Linux software vulnerabilities detected by Security Center. In the details of a vulnerability, Software and Cause indicate the version of the current software and the reason based on which Security Center determines that your server has the vulnerability.
    Note After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore this alert. Also, you can run the yum remove or apt-get remove command to delete the software package of the old version. Before you delete the package, make sure that the old software version is no longer required by your workloads or applications.
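The comparison in the preceding steps can be scripted. The following shell script is an added example and is not part of the Security Center documentation or product: it reads the installed version of a package with rpm or dpkg-query and compares it segment by segment with the version named in the vulnerability's Cause field. The mariadb-libs version strings used for illustration come from this page; the vercmp routine is the script's own approximation of RPM and dpkg version ordering, exact for ordinary release strings such as 5.5.56-2.el7.

```shell
#!/bin/sh
# Added example: check whether an installed package meets the version that the
# vulnerability details (Software / Cause fields) require.
# Works on RPM-based (CentOS) and dpkg-based (Ubuntu/Debian) servers.

# Print the installed version of package $1; return 1 if it is not installed.
installed_version() {
  if command -v rpm >/dev/null 2>&1; then
    # rpm -q prints "package X is not installed" on stdout, so use the exit code.
    v=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || return 1
    printf '%s\n' "$v" | head -n1
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}\n' "$1" 2>/dev/null
  else
    return 1
  fi
}

# Split a version string into digit runs and letter runs, one per line,
# e.g. "5.5.52-1.el7" -> 5 5 52 1 el 7
segments() {
  printf '%s\n' "$1" \
    | sed 's/[^0-9A-Za-z]/ /g; s/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
    | tr -s ' ' '\n' | sed '/^$/d'
}

# Print -1, 0 or 1 as $1 is older than, equal to or newer than $2.
# Numeric segments compare numerically, letter segments as strings; a version
# with extra trailing segments (2.0.1 vs 2.0) is the newer one.
vercmp() {
  sa=$(segments "$1"); sb=$(segments "$2"); i=1
  while :; do
    x=$(printf '%s\n' "$sa" | sed -n "${i}p")
    y=$(printf '%s\n' "$sb" | sed -n "${i}p")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
    if [ -z "$x" ]; then printf '%s\n' -1; return 0; fi
    if [ -z "$y" ]; then printf '%s\n' 1; return 0; fi
    case "$x$y" in
      *[!0-9]*)   # at least one letter run: compare as strings
        if [ "$x" != "$y" ]; then
          first=$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n1)
          if [ "$first" = "$x" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
          return 0
        fi ;;
      *)          # both numeric
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi ;;
    esac
    i=$((i + 1))
  done
}

# Report whether package $1 meets required version $2.
# Exit status: 0 = meets, 1 = older (still vulnerable), 2 = not installed.
check_package() {
  v=$(installed_version "$1") || v=""
  if [ -z "$v" ]; then printf '%s: not installed\n' "$1"; return 2; fi
  if [ "$(vercmp "$v" "$2")" -lt 0 ]; then
    printf '%s %s is older than required %s: still vulnerable\n' "$1" "$v" "$2"; return 1
  fi
  printf '%s %s meets required %s\n' "$1" "$v" "$2"; return 0
}

# Usage on a server, with the values from the vulnerability's Software/Cause fields:
#   sh check_version.sh mariadb-libs 5.5.56-2.el7
if [ $# -eq 2 ]; then
  check_package "$1" "$2"
fi
```

The exit status makes the script usable from cron or a configuration-management run: 1 means the package is still below the required version, 2 means the package is not installed at all (which is also the case for leftover-file alerts after the old package has been removed).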

How do I update kernel 3.1* to kernel 4.4 on Ubuntu 14.04?

Important Risks may arise when you update the kernel version. We recommend that you follow the instructions provided in Fix software vulnerabilities.
To update kernel 3.1* to kernel 4.4 on Ubuntu 14.04, perform the following steps:
  1. Run the uname -av command to confirm that the kernel version is 3.1*. [Figure: Confirm the kernel version]
  2. Run the following commands to check whether the latest kernel update package is available:
    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic
  3. If no package is available, run the apt-get update command to obtain the latest update package.
  4. Run the following commands to install the latest update package:
    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  5. After the update package is installed, restart the server to load the kernel.
  6. After the server is restarted, run the following commands to verify the update:
    • Run the uname -av command to query the current kernel version. [Figure: Query the current kernel version]
    • Run the dpkg -l | grep linux-image command to query the details of the current kernel. [Figure: Query the details of the current kernel]

How do I check whether a vulnerability is fixed by using Ubuntu kernel patches?

If you modified the boot sequence in the GRUB boot menu and installed a new kernel on your Ubuntu server, the new kernel is not enabled when you restart the Ubuntu server. You must configure environment variables to enable the new kernel.

When you fix Ubuntu kernel vulnerabilities in the Security Center console, you must restart the system for the fix to take effect. If you modified the GRUB boot menu, the system does not automatically create a boot menu entry for the new kernel when the system is restarted. The vulnerability then remains in the Handled (To Be Restarted) state after the restart, and you cannot check whether the vulnerability is fixed.

If you want to use the default settings of the new kernel rather than the original GRUB boot menu configurations, specify the following environment variable on the Linux server before you run the command to fix vulnerabilities. This way, the system uses the default settings of the new kernel.

export DEBIAN_FRONTEND=noninteractive

If you do not want to use the default settings of the latest kernel, you can modify the GRUB boot sequence instead. For more information, see How do I modify the boot sequence of the Linux kernel?

Do I need to restart my server after I fix a vulnerability?

  • Windows servers:

    After you fix a Windows system vulnerability in the Security Center console, you must restart your server to validate the fix.

    This applies to all servers that run Windows.

  • Linux servers:
    After you fix a Linux kernel vulnerability in the Security Center console, you must restart your server to validate the fix. This applies if one of the following conditions is met:
    • Your server runs Linux, and the vulnerability that you fix is a Linux kernel vulnerability.
    • On the Linux Software tab, the vulnerability that you fix is tagged with Restart required. You can perform the following steps to go to the Linux Software tab: Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities. [Figure: Restart required]

What do I do if Security Center continues to send a vulnerability alert to me after I update the kernel?

This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To fix this issue, you can perform the following steps:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current kernel version meets the requirement that is described in the vulnerability details.
  2. Run the cat /etc/grub.conf command to query the configuration file. Make sure that the current system uses the latest kernel version.
  3. Security Center determines whether your server contains Linux software vulnerabilities based on the kernel version. If your system still contains the RPM Package Manager (RPM) package of the old kernel version, Security Center detects the package and generates an alert. Make sure that your system does not contain the RPM package of the old kernel version. If your system contains the RPM package of the old kernel version, delete the package.
    Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot of your system before you delete the RPM package of the old kernel version. If exceptions occur, you can use the snapshot to restore your system.
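As an added example (not from the Security Center documentation or product), the following shell script automates steps 1 through 3 above: it compares the running kernel from uname -r with the kernel packages that rpm or dpkg reports as installed, flags a pending restart when a newer kernel is installed but not loaded, and lists the old kernel packages that would keep triggering the alert. The kernel version strings in the comments are illustrative, and sort -V (GNU version sort) is assumed to be available.

```shell
#!/bin/sh
# Added example: after a kernel update, show whether the running kernel is the
# newest one installed and which old kernel packages are still present. Those
# leftover packages are what Security Center keys its alert on.

# List installed kernel versions in the same form as "uname -r" prints them,
# e.g. 3.10.0-1160.el7.x86_64 (CentOS) or 4.4.0-94-generic (Ubuntu).
installed_kernels() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null
  elif command -v dpkg-query >/dev/null 2>&1; then
    # Status is "install ok installed" for fully installed packages;
    # the pattern skips linux-image-extra-* and the linux-image-generic meta package.
    dpkg-query -W -f '${Package} ${Status}\n' 'linux-image-[0-9]*' 2>/dev/null \
      | awk '$4 == "installed" { sub(/^linux-image-/, "", $1); print $1 }'
  fi
}

# Print the newest version in the newline-separated list $1.
newest_kernel() {
  printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n1
}

# Exit 0 if an installed kernel in list $2 is newer than the running one ($1),
# i.e. the server still needs a restart to load the updated kernel.
reboot_pending() {
  newest=$(newest_kernel "$2")
  [ -n "$newest" ] && [ "$newest" != "$1" ] \
    && [ "$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n1)" = "$newest" ]
}

# Print installed kernel versions (list $2) that are older than the running one ($1).
stale_kernels() {
  printf '%s\n' "$2" | sed '/^$/d' | while read -r v; do
    if [ "$v" != "$1" ] \
       && [ "$(printf '%s\n%s\n' "$v" "$1" | sort -V | head -n1)" = "$v" ]; then
      printf '%s\n' "$v"
    fi
  done
}

# Human-readable summary of the three checks.
report() {
  running=$1; installed=$2
  printf 'running kernel:   %s\n' "$running"
  printf 'newest installed: %s\n' "$(newest_kernel "$installed")"
  if reboot_pending "$running" "$installed"; then
    echo 'a newer kernel is installed but not loaded: restart the server'
  fi
  stale=$(stale_kernels "$running" "$installed")
  if [ -n "$stale" ]; then
    echo 'old kernel packages still installed (Security Center may still alert on them):'
    printf '  %s\n' $stale
    echo 'remove them only after the new kernel has booted, with a snapshot taken first'
  fi
}

# Run "sh kernel_check.sh --check" on the server; sourcing the file only defines the functions.
if [ "${1:-}" = "--check" ]; then
  report "$(uname -r)" "$(installed_kernels)"
fi
```

Versions older than the running kernel are reported rather than removed: removal stays a deliberate step (yum remove or apt-get remove) taken after the snapshot the note above recommends.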
If you do not want to delete the RPM package of the old kernel version, you can perform the following steps to ignore the alerts that are generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.
  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities.
  2. Click the Linux Software tab, find the required vulnerability, and then click the vulnerability name. The panel that displays the vulnerability details appears.
  3. In the Actions column, click the More icon and select Ignore.

What do I do if no update is released for the software package that has a vulnerability?

Perform the following operations based on your business requirements:

  • You may receive one of the following messages when you update software to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    Or
    No Packages marked for Update

    In this case, wait until an official update of the software package is available.

    The following software packages do not have available updates:
    • Gnutls
    • Libnl
    • MariaDB
  • After you update the software package to the latest version, the software package may still fail to meet the version requirement that is described in the Security Center console.

    In this case, check whether the operating system version of your server is supported. For example, since September 1, 2017, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. If your operating system version is not supported, we recommend that you ignore the vulnerability in the Security Center console or update the operating system of your server. If you ignore the vulnerability, the risk may still exist.

How do I view the parameters of Linux software vulnerabilities?

You can log on to the Security Center console, choose Risk Management > Vulnerabilities, and then click the Linux Software tab to view Linux software vulnerabilities that are detected on your assets. You can click the name of a specific vulnerability to go to the details page. The following list describes the parameters of Linux software vulnerabilities:
  • Vulnerability
    The notice name of a Linux software vulnerability. The name starts with CVE, RHSA, or USN. Example: RHSA-2016:2972: vim security update. [Figure: Vulnerability]
  • Impact

    The vulnerability impact score, which is based on the open Common Vulnerability Scoring System (CVSS) standard. The score indicates the severity of a vulnerability and helps you prioritize it.

  • CVE ID

    The CVE ID of a vulnerability. Example: CVE-2016-XXXX. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. You can query the information about vulnerability fixes from all databases that are compatible with CVE to solve security issues.

  • Priority
    The priority of a vulnerability. Valid values: High, Medium, and Low. [Figure: Priority]
    Note The vulnerability priority in the preceding figure is Medium. You can fix the vulnerabilities based on your business requirements.
    • The following vulnerabilities have the High priority:
      • Vulnerabilities that attackers can exploit to obtain permissions on the operating system of your server.
      • Vulnerabilities that attackers can exploit to obtain sensitive data and cause data leaks.
      • Vulnerabilities that can cause unauthorized access to sensitive data.
      • Vulnerabilities that can cause large-scale impacts.
    • The following vulnerabilities have the Medium priority:
      • Vulnerabilities that attackers can exploit to indirectly obtain permissions on the operating system of your server and applications.
      • Vulnerabilities that attackers can exploit to read, write, download, or delete files.
      • Vulnerabilities that can cause sensitive data leaks.
      • Vulnerabilities that can cause workload disruption or remote DoS attacks.
    • The following vulnerabilities have the Low priority:
      • Vulnerabilities that affect users only during system and user interactions.
      • Vulnerabilities that attackers can exploit to perform unauthorized operations.
      • Vulnerabilities that attackers can exploit after the attackers change the configurations of on-premises machines or obtain important information.
      • Vulnerabilities that can cause local DoS attacks.
      • Vulnerabilities that have minor impacts.
  • Impact description

    The information about the current version of the software, the reason based on which the vulnerability is detected, and the path of the vulnerability program on your server.

    In the panel that displays the details of a vulnerability, you can click Details in the Actions column to view the impact description of the vulnerability. [Figure: Vulnerability details]
    The impact description includes the following items:
    • Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
    • Cause: the reason based on which the vulnerability is detected. In most scenarios, the reason is that the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 5.5.56-2.el7.
    • Path: the path of the vulnerability program on your server. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
  • Actions
    You can perform the following operations on a detected Linux software vulnerability:
    • Fix: Fix the vulnerability.
    • Verify: Check whether the vulnerability is fixed.
    • Ignore: Ignore the vulnerability.

How do I fix vulnerabilities?

Security Center can detect Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities, and urgent vulnerabilities. However, Security Center can fix only Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities.

Log on to the Security Center console, choose Risk Management > Vulnerabilities in the left-side navigation pane. On the Vulnerabilities page, find the Linux software vulnerability, Windows system vulnerability, or Web-CMS vulnerability that you want to fix and click Fix in the Actions column. You can create a snapshot before you fix a Linux software vulnerability or Windows system vulnerability. After you fix a vulnerability, the status of the vulnerability that requires a system restart changes to Handled (To Be Restarted). You must restart your server as instructed before you check whether the vulnerability is fixed.

For urgent vulnerabilities and application vulnerabilities, you can manually fix the vulnerabilities based on the fix suggestions that are provided in the vulnerability details panel. After you fix a vulnerability, you can check whether the vulnerability is fixed on the Vulnerabilities page.

I want to fix multiple vulnerabilities at a time in the Security Center console. What is the fixing order?

Linux software vulnerabilities and Web-CMS vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console. For specific Windows system vulnerabilities, pre-patches are required before Security Center can fix the vulnerabilities. When multiple Windows system vulnerabilities are fixed, vulnerabilities that require pre-patches are fixed before other vulnerabilities. Other vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console.

I fail to create a snapshot when I fix a vulnerability. Why? What do I do?

When you fix a vulnerability, you may fail to create a snapshot due to the following reasons:
  • A RAM user is used to fix the vulnerability: If the RAM user does not have the permissions to create a snapshot, the Security Center console displays a message that you cannot create a snapshot. We recommend that you use an Alibaba Cloud account to create a snapshot. For more information about RAM users, see Overview of RAM users.
  • Your server is not deployed on Alibaba Cloud: You can create snapshots to fix vulnerabilities only when your server is deployed on Alibaba Cloud.

Why does Security Center continue to send alerts to me after I fix vulnerabilities? What do I do?

This issue occurs because your server is not restarted and the restart is required after you fix vulnerabilities. The vulnerabilities refer to Linux kernel vulnerabilities in this situation. To restart your server, go to the panel that displays vulnerability details and click Restart in the Actions column. After your server is restarted, you can click Verify in the Actions column. If the status of the vulnerability changes to Handled, the vulnerability is fixed.

What do I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?

This issue occurs because your account does not have permissions to manage the file required to fix the vulnerability. We recommend that you find the vulnerability that you want to fix in the Security Center console and click the vulnerability name. In the panel that appears, view the details of the vulnerability and check whether the owner of the file is the root user. If the owner is not the root user, you must change the owner to the root user. Then, you can go back to the Security Center console to fix the vulnerability.

Why are the records of the detected vulnerabilities still displayed in the Security Center console after the Security Center agent is disabled or disconnected from Alibaba Cloud?

The records of detected vulnerabilities remain displayed in the Security Center console for a period after the Security Center agent is disabled or disconnected from Alibaba Cloud.

If the Security Center agent is disabled or disconnected from Alibaba Cloud, the alerts generated for all detected system vulnerabilities become invalid after 3 days, the alerts generated for all detected application vulnerabilities become invalid after 30 days, and the alerts generated for all detected urgent vulnerabilities become invalid after 90 days. In this case, you cannot perform operations on the vulnerabilities. For example, you cannot fix the vulnerabilities or delete the records of the vulnerabilities.

If you do not renew Security Center within seven days after Security Center expires, your data is released and deleted, and the detected vulnerabilities are no longer displayed.

How do I delete a patch that is required to fix a Windows system vulnerability from the directory of the Security Center agent?

If you use the Security Center agent to fix a Windows system vulnerability, the Security Center agent automatically downloads, installs, and deletes the patch. If the Security Center agent does not delete the patch three days after the vulnerability is fixed, perform the following steps to manually delete the patch:
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. If you have enabled client protection, disable client protection in the Client Protection section on the Agent Settings tab.

    If client protection was never enabled, skip this step and go to the next step.

    If client protection is enabled, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent. For more information about client protection, see Client Protection.

  3. Log on to your server as an administrator.
  4. Find the patch and manually delete the patch.

    The path of the patch is C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix.

Can Security Center detect Elasticsearch vulnerabilities?

Yes, Security Center can detect Elasticsearch vulnerabilities.

You can perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities and click the Application tab. Then, check whether Elasticsearch vulnerabilities are detected.

Note Only the Enterprise and Ultimate editions of Security Center can detect application vulnerabilities. If you use the Basic, Anti-virus, or Advanced edition and you want to detect application vulnerabilities, you must upgrade Security Center to the Enterprise edition.

How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?

If a connection times out, the following error message appears:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket to contact technical support.

The "Invalid token" error message appears when I fix a vulnerability. What do I do?

If you receive the Invalid token error message in the Security Center console, you can refresh the current page and log on to the console again.
Note You can press Ctrl+F5 to forcefully refresh the current page.

What do I do if Security Center fails to verify the fix of a system vulnerability?

To fix this issue, perform the following steps:
  1. Check the version information of the vulnerability.
  2. Check whether the system uses the YUM repository of Alibaba Cloud.
  3. Check whether the fix is verified after a system update.
    Note You must restart the system after you update the kernel.
  4. Check whether the destination version of the software update is earlier than the version recommended by Security Center. A later version is required.

If the issue persists, we recommend that you update the operating system.

Can Security Center automatically verify the fix of a vulnerability that requires a system restart?

No, Security Center cannot automatically verify the fix of a vulnerability that requires a system restart.

If a vulnerability is fixed and a system restart is required to verify the fix, the state of the vulnerability is Handled (To Be Restarted). Security Center scans for vulnerabilities on a daily basis. After you fix vulnerabilities of this type, Security Center no longer detects these vulnerabilities. In this case, Security Center retains the information about these vulnerabilities for three days. Make sure that the network works as expected and that no other factors affect vulnerability detection. After three days, the vulnerability information is deleted.

Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?

After you run the command generated by Security Center to fix a Linux software vulnerability, the Linux software is updated. The new software version meets the requirement described on the Vulnerabilities page of the Security Center console. However, when you click Verify in the panel that displays the details of the vulnerability, the state of the vulnerability does not change to Fixed.

To handle this issue, perform the following steps:
  • Check the priorities of the vulnerabilities that are detected by Security Center

    Perform the following steps:

    1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities.
    2. In the upper-right corner of the Vulnerabilities page, click Settings.
    3. In the Settings panel, view Vul scan level.

    If you do not select a specific priority, Security Center does not automatically update the information about the vulnerabilities that have the priority. You can select priorities based on your business requirements.

  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may not be able to detect vulnerabilities. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is disconnected from Alibaba Cloud

    If the Security Center agent on your server is disconnected from Alibaba Cloud, you cannot verify the fix for the vulnerability. We recommend that you troubleshoot the issue and ensure that the Security Center agent is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

Why does Security Center fail to roll back a fix for a vulnerability?

  1. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. If the Security Center agent is disconnected from Alibaba Cloud, troubleshoot the issue. For more information, see Identify why the agent is offline.
  2. Check whether the files related to this vulnerability are manually modified or deleted.
    Note If the related files are manually modified or deleted after the vulnerability is fixed, Security Center cannot roll back the fix.

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?

In the upper-right corner of the Vulnerabilities page, click Settings. In the Settings panel, you can select the servers for which you want to enable the vulnerability detection feature. In the following figure, Scan-Disabled: 4 indicates that Security Center cannot detect Linux software vulnerabilities for four servers. To enable Security Center to detect Linux software vulnerabilities for the servers, click Manage. [Figure: Vulnerability detection disabled]

Are my workloads affected when Security Center scans for urgent vulnerabilities?

Security Center checks whether your assets contain urgent vulnerabilities based on the preliminary detection principle. Security Center sends one or two TCP request packets to the IP addresses of all your Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances. The packets carry no malicious content. The urgent vulnerability detection feature was tested on millions of IP addresses and showed highly stable and reliable performance. However, test environments cannot cover all scenarios, so unknown risks may still occur. For example, if the business logic of some websites is fragile, one or two TCP request packets may cause the server to fail. In this case, your business system may be at risk.

Why are the results different when Security Center scans multiple times for fastjson urgent vulnerabilities?

Whether fastjson vulnerabilities can be detected depends on whether the JAR packages are loaded. A web server loads JAR packages in dynamic mode or static mode. In dynamic mode, fastjson vulnerabilities can be detected only while the JAR packages are loaded and running, so the results of different scans can differ. We recommend that you scan for fastjson vulnerabilities multiple times to improve the accuracy of the scan results.

How often does Security Center detect vulnerabilities?

Security Center can detect vulnerabilities such as Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, urgent vulnerabilities, and application vulnerabilities. You can fix the detected vulnerabilities. The following list describes the default scan cycle and scan mode for vulnerabilities of each type in each edition (Basic, Anti-virus, Advanced, Enterprise, and Ultimate):
  • Linux software vulnerability: Basic edition: an automatic scan every two days. Anti-virus, Advanced, Enterprise, and Ultimate editions: an automatic scan every day.
  • Windows system vulnerability: Basic edition: an automatic scan every two days. Anti-virus, Advanced, Enterprise, and Ultimate editions: an automatic scan every day.
  • Web-CMS vulnerability: Basic edition: an automatic scan every two days. Anti-virus, Advanced, Enterprise, and Ultimate editions: an automatic scan every day.
  • Application vulnerability: Basic, Anti-virus, and Advanced editions: not supported. Enterprise and Ultimate editions: an automatic scan every week. The automatic scan cycle can be modified.
  • Urgent vulnerability: Basic and Anti-virus editions: not supported. Advanced, Enterprise, and Ultimate editions: no default automatic scan; you can specify a scan cycle to perform periodic scans.

If you want to enable or disable scans for vulnerabilities of a specific type, or modify the scan cycles for application vulnerabilities and urgent vulnerabilities, click Settings in the upper-right corner of the Vulnerabilities page. For more information, see Scan for vulnerabilities. If you want to immediately scan for vulnerabilities on your assets, you can use the quick scan feature that is provided by Security Center. For more information, see Scan for vulnerabilities.

After the vulnerability detection is complete, choose Risk Management > Vulnerabilities in the left-side navigation pane of the Security Center console to view the detection results and handle vulnerabilities if vulnerabilities are detected.

Can Security Center detect system- and application-layer vulnerabilities?

Yes, Security Center can detect system- and application-layer vulnerabilities.

What do I do if Security Center fails to verify a fixed baseline check risk?

To handle this issue, perform the following steps:
  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is connected to Alibaba Cloud

    If the Security Center agent on your server is disconnected from Alibaba Cloud, Security Center cannot verify a fixed baseline risk. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

What are the differences between baselines and vulnerabilities?

Baselines describe the minimum security requirements for system configurations and management. Baselines include service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center provides security checks for your operating systems, databases, software, and containers. This feature supports the following baseline types: weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. This way, you can improve system security based on the check results and suggestions provided by Security Center. For more information about check items, see Baselines.

Vulnerabilities refer to flaws in operating system implementation or security policies. The flaws include defects that exist in the design of operating system software or applications, and errors that occur during the development of the software or applications. Attackers can exploit vulnerabilities to access and steal the data on your servers or undermine the security of your servers. We recommend that you fix detected vulnerabilities at the earliest opportunity to protect your assets.

Baseline check is a value-added feature of Security Center. Only users of the Advanced, Enterprise, and Ultimate editions can use this feature. Users of the Basic and Anti-virus editions must upgrade Security Center to the Advanced or Enterprise edition to use this feature. For more information about upgrades, see Upgrade and downgrade Security Center.

What do I do if sensitive information is leaked?

When enterprises or individuals use GitHub, Gitee, or other platforms to manage source code, the source code contains or may contain the following sensitive information: AccessKey pairs of Alibaba Cloud accounts, accounts and passwords of ApsaraDB RDS databases, email accounts and passwords, and accounts and passwords of self-managed databases that are hosted on ECS instances. If the preceding account information is leaked, attackers may use the information to access Alibaba Cloud resources and data of enterprises or individual users.

After an enterprise creates a database on an ECS instance, developers may write sensitive information to the configuration file that is used to connect to the database. Sensitive information includes database connection passwords and email passwords. After attackers obtain the leaked passwords from GitHub and pass authentication, the attackers can obtain the data of the enterprise. This causes major security risks for the enterprise.

Solutions
  • We recommend that you use a private GitHub codebase or build an internal code management system to prevent leaks of source code and sensitive information.
  • If sensitive information such as an Alibaba Cloud AccessKey pair is leaked, you must log on to the Alibaba Cloud Resource Access Management (RAM) console, and disable and reset the leaked AccessKey pair, or delete the AccessKey pair. Then, delete the hosted code in GitHub at the earliest opportunity.
  • Regularly log on to the Log Service console to view the server access logs and check whether a data leak occurred. For example, search for web access logs and specify the URI field to identify the paths that contain files related to AccessKey pairs.
  • Develop internal standards on security O&M and red lines for development operations. Provide training sessions for IT administrators to improve information security.
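Added example, not part of this documentation or of the Security Center product: a shell script with two detection checks that match the solutions above. scan_secrets greps a source tree for credential patterns before code is pushed (it assumes that Alibaba Cloud AccessKey IDs begin with LTAI, a widely documented convention, and otherwise looks for generic password and secret assignments), and sensitive_requests reads a combined-format web access log and prints the requests whose URI names a credential file such as .env or an accesskey file. The sample log lines and configuration content are constructed for the example.

```shell
#!/bin/sh
# Added example: two detection checks for the source-code leak scenario.
#   scan_secrets       - grep a source tree for credentials before it is pushed
#   sensitive_requests - pick out web-access-log requests for credential files
# Assumptions (not from the page): Alibaba Cloud AccessKey IDs conventionally
# start with "LTAI"; the log is in the common "combined" format.

# LTAI-prefixed AccessKey IDs, and assignments to password/secret keys.
SECRET_PATTERN='LTAI[A-Za-z0-9]{12,24}|(password|passwd|accessKeySecret|access_key_secret|secret_key)[[:space:]]*[:=]'

# Print file:line:text for every suspected credential under $1 (a directory or
# file). Exit status 0 if something was found (grep semantics), 1 if clean.
scan_secrets() {
  grep -rEniI "$SECRET_PATTERN" "$1"
}

# Read combined-format access log lines on stdin; print "client status uri" for
# requests whose URI names a file that should never be served: .env, .git/ or
# .ssh/ contents, config.* files, or anything mentioning credentials/accesskey.
sensitive_requests() {
  # $1 client, $7 request URI, $9 HTTP status in the combined log format
  awk 'tolower($7) ~ /\.env|\.git\/|\.ssh\/|config\.(php|ya?ml|json|ini|properties)|credentials|accesskey/ { print $1, $9, $7 }'
}

# Constructed sample data (no real keys or hosts).
SAMPLE_CONFIG='accessKeyId = LTAI5tEXAMPLE0123456789
accessKeySecret = ExampleSecretValue0000000000000
host = db.internal'
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /config/accesskey.json HTTP/1.1" 404 0 "-" "Mozilla/5.0"'

# Run both checks against the constructed sample data.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_CONFIG" > "$dir/app.properties"
  echo '== credentials in source =='
  scan_secrets "$dir" || echo "no credentials found"
  rm -rf "$dir"
  echo '== requests for credential files =='
  printf '%s\n' "$SAMPLE_LOG" | sensitive_requests
}

# Usage: sh leak_check.sh --demo
#        sh leak_check.sh /path/to/source /var/log/nginx/access.log
if [ "${1:-}" = "--demo" ]; then
  demo
elif [ $# -eq 2 ]; then
  scan_secrets "$1" || echo "no credentials found in $1"
  sensitive_requests < "$2"
fi
```

A hit from scan_secrets is the cue to move the value into an environment variable or a secrets store and, if it was ever committed, to disable and reset the AccessKey pair as described above; a hit from sensitive_requests with a 200 status means the file was actually served and the credentials in it must be treated as leaked.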