The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances without installing the Security Center agent. Instead of running checks inside the guest, Security Center creates an image from the disks of the instance and scans that image. This makes the checks non-intrusive: vulnerabilities, baseline risks, and alerts can be detected on ECS instances that are stopped, idle, or heavily loaded, and the checks do not affect the performance of the instance. This topic describes how to use the agentless detection feature.
You want to perform comprehensive security checks on the system disk and data disks of an ECS instance.
You want to perform security checks on an ECS instance that does not have the Security Center agent installed.
Apply for public preview
The agentless detection feature is in public preview. If you use the Advanced, Enterprise, or Ultimate edition of Security Center, you can use the feature free of charge. If you use the Basic or Anti-virus edition of Security Center, you must upgrade your Security Center to the Advanced, Enterprise, or Ultimate edition before you can use the feature.
If your Security Center edition supports the feature, you can click Apply now on the Agentless Detection page to use the feature.
You are not charged for the agentless detection feature. However, you are charged for the custom images that you create when you use the agentless detection feature. For more information, see Images.
The feature is supported only for ECS instances that reside in the China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), and Singapore regions. The feature is not supported for ECS instances that reside in other regions or servers that are not deployed on Alibaba Cloud.
The feature is not supported for ECS instances that run a FreeBSD operating system.
The feature can check the system disk and data disks of ECS instances. It cannot check data disks that are managed by Logical Volume Manager (LVM) or Redundant Array of Independent Disks (RAID), or data disks that use the Resilient File System (ReFS).
The feature only detects vulnerabilities, baseline configuration risks, and malicious files on ECS instances. It does not fix the risks that it detects. For more information about the check items that are supported, see Supported check items.
Step 1: Create a detection task
The agentless detection feature supports two detection methods: immediate detection and periodic detection. Immediate detection checks for vulnerabilities, baseline risks, and alerts. Periodic detection checks only for vulnerabilities. Select a detection method based on your business requirements.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Agentless Detection page, create an immediate detection task or a periodic detection task.
Create an immediate detection task
Click Create Detection Task.
In the Create Detection Task panel, select the servers that you want to detect and click Next.
Configure the Scan Scope and Image Saved At parameters. Then, click Next.
We recommend that you set the Scan Scope parameter to Data Disk. The more disk data the scan covers, the more vulnerabilities and alerts it can detect.
You are charged for the images that the task creates, and a longer retention period means higher image fees. For more information, see Images. To reduce image storage costs, you can select Retain Only At-risk Snapshots or Images. If you select this option, an image is released immediately after the scan if no risks are detected on it.
Click Go to Task List to view the progress of the task.
After you create the task, Security Center automatically creates an image from the disks of each selected instance and scans the image. The time required to complete the task varies based on the number of servers that the task covers.
Create a periodic detection task
Click Scan Configuration.
In the Scan Configuration panel, specify the scan cycle, asset scope, scan scope, vulnerability check scope, and image retention period.
Step 2: View detection results
The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.
On the Agentless Detection page, you can view the detected vulnerabilities, baseline risks, and alerts. Find the required risk item and click View in the Actions column to view the details.
What to do next
View the scan task status
After you create a detection task, click Task management on the Agentless Detection page. In the Task management panel, you can view the status of the task. You can find the required task and click Details in the Operate column to view the details of the task.
If a task fails, you can view the cause of the failure on the task details page and resolve the issue based on the following table.
Error: Current region unsupported
Solution: None. The console lets you select only ECS instances that reside in supported regions, so this error is returned only if you call an API operation to create a detection task for an instance in an unsupported region. For more information, see Limits.
Error: Disk connection failed
Solution: Click Retry in the Operate column to reconnect to the disk.
Error: Image creation failed
Solution: Check whether the number of existing images has reached the upper limit. If it has, delete some historical images or increase the upper limit. For more information, see View and increase resource quotas.
Configure an alert whitelist
If you confirm that an alert on a file is a false positive and want to stop receiving it, you can add the file to an alert whitelist. Security Center then generates no alerts for that file on the assets that are within the scope of the whitelist rule.
The following list describes the methods that can be used to add alerts to a whitelist:
Method 1: Add an alert to the whitelist
On the Alerts tab of the Agentless Detection page, find the required alert and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click OK.
Method 2: Add a whitelist rule
On the Agentless Detection page, click Scan Configuration. In the Scan Configuration panel, click the Alert Whitelist tab. On the tab that appears, click Add rules, configure the following parameters, and then click OK.
The default value is All Alerts, which indicates that the whitelist takes effect for all types of alerts. This value cannot be modified.
The default value is fileMd5, which indicates that the rule matches on the MD5 hash value of the file. This value cannot be modified.
Only Equal To is supported.
Enter the MD5 hash value of the file.
Select the servers on which you want to apply the rule.
If you use Method 1, the whitelist takes effect on all assets. If you use Method 2, a whitelist rule takes effect on all or some assets. If you want to add specific files to a whitelist for some assets, you can use only Method 2.
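The following script shows the matching semantics described above: a rule matches on the exact MD5 of a file, and it suppresses the alert only on the assets within its scope (all assets for Method 1, a chosen set of servers for Method 2). This is an added example, not Security Center code; the instance IDs, file contents, and rule dictionary layout are constructed for illustration.

```python
"""Evaluate alert whitelist rules: field fileMd5, condition Equal To, scope
either all assets (Method 1) or a set of servers (Method 2). Added example,
not Security Center code; instance IDs and file contents are constructed."""
import hashlib


def file_md5(data: bytes) -> str:
    """Hex MD5 of a file's bytes, as entered in the rule's value field."""
    return hashlib.md5(data).hexdigest()


def make_rule(md5_hex: str, assets="all", description: str = "") -> dict:
    """Build a rule the way the Add rules form does: alert type and field are
    fixed, condition is Equal To, `assets` is "all" or a set of instance IDs.
    The dictionary layout is an assumption of this example."""
    return {
        "alert_type": "All Alerts",
        "field": "fileMd5",
        "condition": "Equal To",
        "value": md5_hex.lower(),
        "assets": assets,
        "description": description,
    }


def is_whitelisted(instance_id: str, file_bytes: bytes, rules: list) -> bool:
    """True if some rule matches the file's MD5 and covers this instance."""
    digest = file_md5(file_bytes)
    for rule in rules:
        if rule["field"] != "fileMd5" or rule["value"] != digest:
            continue
        if rule["assets"] == "all" or instance_id in rule["assets"]:
            return True
    return False


# Constructed sample: an ops script that raised a webshell alert and was
# confirmed benign, plus the same script with one trailing byte appended.
BENIGN_SCRIPT = b"#!/bin/sh\n# rotate application logs\nfind /var/log/app -mtime +7 -delete\n"
EDITED_SCRIPT = BENIGN_SCRIPT + b"\n"

# Constructed instance IDs (hypothetical, not real assets).
WEB_01, WEB_02 = "i-example-web-01", "i-example-web-02"

# Method 2: the rule covers only WEB_01.
SCOPED_RULES = [make_rule(file_md5(BENIGN_SCRIPT), assets={WEB_01}, description="log rotation helper")]
# Method 1: the rule takes effect on all assets.
GLOBAL_RULES = [make_rule(file_md5(BENIGN_SCRIPT), assets="all", description="log rotation helper")]

if __name__ == "__main__":
    print("scoped rule, WEB_01:", is_whitelisted(WEB_01, BENIGN_SCRIPT, SCOPED_RULES))  # True
    print("scoped rule, WEB_02:", is_whitelisted(WEB_02, BENIGN_SCRIPT, SCOPED_RULES))  # False
    print("global rule, WEB_02:", is_whitelisted(WEB_02, BENIGN_SCRIPT, GLOBAL_RULES))  # True
    print("edited file, WEB_01:", is_whitelisted(WEB_01, EDITED_SCRIPT, SCOPED_RULES))  # False
```

Because the match is on the exact hash, any change to the file, such as an edited script or a rebuilt binary, produces a new MD5 and the alert returns; treat that as a signal to re-review the file before whitelisting it again rather than as noise.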
Edit an alert whitelist rule
After you add a whitelist rule, you can view and edit the rule in the Scan Configuration panel.
On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Edit in the Actions column.
Delete a whitelist rule
On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Delete in the Actions column.
Supported check items
Application vulnerabilities and system vulnerabilities can be detected. The vulnerabilities that can be detected on servers vary based on the operating systems of the servers.
System vulnerabilities: Linux operating system
Application vulnerabilities: Linux and Windows operating systems
Check item name
Ensure root is the only account with UID 0
Make sure there are no duplicate usernames or UIDs
Make sure there are no duplicate user groups or Gids
Ensure that no accounts have empty passwords
Ensure that no two accounts share the same password hash
Ensure strong password hashing is used
Access Key Leakage
Access Key Leakage
Unauthorized access to CouchDB configuration risk
ES unauthorized access configuration risk
Hadoop unauthorized access configuration risk
Jenkins unauthorized access to the configuration risk
Postgresql unauthorized access to the configuration risk
Redis weak password configuration
rsync weak password configuration
svn weak password configuration
Tomcat weak password configuration
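The account-hygiene items in the list above (a single UID 0 account, no duplicate users, UIDs, groups or GIDs, no empty passwords, no shared password hashes, strong password hashing) can all be evaluated offline from /etc/passwd, /etc/shadow and /etc/group, which is exactly the kind of check an image-based scan can run without an agent. The script below is an added example of such a checker, not Security Center's own implementation; the three file contents are constructed, and the set of hash prefixes treated as strong is an assumption of the example.

```python
"""Offline account-baseline checks over passwd/shadow/group contents.
Added example, not Security Center code; the sample files are constructed."""
from collections import Counter, defaultdict

# Constructed sample files (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bob:x:1002:1002::/home/bob2:/bin/bash
carol:x:1001:1003::/home/carol:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
toor:$1$abc$md5md5md5:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$same$samehash:19000:0:99999:7:::
carol:$6$same$samehash:19000:0:99999:7:::
"""
GROUP = """\
root:x:0:
users:x:100:
users:x:101:
dev:x:100:
"""

# Assumption: SHA-512 ($6$), SHA-256 ($5$) and yescrypt ($y$) count as strong;
# MD5 ($1$) and traditional DES strings do not.
STRONG_PREFIXES = ("$6$", "$5$", "$y$")


def parse(colon_text: str, min_fields: int) -> list:
    """Split colon-separated lines, skipping blanks, comments and short rows."""
    rows = []
    for line in colon_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def check_accounts(passwd_text: str, shadow_text: str, group_text: str) -> list:
    """Return sorted (check, subject) findings for the six account checks."""
    findings = []
    users = parse(passwd_text, 7)
    groups = parse(group_text, 3)
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}

    # root must be the only account with UID 0
    for name, _, uid, *_ in users:
        if uid == "0" and name != "root":
            findings.append(("uid0", name))

    # no duplicate usernames / UIDs, no duplicate group names / GIDs
    for label, values in (("dup_user", [u[0] for u in users]),
                          ("dup_uid", [u[2] for u in users]),
                          ("dup_group", [g[0] for g in groups]),
                          ("dup_gid", [g[2] for g in groups])):
        for value, count in Counter(values).items():
            if count > 1:
                findings.append((label, value))

    # no empty password fields
    for name, h in shadow.items():
        if h == "":
            findings.append(("empty_password", name))

    # no two accounts with the same hash (locked "!"/"*" entries are skipped)
    by_hash = defaultdict(list)
    for name, h in shadow.items():
        if h and not h.startswith(("!", "*")):
            by_hash[h].append(name)
    for names in by_hash.values():
        if len(names) > 1:
            findings.append(("same_hash", ",".join(sorted(names))))

    # strong password hashing in use
    for name, h in shadow.items():
        if h and not h.startswith(("!", "*")) and not h.startswith(STRONG_PREFIXES):
            findings.append(("weak_hash", name))

    return sorted(findings)


if __name__ == "__main__":
    for check, subject in check_accounts(PASSWD, SHADOW, GROUP):
        print(f"{check}: {subject}")
```

Note that two of the findings on the sample overlap on purpose: toor is reported both as an extra UID 0 account and, together with root, as a duplicate UID, which is how the two separate check items in the list above behave.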
Supported check item
Security Center checks whether the script files in your assets are malicious and whether they provide backdoor communication or remote management. After a webshell is planted on a server, the attacker can control the server through it and use scripts to launch further attacks.
Supported programming languages for detection include PHP, JSP, ASP, and ASPX.
Security Center checks whether the binary files in your assets are malicious and whether they can damage the assets or establish persistent control over them. After a malicious binary is planted on a server, the attacker can control the server and launch attacks such as cryptomining, DDoS attacks, or encryption of the files on the asset. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms.
Tainted basic software