Security Center: Use the agentless detection feature

Last Updated: Sep 25, 2023

The agentless detection feature uses agentless technology to detect security risks on Elastic Compute Service (ECS) instances without installing the Security Center agent. Instead of running checks on the live system, Security Center takes snapshots of the disks of the instance, creates an image from the snapshots, and scans the image. This makes the checks non-intrusive: vulnerabilities, baseline risks, and alerts can be detected on ECS instances that are shut down, idle, or heavily loaded, and the checks do not affect the performance of the instances. This topic describes how to use the agentless detection feature.

Scenarios

  • You want to perform comprehensive security checks on the system disk and data disks of an ECS instance.

  • You want to perform security checks on an ECS instance that does not have the Security Center agent installed.

Public preview

The agentless detection feature is in public preview. If you use the Advanced, Enterprise, or Ultimate edition of Security Center, you can use the feature free of charge. If you use the Basic or Anti-virus edition, you must upgrade to the Advanced, Enterprise, or Ultimate edition before you can use the feature.

If your Security Center edition supports the feature, you can click Apply now on the Agentless Detection page to use the feature.

Important

You are not charged for the agentless detection feature. However, you are charged for the custom images that you create when you use the agentless detection feature. For more information, see Images.

Limits

  • The feature is supported only for ECS instances that reside in the China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), and Singapore regions. The feature is not supported for ECS instances that reside in other regions or servers that are not deployed on Alibaba Cloud.

  • The feature is not supported for ECS instances that run a FreeBSD operating system.

  • The feature can check only unencrypted system disks and data disks of ECS instances. Encrypted disks cannot be checked, and neither can data disks that are managed by using Logical Volume Manager (LVM), Redundant Array of Independent Disks (RAID), or Resilient File System (ReFS).

  • The feature only detects vulnerabilities, baseline configuration risks, and malicious files on ECS instances; it does not fix the detected risks. For more information about the supported check items, see Supported check items.

Prerequisites

The ECS Snapshot service is activated. For more information, see Activate ECS Snapshot.

Step 1: Create a detection task

The agentless detection feature supports two detection methods: immediate detection and periodic detection. Immediate detection covers vulnerabilities, baseline risks, and alerts. Periodic detection covers vulnerabilities and baseline risks. Select a detection method based on your business requirements.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Agentless Detection.

  3. The first time you use this feature, click Apply now on the Agentless Detection page.

    Note

    Only users of Security Center Advanced, Enterprise, and Ultimate can apply for this feature.

  4. On the Agentless Detection page, create an immediate detection task or a periodic detection task.

    • Create an immediate detection task

      1. Click Create Detection Task.

      2. In the Create Detection Task panel, select the servers that you want to detect and click Next.

      3. Configure the Scan Scope and Snapshot/Image Storage Time parameters. Then, click Next.

        We recommend that you set the Scan Scope parameter to Data Disk so that data disks are included in the scan. The more complete the scanned data, the more vulnerabilities and alerts the scan can detect.

        You are charged for the images that the task creates, and a longer retention period means higher image fees. For more information, see Images. You can select Retain Only At-risk Snapshots or Images based on your business requirements. If you select this option, an image on which no risks are detected is released immediately after the scan, and only at-risk images are retained. This reduces image storage costs.

      4. Click Go to Task List to view the progress of the task.

        After you create the task, Security Center automatically creates an image and scans the image. The period of time that is required to complete the scan task varies based on the number of servers on which the scan task is performed.

    • Configure a periodic detection task.

      1. Click Scan Configuration.

      2. In the Scan Configuration panel, configure the Scan cycle, Scan Assets, Scope, Baseline Check Scope, Vulnerability Detection Scope, and Image Saved At parameters. You can also select or clear Retain Only At-risk Snapshots or Images based on your business requirements.

      3. Click Save.

Step 2: View detection results

The Agentless Detection page displays all risks that are detected on ECS instances. If an ECS instance undergoes multiple checks, only the results of the most recent check are displayed.

On the Agentless Detection page, you can view the detected vulnerabilities, baseline risks, and alerts. Find the required risk item and click View in the Actions column to view the details.

What to do next

View the scan task status

After you create a detection task, click Task Management on the Agentless Detection page. In the Task Management panel, you can view the status of the task. You can find the required task and click Details in the Operate column to view the details of the task.

If a task fails, you can view the cause of the failure on the task details page and resolve the issue based on the following table.

Cause: Current region unsupported

Solution: None. Only ECS instances in the supported regions can be detected. For more information, see Limits. This error is returned only if you create the detection task by calling an API operation.

Cause: Disk connection failed

Solution: Click Retry in the Operate column to reconnect to the disk.

Cause: Image creation failed

Solution: Check whether the number of existing images has reached the upper limit. If so, delete some historical images or request a quota increase. For more information, see View and increase resource quotas.

Configure a vulnerability whitelist

If you confirm that specific vulnerabilities are acceptable or pose only a low risk, you can create vulnerability whitelist rules and add the vulnerabilities to them. If Security Center detects a whitelisted vulnerability on an asset within the rule's scope in the next scan task, the vulnerability is not displayed. After you add a vulnerability to a whitelist, the vulnerability remains in the vulnerability list until the next scan task is performed.

  • Create a vulnerability whitelist rule

    On the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, click Add rules. In the Add Vulnerability Whitelist Rule panel, configure the Vulnerability Type, Vulnerability Name, Rule Scope, and Remarks parameters, and click Save.

  • Edit a vulnerability whitelist rule

    After you create a whitelist rule, you can view and edit the rule in the Scan Configuration panel.

    On the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Edit in the Actions column.

  • Delete a whitelist rule

    On the Agentless Detection page, click Scan Configuration. On the Vulnerability Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Delete in the Actions column.

Configure an alert whitelist

If you confirm that an alert on a file is a false positive and you want to prevent further alerts on the file, you can add the file to an alert whitelist. If Security Center detects a whitelisted file on an asset within the whitelist's scope, no alert is generated.

  • The following list describes the methods that can be used to add alerts to a whitelist:

    • Method 1: Add an alert to the whitelist

      On the Alerts tab of the Agentless Detection page, find the required alert and click Add to Whitelist in the Actions column. In the Add to Whitelist dialog box, enter a description and click Determine.

    • Method 2: Create a whitelist rule

      On the Agentless Detection page, click Scan Configuration. In the Scan Configuration panel, click the Alert Whitelist tab. On the tab that appears, click Add rules, configure the following parameters, and then click Determine.

      Parameter: Event

      Description: Fixed to All Alerts. The rule applies to all alert types, and this value cannot be changed.

      Parameter: Whitelist Field

      Description: Fixed to fileMd5. The rule matches on the MD5 hash of the file, and this value cannot be changed.

      Parameter: Wildcard

      Description: Only Equal To is available. A file matches the rule only if its MD5 hash exactly equals Rule Content.

      Parameter: Rule Content

      Description: The MD5 hash value (32 hexadecimal characters) of the file to whitelist.

      Parameter: Rule Scope

      Description: The servers on which the rule takes effect.

    Note

    If you use Method 1, the whitelist takes effect on all assets. If you use Method 2, a whitelist rule takes effect on all or some assets. If you want to add specific files to a whitelist for some assets, you can use only Method 2.
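
The following added example (not Security Center code) shows how the two whitelist methods above behave when applied to alerts: a rule keyed on the file's MD5 hash with an Equal To match, scoped either to all assets (what Method 1 produces) or to selected servers (Method 2). The WhitelistRule and FileAlert shapes, the server names, and the sample file contents are constructed assumptions for illustration.

```python
"""Alert-whitelist matching for the fileMd5 / Equal To rules described above.
Added example, not Security Center code; the rule and alert shapes and the
sample files are constructed assumptions."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def file_md5(data: bytes) -> str:
    """Hex MD5 of a file's bytes, the value that goes into Rule Content."""
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class WhitelistRule:
    rule_content: str                            # MD5 hex digest of the allowed file
    rule_scope: Optional[FrozenSet[str]] = None  # None = all assets (what Method 1 produces)
    event: str = "All Alerts"                    # fixed values from the parameter table
    whitelist_field: str = "fileMd5"
    wildcard: str = "Equal To"


@dataclass
class FileAlert:
    server: str
    path: str
    content: bytes


def is_whitelisted(alert: FileAlert, rules: List[WhitelistRule]) -> bool:
    """True if some rule matches the file's MD5 exactly and covers the alert's server."""
    digest = file_md5(alert.content)
    for rule in rules:
        if rule.whitelist_field != "fileMd5" or rule.wildcard != "Equal To":
            continue  # the only field/operator combination the feature supports
        if rule.rule_content.lower() != digest:
            continue  # any byte changed in the file means a different hash
        if rule.rule_scope is None or alert.server in rule.rule_scope:
            return True
    return False


def filter_alerts(alerts: List[FileAlert], rules: List[WhitelistRule]) -> List[FileAlert]:
    """Alerts that survive whitelisting, i.e. the ones that would still be displayed."""
    return [a for a in alerts if not is_whitelisted(a, rules)]


# Constructed sample: an in-house PHP health-check script that a webshell signature
# flags, deployed unchanged on web-01 and web-02, and a modified copy on web-03.
HEALTH_CHECK = b"<?php echo shell_exec('uptime'); ?>\n"
HEALTH_CHECK_MODIFIED = HEALTH_CHECK + b"// touched\n"

SAMPLE_ALERTS = [
    FileAlert("web-01", "/var/www/html/health.php", HEALTH_CHECK),
    FileAlert("web-02", "/var/www/html/health.php", HEALTH_CHECK),
    FileAlert("web-03", "/var/www/html/health.php", HEALTH_CHECK_MODIFIED),
]
# Method 2 style rule: accept this exact file, but only on web-01.
SCOPED_RULE = WhitelistRule(file_md5(HEALTH_CHECK), frozenset({"web-01"}))
# Method 1 style rule: accept this exact file on all assets.
GLOBAL_RULE = WhitelistRule(file_md5(HEALTH_CHECK))

if __name__ == "__main__":
    print([a.server for a in filter_alerts(SAMPLE_ALERTS, [SCOPED_RULE])])  # ['web-02', 'web-03']
    print([a.server for a in filter_alerts(SAMPLE_ALERTS, [GLOBAL_RULE])])  # ['web-03']
```

Two practical consequences follow from the fixed field and operator. Because the match is an exact MD5 comparison, any change to the file, even a trailing comment as on web-03, produces a new hash and a new alert, so whitelists need to be revisited after deployments. Conversely, a whitelisted hash suppresses alerts for that file wherever it appears within the rule's scope, so prefer Method 2 with a narrow Rule Scope over a global rule, and do not whitelist files whose content an untrusted party could have influenced.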

  • Edit an alert whitelist rule

    After you create a whitelist rule, you can view and edit the rule in the Scan Configuration panel.

    On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Edit in the Actions column.

  • Delete a whitelist rule

    On the Agentless Detection page, click Scan Configuration. On the Alert Whitelist tab of the Scan Configuration panel, find the required whitelist rule and click Delete in the Actions column.

Supported check items

Vulnerabilities

Linux software vulnerabilities, Windows system vulnerabilities, and application vulnerabilities can be detected.

Baseline risks

Baseline type: Identity authentication

  • Ensure root is the only account with UID 0

  • Ensure that no duplicate usernames or UIDs exist

  • Ensure that no duplicate group names or GIDs exist

  • Ensure that no accounts with empty passwords exist

  • Ensure that no two accounts share the same password hash

  • Ensure that strong password hashing is used

Baseline type: Access Key leakage

  • Access Key leakage

Baseline type: Password

  • Password leakage

Baseline type: Unauthorized access

  • CouchDB unauthorized access configuration risk

  • Elasticsearch (ES) unauthorized access configuration risk

  • Hadoop unauthorized access configuration risk

  • Jenkins unauthorized access configuration risk

  • PostgreSQL unauthorized access configuration risk

Baseline type: Weak password

  • Redis weak password configuration

  • rsync weak password configuration

  • SVN weak password configuration

  • Tomcat weak password configuration
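
The identity authentication items in the table above are the kind of check an agentless scan can run purely from disk contents, because /etc/passwd, /etc/shadow, and /etc/group are all available on the mounted snapshot image. The following added example (not Security Center code) implements those six checks offline against such files. The sample file contents, the list of hash prefixes treated as strong, and the mount layout used by check_mounted_snapshot are constructed assumptions.

```python
"""Offline identity-authentication baseline checks against the /etc/passwd, /etc/shadow
and /etc/group files of a mounted disk snapshot, the kind of artifact an agentless scan
inspects instead of the live host. Added example, not Security Center code; the sample
files, the strong-hash prefix list and the mount layout are constructed assumptions."""
import os
from collections import Counter
from typing import Dict, List

# Assumption: SHA-256/512 crypt, yescrypt and scrypt count as strong; MD5 crypt ($1$),
# traditional DES (13 characters, no prefix) and anything else count as weak.
STRONG_HASH_PREFIXES = ("$5$", "$6$", "$y$", "$7$")


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow/group-style file into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def _duplicates(rows: List[List[str]], idx: int) -> List[str]:
    """Values in column idx that occur more than once, in first-seen order."""
    return [value for value, n in Counter(r[idx] for r in rows).items() if n > 1]


def check_identity_baseline(passwd: str, shadow: str, group: str) -> Dict[str, List[str]]:
    """Return check name -> findings; an empty list means that check passed."""
    pw_rows, gr_rows = parse_colon_file(passwd), parse_colon_file(group)
    findings: Dict[str, List[str]] = {}

    # Ensure root is the only account with UID 0.
    findings["root_only_uid0"] = [r[0] for r in pw_rows if r[2] == "0" and r[0] != "root"]

    # No duplicate usernames or UIDs; no duplicate group names or GIDs.
    findings["duplicate_users_or_uids"] = [f"user={v}" for v in _duplicates(pw_rows, 0)] + [
        f"uid={v}" for v in _duplicates(pw_rows, 2)]
    findings["duplicate_groups_or_gids"] = [f"group={v}" for v in _duplicates(gr_rows, 0)] + [
        f"gid={v}" for v in _duplicates(gr_rows, 2)]

    # Shadow checks: empty password, hash shared between accounts, weak hash algorithm.
    empty, weak = [], []
    owners_by_hash: Dict[str, List[str]] = {}
    for r in parse_colon_file(shadow):
        user, pw_hash = r[0], r[1]
        if pw_hash == "":
            empty.append(user)            # logs in with no password at all
        elif pw_hash.startswith(("*", "!")):
            continue                      # locked or disabled account, nothing to evaluate
        else:
            owners_by_hash.setdefault(pw_hash, []).append(user)
            if not pw_hash.startswith(STRONG_HASH_PREFIXES):
                weak.append(user)
    findings["empty_passwords"] = empty
    findings["shared_password_hashes"] = [",".join(u) for u in owners_by_hash.values() if len(u) > 1]
    findings["weak_password_hashing"] = weak
    return findings


def check_mounted_snapshot(mount_root: str) -> Dict[str, List[str]]:
    """Run the checks on a snapshot mounted read-only at mount_root, e.g. /mnt/snapshot."""
    def read(rel: str) -> str:
        with open(os.path.join(mount_root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return check_identity_baseline(read("etc/passwd"), read("etc/shadow"), read("etc/group"))


# Constructed sample files: a second UID-0 account, a duplicated username, a duplicated
# GID, an empty password, a hash shared by two accounts and an MD5-crypt hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bob:x:1002:1002::/home/bob2:/bin/bash
svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:$6$saltsalt$AAAAAAAA:19000:0:99999:7:::
toor:$6$saltsalt$AAAAAAAA:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$1$oldmd5$BBBBBBBB:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:
users:x:100:
staff:x:100:
"""

if __name__ == "__main__":
    for name, hits in check_identity_baseline(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP).items():
        print(f"{'FAIL' if hits else 'PASS'} {name}: {hits}")
```

On the constructed sample every check fails: toor is a second UID-0 account, bob is defined twice, users and staff share GID 100, alice has an empty password, root and toor share a hash (a common sign of a cloned or backdoored account), and bob still uses MD5 crypt. Because the checks only read files, they can be run on a snapshot of a stopped instance exactly as the agentless feature does, and they never touch the running system.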

Alerts

Alert type: WebShell

Description: Security Center checks whether script files on your assets are malicious and whether they provide backdoor communication and remote management capabilities. After webshells are planted on a server, an attacker can control the server and use the scripts to launch further attacks.

Supported check items: PHP, JSP, ASP, and ASPX script files.

Alert type: Binary files

Description: Security Center checks whether binary files on your assets are malicious and whether they can damage the assets or provide persistent control over them. After malicious binaries are planted on a server, an attacker can control the server and launch attacks such as cryptomining, DDoS attacks, or file encryption for ransom. Malicious binary files include mining programs, trojans, webshells, attacker tools, ransomware, and worms.

Supported check items:

  • Tainted basic software

  • Suspicious program

  • Malware

  • Trojan

  • Infectious virus

  • Worm

  • Exploit

  • Self-mutating trojan

  • Attacker tool

  • DDoS trojan

  • Webshell

  • Malicious program

  • Rootkit

  • Trojan downloader

  • Scanner

  • Riskware

  • Proxy

  • Ransomware

  • Backdoor program

  • Mining program