Apply Latest OS Patches


Risk Level: Medium (should be achieved)

Ensure that the latest OS patches are applied to your ECS virtual machine (VM) instances in order to mitigate security vulnerabilities and ensure optimal performance and stability.

Security

Keeping your Linux and Windows virtual machine (VM) instances patched through centralized, automated updates minimizes security vulnerabilities and maximizes your cloud environment's overall protection.


Audit

To determine if the latest OS patches are applied to your Linux and Windows virtual machine (VM) instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Vulnerabilities.

05 In the Vulnerability Scan section, choose Scan now. You can also follow the steps outlined on this page to ensure that the vulnerability scanning feature is enabled for Linux and Windows vulnerability types.

06 In the Vulnerability Scan box, ensure that the Linux Software Vulnerability and Windows System Vulnerability checkboxes are selected, then choose OK to start the scanning process. The scan requires 30 minutes to complete.

07 After the scanning process is completed, check the Vul Servers attribute value to identify the number of servers on which vulnerabilities are detected. If the number displayed for Vul Servers is greater than 0 (zero), there are ECS virtual machine (VM) instances that require OS patching within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the ModifyStartVulScan command (OSX/Linux/UNIX) to enable the quick scan feature. You can also follow the steps outlined on this page to ensure that the vulnerability scanning feature is enabled for Linux and Windows vulnerability types:

aliyun sas ModifyStartVulScan

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Run the DescribeVulList command (OSX/Linux/UNIX) to describe the Linux software vulnerabilities found for the ECS virtual machine (VM) instances provisioned in your Alibaba Cloud account. Change the --Type command parameter to sys to describe the Windows system vulnerabilities found on your ECS instances:

aliyun sas DescribeVulList --Type cve

04 The command output should return the requested configuration information:

{
	"CurrentPage": 1,
	"TotalCount": 2,
	"PageSize": 80,
	"VulRecords": [
		{
			"RaspStatus": 1,
			"Type": "cve",
			"InstanceName": "tm-project-prod-server",
			"Online": true,
			"OsVersion": "linux",

			...

			"Name": "alilinux2:2.1903:ALINUX2-SA-2022:0007",
			"InstanceId": "i-1234abcd1234abcd1234",
			"RegionId": "eu-west-1",
			"Necessity": "asap",
			"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234"
		},
		{
			"RaspStatus": 1,
			"Type": "cve",
			"InstanceName": "tm-project-llm-server",
			"Online": true,
			"OsVersion": "linux",

			...

			"Name": "oval:com.redhat.rhsa:def:20170574",
			"InstanceId": "i-abcd1234abcd1234abcd",
			"RegionId": "eu-west-1",
			"Necessity": "asap",
			"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd"
		}
	],
	"NextToken": "ABCDABCDABCDABCDABCDABCDABCDABCD",
	"RequestId": "1234ABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "TotalCount" attribute value to identify the total number of vulnerabilities found for your Linux/Windows servers. If the "TotalCount" value is greater than 0 (zero), there are ECS virtual machine (VM) instances that require OS patching within your Alibaba Cloud account.

Remediation / Resolution

To ensure that the latest OS patches are applied to your ECS virtual machine (VM) instances, perform the following operations:

The vulnerability fixing feature is available on the Advanced, Enterprise Edition, or Ultimate plan only. If your Security Center plan is Basic, Value-added, or Anti-virus edition, you must purchase the vulnerability fixing feature based on the pay-as-you-go or subscription billing method.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Vulnerabilities.

05 Choose the Linux Software Vulnerability/Windows System Vulnerability tab, select the vulnerability that you want to fix and choose Fix in the Actions column. In the Fix box, select an option to determine whether to create a snapshot of the server and choose Fix Now to apply the latest OS patches.

06 After you fix a Linux/Windows software vulnerability in the Security Center console, you may need to restart the system for the vulnerability fix to take effect. If the vulnerability fix is marked with Restart Required, choose Restart in the Actions column to restart the system.

Using Alibaba Cloud CLI

01 Run the ModifyOperateVul command (OSX/Linux/UNIX) to fix Linux/Windows software vulnerabilities detected by Security Center. The following command request fixes a software vulnerability named "alilinux2:2.1903:ALINUX2-SA-2022:0007" on a Linux server identified by the UUID "abcd1234-abcd-1234-abcd-1234abcd1234". To fix Windows software vulnerabilities, set the --Info "tag" parameter value to "system" and the --Type parameter value to sys:

aliyun sas ModifyOperateVul \
  --Info '[{"name":"alilinux2:2.1903:ALINUX2-SA-2022:0007","uuid":"abcd1234-abcd-1234-abcd-1234abcd1234","tag":"oval","isFront":0}]' \
  --OperateType vul_fix \
  --Type cve

02 If successful, the output should return the command request ID:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}
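
The audit check on DescribeVulList output and the ModifyOperateVul request above can be tied together in a script. The following is an added example, not part of the original page or of Alibaba Cloud's tooling: it summarises saved DescribeVulList responses per instance, flags a result set that is incomplete because further pages were not fetched, and builds the ModifyOperateVul arguments without running them. The function names and the trimmed sample record set are assumptions constructed from the placeholder values shown on this page.

```python
import json
from collections import defaultdict

# Tag value per --Type, as stated in the remediation step on this page.
TAG_BY_TYPE = {"cve": "oval", "sys": "system"}

# Constructed sample: DescribeVulList output trimmed to fields shown on this page.
SAMPLE_PAGE = {
    "TotalCount": 2,
    "PageSize": 80,
    "VulRecords": [
        {"Type": "cve", "InstanceName": "tm-project-prod-server",
         "Name": "alilinux2:2.1903:ALINUX2-SA-2022:0007",
         "InstanceId": "i-1234abcd1234abcd1234", "Necessity": "asap",
         "Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234"},
        {"Type": "cve", "InstanceName": "tm-project-llm-server",
         "Name": "oval:com.redhat.rhsa:def:20170574",
         "InstanceId": "i-abcd1234abcd1234abcd", "Necessity": "asap",
         "Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd"},
    ],
}

def audit(pages):
    """Summarise one or more DescribeVulList responses (one dict per page)."""
    records = [rec for page in pages for rec in page.get("VulRecords", [])]
    total = max((page.get("TotalCount", 0) for page in pages), default=0)
    per_instance = defaultdict(list)
    for rec in records:
        per_instance[rec["InstanceId"]].append(rec["Name"])
    return {
        "needs_patching": total > 0,
        "total": total,
        # False means TotalCount exceeds the records supplied: fetch more pages.
        "complete": len(records) >= total,
        "per_instance": dict(per_instance),
        "records": records,
    }

def fix_commands(records):
    """Return one ModifyOperateVul argument list per vulnerability type."""
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec["Type"]].append({"name": rec["Name"], "uuid": rec["Uuid"],
                                     "tag": TAG_BY_TYPE[rec["Type"]], "isFront": 0})
    return {t: ["aliyun", "sas", "ModifyOperateVul",
                "--Info", json.dumps(items, separators=(",", ":")),
                "--OperateType", "vul_fix", "--Type", t]
            for t, items in by_type.items()}

if __name__ == "__main__":
    report = audit([SAMPLE_PAGE])
    print(report["per_instance"], report["complete"])
    print(fix_commands(report["records"][:1])["cve"])
```

Review the generated argument lists before executing them, since a fix may require a restart of the affected server.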

Publication date Apr 24, 2024