Enable Endpoint Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that endpoint protection with Alibaba Cloud Security Center is enabled for all your ECS virtual machines (VM) instances. Security Center can protect and manage your VM instances only after you install the Security Center agent on your servers. Installing the agent on your ECS instances enhances overall security by providing real-time threat detection, vulnerability assessment, and centralized security management, helping to identify and mitigate potential risks to your compute infrastructure.

Security

In Elastic Compute Service (ECS), endpoint protection requires the installation of an agent on the VM instance for functionality. This agent-based approach enables Security Center to deliver a broader range of server endpoint intrusion detection and protection capabilities. These capabilities include remote logon detection, webshell detection and removal, anomaly detection (identifying abnormal process behaviors and network connections), and the detection of alterations in key files and suspicious accounts within systems and applications.

Audit

To determine if endpoint protection with Security Center is enabled for all ECS instances available within your Alibaba Cloud account, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Feature Settings.

05 Choose the Agent tab, select Agent Not Installed, and choose Synchronize Assets to synchronize the information about the most recent ECS instances provisioned in your account.

06 In the section labeled The client server is not installed, check the number of servers on which the Security Center agent is not installed. If the number displayed is greater than 0 (zero), the Security Center agent is missing on at least one server, therefore endpoint protection with Security Center is not enabled for all your ECS virtual machines (VM) instances.

Using Alibaba Cloud CLI

01 Run ListUninstallAegisMachines command (OSX/Linux/UNIX) to describe the servers on which the Security Center agent is not installed. The command returns one page of results at a time; if the "TotalCount" value in the output is greater than the "PageSize" value, repeat the command for the remaining pages so that no unprotected server is missed:

aliyun sas ListUninstallAegisMachines

02 The command output should return the requested configuration information:

{
	"MachineList": [
		{
			"InstanceId": "i-1234abcd1234abcd1234",
			"InstanceName": "tm-project-web-instance",
			"InternetIp": "xxx.xxx.xxx.xxx",
			"IntranetIp": "172.23.39.39",
			"MachineRegion": "eu-west-1-abcd-a01",
			"Os": "linux",
			"RegionId": "eu-west-1",
			"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"Vendor": 0,
			"VendorName": "ALIYUN"
		},
		{
			"InstanceId": "i-abcdabcdabcdabcdabcd",
			"InstanceName": "tm-project-db-instance",
			"InternetIp": "",
			"IntranetIp": "172.23.39.40",
			"MachineRegion": "eu-west-1-1234-a02",
			"Os": "linux",
			"RegionId": "eu-west-1",
			"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd",
			"Vendor": 0,
			"VendorName": "ALIYUN"
		},
		{
			"InstanceId": "i-abcd1234abcd1234abcd",
			"InstanceName": "tm-project-llm-instance",
			"InternetIp": "xxx.xxx.xxx.xxx",
			"IntranetIp": "172.23.39.41",
			"MachineRegion": "eu-west-1-ab12-a03",
			"Os": "linux",
			"RegionId": "eu-west-1",
			"Uuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"Vendor": 0,
			"VendorName": "ALIYUN"
		}
	],
	"CurrentPage": 1,
	"PageSize": 5,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 3
}

If the "MachineList" attribute value is not an empty array (i.e. []) or the "TotalCount" value is greater than 0 (zero), i.e. one or more instances are returned by the ListUninstallAegisMachines command output, as shown in the example above, the Security Center agent is not installed on all servers, therefore endpoint protection with Security Center is not enabled for all your ECS virtual machines (VM) instances.

Remediation / Resolution

To enable endpoint protection with Security Center for all your ECS virtual machines (VM) instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers are located (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Feature Settings.

05 Choose the Agent tab, select Agent Not Installed, and choose Synchronize Assets to synchronize the information about the most recent ECS instances deployed in your cloud account.

06 Select all the unprotected servers and choose Install to install the Security Center agent on the selected servers. Choose OK for confirmation. This will automatically enable endpoint protection for all the selected ECS virtual machines (VM) instances.

07 To view the status of the Security Center agent, navigate to Assets, choose Host, and select the Server tab. Choose Synchronize Assets and ensure that the Agent icon is available in the Agent column for each ECS instance.

Using Alibaba Cloud CLI

01 Run OperateAgentClientInstall command (OSX/Linux/UNIX) to install the Security Center agent on the specified servers. Use the --Uuids command parameter to specify the UUIDs of the instances on which you want to install the Security Center agent. You can separate multiple UUIDs with commas, as shown in the example below. This will automatically enable endpoint protection for the specified ECS virtual machines (VM) instances:

aliyun sas OperateAgentClientInstall \
  --Uuids 'abcd1234-abcd-1234-abcd-1234abcd1234,1234abcd-1234-abcd-1234-abcd1234abcd,abcdabcd-1234-abcd-1234-abcdabcdabcd'

02 If successful, the output should return the request ID and, for each server, its instance ID, its UUID, and the record ID of the installation task. The agent installation runs asynchronously, so re-run the ListUninstallAegisMachines command from the Audit section afterwards and confirm that the "MachineList" array is empty before treating the account as compliant:

{
	"AegisCelintInstallResposeList": [
		{
			"InstanceId": "i-1234abcd1234abcd1234",
			"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"RecordId": 4502
		},
		{
			"InstanceId": "i-abcdabcdabcdabcdabcd",
			"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd",
			"RecordId": 4712
		},
		{
			"InstanceId": "i-abcd1234abcd1234abcd",
			"Uuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
			"RecordId": 5243
		}
	],
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}
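The Audit and Remediation CLI steps above are one-shot commands. The following script is an added example (not part of this page, Conformity, or Alibaba Cloud's tooling) that ties them together: it walks every page of ListUninstallAegisMachines output, produces a compliant/not-compliant verdict with a per-region breakdown, and stages the OperateAgentClientInstall calls with comma-separated UUIDs in the same form the page uses. It assumes the aliyun CLI is installed and configured; the --PageSize and --CurrentPage parameter names are assumed from the matching fields in the response, and the batch size is a defensive choice of this example, not a documented limit. Offline it runs against a constructed sample response embedded in the file.

```python
"""Audit Security Center agent coverage and stage the remediation via the aliyun CLI.

Added example; not part of the Conformity page or of Alibaba Cloud's tooling.
Live calls assume the `aliyun` CLI is installed and configured for the account.
"""
import json
import shlex
import subprocess
from typing import Any, Callable, Dict, List

Page = Dict[str, Any]

# Constructed sample shaped like one page of ListUninstallAegisMachines output (not real data).
SAMPLE_PAGE: Page = json.loads("""
{
  "MachineList": [
    {"InstanceId": "i-1234abcd1234abcd1234", "InstanceName": "tm-project-web-instance",
     "RegionId": "eu-west-1", "Os": "linux", "Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234"},
    {"InstanceId": "i-abcdabcdabcdabcdabcd", "InstanceName": "tm-project-db-instance",
     "RegionId": "eu-west-1", "Os": "linux", "Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd"}
  ],
  "CurrentPage": 1, "PageSize": 5, "TotalCount": 2, "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}
""")


def run_aliyun(args: List[str]) -> Page:
    """Run one aliyun CLI command and parse its JSON output (live call, not used offline)."""
    proc = subprocess.run(["aliyun", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def fetch_live(page: int, page_size: int = 50) -> Page:
    """One page of ListUninstallAegisMachines. The --PageSize/--CurrentPage names are
    assumed from the fields of the same name in the response; confirm them against your CLI."""
    return run_aliyun(["sas", "ListUninstallAegisMachines",
                       "--PageSize", str(page_size), "--CurrentPage", str(page)])


def collect_uninstalled(fetch: Callable[[int], Page]) -> List[Dict[str, Any]]:
    """Gather every server lacking the agent across all pages.

    The CLI returns a single page per call, so reading only the first page
    under-reports whenever TotalCount exceeds PageSize. Stops when the gathered
    count reaches TotalCount or a page comes back empty, so an inconsistent
    TotalCount cannot make the loop run forever.
    """
    machines: List[Dict[str, Any]] = []
    page = 1
    while True:
        resp = fetch(page)
        batch = resp.get("MachineList") or []
        machines.extend(batch)
        if not batch or len(machines) >= int(resp.get("TotalCount", 0)):
            return machines
        page += 1


def evaluate(machines: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Conformity-style verdict: compliant only when no ECS instance lacks the agent."""
    by_region: Dict[str, int] = {}
    for m in machines:
        region = m.get("RegionId", "unknown")
        by_region[region] = by_region.get(region, 0) + 1
    return {
        "compliant": not machines,
        "uncovered": sorted(m["Uuid"] for m in machines),
        "by_region": by_region,
    }


def install_commands(uuids: List[str], batch_size: int = 20) -> List[List[str]]:
    """Build OperateAgentClientInstall invocations with comma-separated --Uuids.

    Batching is this example's defensive choice (small requests, attributable
    errors); it is not a limit documented on the page or assumed of the API.
    """
    return [["sas", "OperateAgentClientInstall", "--Uuids", ",".join(uuids[i:i + batch_size])]
            for i in range(0, len(uuids), batch_size)]


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv                  # default: offline dry run on the sample
    found = collect_uninstalled(fetch_live if live else (lambda p: SAMPLE_PAGE))
    verdict = evaluate(found)
    print(json.dumps(verdict, indent=2))
    for cmd in install_commands(verdict["uncovered"]):
        print("aliyun", shlex.join(cmd))          # review first; --live --apply executes them
        if live and "--apply" in sys.argv:
            print(json.dumps(run_aliyun(cmd), indent=2))
```

Run it with no arguments to see the verdict and the staged commands for the sample; `--live` audits the real account and only prints the remediation, and `--live --apply` also executes it. After applying, re-run the audit until `compliant` is true, since agent installation completes asynchronously.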

Publication date Apr 24, 2024