Enable Scheduled Vulnerability Scan

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-SecurityCenter-002

To ensure timely detection of system vulnerabilities, make sure that Security Center's scheduled vulnerability scan is enabled for all vulnerability types.

Security

Enabling Security Center's scheduled vulnerability scan for all vulnerability types ensures proactive identification and mitigation of potential security risks. It helps maintain a secure cloud environment by regularly assessing and addressing vulnerabilities, minimizing the threat of cyberattacks, data breaches, and ensuring compliance with industry standards.

Audit

To determine if scheduled vulnerability scan is enabled for all system vulnerabilities, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Vulnerabilities.

05 Choose Settings from the page top-right menu, select the Vulnerability Settings tab, and check the configuration status for each type of supported vulnerability. If scanning for one or more vulnerability types is disabled, or the Vul scan level setting is not set to High and Medium, Security Center's scheduled vulnerability scan is not enabled for all vulnerability types.

Using Alibaba Cloud CLI

01 Run the DescribeVulConfig command (OSX/Linux/UNIX) to describe the configuration status for each type of vulnerability supported by Security Center:

aliyun sas DescribeVulConfig

02 The command output should return the configuration status for each type of vulnerability (cve for Linux software vulnerabilities, sys for Windows system vulnerabilities, cms for Web-CMS vulnerabilities, emg for urgent vulnerabilities, and yum for vulnerabilities fixed through Alibaba Cloud's YUM or APT sources):

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TargetConfigs": [
			{
					"Config": "off",
					"Type": "yum"
			},
			{
					"Config": "off",
					"Type": "cve"
			},
			{
					"Config": "90",
					"Type": "imageVulClean"
			},
			{
					"Config": "off",
					"Type": "cms"
			},
			{
					"Config": "all",
					"Type": "scanMode"
			},
			{
					"Config": "off",
					"Type": "sys"
			},
			{
					"Config": "off",
					"Type": "emg"
			},
			{
					"Config": "on",
					"Type": "app"
			}
	],
	"TotalCount": 8
}

If at least one of the vulnerability types yum, cve, sys, cms, or emg is disabled (i.e. its "Config" value is "off"), Security Center's scheduled vulnerability scan is not enabled for all vulnerability types.

03 Run the DescribeConcernNecessity command (OSX/Linux/UNIX) to determine the vulnerability fix priorities (scan levels) configured within Security Center:

aliyun sas DescribeConcernNecessity

04 The command output should return the requested configuration information:

{
	"ConcernNecessity": [
		"nntf"
	],
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

The vulnerability scan levels used by Security Center are asap (high), later (medium), and nntf (low). For compliance, the asap and later scan levels should both be enabled. If the "ConcernNecessity" list does not include both asap and later, Security Center's scheduled vulnerability scan feature is not properly configured.

Remediation / Resolution

To enable Security Center's scheduled vulnerability scan for all vulnerability types (for all servers), perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Vulnerabilities.

05 Choose Settings from the page top-right menu, select the Vulnerability Settings tab, and perform the following settings:

  1. Ensure that scheduled vulnerability scanning is enabled for each type of supported vulnerability.
  2. Use the Retain Invalid Vul for dropdown list to configure the necessary retention period.
  3. Set Vul scan level to High and Medium.

Using Alibaba Cloud CLI

01 Run the ModifyVulConfig command (OSX/Linux/UNIX) once per vulnerability type to enable scheduled vulnerability scanning for each type of supported vulnerability. The types of vulnerabilities supported by the scheduled vulnerability scan feature are: cve for Linux software vulnerabilities, sys for Windows system vulnerabilities, cms for Web-CMS vulnerabilities, emg for urgent vulnerabilities, and yum for vulnerabilities fixed through Alibaba Cloud's YUM or APT sources. The following command example enables scanning for Linux software vulnerabilities:

aliyun sas ModifyVulConfig \
  --Type cve \
  --Config on

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Run the ModifyConcernNecessity command (OSX/Linux/UNIX) to enable the vulnerability scan levels required by the scheduled vulnerability scan feature. For compliance, the asap and later scan levels should both be enabled:

aliyun sas ModifyConcernNecessity \
  --ConcernNecessity 'asap,later'

04 If successful, the output should return the command request ID:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}
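The following script ties the CLI audit and the CLI remediation together: it evaluates DescribeVulConfig and DescribeConcernNecessity output against this rule's conditions (every one of yum, cve, sys, cms and emg set to "on"; asap and later both present) and builds the exact ModifyVulConfig and ModifyConcernNecessity invocations shown above for whatever is missing. It is an added example, not Conformity's or Alibaba Cloud's own code. The two sample JSON documents are constructed copies of the outputs shown in the Audit section, the helper function names are this example's own, and the live path at the bottom assumes a configured aliyun CLI on the PATH and only prints the commands it would run.

```python
"""Audit and remediation helper for Security Center scheduled vulnerability
scans (added example, not Conformity's or Alibaba Cloud's code).

Assumptions: the JSON shapes mirror the DescribeVulConfig and
DescribeConcernNecessity outputs shown in this rule; the sample documents
below are constructed from those outputs; run_cli_json() shells out to a
configured `aliyun` CLI and is only used by the live path under __main__.
"""
import json
import subprocess
from typing import Dict, List

# Vulnerability types the rule requires to be "on".
REQUIRED_TYPES = ("yum", "cve", "sys", "cms", "emg")
# Scan levels the rule requires (asap = high, later = medium).
REQUIRED_LEVELS = ("asap", "later")

# Constructed sample, mirroring the rule's DescribeVulConfig output.
SAMPLE_VUL_CONFIG = json.loads("""
{
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "TargetConfigs": [
    {"Config": "off", "Type": "yum"},
    {"Config": "off", "Type": "cve"},
    {"Config": "90",  "Type": "imageVulClean"},
    {"Config": "off", "Type": "cms"},
    {"Config": "all", "Type": "scanMode"},
    {"Config": "off", "Type": "sys"},
    {"Config": "off", "Type": "emg"},
    {"Config": "on",  "Type": "app"}
  ],
  "TotalCount": 8
}
""")

# Constructed sample, mirroring the rule's DescribeConcernNecessity output.
SAMPLE_CONCERN = json.loads(
    '{"ConcernNecessity": ["nntf"], '
    '"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}'
)


def disabled_vul_types(vul_config: dict) -> List[str]:
    """Return the required vulnerability types whose Config is not "on".

    A required type that is absent from TargetConfigs is also reported, so a
    truncated or unexpected response fails closed instead of passing.
    """
    status: Dict[str, str] = {
        entry.get("Type", ""): entry.get("Config", "")
        for entry in vul_config.get("TargetConfigs", [])
    }
    return [t for t in REQUIRED_TYPES if status.get(t) != "on"]


def missing_scan_levels(concern: dict) -> List[str]:
    """Return the required scan levels absent from ConcernNecessity."""
    enabled = set(concern.get("ConcernNecessity", []))
    return [lvl for lvl in REQUIRED_LEVELS if lvl not in enabled]


def is_compliant(vul_config: dict, concern: dict) -> bool:
    """True only when every required type is on and both levels are set."""
    return not disabled_vul_types(vul_config) and not missing_scan_levels(concern)


def remediation_commands(vul_config: dict, concern: dict) -> List[List[str]]:
    """Build the aliyun CLI invocations that close each finding.

    One ModifyVulConfig call per disabled type, plus a single
    ModifyConcernNecessity call carrying the full required level list when any
    level is missing (the rule passes 'asap,later' as one value).
    """
    cmds = [["aliyun", "sas", "ModifyVulConfig", "--Type", t, "--Config", "on"]
            for t in disabled_vul_types(vul_config)]
    if missing_scan_levels(concern):
        cmds.append(["aliyun", "sas", "ModifyConcernNecessity",
                     "--ConcernNecessity", ",".join(REQUIRED_LEVELS)])
    return cmds


def run_cli_json(args: List[str]) -> dict:
    """Run an aliyun CLI command and parse its JSON output (live path only)."""
    out = subprocess.run(args, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Live audit against the account the aliyun CLI is configured for.
    vul = run_cli_json(["aliyun", "sas", "DescribeVulConfig"])
    con = run_cli_json(["aliyun", "sas", "DescribeConcernNecessity"])
    if is_compliant(vul, con):
        print("compliant: scheduled scan enabled for all types, levels asap+later")
    for cmd in remediation_commands(vul, con):
        # Dry run: review the list, then execute each command to remediate.
        print("would run:", " ".join(cmd))
```

Against the sample outputs from the Audit section, the script reports all five types as disabled and both scan levels as missing, and emits five ModifyVulConfig commands followed by one ModifyConcernNecessity command; the same check passes silently once the Remediation steps have been applied. Note that the scanMode, imageVulClean and app entries are deliberately ignored, since the rule's condition is defined only over the five scheduled-scan types.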

Publication date Feb 27, 2024