Install Security Center Agent


Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-SecurityCenter-001

Ensure that Security Center agent is installed on all servers provisioned within your Alibaba Cloud account. Installing the agent on your servers enhances overall security by providing real-time threat detection, vulnerability assessment, and centralized security management, helping to identify and mitigate potential risks to your cloud infrastructure.

Security

In Alibaba Cloud, Security Center can protect a server only when the Security Center agent is installed on that server. This agent-based approach enables Security Center to deliver a broader range of server endpoint intrusion detection and protection capabilities. These capabilities include remote logon detection, webshell detection and removal, anomaly detection (identifying abnormal process behaviors and network connections), and the detection of alterations in key files and suspicious accounts within systems and applications.


Audit

To determine if Security Center agent is installed on all servers available in your Alibaba Cloud account, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Feature Settings.

05 Choose the Agent tab, select Agent Not Installed, and choose Synchronize Assets to synchronize the information about the most recent servers provisioned in your account.

06 In the "The client server is not installed" section, check the number of servers on which the Security Center agent is not installed. If the number displayed for "The client server is not installed" is greater than 0 (zero), the Security Center agent is missing from one or more servers provisioned within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run the ListUninstallAegisMachines command (OSX/Linux/UNIX) to describe the servers on which the Security Center agent is not installed:

aliyun sas ListUninstallAegisMachines

02 The command output should return the requested configuration information:

{
	"CurrentPage": 1,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"PageSize": 5,
	"TotalCount": 89,
	"MachineList": [
		{
			"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"MachineRegion": "eu-west-1",
			"InternetIp": "xxx.xxx.xxx.xxx",
			"VendorName": "ALIYUN",
			"InstanceName": "tm-project-db-instance",
			"Os": "linux",
			"InstanceId": "sas-abcd1234abcd1234",
			"IntranetIp": "xxx.xxx.xxx.xxx",
			"Vendor": 0,
			"RegionId": "eu-west-1"
		},
		{
			"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd",
			"MachineRegion": "eu-west-1",
			"InternetIp": "xxx.xxx.xxx.xxx",
			"VendorName": "ALIYUN",
			"InstanceName": "tm-project-web-instance",
			"Os": "linux",
			"InstanceId": "sas-1234abcd1234abcd",
			"IntranetIp": "xxx.xxx.xxx.xxx",
			"Vendor": 0,
			"RegionId": "eu-west-1"
		}
	]
}

If the "MachineList" attribute value is not an empty array (i.e. []) and one or more servers are returned by the ListUninstallAegisMachines command output, as shown in the example above, the Security Center agent is missing from one or more servers provisioned within your Alibaba Cloud account.

Remediation / Resolution

To ensure that the Security Center agent is installed on all servers provisioned in your Alibaba Cloud account, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers are located (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Feature Settings.

05 Choose the Agent tab, select Agent Not Installed, and choose Synchronize Assets to synchronize the information about the most recent servers deployed in your cloud account.

06 Select all the unprotected servers, choose Install in the Actions column, and select OK for confirmation. This will automatically install the Security Center agent on the selected servers.

Using Alibaba Cloud CLI

01 Run the OperateAgentClientInstall command (OSX/Linux/UNIX) to install the Security Center agent on the specified servers. Use the --Uuids command parameter to specify the UUIDs of the servers on which you want to install the Security Center agent. You can separate multiple UUIDs with commas, as shown in the example below:

aliyun sas OperateAgentClientInstall \
  --Uuids 'abcd1234-abcd-1234-abcd-1234abcd1234,1234abcd-1234-abcd-1234-abcd1234abcd'

02 If successful, the output should return the command request ID and the UUIDs of the configured servers:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"AegisCelintInstallResposeList": [
		{
			"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"InstanceId": "i-1234abcd1234abcd1234",
			"RecordId": 3118
		},
		{
			"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd",
			"InstanceId": "i-abcd1234abcd1234abcd",
			"RecordId": 5243
		}
	]
}
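
The audit output above is paginated (its sample reports "TotalCount": 89 with "PageSize": 5), so the UUID list for the install step has to be merged from every page before it is complete. The following is an added example, not part of the original rule page or of Alibaba Cloud's tooling: it merges saved pages of ListUninstallAegisMachines output, flags an incomplete read, and builds the OperateAgentClientInstall commands. The sample pages, the function names, the UUID pattern (taken from the sample values on this page) and the batch size are assumptions.

```python
import json
import re

# Constructed sample pages shaped like the ListUninstallAegisMachines output
# above (placeholder UUIDs; TotalCount reports 3 servers over two pages).
PAGE_1 = json.loads("""
{"CurrentPage": 1, "PageSize": 2, "TotalCount": 3, "MachineList": [
  {"Uuid": "abcd1234-abcd-1234-abcd-1234abcd1234", "InstanceName": "tm-project-db-instance"},
  {"Uuid": "1234abcd-1234-abcd-1234-abcd1234abcd", "InstanceName": "tm-project-web-instance"}]}
""")
PAGE_2 = json.loads("""
{"CurrentPage": 2, "PageSize": 2, "TotalCount": 3, "MachineList": [
  {"Uuid": "abcdabcd-1234-1234-abcd-abcd1234abcd", "InstanceName": "tm-project-app-instance"}]}
""")

# Assumed UUID shape, based on the sample values shown on this page. Values are
# checked before they are placed inside a quoted shell argument.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def audit(pages):
    """Merge pages of ListUninstallAegisMachines output into one audit result."""
    uuids, total = [], 0
    for page in pages:
        total = max(total, int(page.get("TotalCount", 0)))
        for machine in page.get("MachineList") or []:
            uuid = machine.get("Uuid", "")
            if not UUID_RE.match(uuid):
                raise ValueError(f"unexpected Uuid value: {uuid!r}")
            if uuid not in uuids:          # the same server may appear on re-read pages
                uuids.append(uuid)
    return {
        "compliant": total == 0 and not uuids,  # passes only with no unprotected servers
        "complete": len(uuids) >= total,        # False means more pages are still unread
        "uuids": uuids,
    }


def install_commands(uuids, batch_size=20):
    """Build one install command per batch; batch_size is an assumed value."""
    return [
        "aliyun sas OperateAgentClientInstall --Uuids '" + ",".join(uuids[i:i + batch_size]) + "'"
        for i in range(0, len(uuids), batch_size)
    ]


if __name__ == "__main__":
    result = audit([PAGE_1, PAGE_2])
    print("compliant:", result["compliant"], "complete:", result["complete"])
    for cmd in install_commands(result["uuids"], batch_size=2):
        print(cmd)
```

After the install commands have run, repeating the audit and checking that "compliant" is true confirms that no server was missed.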


Publication date Feb 27, 2024