Vulnerability Scan
HSS can scan for Linux, Windows, Web-CMS, and application vulnerabilities. Automatic, scheduled (vulnerability policy configuration), and manual scans are supported.
Automatic scan
When collecting asset fingerprints, HSS automatically scans vulnerabilities. For Linux, Windows, and Web-CMS vulnerabilities, HSS scans them based on the software collection period. For application vulnerabilities, HSS scans them based on the middleware collection period. For details about the asset fingerprint collection period, see Collecting Server Asset Fingerprints.
If a manual scan has been run or a scheduled scan task has been triggered within the current asset fingerprint collection period, HSS does not scan again in that period; the next automatic scan runs when asset fingerprints are collected next time. Because this mode is affected by the other two scan modes, its scan interval is not fixed. You are advised to use the other two scan methods.
Scheduled scan
By default, HSS performs a full server vulnerability scan once a week. To ensure service security, you are advised to set a scan period and server scope that suit your services so that server vulnerabilities are scanned periodically.
Manual scan
If you want to view the vulnerability fixing status or real-time vulnerabilities of a server, you are advised to manually scan for vulnerabilities.
This section describes how to manually scan for vulnerabilities and configure a scheduled scan policy.
Constraints
Application vulnerability scan on Windows servers requires agent version 4.0.18 or later.
A server can be scanned only if its Server Status is Running, Agent Status is Online, and Protection Status is Protected. Otherwise, vulnerability scan cannot be performed on it.
For details about the types of vulnerabilities that can be scanned by different HSS editions, see Types of Vulnerabilities That Can Be Scanned and Fixed.
For details about the OSs supported, see Table 1.
Table 1 Supported OSs

OS Type    Supported OS
Windows    Windows Server 2019 Datacenter 64-bit English (40 GB)
           Windows Server 2019 Datacenter 64-bit Chinese (40 GB)
           Windows Server 2016 Standard 64-bit English (40 GB)
           Windows Server 2016 Standard 64-bit Chinese (40 GB)
           Windows Server 2016 Datacenter 64-bit English (40 GB)
           Windows Server 2016 Datacenter 64-bit Chinese (40 GB)
           Windows Server 2012 R2 Standard 64-bit English (40 GB)
           Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)
           Windows Server 2012 R2 Datacenter 64-bit English (40 GB)
           Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)
Linux      EulerOS 2.2, 2.3, 2.5, 2.8, and 2.9 (64-bit)
           CentOS 7.4, 7.5, 7.6, 7.7, 7.8, and 7.9 (64-bit)
           Ubuntu 16.04, 18.04, 20.04, and 22.04 (64-bit)
           Debian 9, 10, and 11 (64-bit)
           Kylin V10 (64-bit)
           UnionTech OS V20 server E and V20 server D (64-bit)
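As an added example that is not part of the HSS documentation or product, the following Python applies the constraints above and the Table 1 OS list to a server inventory before a scan is requested and reports which servers would be skipped and why. The server record fields, and matching the OS by name prefix, are assumptions; no HSS API is called.

```python
# Pre-flight check for an HSS vulnerability scan scope. Added example, not HSS code:
# the server record fields are assumptions and no HSS API is called.
from typing import Dict, List, Tuple

# Supported OSs from Table 1, matched as a prefix of the reported OS name (assumption).
SUPPORTED_OS = {
    "Windows": ("Windows Server 2019 Datacenter", "Windows Server 2016 Standard",
                "Windows Server 2016 Datacenter", "Windows Server 2012 R2 Standard",
                "Windows Server 2012 R2 Datacenter"),
    "Linux": ("EulerOS 2.2", "EulerOS 2.3", "EulerOS 2.5", "EulerOS 2.8", "EulerOS 2.9",
              "CentOS 7.4", "CentOS 7.5", "CentOS 7.6", "CentOS 7.7", "CentOS 7.8",
              "CentOS 7.9", "Ubuntu 16.04", "Ubuntu 18.04", "Ubuntu 20.04", "Ubuntu 22.04",
              "Debian 9", "Debian 10", "Debian 11", "Kylin V10",
              "UnionTech OS V20 server E", "UnionTech OS V20 server D"),
}
MIN_WINDOWS_APP_SCAN_AGENT = (4, 0, 18)  # Windows application scan needs agent 4.0.18+

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def check_server(srv: Dict[str, str], scan_types: List[str]) -> List[str]:
    """Return the reasons a server cannot be scanned; an empty list means eligible.
    Assumed keys: name, os_type, os_name, server_status, agent_status,
    protection_status, agent_version."""
    reasons = []
    if srv["server_status"] != "Running":
        reasons.append("server is not Running")
    if srv["agent_status"] != "Online":
        reasons.append("agent is Offline")
    if srv["protection_status"] != "Protected":
        reasons.append("protection status is not Protected")
    if not srv["os_name"].startswith(SUPPORTED_OS.get(srv["os_type"], ())):
        reasons.append("unsupported OS: " + srv["os_name"])
    if ("Application" in scan_types and srv["os_type"] == "Windows"
            and parse_version(srv["agent_version"]) < MIN_WINDOWS_APP_SCAN_AGENT):
        reasons.append("agent " + srv["agent_version"] + " is below 4.0.18, no application scan")
    return reasons

def plan_scan(servers: List[Dict[str, str]], scan_types: List[str]):
    """Split a scan scope into servers to submit and servers to skip, with reasons."""
    eligible, skipped = [], {}
    for srv in servers:
        reasons = check_server(srv, scan_types)
        if reasons:
            skipped[srv["name"]] = reasons
        else:
            eligible.append(srv["name"])
    return eligible, skipped
```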
Manual Vulnerability Scan
Log in to the management console.
In the navigation pane, choose Prediction > Vulnerabilities.
Click Scan in the upper right corner of the Vulnerabilities page.
In the Scan for Vulnerability dialog box displayed, select the vulnerability type and scope to be scanned. For more information, see Table 2.
Table 2 Scan parameters

Parameter   Description
Type        Select one or more types of vulnerabilities to be scanned. Possible values:
            Linux
            Windows
            Web-CMS
            Application
Scan        Select the servers to be scanned. Possible values:
            All servers
            Selected servers: you can select a server group or search for the target server by server name, ID, EIP, or private IP address.
            Note: The following servers cannot be selected for vulnerability scan:
              Servers that are not in the Running state
              Servers whose agent status is Offline
Click OK.
Click Manage Task in the upper right corner of the Vulnerabilities page. On the Manage Task slide-out panel displayed, click the Scan Tasks tab to view the status and scan result of the vulnerability scan task.
Click the number next to the red figure in the Scan Result column to view information about the servers that fail to be scanned.
Note
You can also choose Asset Management > Servers & Quota and scan a single server for vulnerabilities on the Servers tab. The procedure is as follows:
Click a server name.
Choose Vulnerabilities.
Choose the vulnerability type to be scanned and click Scan.