Security Center: Use the asset fingerprints feature

Last Updated: May 22, 2024

Security Center provides the asset fingerprints feature. You can configure this feature to collect 11 types of fingerprints of servers. This topic describes how to use the asset fingerprints feature to collect fingerprints and how to view the fingerprints of servers.

Background information

The first time you use the asset fingerprints feature, we recommend that you configure the fingerprint collection frequencies for servers to automate collection tasks. The automatic collection tasks collect the fingerprints of all servers. For more information about the fingerprints that the feature collects, see Fingerprints that the feature collects.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. If the edition of your Security Center is not Enterprise or Ultimate, upgrade the edition. For information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Collection methods

Security Center does not automatically collect the fingerprints of servers. You must configure automatic periodic collection tasks or run manual collection tasks to collect the latest fingerprints of servers.

| Collection method | Description |
| --- | --- |
| Automate periodic collection tasks | Security Center supports automatic collection of the fingerprints of all servers. You can configure the collection frequencies for automatic periodic collection based on your business requirements. For more information, see Configure an automatic periodic collection task. |
| Collect the latest fingerprints of all servers | If you want to view the fingerprints of all servers, you can click Collect Latest Data to collect the latest fingerprints of all servers with a few clicks. For more information, see Run a manual collection task to collect the latest fingerprints of all servers. |
| Collect the fingerprints of a specific server | If you want to view the fingerprints of a specific server, you can click Collect Data Now to collect the latest fingerprints of the server with a few clicks. For more information, see Run a manual collection task to collect the latest fingerprints of a specific server. |

Collect the fingerprints of servers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. (Optional) On the Host page, click the IDC Probe Finding tab and add a server to the whitelist of Internet Data Center (IDC) probe findings.

    An IDC probe that is installed in a data center can scan servers that are deployed in the data center and are not included in the whitelist. If you created an IDC probe, you can view the information about the scanned servers on the IDC Probe Finding tab. For more information about IDC probes, see Manage an IDC probe.

    If you do not want the IDC probe to scan a specific server, perform the following operations to add the server to the whitelist:

    1. On the IDC Probe Finding tab, find the server that you want to add to the whitelist and click Add to Whitelist in the Actions column.

      After you add the server to the whitelist, the system no longer scans the server or records the information about the server.

    2. On the IDC Probe Finding tab, click Whitelist in the upper-right corner of the list of scanned servers to view the information about the servers that are added to the whitelist.

  4. On the Host page, use one of the following methods to collect server fingerprints:

Automate periodic collection tasks

  1. On the Account tab, click Configuration Management.

  2. In the Configuration Management dialog box, configure the collection frequency for each type of fingerprints and click OK.

    Note
    • If you set a type to Disable, Security Center does not automatically collect the latest fingerprints of the type. By default, the collection frequencies of all types are Disable. You can configure different collection frequencies for different types of fingerprints.

    • The fingerprint collection frequency that you set for middleware is also used as the fingerprint collection frequency of databases and web services. To configure a fingerprint collection frequency for middleware, databases, and web services, you can configure the Middleware parameter.

      If you use the asset exposure analysis feature, you can set the Middleware parameter to Collected once an hour, Collected once every 3 hours, Collected once every 12 hours, or Collected once a day. You cannot set the Middleware parameter to Disable or Collected once every 7 days.

After the collection frequencies are configured, Security Center automatically runs collection tasks based on the collection frequencies and synchronizes the collected fingerprints to the tabs of different fingerprint types for you to view. For more information, see View the fingerprints of servers.

Run a manual collection task to collect the latest fingerprints of all servers

  1. On the Account tab, click Collect Latest Data.

  2. In the Collect Latest Data dialog box, select the asset fingerprints that you want to collect and click OK.

    Note

    The system requires approximately 1 to 5 minutes to collect the fingerprints.

Run a manual collection task to collect the latest fingerprints of a specific server

  1. In the server list of the Server tab, find the server whose fingerprints you want to collect and click View in the Actions column.

  2. On the details page, click the Asset Fingerprints tab. Then, click the tab of the required fingerprint type.

    Important

    The Asset Fingerprints tab is displayed in the Security Center console only if the edition of your Security Center is Enterprise or Ultimate.

  3. In the upper-right corner, click Collect Data Now. In the Collect data message, click OK.

Note

The system requires approximately 1 to 5 minutes to collect the fingerprints.

View the fingerprints of servers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Host page, view fingerprints.

    • View the fingerprints of all servers

      On the Host page, click the tab of the required fingerprint type.

      [Figure: View asset fingerprint data]

      • Section 1 provides a fingerprint list. The list includes all fingerprints and the number of servers related to each fingerprint.

      • Section 2 provides a list of fingerprint details. In the fingerprint list in section 1, you can click a fingerprint such as a port number to view the details of the fingerprint in this section.

      • Section 3 provides a filter and a search box. You can configure the filter and enter search conditions in the search box to search for a fingerprint. Fuzzy match is supported.

    • View the fingerprints of a specific server

      1. In the server list of the Server tab, find the server whose fingerprints you want to view and click View in the Actions column.

      2. On the details page, click the Asset Fingerprints tab, and then click the tab of the required fingerprint type. On the tab, view the fingerprints.

        Important

        The Asset Fingerprints tab is displayed in the Security Center console only if the edition of your Security Center is Enterprise or Ultimate.

Fingerprints that the feature collects

Fingerprint type

Description

Account

The information about the account of your server. Security Center periodically collects information about the account of your server. The information includes the following items:

  • Server information: the server in which the account is created.

  • Account: the name of the account.

  • ROOT Permission: whether the account is granted the root permissions.

  • User Group: the user group to which the account belongs.

  • Expiration Time: the time when the password of the account expires.

  • Password Expired: whether the password of the account has expired.

  • Password Locked: whether the password of the account is locked.

  • Account Expired: whether the account has expired.

  • Sudo Account: whether the account is granted the sudo permissions.

  • Interactive Logon Account: whether the account is granted the logon permissions.

  • Last Login: the last logon time of the account.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Port

The information about the listener port of your server. Security Center periodically collects information about the listener port of your server. The information includes the following items:

  • Server information: the server to which the listener port belongs. This column displays the name and IP address of the server.

  • Port: the port number of the listener port.

  • Protocol: the network protocol of the listener port.

  • PID: the ID of the server process that listens on the port.

  • Process: the server process that listens on the port.

  • IP: the IP address of the network interface controller (NIC) that is associated with the listener port.

  • Latest Collection Time: the last time when Security Center collected the information about the listener port.

Process

The information about the process that runs on your server. Security Center periodically collects information about the process that runs on your server. The information includes the following items:

  • Server information: the server on which the process is running. This column displays the name and IP address of the server.

  • Process name: the name of the process.

  • Process path: the path from which the process is started.

  • Startup parameters: the startup parameters of the process.

  • Start time: the time when the process was started.

  • Running user: the user who started the process.

  • Run permission: the permissions of the user who started the process.

  • PID: the ID of the process.

  • Parent process PID: the ID of the parent process to which the process belongs.

  • File MD5: the MD5 hash value of the process file.

  • Package Process Installation: whether the process is installed by using a package.

  • Process Status: the status of the process.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Middleware

The information about the middleware that runs on your server. Security Center periodically collects information about the middleware of your server. The middleware refers to system components that can independently run, such as MySQL databases and Docker. Docker is a container component. The information includes the following items:

  • Server Information: the server on which the middleware is run. This column displays the name and IP address of the server.

  • Middleware: the name of the middleware.

  • Type: the type of the middleware.

  • Runtime Environment Version: the runtime environment version of the middleware.

  • Version: the version of the middleware.

  • PID: the ID of the process that started the middleware.

  • Process Startup Path: the path from which the middleware is started.

  • Version Verification: the method that is used to obtain the version of the middleware.

  • Parent Process PID: the ID of the parent process that started the middleware.

  • Enable User: the user who started the middleware.

  • Listening IP Address: the listener IP address of the started middleware.

  • Listening Port: the listener port of the started middleware.

  • Listener Status: the status of the listener.

  • Listening Port Protocol: the network protocol of the listener port for the middleware.

  • Process Startup Time: the time when the middleware was started.

  • Process Startup Command: the startup parameters of the middleware.

  • Container Name: the name of the container to which the middleware belongs.

  • Image Name: the name of the image to which the middleware belongs.

  • Configure Path: the absolute path of the startup configurations for the middleware.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Database

The information about the database that runs on your server. Security Center periodically collects information about the database that runs on your server. The information includes the following items:

  • Server Information: the server on which the database is run. This column displays the name and IP address of the server.

  • Database Name: the name of the database.

  • Type: the type of the database.

  • Version: the version of the database.

  • PID: the ID of the process that started the database.

  • Process Startup Path: the path from which the database is started.

  • Version Verification: the method that is used to obtain the version of the database.

  • Parent Process PID: the ID of the parent process that started the database.

  • Enable User: the user who started the database.

  • Listening IP Address: the listener IP address of the started database.

  • Listening Port: the listener port of the started database.

  • Listener Status: the status of the listener.

  • Listening Port Protocol: the network protocol of the listener port for the database.

  • Process Startup Time: the time when the database was started.

  • Process Startup Command: the startup parameters of the database.

  • Container Name: the name of the container to which the database belongs.

  • Image Name: the name of the image to which the database belongs.

  • Configure Path: the absolute path of the startup configurations for the database.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Web service

The information about the web service of your server. Security Center periodically collects information about the web service of the server. The information includes the following items:

  • Server Information: the server on which the web service is run. This column displays the name and IP address of the server.

  • Web Service Name: the name of the web service.

  • Type: the type of the web service.

  • Runtime Environment Version: the Java Development Kit (JDK) version. JDK is the runtime of the web service.

  • Version: the version of the web service.

  • PID: the ID of the process that started the web service.

  • Process Startup Path: the path from which the web service is started.

  • Version Verification: the method that is used to obtain the version of the web service.

  • Parent Process PID: the ID of the parent process that started the web service.

  • Enable User: the user who started the web service.

  • Listening IP Address: the listener IP address of the started web service.

  • Listening Port: the listener port of the started web service.

  • Listener Status: the status of the listener.

  • Listening Port Protocol: the network protocol of the listener port for the web service.

  • Process Startup Time: the time when the web service was started.

  • Process Startup Command: the startup parameters of the web service.

  • Container Name: the name of the container to which the web service belongs.

  • Image Name: the name of the image to which the web service belongs.

  • Configure Path: the absolute path of the startup configurations for the web service.

  • Web Directory: the path of the web configuration page.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Software

The information about the software that is installed on your server. Security Center periodically collects information about the software that is installed on your server. The information includes the following items:

  • Server information: the server on which the software is installed. This column displays the name and IP address of the server.

  • Software Name: the name of the software.

  • Version: the version of the software.

  • Software Startup Path: the path from which the software is started.

  • Software Update Time: the time when the software version is updated.

  • Latest Collection Time: the last time when Security Center collected the information about the software.

Scheduled Tasks

The information about the scheduled task on your server. Security Center periodically collects information about the path of the scheduled task that is run on your server. The information includes the following items:

  • Server information: the server on which the scheduled task is run. This column displays the name and IP address of the server.

  • Command: the command in the scheduled task.

  • Task Cycle: the interval at which the scheduled task is run.

  • MD5: the MD5 hash value of the process for the scheduled task.

  • Account Name: the name of the account that is used to start the scheduled task.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Startup item

The information about the startup item of your server. Security Center periodically collects information about the startup item of your server. The information includes the following items:

  • Server information: the server on which the startup item is enabled. This column displays the name and IP address of the server.

  • Startup Item Path: the path to the startup item.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Kernel Module

The information about the kernel module of your server. Security Center periodically collects information about the kernel module of your server. The information includes the following items:

  • Server information: the server to which the kernel module belongs. This column displays the name and IP address of the server.

  • Module Name: the name of the kernel module.

  • Module Size: the size of the kernel module file.

  • Module File Path: the path to the kernel module file.

  • Total Submodules: the number of dependent modules.

  • Latest Collection Time: the last time when Security Center collected information from the server.

Website

The information about the website on your server. Security Center periodically collects information about the website on your server. The information includes the following items:

  • Server information: the server on which the website is deployed. This column displays the name and IP address of the server.

  • Domain Name: the domain name of the website.

  • Website Type: the type of the software that is used by the website.

  • Port: the listener port of the website.

  • Web Path: the path to the home directory of the website.

  • Web Root Path: the path of the root directory in the web configuration.

  • User: the user who started the website.

  • Directory Permission: the permissions on the web directory.

  • Monitoring Protocol: the listener protocol of the website.

  • PID: the ID of the process.

  • Process Startup Time: the time when the website was started.

  • Image Name: the name of the image to which the website belongs.

  • Container Name: the name of the container to which the website belongs.

  • Latest Collection Time: the last time when Security Center collected information from the server.

IDC probe findings

The information about each server scanned by an IDC probe. The information includes the following items:

  • Start time: the time when the server is scanned.

  • IP/Port/network segment: the IP address, port number, and CIDR block of the server.

  • IDC room: the name of the data center where the server resides.

  • Client: the status of the Security Center agent installed on the server.

  • Asset judgment: the operating system type of the server.

  • Probe: the name, public IP address, and private IP address of the server on which the IDC probe is installed.
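The Port and Process fingerprint types described above share a PID column, so two collections can be compared and each new listener joined to the process behind it. The following is an added example, not code from Security Center: it assumes fingerprint rows are available as dictionaries keyed by the column names on this page, and the sample rows, value formats, and scoring are constructed for illustration.

```python
import ipaddress

# Assumption: rows are dicts keyed by the column names on this page.
# All sample rows below are constructed; the MD5 values are placeholders.
BASELINE_PORTS = [
    {"Server information": "web-01", "Port": 22, "Protocol": "tcp", "PID": 801, "Process": "sshd", "IP": "10.0.0.5"},
    {"Server information": "web-01", "Port": 443, "Protocol": "tcp", "PID": 1200, "Process": "nginx", "IP": "0.0.0.0"},
]
LATEST_PORTS = BASELINE_PORTS + [
    {"Server information": "web-01", "Port": 6379, "Protocol": "tcp", "PID": 4412, "Process": "redis-server", "IP": "0.0.0.0"},
    {"Server information": "web-01", "Port": 9100, "Protocol": "tcp", "PID": 4500, "Process": "node_exporter", "IP": "127.0.0.1"},
]
# Constructed Process fingerprints from the later collection.
LATEST_PROCESSES = [
    {"Server information": "web-01", "PID": 4412, "Process path": "/tmp/redis-server",
     "Running user": "root", "File MD5": "<md5-placeholder>", "Package Process Installation": "No"},
    {"Server information": "web-01", "PID": 4500, "Process path": "/usr/bin/node_exporter",
     "Running user": "monitor", "File MD5": "<md5-placeholder>", "Package Process Installation": "Yes"},
]


def listener_key(row):
    # PID is left out: it changes on every restart and would report false "new" listeners.
    return (row["Server information"], row["Port"], row["Protocol"], row["Process"], row["IP"])


def bind_scope(ip):
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "single-interface"


def triage_new_listeners(baseline, latest, processes):
    known = {listener_key(r) for r in baseline}
    procs = {(p["Server information"], p["PID"]): p for p in processes}
    findings = []
    for row in latest:
        if listener_key(row) in known:
            continue
        proc = procs.get((row["Server information"], row["PID"]), {})
        scope = bind_scope(row["IP"])
        unpackaged = proc.get("Package Process Installation") == "No"
        # One point each: reachable beyond loopback, bound to all interfaces, binary not from a package.
        score = (scope != "loopback") + (scope == "all-interfaces") + unpackaged
        findings.append({
            "server": row["Server information"], "port": row["Port"], "process": row["Process"],
            "scope": scope, "path": proc.get("Process path"), "user": proc.get("Running user"),
            "md5": proc.get("File MD5"), "unpackaged": unpackaged, "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage_new_listeners(BASELINE_PORTS, LATEST_PORTS, LATEST_PROCESSES):
        print(finding)
```
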