You can set baseline risk check policies based on policy types, baseline whitelists, or custom weak password rules, and then run baseline risk checks on target servers. This ensures that the check results are more accurate and meet your requirements.
Prerequisites
The servers to be checked have the Security Center agent installed and are connected to Security Center. For more information, see Install the agent and Manage servers.
Set check policies
The default baseline check policy includes more than 70 baselines of specific baseline types. To best suit your business requirements, you can create other types of baseline check policies and configure baselines for the policies.
Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets reside: China or Outside China.
In the upper-right corner of the page, click Policy Management.
In the Policy Management panel, configure baseline check policies as needed.
Configure scan policies
On the Baseline Scan Policy tab, configure and add scan policies as needed.
Set the baseline scan coverage level.
You can set any or all levels in the level range (High, Medium, and Low). This configuration applies to all scan policies.
Add scan policies.
You can add standard policies to further improve the baseline configuration checks for your assets. You can also add custom policies to check whether your assets have risks in the operating system custom baseline configurations. Security Center runs baseline checks on your assets based on the policy that you create.
Click Add Standard Policy or Add Custom Policy.
In the Baseline Check Policy panel, enter a Policy Name for identification, select Detection Cycle and Detection Start Time, and select the Baseline Classification and Baseline Name to check.
For details about baseline check items, see Baseline check content.
Note: You can modify the parameters of some custom baselines based on your business requirements.

Select the servers to which the policy applies, and then click OK.
Parameter: Scan Method
Description: The method for scanning servers. Valid values:
Group: Scans servers by server group. You can select all servers in one or more server groups.
ECS: Scans servers by ECS instance. You can select some or all servers in different server groups.
Parameter: Effective Server
Description: The servers to which the baseline check policy applies.
Note: Newly purchased assets are automatically added to . If you want to automatically apply the policy to newly purchased assets, select Ungrouped. If you want to add a new server group or modify an existing server group, see Manage servers.
You can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is selected for an existing custom baseline check policy, you can no longer select the server group for the Effective Server parameter when you create a custom baseline check policy.
After you complete the scan policy configuration, you can also click Operation in the column of the policy and select Edit or Delete to modify or delete the policy based on your business scenario.
Note: After you delete a policy, you cannot restore the policy.
You cannot delete the Default Policy or modify its baseline check items. You can modify only the Detection Start Time and the Effective Server to which the default policy applies.
Configure custom weak passwords
Security Center provides built-in weak password rules. After you customize weak passwords, Security Center checks whether your assets have weak password risks based on your custom weak password rules.
On the Custom Weak Password tab, you can add or generate new custom weak password rules by Uploading Files or using Custom Dictionary.
Important: Before you upload a file, make sure that the following requirements are met:
The size of the file cannot exceed 40 KB.
Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
The file contains up to 3,000 weak passwords.
The uploaded file directly overwrites the custom weak password rules to generate new custom weak password rules.
The custom dictionary tool supports two methods to generate custom weak password rules: Overwrite and Add.
Generate new custom weak password rules by uploading a file
Security Center checks whether weak passwords are configured for your assets based on the custom rules.
On the Upload File tab, click Download Template, and then complete the custom weak password settings in the downloaded template.
Click the Drag And Upload File area to upload the weak password template and complete the weak password configuration.
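A pre-upload check for the file requirements listed above, as an added example that is not part of the Security Center documentation or tooling. It assumes the completed template is a plain UTF-8 text file and reads 40 KB as 40 * 1024 bytes; the function name check_weak_password_file is hypothetical.

```python
import re

MAX_BYTES = 40 * 1024   # assumption: the page's "40 KB" read as 40 * 1024 bytes
MAX_ENTRIES = 3000      # "up to 3,000 weak passwords"


def check_weak_password_file(data: bytes) -> dict:
    """Validate raw file bytes; findings cite line numbers, never the passwords."""
    errors, warnings = [], []
    if len(data) > MAX_BYTES:
        errors.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        text = data.decode("utf-8-sig")  # assumption: UTF-8, optional BOM
    except UnicodeDecodeError:
        errors.append("file is not valid UTF-8")
        text = data.decode("utf-8", errors="replace")

    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a final newline is not a blank entry

    seen, count = set(), 0
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r")  # tolerate Windows line endings
        if not line.strip():
            warnings.append(f"line {lineno}: blank line")
            continue
        count += 1
        if re.search(r"\s", line):
            # One password per line: whitespace usually means several were packed together.
            warnings.append(f"line {lineno}: contains whitespace, possibly several passwords")
        if line in seen:
            warnings.append(f"line {lineno}: duplicate entry")
        seen.add(line)
    if count > MAX_ENTRIES:
        errors.append(f"{count} entries, limit is {MAX_ENTRIES}")
    return {"ok": not errors, "entries": count, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: line 1 packs two passwords, line 2 is blank, line 3 repeats line 1.
    sample = b"admin123 root123\r\n\r\nadmin123 root123\r\n"
    report = check_weak_password_file(sample)
    for finding in report["errors"] + report["warnings"]:
        print(finding)
    print("within limits" if report["ok"] else "fix errors before uploading")
```

Errors correspond to the hard limits on this page; warnings flag lines that would weaken detection (packed, blank, or duplicate entries) and should be reviewed before the upload overwrites the existing custom rules.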

Overwrite or add custom weak password rules by using a custom dictionary
On the Custom Dictionary tab, click Generate With One Click (for the first time you customize a dictionary) or Regenerate.
Configure the custom dictionary information, including the Domain Name of the asset, Company Name, and Keywords to be added to the weak password dictionary.

Click Generate Weak Password Dictionary.
You can view all generated weak passwords in the Weak Password Dictionary area. You can manually add, modify, and delete weak passwords.
Use one of the following methods to complete the dictionary configuration:
Click Add and then click OK to add the generated weak password dictionary to the existing weak password rules.
If you regenerate a dictionary, you can click Overwrite and then click OK to overwrite the existing weak password rules.
Configure baseline whitelists
If you confirm that certain baseline check items do not pose security risks to all or some servers, you can use the Baseline Whitelist feature to add baseline whitelist rules in advance to whitelist specific servers for specific check types and check items. After you add the baseline check items for the servers to the baseline whitelist, Security Center ignores the risks that are detected based on the baseline check items.
On the Baseline Whitelist tab, click Add Rule.
In the Create Baseline Whitelist Rule panel, select the Check Item Type and corresponding Check Item to be whitelisted.
Select the Rule Application Scope: All Hosts or Some Hosts.
Click Save.
Optional: You can find the target rule in the rule list on the Baseline Whitelist tab:
Click Operation in the column and select Edit to modify the Rule Application Scope, delete or add whitelisted hosts.
Click Operation in the column and select Delete to directly delete the rule and resume baseline checks on the hosts.
Apply baseline check policies
The baseline check feature supports periodic and automatic checks and manual checks. The following list describes the detection modes:
Periodic and automatic checks: Security Center automatically runs baseline checks at regular intervals based on the default baseline check policy, standard policies, and custom policies that you set. Security Center runs comprehensive baseline checks from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy.
Manual checks: If you add or modify a check policy, you can select the policy on the Baseline Check page of the Baseline Check Policy tab to immediately run baseline checks and view whether the corresponding baseline risks exist on your servers in real time.
If you need to immediately run baseline checks, you can perform the following operations on the Baseline Risk tab of the page.
(Recommended) On the Risk Status tab:
Click Scan Now on the right side of the Check Item Statistics section.
In the Scan By Policy panel, select the target policy, and click Scan in the Operation column to run baseline checks.

On the Baseline Check Policy tab:
Click the icon to expand the scan policy menu, and select the policy name for which you want to run manual checks.
Click Check Item Scan on the right and then click Check Now.
After the scan policy is executed, the Check Now button is grayed out until the scan is complete.
What to do next
After the baseline check is complete, you need to view the failed check items and check details on the tab, and promptly fix the risk check items. For more information, see View and handle baseline risk items.