This topic describes how to use the baseline check feature and handle risks found in server configurations.

Features

After you enable baseline check, Security Center automatically detects risks related to systems, accounts, databases, passwords, and security compliance configurations of your servers, and provides fixes accordingly. For more information about the check items, see the Baseline check items table.

Security Center automatically runs baseline checks between 00:00 and 06:00 every two days. You can create and manage baseline check policies. In a baseline check policy, you can customize the check items, interval, and effective time period, and select the servers to which you want to apply the policy.

Limits

Baseline check is a value-added service of Security Center. Only Enterprise edition users can activate and use this service. You must upgrade the Basic or Advanced edition to the Enterprise edition before you can use this feature.

Some check items on weak passwords, system security compliance, and Center for Internet Security (CIS) standards are disabled by default. MySQL, PostgreSQL, and Microsoft SQL Server weak password checks may be conducted through logon attempts, which consume server resources and generate multiple logon failure records. Make sure that you understand these risks before you check these items. To check them, select the check items when you customize the baseline check policy.

Baseline check items

Category: Check item

Databases: Detection for risks in Redis, Memcached, MongoDB, MySQL, and Oracle 11g monitoring and startup permission configurations.

Operating systems: The classified protection standard compliance check that covers check items following the level 2 and level 3 security requirements stated in China Classified Protection Standard 2.0. The security baseline check that follows the security standards of Alibaba Cloud and CIS. Security Center checks these items on the following systems:
  • Aliyun Linux 2: baseline checks that follow classified protection requirements and CIS security standards.
  • CentOS Linux 6 and 7: baseline checks that follow classified protection requirements, and Alibaba Cloud and CIS security standards.
  • Red Hat Linux 6 and 7: baseline checks that follow classified protection requirements and Alibaba Cloud security standards.
  • Ubuntu: baseline checks that follow Alibaba Cloud security standards.
  • Ubuntu 14 and 16: baseline checks that follow classified protection requirements and CIS security standards.
  • Debian Linux 8: baseline checks that follow classified protection requirements, and Alibaba Cloud and CIS security standards.
  • Windows 2008 R2, 2012 R2, 2016 R2, and 2019 R2: baseline checks that follow classified protection requirements, and Alibaba Cloud and CIS security standards.
  • BC-Linux 6 and 7: baseline checks that follow classified protection requirements.
  • SUSE Linux Enterprise Server 10, 11, and 12: baseline checks that follow classified protection requirements.

Weak passwords:
  • Weak passwords in PostgreSQL
  • Weak passwords in Windows
  • Weak passwords in Microsoft SQL Server
  • Weak passwords in Linux
  • Weak passwords in MySQL
  • Weak passwords in MongoDB, including 2.x versions
  • Anonymous FTP logon configurations
  • FTP weak passwords

Middleware: Baseline checks following Alibaba Cloud security standards on Apache, Apache Tomcat, Docker, IIS 8, Nginx, WebSphere Application Server, and WebLogic Server 12c.