The baseline check feature provides security checks for your operating systems, databases, software, and containers. This feature also provides descriptions and suggestions based on the check results. The baseline check feature reinforces the security of your assets, reduces the risk of intrusion, and allows you to comply with classified protection policies.
Scenarios

Descriptions
The baseline check feature can detect the weak passwords in your operating systems, databases, software, and containers. This feature also detects the configuration risks in account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. In addition, this feature provides suggestions based on the detected risks. For more information, see Check items.
Security Center automatically runs a baseline check between 00:00 and 06:00 every other day based on the default check policy. You can create custom check policies, define custom weak passwords, and specify the scan level (high, medium, or low). For more information, see Set baseline check policies.
Limits
The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade.
Baseline type | Basic edition | Basic Anti-Virus edition | Advanced edition | Enterprise edition |
---|---|---|---|---|
Weak passwords | X | X | √ | √ |
High-risk exploitation | X | X | X | |
Best security practice | | | | |
Container security | | | | |
Classified protection compliance | | | | |
Edition | Supported baseline type | Policy management | Automatic fix |
---|---|---|---|
Advanced | Weak passwords | Not supported | Not supported |
Enterprise | | Yes | Check items that are related to Alibaba Cloud standards and classified protection baselines support automatic fixes. |
Check items
Baseline type | Check standard and item | Covered system and service | Description |
---|---|---|---|
Weak passwords | Checks whether your system contains weak passwords by using the non-brute-force method. The non-brute-force method does not lock your account or interrupt your workloads. | | Urgent fixing is required. We recommend that you fix relevant risks when your systems are open to the Internet. This prevents data breaches or intrusion events. |
High-risk exploitation | | Memcached, Elasticsearch, Docker, CouchDB, Zookeeper, Jenkins, Hadoop, and Tomcat | |
Best practice for security | Alibaba Cloud standards: Checks whether the following items contain risks based on the Alibaba Cloud standards of best security practices: account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. | | We recommend that you fix relevant risks. Security Center can reinforce the security of your assets based on the Alibaba Cloud standards of best security practices. This prevents attacks or malicious configuration modifications against your assets. |
Container security | Alibaba Cloud standards: Checks whether the Kubernetes master nodes contain risks based on the Alibaba Cloud standards of best practice for container security. | | |
Classified protection compliance | | | We recommend that you fix relevant risks based on whether your services comply with the standards. |