The baseline check feature provides security checks for your operating systems, databases, software, and containers. This feature also provides descriptions and suggestions based on the check results. The baseline check feature reinforces the security of your assets, reduces the risk of intrusion, and allows you to comply with classified protection policies.

Scenarios

Descriptions

The baseline check feature can detect weak passwords in your operating systems, databases, software, and containers. This feature also detects configuration risks in account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. In addition, this feature provides suggestions based on the detected risks. For more information, see Check items.

Security Center automatically runs a baseline check between 00:00 and 06:00 every other day based on the default check policy. You can create custom check policies and custom weak passwords, and specify the scan level (high, medium, or low). For more information, see Set baseline check policies.

Limits

The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade.

The following table lists the baseline types supported by each edition.

| Baseline type | Basic edition | Basic Anti-Virus edition | Advanced edition | Enterprise edition |
| --- | --- | --- | --- | --- |
| Weak passwords | X | X | | |
| High-risk exploitation | X | X | X | |
| Best security practice | | | | |
| Container security | | | | |
| Classified protection compliance | | | | |

The following table describes the differences in policy management between the Advanced and Enterprise editions.

| Edition | Supported baseline type | Policy management | Automatic fix |
| --- | --- | --- | --- |
| Advanced | Weak passwords | Not supported | Not supported |
| Enterprise | High-risk exploitation, Container security, Best practice for security, Classified protection compliance, Weak passwords | Yes | Check items that are related to Alibaba Cloud standards and classified protection baselines support automatic fixes. |

Note: Users of the Enterprise edition can use all functions of the baseline check feature. Users of the Advanced edition can use only the default check policy and cannot create custom check policies.

Check items

Each baseline type below lists its check standards and items, the covered systems and services, and a description.

Weak passwords
  • Check standard and item: Checks whether your system contains weak passwords by using the non-brute-force method. The non-brute-force method does not lock your account or interrupt your workloads.
  • Covered systems and services:
    • Operating systems: Linux and Windows
    • Databases: MySQL, Redis, SQL Server, MongoDB, and PostgreSQL
    • Applications: Tomcat, FTP, Rsync, and SVN
  • Description: Urgent fixing is required. We recommend that you fix relevant risks when your systems are open to the Internet. This prevents data breaches or intrusion events.

High-risk exploitation
  • Check standards and items:
    • Unauthorized access baseline: Checks whether your servers allow unauthorized access. This prevents intrusion events and data breaches.
    • Other high-risk baselines: Checks whether your services contain high-risk configurations. This prevents risks such as remote file read and command running.
  • Covered systems and services: Memcached, Elasticsearch, Docker, CouchDB, Zookeeper, Jenkins, Hadoop, and Tomcat

Best practice for security
  • Check standard and item: Alibaba Cloud standards. Checks whether the following items contain risks based on the Alibaba Cloud standards of best security practices: account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention.
  • Covered systems and services:
    • Operating systems:
      • CentOS 6, 7, and 8
      • Red Hat 6 and 7
      • Ubuntu 12, 14, and 16
      • Debian 8
      • Aliyun Linux 2
      • Windows 2008, 2012, 2016, and 2019 R2
    • Databases: MySQL, Redis, MongoDB, SQL Server, and Oracle 11g
    • Applications: Tomcat, IIS, Nginx, and Apache
  • Description: We recommend that you fix relevant risks. Security Center can reinforce the security of your assets based on the Alibaba Cloud standards of best security practices. This prevents attacks or malicious configuration modifications against your assets.

Container security
  • Check standard and item: Alibaba Cloud standards. Checks whether the Kubernetes master nodes contain risks based on the Alibaba Cloud standards of best practice for container security.
  • Covered systems and services:
    • Docker
    • Kubernetes clusters

Classified protection compliance
  • Check standards and items:
    • Level-two and level-three classified protection compliance: Security Center provides baseline checks based on classified protection compliance. These checks verify whether your asset environments comply with the classified protection requirements.
    • Center for Internet Security (CIS) standards: Security Center provides baseline checks for your operating systems based on CIS standards.
  • Covered systems and services:
    • Classified protection compliance:
      • CentOS 6, 7, and 8
      • Red Hat 6 and 7
      • Ubuntu 12, 14, and 16
      • SUSE 10, 11, and 12
      • Debian 8
      • Aliyun Linux 2
      • Windows 2008, 2012, 2016, and 2019 R2
    • CIS standards:
      • CentOS 6 and 7
      • Ubuntu 12, 14, and 16
      • Debian 8
      • Aliyun Linux 2
      • Windows 2008, 2012, 2016, and 2019 R2
  • Description: We recommend that you fix relevant risks based on whether your services comply with the standards.