Security Center checks whether the baseline configurations of your servers contain risks based on baseline check policies. This topic describes how to add, edit, and delete baseline check policies. It also describes how to set baseline check levels and customize weak password rules.

Prerequisites

You have purchased the Enterprise edition of Security Center. Only the Enterprise edition supports baseline check.
Note: You must upgrade the Basic or Advanced edition to the Enterprise edition before you can use baseline check.

Background information

After you have activated the baseline check feature, Security Center automatically scans all assets based on the Default Policy.

Automatic scan time under the default policy: 00:00 to 06:00 every day.

Automatic scan targets under the default policy: all assets under your Alibaba Cloud account.

You can also customize baseline check policies to cover the baseline items that are not covered by the default policy.

Based on the threat intelligence provided by Alibaba Cloud, Security Center provides default weak password rules. You can also customize weak password rules as needed. For more information, see Custom weak password rules.

Manage baseline check policies

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. On the Manage Policies tab, you can add, modify, or delete custom baseline check policies. You can also modify the default policy on this tab.
    • In the upper-right corner of the tab, click Create Policy to add custom baseline check policies. Configure the following parameters:
      Policy Name: Enter a policy name.
      Schedule: Select a time interval for scheduled scan tasks from: 1 Day(s), 3 Day(s), 7 Day(s), and 30 Day(s), which respectively represent every second day, every fourth day, every eighth day, and every thirty-first day. You can also select a time period for scheduled scan tasks from: 00:00 to 06:00, 06:00 to 12:00, 12:00 to 18:00, and 18:00 to 24:00.
      Check Items: Select the baseline items that need to be checked under these categories: Serious exploit, CIS and China's Protection of Cybersecurity, Best security practices, and Weak password. For more information about baseline check items, see Baseline check overview.
      Servers: Select the asset groups to which you want to apply this policy.
      Note: Newly purchased servers belong to Asset Groups > Default by default. To apply this policy to new servers, select Default.
    • Click Edit or Delete next to the target policy to modify or delete it.
      Note: You cannot restore a policy after you delete it.
    • Click Edit in the Actions column next to the Default policy to modify the asset groups to which the default policy is applied.
      Note: You cannot delete the default policy or modify the check items of the default policy. You can only modify the asset groups to which the default policy is applied.
    • At the bottom of the Manage Policies tab, you can set the baseline check level to High, Medium, or Low.

Custom weak password rules

Security Center provides default weak password rules. You can also customize weak password rules. To customize a weak password rule, follow these steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. In the Custom Weak Password Rules section, click Download.
  5. After you have set the custom weak passwords in the downloaded template, click Import File.
    Note: The file to be imported has the following limits:
    • The file size cannot exceed 5 MB.
    • Each weak password in the file must be on its own line, and each line can contain only one weak password. Otherwise, the weak passwords cannot be detected.
    • The file supports a maximum of 2,000 weak passwords.
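
The import limits above can be checked locally before you click Import File. The following script is an added example, not part of Security Center or its tooling. The function name is hypothetical, and the script assumes the template is UTF-8 text, that 5 MB means 5 × 1024 × 1024 bytes, and that whitespace inside a line indicates more than one password on that line.

```python
"""Pre-import check for a custom weak password file (added example)."""
from collections import Counter

MAX_BYTES = 5 * 1024 * 1024   # page limit: 5 MB (assumed to mean 5 MiB)
MAX_ENTRIES = 2000            # page limit: 2,000 weak passwords


def check_weak_password_file(data: bytes) -> list[str]:
    """Return the problems found; an empty list means the file is within the limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        text = data.decode("utf-8-sig")   # assumption: UTF-8, optional BOM
    except UnicodeDecodeError as exc:
        return problems + [f"not valid UTF-8: {exc.reason} at byte {exc.start}"]

    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no password
        # Heuristic (assumption): inner whitespace usually means several
        # passwords share one line, which the page says breaks detection.
        if len(line.split()) > 1:
            problems.append(f"line {lineno}: whitespace inside entry, use one password per line")
        entries.append(line)

    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    # Report only a count so the passwords themselves never reach logs.
    dupes = [p for p, n in Counter(entries).items() if n > 1]
    if dupes:
        problems.append(f"{len(dupes)} entries appear more than once")
    return problems


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        issues = check_weak_password_file(fh.read())
    print("\n".join(issues) if issues else "OK: file is within the documented limits")
    sys.exit(1 if issues else 0)
```

Run it with the path to the edited template as the only argument. A non-zero exit status means at least one limit or formatting problem was found.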

Related topics

After you have created custom baseline check policies, you can apply them to the baseline check feature to check whether your servers contain risks. For more information, see Run a baseline check.