Security Center checks whether the baseline configurations of your servers contain risks based on baseline check policies. This topic describes how to create, modify, and delete baseline check policies.

Prerequisites

You have purchased the Advanced or Enterprise Edition of Security Center. Only the Advanced and Enterprise Editions support the baseline check feature.
Note Before you use the baseline check feature, upgrade the Basic or Basic Anti-Virus Edition to the Advanced or Enterprise Edition.

Background information

After you enable the baseline check feature, Security Center automatically scans all assets based on the default policy. The following content describes the time and targets of the automatic scan based on the default policy:
  • Scan time: once every second day, from 00:00 to 06:00.
  • Scan targets: All assets under your Alibaba Cloud account.
Default policy
You can also create custom policies to check the baseline items that are not specified in the default policy.
Note Only the Enterprise edition of Security Center supports custom check policies. The Advanced edition does not support custom check policies. The Advanced edition supports baseline checks based on the default check policy and existing check policies.

Based on Alibaba Cloud threat intelligence, Security Center provides default rules to detect weak passwords. You can also create custom rules to detect weak passwords. For more information, see Custom rules to detect weak passwords.

Manage baseline check policies

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. On the Manage Policies page, you can create, modify, or delete custom baseline check policies. You can also modify the default policy on this tab.
    • In the upper-right corner of the tab, you can click Create Policy to create a custom policy.Baseline check policies

      Set the following parameters.

      Parameter Description
      Policy Name Enter a policy name.
      Schedule Set the time interval for scheduled scan tasks to 1 Day(s), 3 Day(s), 7 Day(s), or 30 Day(s). Select one of the following time periods for scheduled scan tasks: 00:00 to 06:00, 06:00 to 12:00, 12:00 to 18:00, and 18:00 to 24:00.
      Check Items Select the items to be checked. You can select items from the following drop-down lists: High risk exploit, Container security, CIS and China's Protection of Cybersecurity, Best security practices, and Weak password.

      For more information about baseline check items, see Baseline check overview.

      Servers Select the asset groups to which you want to apply this policy.
      Note By default, newly purchased servers belong to Asset Groups > Default. To apply this policy to new servers, select Default. To add or modify a group, see Manage asset groups.
    • You can click Edit or Delete in the Actions column to modify or delete a policy.
      Note You cannot restore a policy after you delete it.
    • You can click Edit in the Actions column for the Default policy to modify the asset groups to which the default policy is applied.
      Note You cannot delete the default policy or modify the check items of the default policy. You can only modify the assets to which the default policy is applied.
      Modify the default policy
    • On the Manage Policies page, you can select the baseline level from High, Medium, and Low.Set the baseline level

Custom rules to detect weak passwords

Security Center provides default rules to detect weak passwords. You can also create custom rules to detect weak passwords. To create a custom rule, take the following steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. In the Custom Weak Password Rules section, click Download.The Custom Weak Password Rules section
  5. After you specify weak passwords in the downloaded template, click Import File.
    Note The file must meet the following requirements:
    • The file size cannot exceed 5 KB.
    • Each line in the file contains only one weak password.
    • The file contains at most 2,000 weak passwords.

Related topics

After you create a custom policy, you can use it to check whether your servers contain risks. For more information, see Run a baseline check.