Security Center checks whether the baseline configurations of your servers contain risks based on baseline check policies. This topic describes how to create, modify, and delete baseline check policies, set the risk levels to check, and customize rules for weak password detection.

Prerequisites

You have purchased the Enterprise edition of Security Center. Only the Enterprise edition supports baseline check.
Note You must upgrade the Basic or Advanced edition to the Enterprise edition before you can use baseline check.

Background information

After you activate the baseline check feature, Security Center automatically scans all assets based on the default policy. The time and targets of the automatic scan based on the default policy are described as follows:
  • Scan time: Once every two days, from 00:00 to 06:00.
  • Scan targets: All assets under your Alibaba Cloud account.
Default policy

You can also customize policies to check the baseline items that are not specified in the default policy.

Based on the threat intelligence provided by Alibaba Cloud, Security Center provides default weak password rules. You can also customize weak password rules as needed. For more information, see Custom weak password rules.

Manage baseline check policies

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. On the Manage Policies tab, you can create, modify, or delete custom baseline check policies. You can also modify the default policy on this tab.
    • In the upper-right corner of the tab, click Create Policy to create a custom policy.Baseline check policies
      Parameter Description
      Policy Name Enter a policy name.
      Schedule Set the time interval for scheduled scan tasks to 1 Day(s), 3 Day(s), 7 Day(s), or 30 Day(s). Select one of the following time periods for scheduled scan tasks: 00:00:00 to 06:00:00, 06:00:00 to 12:00:00, 12:00:00 to 18:00:00, and 18:00:00 to 24:00:00.
      Check Items Select the items to be checked. Check item types include Serious exploit, CIS and China's Protection of Cybersecurity, Best security practices, and Weak password.

      For more information about baseline check items, see Baseline check overview.

      Servers Select the asset groups to which you want to apply this policy.
      Note By default, newly purchased servers belong to Asset Groups > Default. To apply this policy to new servers, select Default.
    • Click Edit or Delete next to the target policy to modify or delete it.
      Note You cannot restore a policy after you delete it.
    • Click Edit in the Actions column for the Default policy to modify the asset groups to which the default policy is applied.
      Note You cannot delete the default policy or modify the check items of the default policy. You can only modify the assets to which the default policy is applied.
      Modify the default policy
    • In the Manage Policies dialog box, select risk levels from High, Medium, and Low.Set risk levels

Custom weak password rules

Security Center provides default weak password rules. You can also customize weak password rules. To customize a weak password rule, follow these steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. On the Baseline Check page, click Manage Policies in the upper-right corner.
  4. In the Custom Weak Password Rules section, click Download.Custom weak password rules
  5. After you specify weak passwords in the downloaded template, click Import File.
    Note The file must meet the following requirements:
    • The file size cannot exceed 5 MB.
    • Each line in the file contains only one weak password.
    • The file contains a maximum of 2,000 weak passwords.

Related operations

After you create a custom policy, you can use it to check whether your servers contain risks. For more information, see Run a baseline check.