Container Service for Kubernetes:Instructions for ACK MLPS 2.0 security hardening

Last Updated: Mar 26, 2026

ACK provides Multi-Level Protection Scheme (MLPS) 2.0 Level 3 compliance for Alibaba Cloud Linux node pools. Enable MLPS security hardening when creating a cluster, and ACK automatically configures the required OS-level controls. After enabling, run a baseline check in Security Center to verify that your nodes meet the classified protection requirements specified in GB/T 22239-2019 Information Security Technology - Baseline for Classified Protection of Cybersecurity.

What ACK does automatically: Configures all OS-level security controls across five domains (identity authentication, access control, security audit, intrusion prevention, and malware prevention) on every node in the pool.

What you do manually: Purchase a Security Center edition that supports baseline checks, then configure and run a baseline check policy to verify compliance.

Classified protection compliance requirements

MLPS 2.0 Level 3 requires the following OS-level protections on Alibaba Cloud Linux nodes:

  • Identity authentication — Enforce password complexity, restrict root SSH access, lock accounts after failed logon attempts, and disable insecure protocols like Telnet.

  • Access control — Assign separate accounts for administrators, auditors, and security personnel; enforce least privilege with umask 027; restrict su and sudo access.

  • Security audit — Run auditd and rsyslog/syslog-ng to collect events for file deletions, sudoers changes, and user/group modifications.

  • Intrusion prevention — Follow minimal installation principles, close vulnerable ports, and restrict SSH access by IP address.

  • Malware prevention — Use Security Center or equivalent anti-malware software with an up-to-date signature database.

Check rules for Alibaba Cloud Linux MLPS 2.0 Level 3 images

Alibaba Cloud Linux MLPS 2.0 Level 3 images are hardened according to GB/T 22239-2019. The following table lists every check item. ACK configures the OS-level items automatically; the items that refer to Security Center (vulnerability detection, intrusion detection, and anti-malware) are met by Security Center, or by an equivalent tool for which you provide evidence.

Columns: Check item type | Check item name | Check content

Identity authentication

The identity of logon users must be authenticated and unique. Authentication information must meet complexity requirements and be changed periodically.

  • Check for accounts with empty passwords.

  • Ensure that user IDs (UIDs) are unique.

  • Set password complexity requirements.

  • Change passwords periodically.

  • Set a minimum time interval for password changes to prevent unauthorized users from changing passwords multiple times in a short period.

  • Restrict password reuse.

  • Ensure that root is the only account with a UID of 0.

Necessary measures must be taken to prevent authentication information from being intercepted during network transmission when a server is managed remotely.

  • Check whether SSHD is configured to use only the SSHv2 protocol.

  • Disable insecure remote connection services such as Telnet.

A logon failure handling feature must be implemented. Measures such as session termination, limits on failed logon attempts, and automatic logout on connection timeout must be configured and enabled.

Check whether a logon failure lockout policy is configured, an idle session timeout is set, and the client is configured to disconnect after a logon timeout.
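As an added example (not part of the original page, and not the scanner that Security Center runs), the following script checks the identity-authentication items above locally, before the baseline check. It also covers the "no root logon over SSH" item listed under access control, because that is a sshd_config setting too. Every function takes the file to inspect as an argument, so it can be run against /etc/passwd, /etc/shadow, /etc/login.defs and /etc/ssh/sshd_config on a node or against the constructed sample files embedded at the end. The sample contents, the account names and the numeric thresholds (90-day maximum password age, 60-second logon grace time, 600-second idle timeout) are this example's assumptions, not values from the baseline.

```sh
#!/bin/sh
# Added pre-check for the identity-authentication items (not ACK's
# hardening script or Security Center's scanner). Every function takes the
# file to inspect as an argument and returns 0 (pass) or 1 (fail), so it can
# be pointed at /etc/passwd, /etc/shadow, /etc/login.defs and
# /etc/ssh/sshd_config on a node, or at the constructed samples at the end.

# Empty password: the second field of a shadow entry is empty.
check_no_empty_passwords() {
    [ "$(awk -F: '$2 == "" { n++ } END { print n + 0 }' "$1")" -eq 0 ]
}

# Unique UIDs: no UID may appear on more than one passwd line.
check_unique_uids() {
    [ "$(awk -F: '{ c[$3]++ } END { d = 0; for (u in c) if (c[u] > 1) d++; print d }' "$1")" -eq 0 ]
}

# Only root may have UID 0.
check_only_root_uid0() {
    [ "$(awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1")" -eq 0 ]
}

# Password aging in login.defs: periodic change plus a minimum interval
# between changes. The limits (max 90 days, min 1 day) are this example's
# assumption; the baseline only demands that both be configured.
check_password_aging() {
    max=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$1")
    min=$(awk '$1 == "PASS_MIN_DAYS" { v = $2 } END { print v + 0 }' "$1")
    [ "$max" -ge 1 ] && [ "$max" -le 90 ] && [ "$min" -ge 1 ]
}

# Effective global value of an sshd_config keyword: sshd uses the FIRST
# occurrence, keywords are case-insensitive, comments are ignored, and
# everything after the first "Match" line is conditional, so parsing stops
# there. The rarer "Keyword=value" spelling is not handled.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; exit }' "$1"
}

# A timeout keyword must be present, numeric (plain seconds) and within the
# limit; the limits used below are assumptions, not values from the baseline.
sshd_timeout_ok() {   # file keyword max_seconds
    v=$(sshd_opt "$1" "$2")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -gt 0 ] && [ "$v" -le "$3" ]
}

# Remote-management items: SSHv2 only, no root logon over SSH, logon-timeout
# and idle-timeout disconnects. OpenSSH 7.4 and later no longer implement
# SSHv1 on the server side, so a missing Protocol line passes while
# "Protocol 1" or "Protocol 2,1" fails.
check_sshd() {
    proto=$(sshd_opt "$1" Protocol)
    [ -z "$proto" ] || [ "$proto" = "2" ] || return 1
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || return 1
    sshd_timeout_ok "$1" LoginGraceTime 60 || return 1
    sshd_timeout_ok "$1" ClientAliveInterval 600
}

# Constructed sample files for a node that fails three items (not copied
# from any real system).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ack_admin:x:1000:1000::/home/ack_admin:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$salt$hash:19800:1:90:7:::
ack_admin::19800:1:90:7:::
toor:!:19800:1:90:7:::
EOF
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\n' > "$demo/login.defs"
cat > "$demo/sshd_config" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
LoginGraceTime 60
ClientAliveInterval 300
Match User ack_audit
    PermitRootLogin yes
EOF

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report check_no_empty_passwords "$demo/shadow"      # FAIL: ack_admin has no password
report check_unique_uids        "$demo/passwd"      # FAIL: UID 0 appears twice
report check_only_root_uid0     "$demo/passwd"      # FAIL: toor
report check_password_aging     "$demo/login.defs"  # PASS
report check_sshd               "$demo/sshd_config" # PASS: first PermitRootLogin wins
rm -rf "$demo"
```

Run it with sh on a node after substituting the real paths. The sshd_config parser reproduces two behaviours that hand inspection often gets wrong: sshd takes the first occurrence of a keyword (a commented-out line or a later duplicate does not count), and settings inside a Match block do not change the global value.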

Access control

Assign accounts and permissions to logon users.

  • In addition to system administrators, accounts must be assigned for regular users, auditors, and security administrators.

  • Ensure that the user umask is 027 or stricter.

  • Ensure that the permissions for each user's home directory are set to 750 or stricter.

Rename or delete default accounts and change their default security tokens.

  • The root account in Linux cannot be deleted. Instead, check whether direct logon as the root user over the Secure Shell (SSH) protocol is disabled.

  • Disable logon for default system accounts and database accounts other than root.

  • Ensure that no weak passwords exist and that the weak password baseline check passes.

The granularity of access control must be at the user or process level for entities and at the file or database table level for objects.

Check whether the permissions of important files, such as access control and user permission configuration files, have user-level granularity.

Promptly delete or disable redundant or expired accounts. Avoid using shared accounts.

  • Disable logon for default system accounts and database accounts other than root.

  • Lock or delete the shutdown and halt accounts.

Grant administrative users the least privilege required and use permission separation.

  • Ensure that access to the `su` command is restricted.

  • Check the /etc/sudoers file for users with `sudo` permissions. If required, configure `sudo` permissions for users other than root. Do not grant `ALL` permissions to any user except the administrator.

An authorized entity must configure the access control policy, which specifies the rules for entity access to objects.

  • Ensure that the permissions for each user's home directory are set to 750 or stricter.

  • If required, reset the ownership of ownerless files or folders to an active user on the system.

  • Set the permissions and ownership of the SSH host public key file.

  • Set the permissions and ownership of the SSH host private key file.
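As an added example (not part of the original page, and not Security Center's scanner), the following script checks the file-system and privilege-separation items above: the umask, home directory permissions, unrestricted sudo grants, and the pam_wheel restriction on su. Functions take file paths and an optional root prefix, so they can run against the live /etc files on a node or against the constructed sample tree embedded at the end. The sample accounts, directories and sudoers lines are this example's assumptions.

```sh
#!/bin/sh
# Added pre-check for the access-control items (not ACK's hardening script
# or Security Center's scanner). Functions take file paths and return 0
# (pass) or 1 (fail), so they can run against /etc/login.defs, /etc/passwd,
# /etc/sudoers and /etc/pam.d/su on a node, or against the constructed
# samples at the end.

# umask 027 or stricter: every bit of 027 (group-write, all of "other") must
# be set in the configured mask. Reads UMASK from login.defs (last one wins).
check_umask() {
    m=$(awk '$1 == "UMASK" { v = $2 } END { print v }' "$1")
    case "$m" in ''|*[!0-7]*) return 1 ;; esac
    [ "$(( (0$m & 027) == 027 ))" -eq 1 ]
}

# Home directories of regular users (UID >= 1000, excluding nobody) must be
# 750 or stricter: no group-write and no "other" bits at all. $2 is an
# optional root prefix so a staged tree can be checked instead of /.
check_home_perms() {
    prefix=${2:-}
    awk -F: '$3 >= 1000 && $3 != 65534 { print $6 }' "$1" | while read -r home; do
        [ -d "$prefix$home" ] || { echo "missing home: $home" >&2; exit 1; }
        mode=$(stat -c %a "$prefix$home")
        [ "$(( 0$mode & 027 ))" -eq 0 ] || { echo "$home is mode $mode" >&2; exit 1; }
    done
}

# sudoers: list every non-root rule whose command part is an unrestricted
# ALL (this also catches "NOPASSWD: ALL" and %group rules, which should be
# reviewed one by one). Comment, @include, Defaults and root lines are skipped.
list_sudoers_all() {
    awk '/^[[:space:]]*(#|@|Defaults|root[[:space:]])/ || NF < 3 { next }
         $NF == "ALL" { print $1 }' "$1"
}
check_sudoers_all() {
    [ -z "$(list_sudoers_all "$1")" ]
}

# su restricted to the wheel group: /etc/pam.d/su needs an active
# "auth required pam_wheel.so" line (it ships commented out on many distros).
check_su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed sample tree (not from any real node): one home directory is
# too open and one account holds a blanket sudo grant.
demo=$(mktemp -d)
mkdir -p "$demo/root/home/ack_admin" "$demo/root/home/ack_audit"
chmod 750 "$demo/root/home/ack_admin"
chmod 755 "$demo/root/home/ack_audit"
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
ack_admin:x:1000:1000::/home/ack_admin:/bin/bash
ack_audit:x:1001:1001::/home/ack_audit:/bin/bash
EOF
printf 'UMASK 027\n' > "$demo/login.defs"
cat > "$demo/sudoers" <<'EOF'
Defaults    requiretty
root        ALL=(ALL)       ALL
ack_admin   ALL=(ALL)       NOPASSWD: ALL
ack_audit   ALL=(root)      /usr/sbin/ausearch, /usr/sbin/aureport
@includedir /etc/sudoers.d
EOF
printf 'auth required pam_wheel.so use_uid\n' > "$demo/pam_su"

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report check_umask         "$demo/login.defs"          # PASS
report check_home_perms    "$demo/passwd" "$demo/root" # FAIL: /home/ack_audit is 755
report check_sudoers_all   "$demo/sudoers"             # FAIL: ack_admin has ALL
report check_su_restricted "$demo/pam_su"              # PASS
rm -rf "$demo"
```

The umask and mode tests are bitwise on purpose: "027 or stricter" means every bit that 027 clears must also be cleared by the configured mask (so 077 passes and 022 fails), and "750 or stricter" means no group-write or other bits at all (so 700 passes and 2755 fails). A sudoers audit that only looks at /etc/sudoers is incomplete on a node that uses /etc/sudoers.d; run list_sudoers_all over every file in that directory as well.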

Security audit

Audit records must be protected. They must be backed up periodically to prevent unexpected deletion, modification, or overwriting.

Check the `auditd` log file size limit, the log rotation (splitting) configuration, or the backup of audit records to a remote log server. If automatic repair fails, you must first fix the check item for enabling the security audit feature.

Audit records must include the date and time of the event, the user, the event type, the event outcome (success or failure), and other audit-related information.

This item is met if the check item for enabling the security audit feature is met.

The security audit feature must be enabled. The audit must cover every user and record important user behaviors and security events.

  • Enable the auditd service.

  • Enable the rsyslog or syslog-ng service.

  • Ensure that file deletion events by users are collected.

  • Ensure that changes to the system administration scope (sudoers) are collected.

  • Ensure that events related to modifying user or group information are collected. If you use a third-party log collection service, you can provide evidence and ignore this item.

Audit processes must be protected from unexpected interruptions.

`auditd` is the Linux audit daemon and `syslogd` (`rsyslogd` or `syslog-ng` on Alibaba Cloud Linux) is the system log daemon. Check that both processes are running.
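As an added example (not ACK's own hardening script), the following script writes the auditd rules that cover the three event classes the audit items above require (file deletions by users, sudoers changes, and user or group modifications), then verifies a rules file and the log-retention setting from the "audit records must be protected" item. The rule set follows the usual CIS-style watches; the destination paths, the sample auditd.conf contents and the decision to require max_log_file_action = keep_logs are this example's assumptions.

```sh
#!/bin/sh
# Added example for the security-audit items (not ACK's hardening script):
# writes the auditd rules the baseline asks for, then verifies a rules file
# and the auditd log-retention setting. On a node the rules belong in
# /etc/audit/rules.d/mlps.rules and are loaded with "augenrules --load"
# (or by restarting auditd); the demo below only writes to a temp directory.

write_mlps_audit_rules() {    # $1 = destination rules file
    cat > "$1" <<'EOF'
## File deletions and renames by logged-in users. auid>=1000 skips system
## accounts; auid!=4294967295 (spelled "unset" on newer audit) skips daemons.
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
## Changes to the system administration scope (sudoers).
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## Changes to user and group information.
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
EOF
}

# A rules file passes when it covers all three event classes: deletion
# syscalls for both ABIs, sudoers watches, and user/group file watches.
check_audit_rules() {
    for arch in b64 b32; do
        grep -Eq "^-a always,exit -F arch=$arch -S [^ ]*unlink[^ ]* .*-k " "$1" || return 1
    done
    for path in /etc/sudoers /etc/sudoers.d/ /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
        grep -Eq "^-w $path -p wa" "$1" || return 1
    done
}

# Audit records must not be overwritten: with the default
# "max_log_file_action = ROTATE" auditd deletes the oldest file once
# num_logs is reached, so this check requires keep_logs. Treating keep_logs
# as the required setting is this example's reading of "log splitting or
# backup"; shipping the records to a log server is an equally valid answer.
check_auditd_retention() {
    action=$(awk -F= '$1 ~ /^[[:space:]]*max_log_file_action[[:space:]]*$/ {
                          gsub(/[[:space:]]/, "", $2); v = tolower($2) }
                      END { print v }' "$1")
    [ "$action" = "keep_logs" ]
}

# On a node, the audit and syslog daemons must both be running. Defined
# only; the demo below does not call it because it needs systemd.
check_audit_services() {
    systemctl is-active --quiet auditd || return 1
    systemctl is-active --quiet rsyslog || systemctl is-active --quiet syslog-ng
}

# Demo with constructed files in a temporary directory (nothing is written
# under /etc).
demo=$(mktemp -d)
write_mlps_audit_rules "$demo/mlps.rules"
printf 'max_log_file = 8\nmax_log_file_action = keep_logs\nspace_left_action = email\n' > "$demo/auditd.conf"
printf 'max_log_file = 8\nmax_log_file_action = ROTATE\nnum_logs = 5\n' > "$demo/auditd_default.conf"

report() { if "$@"; then echo "PASS $1 ${2##*/}"; else echo "FAIL $1 ${2##*/}"; fi; }
report check_audit_rules      "$demo/mlps.rules"           # PASS
report check_auditd_retention "$demo/auditd.conf"          # PASS
report check_auditd_retention "$demo/auditd_default.conf"  # FAIL: ROTATE discards old logs
rm -rf "$demo"
```

After loading the rules on a node, confirm with auditctl -l that the delete, scope and identity keys are present, and search with ausearch -k identity after a test useradd to see the record carry the date, user (auid), syscall and success fields the "audit records must include" item asks for.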

Intrusion prevention

Known vulnerabilities must be detected. After thorough testing and evaluation, the vulnerabilities must be patched promptly.

The vulnerability detection and fixing features of Security Center can meet this requirement. If you use other methods, you can provide evidence and ignore this item.

Follow the principle of minimal installation by installing only necessary components and applications.

  • Alibaba Cloud Linux 3: Uninstall software such as avahi-daemon, Bluetooth, firstboot, Kdump, wdaemon, wpa_supplicant, and ypbind.

  • Alibaba Cloud Linux 2: Uninstall software such as NetworkManager, avahi-daemon, Bluetooth, firstboot, Kdump, wdaemon, wpa_supplicant, and ypbind.

Shut down unnecessary system services, default shares, and vulnerable ports.

  • Shut down unnecessary system services and file sharing services.

  • Close vulnerable ports such as 21 (FTP), 23 (Telnet), 25 (SMTP), 111 (portmapper), 427 (SLP), and 631 (IPP).

  • If you have special requirements that necessitate a strict access control policy, you can provide evidence and ignore this item.

Intrusions on important nodes must be detected, and alerts must be provided for critical intrusion events.

The intrusion detection and alerting features of Security Center can meet this requirement. If you have other detection and alerting methods, you can provide evidence and ignore this item.

Restrict management terminals that are managed over the network by setting the connection type or address range.

  • Alibaba Cloud Linux 3:

    1. Open the /etc/ssh/sshd_config file on the server in a text editor such as vi.

    2. Add an AllowUsers <user>@<host> entry for each management terminal that is allowed to log on.

      Note

      <user> is the username that is allowed to log on. <host> is the IP address, hostname, or address pattern of the management terminal (the SSH client) from which that user may connect; it is not the address of the server itself. Replace both as required. Once AllowUsers is set, sshd refuses every user or source address that does not match an entry, so list your own terminal before you restart sshd.

    3. After you finish editing, press the Esc key, enter :wq, and then press the Enter key to save the file and exit.

    4. Run the sudo sshd -t command to validate the configuration file, then run the sudo systemctl restart sshd command to restart the sshd service.

  • Alibaba Cloud Linux 2:

    • The /etc/hosts.allow file lists the client addresses that are allowed to connect to the host. It must not be set to ALL:ALL.

    • The /etc/hosts.deny file lists the client addresses that are refused. It must be set to ALL:ALL so that every connection not explicitly allowed is denied by default.

    TCP wrappers consult /etc/hosts.allow first and /etc/hosts.deny second, so the two files work together. Add the rule for your own management terminal to /etc/hosts.allow before you put ALL:ALL into /etc/hosts.deny; otherwise your next SSH connection is refused. If you implemented this restriction using other methods, such as security groups or firewalls, you can provide evidence and ignore this item.
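As an added example (not part of the original page, and not ACK's own configuration), the following script simulates the two decisions described above so a rule set can be checked against your own terminal address before sshd is restarted: how sshd evaluates AllowUsers user@host entries (the host part is the client's address, matched as a shell-style pattern with * and ?), and how TCP wrappers evaluate /etc/hosts.allow and /etc/hosts.deny (allow is consulted first, then deny, and no match admits). The addresses, account names and rule contents are constructed; the CIDR and netmask forms of sshd and TCP wrappers are not implemented in this simplified matcher.

```sh
#!/bin/sh
# Added example for the remote-management restriction (not ACK's own
# configuration): simulates sshd's AllowUsers matching and the TCP-wrappers
# hosts.allow / hosts.deny decision. Host parts are matched as shell-style
# patterns (* and ?), as sshd does; CIDR and netmask forms are not handled.

# AllowUsers entries from an sshd_config: all AllowUsers lines accumulate;
# comments and everything after the first Match line are ignored.
allowusers_entries() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         tolower($1) == "match" { exit }
         tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Would sshd admit user $2 connecting from client address $3 under the
# AllowUsers rules in $1? No AllowUsers at all means everyone is admitted;
# otherwise the user must match an entry, and for "user@host" the client
# address must match the host pattern as well.
sshd_allows() {
    entries=$(allowusers_entries "$1")
    [ -n "$entries" ] || return 0
    for e in $entries; do
        case "$e" in
            *@*) upat=${e%%@*}; hpat=${e#*@} ;;
            *)   upat=$e; hpat='*' ;;
        esac
        case "$2" in $upat) ;; *) continue ;; esac
        case "$3" in $hpat) return 0 ;; esac
    done
    return 1
}

# TCP-wrappers client patterns handled: ALL, an exact address, and the
# trailing-dot network prefix form such as "10.0.1.".
tcpd_client_matches() {   # pattern client
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemons : clients" line of file $1 match daemon $2 from client $3?
tcpd_file_matches() {
    hit=$(awk '/^[[:space:]]*#/ || NF == 0 { next } { print }' "$1" |
        while IFS= read -r line; do
            daemons=${line%%:*}
            rest=${line#*:}
            clients=${rest%%:*}                 # drop an optional ": option" field
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    tcpd_client_matches "$c" "$3" && { echo yes; exit 0; }
                done
            done
        done)
    [ "$hit" = yes ]
}

# hosts.allow ($1) is consulted first and a match admits; then hosts.deny
# ($2), where a match refuses; no match in either file admits.
tcpd_allows() {           # hosts.allow hosts.deny daemon client
    tcpd_file_matches "$1" "$3" "$4" && return 0
    tcpd_file_matches "$2" "$3" "$4" && return 1
    return 0
}

# Constructed rule set: two admin accounts, only from the bastion subnet.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
PermitRootLogin no
AllowUsers ack_admin@10.0.1.* ack_security@10.0.1.10
EOF
printf 'sshd: 10.0.1.\n' > "$demo/hosts.allow"
printf 'ALL: ALL\n'      > "$demo/hosts.deny"

show() { if "$@"; then echo "admit  $*"; else echo "refuse $*"; fi; }
show sshd_allows "$demo/sshd_config" ack_admin    10.0.1.25    # admit
show sshd_allows "$demo/sshd_config" ack_admin    203.0.113.9  # refuse: wrong source
show sshd_allows "$demo/sshd_config" ack_security 10.0.1.11    # refuse: only .10
show sshd_allows "$demo/sshd_config" root         10.0.1.25    # refuse: not listed
show tcpd_allows "$demo/hosts.allow" "$demo/hosts.deny" sshd 10.0.1.25    # admit
show tcpd_allows "$demo/hosts.allow" "$demo/hosts.deny" sshd 203.0.113.9  # refuse
rm -rf "$demo"
```

The lockout risk the text warns about shows up directly: with hosts.deny set to ALL: ALL and no matching hosts.allow line, tcpd_allows refuses every client, and with an AllowUsers line that omits your own account or source address, sshd_allows refuses you even though PermitRootLogin and password policy are fine. Run both simulations with your real terminal address before restarting sshd.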

Malware protection

  • Alibaba Cloud Linux 3: Use technical measures to protect against malware attacks, or use an active immune-based trusted verification mechanism to promptly detect and block intrusions and virus behaviors.

  • Alibaba Cloud Linux 2: Install anti-malware software and promptly update the software version and malware signature database.

Check whether Security Center is installed and used. If you have installed other anti-malware software, you can provide evidence and ignore this item.

Enable MLPS security hardening

When creating an ACK cluster, enable MLPS Security Hardening in the cluster configuration. ACK automatically configures security hardening items for the cluster, meeting the classified protection requirements specified in GB/T 22239-2019.

Important

Enabling MLPS security hardening has two consequences that affect node access:

  • ACK creates three regular users by default in the hardened Alibaba Cloud Linux: ack_admin, ack_audit, and ack_security.

  • MLPS 2.0 security-hardened Alibaba Cloud Linux prohibits logging on as the root user over SSH. To create a regular user that can log on over SSH, connect to the instance through VNC in the ECS console and create the user from that session.

Configure a baseline check policy

After enabling MLPS security hardening, run a classified protection compliance baseline check in Security Center to verify that your nodes meet every check item in the check rules table. This section uses Alibaba Cloud Linux 3 as an example. Alibaba Cloud provides classified protection compliance baseline check standards and scanners for both Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 MLPS 2.0 Level 3 images.

Prerequisites

Before you begin, ensure that you have:

  • Enabled MLPS security hardening on the cluster, as described above.

  • A Security Center edition that supports baseline checks, as noted under "What you do manually" above.

Create and run the baseline check policy

  1. Log on to the Security Center console.

  2. On the Risk Governance > CSPM page, click Policy Management.

  3. On the Policy Management panel, click the Baseline Check Policy tab.

  4. Set the baseline scan coverage level by selecting one or more of High, Medium, and Low. This setting applies to all baseline check policies.

  5. Click Create Standard Policy. On the Baseline Check Policy panel, configure the following fields and click OK:

    • Policy Name: Enter a descriptive name, such as Alibaba Cloud Linux 3 Classified Protection Compliance Check. Select a Detection Cycle and a Check Start Time.

    • Baseline Name: Search for and select MLPS Level 3 - Alibaba Cloud Linux 3 Compliance Baseline.

    • Scan Method: Select one of the following modes:

      • Group: Scans servers by asset group. Select all servers in one or more groups.

      • ECS: Scans servers by ECS instance. Select specific servers across groups.

    • Effective Server: Select the asset groups to apply this policy to. To include newly purchased servers, select Default — new servers are added to the Default group automatically.

    After saving, click Edit or Delete in the Actions column to modify or remove the policy.

    A deleted policy cannot be recovered. Default policies cannot be deleted, and their baseline check items cannot be modified. Only the start time and target servers of a default policy can be changed.

  6. Run the baseline check. On the Risk Governance > CSPM page, click the System Baseline Risks tab. On the Baseline Check Policy tab, click the triangle icon to expand the policy list. Select the classified protection compliance baseline check policy, then click Check Now in the Check Item Scan section. Check Now is unavailable while a scan is running. Wait for the scan to complete.


  7. After the scan completes, go to System Baseline Risks > Risk Details to review failed check items and fix them. For details, see View and handle baseline risk items.

What's next