Database Autonomy Service (DAS) provides the security baseline check feature to help you quickly identify potential security risks in database instances and improve database security and reliability. This feature allows you to easily identify and fix security risks of various database engines in different regions, and view results in an intuitive manner.
Background information
The Verizon 2023 report indicates that approximately 50% of database breaches are related to weak passwords and dictionary attacks.
A report from the Cyberspace Administration of China reveals that thousands of domestic databases were exposed to unauthorized access and weak password risks in 2023, with 11.3% of 8,000 database instances identified as problematic.
These issues include weak password vulnerabilities and unchanged default administrator passwords. Database instances that are exposed to the Internet face higher risks from weak passwords.
Limits
The database instance must reside in one of the following regions:
Alibaba Cloud public cloud
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Heyuan), China (Zhangjiakou), China (Hohhot), China (Chengdu), China (Guangzhou), China (Ulanqab), Indonesia (Jakarta), US (Virginia), US (Silicon Valley), Japan (Tokyo), Germany (Frankfurt), UK (London), Philippines (Manila), Malaysia (Kuala Lumpur), Singapore, and China (Hong Kong).
Alibaba Finance Cloud
China East 1 Finance, China East 2 Finance, China North 2 Finance (invitational preview), and China South 1 Finance.
Only MySQL, PolarDB for MySQL, and PolarDB-X 2.0 instances are supported.
Note: Backup detection is not supported by PolarDB-X 2.0 instances.
Features
Security baseline check
Scope
Database configuration: checks the password policy complexity. For example, you can configure a strong password policy for ApsaraDB RDS for MySQL databases.
Network configuration: checks whitelist-based access control and SSL security configuration.
Access control: checks for weak passwords.
Storage pool: checks backup settings.
Note: Backups are crucial when the database encounters events. For example, you can restore your database from a backup when you accidentally lock or delete the database.
Post-event security: checks whether the audit log feature is enabled to offer tracking and detection capabilities.
Check mechanism
Immediate check: allows you to manually initiate a specific compliance check.
Weak password detection
Detection model
Uses a dictionary library that includes tens of millions of common weak passwords found on the Internet and works with the cloud security team to identify new weak passwords.
Supports batch detection of password strength policies.
Protection measures
Security alerts are triggered when accounts with weak passwords are identified.
Procedure
Log on to the DAS console.
In the left-side navigation pane, choose Security Center > Security Baseline Check.
On the Security Baseline Check page, click Initiate Inspection. In the dialog box that appears, select the instances that you want to inspect, click the icon to add the instances to the Selected Instances section on the right, and then click OK.
Note: Security inspection may take several minutes to dozens of minutes, depending on the number and complexity of selected instances. Then, you can return to the Security Baseline Check page to view the inspection results.

The inspection results are displayed in a list where each instance is represented by a single row of data.
Note: Inspection results are highlighted in colors: red (danger), yellow (warning), and green (safe).

Check item: Weak password
Check rule:
Danger: Weak passwords are detected.
Warning: N/A.
Safe: No weak password is detected.
Description: Indicates whether an account with a weak password exists.

Check item: Whitelist
Check rule:
Danger: 0.0.0.0/0 is added to the whitelist, which allows all IP addresses to access the account.
Warning: A large public CIDR block, such as /8, is configured in the whitelist.
Safe: No high-risk whitelist configuration is detected.
Description: Indicates whether the IP address whitelist complies with security specifications.
Note: A whitelist security risk exists if the instance is open to the Internet and the whitelist is configured with 0.0.0.0/0 or a large public CIDR block such as /8.

Check item: SSL certificate
Check rule:
Danger: N/A.
Warning: SSL is disabled for the instance.
Safe: SSL is enabled for the instance.
Description: Indicates whether SSL encryption is enabled for the database connection.

Check item: Backup
Check rule:
Danger: No backup sets are generated in the previous seven days.
Warning: Backup sets are generated within the previous two to seven days.
Safe: Backup sets are generated within the previous day.
Description: The time when the latest backup set was generated is related to the backup policy.
Note: PolarDB-X 2.0 is not supported.
If no automatic backup policy is configured and no backup sets are generated within seven consecutive days, the instance is marked as Danger.

Check item: Audit
Check rule:
Danger: N/A.
Warning: The audit log feature is disabled.
Safe: The audit log feature is enabled.
Description: Indicates whether the audit log feature is enabled.
Find the inspection task and click Details in the Actions column to view the inspection details.
Note: In the Details panel, click Inspect Again if you want to inspect the instance again.

Click the icon in the upper-right corner of the Security Baseline Check page to download the inspection results.
You can turn on the Subscribe switch in the upper-right corner to enable the subscription service.
Note: After you enable the subscription service, Alibaba Cloud sends security notifications at the earliest opportunity through multiple methods, such as internal messages and SMS messages, when the following important events occur:
Alibaba Cloud receives or discovers security threats.
Regulatory authorities, such as the State Cyberspace Administration, issue the latest compliance requirements.
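
The check rules listed in the procedure above can be applied locally to an exported instance configuration before an inspection is run. The following Python sketch is an added example, not DAS code: the field names, the sample instance, the reading of "large public CIDR block" as a non-private prefix of /8 or shorter, and the handling of backups between one and two days old are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

def check_whitelist(entries):
    """Danger on 0.0.0.0/0, Warning on a large public block, otherwise Safe."""
    level = "Safe"
    for entry in entries:
        net = ip_network(entry.strip(), strict=False)  # a bare IP becomes a /32
        if net.prefixlen == 0:
            return "Danger"
        # Assumption: "large public CIDR block" means a prefix of /8 or shorter
        # that is not a private range such as 10.0.0.0/8.
        if net.prefixlen <= 8 and not net.is_private:
            level = "Warning"
    return level

def check_backup(last_backup, now):
    """Grade the age of the latest backup set; None means no backup exists."""
    if last_backup is None or now - last_backup > timedelta(days=7):
        return "Danger"
    # Assumption: anything older than one day but within seven days is Warning.
    if now - last_backup > timedelta(days=1):
        return "Warning"
    return "Safe"

def baseline(instance, now):
    """Return a result level per check item, using the item names from the page."""
    return {
        "Weak password": "Danger" if instance["weak_accounts"] else "Safe",
        "Whitelist": check_whitelist(instance["whitelist"]),
        "SSL certificate": "Safe" if instance["ssl_enabled"] else "Warning",
        "Backup": check_backup(instance["last_backup"], now),
        "Audit": "Safe" if instance["audit_enabled"] else "Warning",
    }

# Constructed sample instance (hypothetical field names and values).
NOW = datetime(2024, 6, 10, 12, 0)
SAMPLE = {
    "weak_accounts": [],
    "whitelist": ["127.0.0.1", "10.0.0.0/8", "203.0.0.0/8"],
    "ssl_enabled": False,
    "last_backup": NOW - timedelta(days=3),
    "audit_enabled": True,
}

if __name__ == "__main__":
    for item, level in baseline(SAMPLE, NOW).items():
        print(f"{item}: {level}")
```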

Suggestions
If security risks are detected, perform the following operations to fix issues:
Weak password: Make sure that your database password complies with complexity requirements, especially for databases that must be exposed to the Internet.
Note: If you use an ApsaraDB RDS for MySQL database, we recommend that you install validate_password. After you reset the password, you can execute the SHOW VARIABLES LIKE 'validate_password%' statement to check whether the new password takes effect.
The password must be 8 to 32 characters in length.
It must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
Special characters include ! @ # $ % ^ & * ( ) _ + - =
For more information about how to reset the password for each database type, see the following topics:
Whitelist: We recommend that you modify the whitelist settings of databases that are exposed to the Internet and remove unnecessary IP addresses from the whitelist. Make sure that only trusted IP addresses can access your database to reduce potential security risks.
SSL certificate: If your database is exposed to the Internet, we strongly recommend that you enable SSL encryption to protect data in transit. This prevents security risks such as data interception and unauthorized modification.
Backup: You must back up your database at appropriate intervals, such as daily or weekly, based on your business requirements. This ensures data security and business continuity in emergencies.
Audit log: We recommend that you enable the audit log feature for your database. This feature facilitates accountability and compliance and detects security risks in real time, improving the security level of the database.
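
The complexity rule in the weak password suggestion above can be checked before a password is submitted. The following Python sketch is an added example, not part of DAS or validate_password: it applies the stated length and character-type rule and then a dictionary lookup, because a password can satisfy the complexity rule and still be a common weak password. The three-entry dictionary is a constructed stand-in, and counting only the listed characters as special characters is an assumption.

```python
# Special characters exactly as listed on the page.
SPECIALS = set("!@#$%^&*()_+-=")

# Constructed stand-in for a weak-password dictionary (the real one is not public).
WEAK_DICTIONARY = {"password123", "admin@123", "root1234"}

def password_issues(password, dictionary=WEAK_DICTIONARY):
    """Return the reasons a password fails; an empty list means it passes."""
    issues = []
    if not 8 <= len(password) <= 32:
        issues.append("length must be 8 to 32 characters")
    types_present = sum([
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])
    if types_present < 3:
        issues.append("needs at least three of: uppercase, lowercase, digits, special")
    # Complexity alone is not enough: predictable passwords can satisfy it.
    if password.lower() in dictionary:
        issues.append("listed in the weak-password dictionary")
    return issues

if __name__ == "__main__":
    for candidate in ["abc", "Admin@123", "Password123", "t7#Kq-w2Lm_x"]:
        print(candidate, "->", password_issues(candidate) or "OK")
```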
If you have any questions, join the DingTalk group whose ID is 58255008752 to seek technical support.
FAQ
Does security baseline check affect database performance?
No. The detection process employs a lightweight data collection agent. Scans are automatically delayed during peak business hours to minimize disruption.