Security Center allows you to create baseline check policies. You can run baseline checks on your assets to detect baseline risks based on baseline check policies. This topic describes how to create baseline check policies.

Prerequisites

You have purchased the Advanced, Enterprise, or Ultimate edition of Security Center. Only these editions support the baseline check feature.
Note: If you use the Basic or Anti-virus edition, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition before you can use the baseline check feature.

Background information

After you enable the baseline check feature, Security Center checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days based on the default baseline check policy. To view the baselines that are included in the default baseline check policy, go to the Manage Policies panel of the Baseline Check page, find Default, and click Edit in the Actions column. The Check Policy panel appears, and its Check Items section lists the baselines.

If the default baseline check policy cannot meet your requirements for baseline checks, you can click Add standard policy or Add custom policy to create a standard or custom baseline check policy. In these policies, you can specify baselines that are not included in the default baseline check policy.
Note: Only users of the Enterprise and Ultimate editions can create standard and custom baseline check policies. Users of Security Center Advanced can run baseline checks only based on the default baseline check policy.
The following list describes the baseline types, number of baselines, Security Center editions, and use scenarios that are supported by different types of baseline check policies. The policies are default baseline check, standard baseline check, and custom baseline check policies.

Default baseline check policy
  • Security Center edition: Advanced, Enterprise, and Ultimate
  • Baseline type: High risk exploit, Container security, Best security practices, Weak password
  • Number of baselines: Greater than or equal to 70
  • Modification: Not supported.
  • Use scenario: The default baseline check policy provided by Security Center is used to check whether risks exist in the configurations of your assets based on the following types of baselines: high risk exploit, container security, best security practices, and weak password.

Standard baseline check policy
  • Security Center edition: Enterprise and Ultimate
  • Baseline type: High risk exploit, Container security, Classified protection compliance, Best security practices, Weak password
  • Number of baselines: Greater than or equal to 120
  • Modification: You can modify policy parameters.
  • Use scenario: Compared with the default baseline check policy, standard baseline check policies support one more baseline type: classified protection compliance. For the baseline types that are supported by the two types of policies, standard baseline check policies support more baselines. In addition, you can modify policy parameters. You can create standard baseline check policies based on your business requirements. For more information, see Create a standard baseline check policy.

Custom baseline check policy
  • Security Center edition: Enterprise and Ultimate
  • Baseline type: Custom baselines for operating systems
  • Number of baselines: Greater than or equal to 50
  • Modification: You can modify policy parameters. You can also modify the parameters of some baselines.
  • Use scenario: Custom baseline check policies are used to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems. You can create custom baseline check policies and modify the parameters of baselines based on your business requirements. For more information, see Create a custom baseline check policy.

Security Center provides default rules to detect weak passwords based on Alibaba Cloud threat intelligence. You can also create custom rules to detect weak passwords based on your business requirements. For more information, see Create custom rules to detect weak passwords.

Create a standard baseline check policy

Compared with the default baseline check policy, standard baseline check policies support one more baseline type: classified protection compliance. For the baseline types that are supported by the two types of policies, standard baseline check policies support more baselines. In addition, you can modify policy parameters. You can create a standard baseline check policy to check baseline configurations of your assets in a more comprehensive manner.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. In the upper-right corner of the Baseline Check page, click Manage Policies.
  4. In the Manage Policies panel, click Add standard policy.
  5. In the Check Policy panel, configure the parameters.
    The parameters are described as follows.
    • Policy Name: The name of the policy.
    • Schedule: The interval at which baseline checks are performed. Valid values: 1 day, 3 Day(s), 7 Day(s), and 30 Day(s).
    • Detection time: The time range during which baseline checks are performed. Valid values: 00:00 - 06:00, 06:00 - 12:00, 12:00 - 18:00, and 18:00 - 24:00.
    • Check Items: The baselines that you want to use. For more information, see Baselines.
    • Servers: The server groups on which you want to run baseline checks based on the policy.
      Note: By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default. For more information about how to add or modify a server group, see Manage asset groups.
  6. Click Ok. The standard baseline check policy is created.
    Security Center runs baseline checks on your assets based on the policy that you create.

Create custom rules to detect weak passwords

You can create custom rules based on the default rules that are provided by Security Center to detect weak passwords. You can use custom rules to better meet your business requirements and detect weak passwords in a more comprehensive manner.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. In the upper-right corner of the Baseline Check page, click Manage Policies.
  4. In the Custom Weak Password Rules section, create custom rules to detect weak passwords.
    You can use one of the following methods to create custom rules:
    • Upload rules by using the weak password template.
      1. Click Download next to Template.
      2. Configure rules in the downloaded template based on your business requirements and save the template.
      3. Click Import File to upload the template. Custom rules to detect weak passwords are created.
        Security Center checks whether weak passwords are configured for your assets based on the custom rules.
        Note: Before you upload the template, make sure that the following requirements are met:
        • The size of the file does not exceed 5 KB.
        • Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
        • The file contains up to 2,000 weak passwords.
    • Create a custom dictionary of weak passwords.
      1. Click Custom weak password dictionary next to Weak password.
      2. In the Custom weak password dictionary panel, configure the parameters.
        • Domain: The domain name of your asset.
        • Company name: The name of your enterprise.
        • Keyword: The passwords that you want to add to the dictionary.
        • Weak password dictionary: You do not need to configure this parameter. This weak password dictionary is provided by Security Center based on Alibaba Cloud threat intelligence.
      3. Click Generate and Import. The custom dictionary of weak passwords is created.

        Security Center checks whether weak passwords are configured for your assets based on the created custom dictionary of weak passwords.
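
The template requirements listed above (file size, one password per line, entry count) can be checked locally before you click Import File. The following Python script is an added example, not part of Security Center; it assumes the template is a UTF-8 text file, that 1 KB is 1,024 bytes, and that a separator inside a line means several passwords were placed on one line.

```python
import sys

# Limits stated in the template note. Treating 1 KB as 1,024 bytes is an assumption.
MAX_BYTES = 5 * 1024
MAX_ENTRIES = 2000
# Assumption: these characters inside a line suggest more than one password on it.
SEPARATORS = (" ", "\t", ",", ";")


def check_weak_password_file(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the file meets the limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        text = data.decode("utf-8-sig")  # also strips a leading byte order mark
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8 text"]

    first_seen = {}  # entry -> line number where it first appeared
    count = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            problems.append(f"line {lineno}: blank line")
            continue
        count += 1
        if any(sep in entry for sep in SEPARATORS):
            problems.append(f"line {lineno}: looks like more than one password")
        if entry in first_seen:
            problems.append(f"line {lineno}: duplicate of line {first_seen[entry]}")
        else:
            first_seen[entry] = lineno

    if count > MAX_ENTRIES:
        problems.append(f"{count} entries, limit is {MAX_ENTRIES}")
    return problems


if __name__ == "__main__":
    # Usage: python check_weak_passwords.py <template file>
    with open(sys.argv[1], "rb") as fh:
        issues = check_weak_password_file(fh.read())
    for issue in issues:
        print(issue)  # only line numbers are reported, never the passwords
    sys.exit(1 if issues else 0)
```

The separator check is a heuristic: a password that legitimately contains a comma or semicolon is reported and can be kept after review.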

Create a custom baseline check policy

You can create a custom baseline check policy to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Baseline Check.
  3. In the upper-right corner of the Baseline Check page, click Manage Policies.
  4. In the Manage Policies panel, click Add custom policy.
  5. In the Check Policy panel, configure the parameters.
    The parameters are described as follows.
    • Policy Name: The name of the policy.
    • Schedule: The interval at which baseline checks are performed. Valid values: 1 day, 3 Day(s), 7 Day(s), and 30 Day(s).
    • Detection time: The time range during which baseline checks are performed. Valid values: 00:00 - 06:00, 06:00 - 12:00, 12:00 - 18:00, and 18:00 - 24:00.
    • Check Items: The baselines that you want to use. For more information, see Baselines.
      Note: You can modify the parameters of some custom baselines based on your business requirements.
    • Servers: The server groups on which you want to run baseline checks based on the policy.
      Note:
      • You can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is already selected for a custom baseline check policy, you can no longer select that server group for the Servers parameter when you create another custom baseline check policy.
      • By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default. For more information about how to add or modify a server group, see Manage asset groups.
  6. Click Ok. The custom baseline check policy is created.
    Security Center runs baseline checks on your assets based on the policy that you create.

Manage a baseline check policy

After you create a baseline check policy, you can configure Baseline level based on your business requirements. You can also click Edit or Delete to modify or delete a baseline check policy.
  • In the lower part of the Manage Policies panel, you can configure Baseline level. Valid values: High, Medium, and Low.
  • In the Manage Policies panel, you can click Edit or Delete in the Actions column for a policy to modify or delete the policy.
    Note: You cannot restore a policy after you delete it.
  • In the Manage Policies panel, you can find the default baseline check policy and click Edit in the Actions column to modify the server groups to which the policy is applied.
    Note: You cannot delete the default baseline check policy or modify the baselines of the default baseline check policy. You can only modify the server groups to which the default baseline check policy is applied.

Operations

After you create a baseline check policy, you can use Security Center to check whether risks exist in your assets based on the baseline check policy. For more information, see Run a baseline check.