The baseline check feature checks the configurations of server operating systems, databases, software, and containers. The feature also provides descriptions of check results and suggestions on security hardening. You can use the feature to harden the security of your assets, reduce the risks of intrusion, and meet the requirements for security compliance.
Baselines
Baselines describe the minimum requirements for security practices and compliance checks. The baseline check feature checks various configurations of operating systems, databases, and middleware, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. Security Center can check baseline configurations for threats to ensure security. The threats include weak passwords, unauthorized access, vulnerabilities, and configuration risks. Security Center can also check baseline configurations against the standards for classified protection compliance or the Center for Internet Security (CIS) standards to ensure compliance. You can use Security Center to check baseline configurations for more than 30 common versions of operating systems and for more than 10 types of databases and middleware. This way, you can help your enterprise meet various compliance requirements.
Description
The baseline check feature checks various configurations of operating systems and services, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. The feature also provides check results and suggestions on handling detected risks. The services include databases, software, and containers. For more information, see Baselines.
Security Center automatically checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days based on the default baseline check policy. You can create custom baseline check policies. You can also create custom weak password dictionaries and specify baseline check levels. The check levels are high, medium, and low. For more information, see Create baseline check policies.
Limits
The baseline check feature is a value-added feature of Security Center. Only users of the Advanced, Enterprise, and Ultimate editions can purchase and enable the feature. If you use the Basic or Anti-virus edition, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition before you can use the baseline check feature. For more information about how to upgrade Security Center, see Upgrade and downgrade Security Center.
Type | Basic edition | Anti-virus edition | Advanced edition | Enterprise edition | Ultimate edition |
---|---|---|---|---|---|
Weak password | × | × | √ | √ | √ |
High risk exploit | × | ||||
Best security practice | |||||
Container security | |||||
Classified protection compliance | |||||
Custom baseline |
- Users of Security Center Advanced can use only the default baseline check policy to run baseline checks. These users cannot create standard or custom baseline check policies.
- Users of the Enterprise and Ultimate editions of Security Center can use all baselines that are provided by the baseline check feature. These users can create standard and custom baseline check policies, and can edit and delete the baseline check policies that they create. The default baseline check policy cannot be deleted. If the Enterprise or Ultimate edition of Security Center detects baseline risks on Linux servers based on the Alibaba Cloud standards and the Multi-Level Protection Scheme (MLPS) standards, Security Center automatically fixes the risks.
Baselines
Category | Check standard and description | Involved operating system and service | Fixing description |
---|---|---|---|
Weak password | Checks whether weak passwords are configured for your assets by using a method other than brute-force logons. The method does not lock your account, which prevents your workloads from being interrupted. Note: Security Center detects weak passwords by comparing the hash value that is read by the system with the hash value that is calculated based on the weak password dictionary. If you do not want to enable the system to read the hash value, you can remove the baseline that detects weak passwords from your baseline check policy. | | You must fix the baseline risks at the earliest opportunity. This way, you can prevent weak passwords from being exposed on the Internet. If weak passwords are exposed on the Internet, your assets can be attacked, and data breaches can occur. |
High risk exploit | | Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, and Tomcat | |
Best security practice | Alibaba Cloud standards: Check whether risks exist in the configurations based on the Alibaba Cloud standards of best security practices. The configurations involve account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. | | We recommend that you fix the detected risks. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
Container security | Alibaba Cloud standards: Check whether the Kubernetes master nodes contain risks based on the Alibaba Cloud standards of best practices for container security. | | |
Classified protection compliance | | | We recommend that you fix the detected risks based on the compliance requirements for your business. |
Custom baseline | Checks configurations based on custom baselines for CentOS Linux 7. You can specify or edit custom baselines in a custom baseline check policy based on your business requirements. | CentOS 7 | We recommend that you fix the risks that are detected based on the custom baselines that you specify. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
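The weak password note in the table above describes detection by hash comparison instead of logon attempts. The following added example (not Security Center's own code) sketches that kind of offline check with a custom dictionary; the record format `user:salt_hex:iterations:hash_hex`, the PBKDF2-HMAC-SHA256 scheme, and all names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed record format (constructed for this example, not a Security Center format):
#   user:salt_hex:iterations:hash_hex   with hash = PBKDF2-HMAC-SHA256(password, salt)
def make_record(user, password, salt_hex, iterations=1000):
    """Build a constructed sample record; the low iteration count keeps the demo fast."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return f"{user}:{salt_hex}:{iterations}:{digest.hex()}"

SAMPLE_RECORDS = [  # constructed accounts
    make_record("alice", "123456", "0011aabb"),
    make_record("bob", "T7#qv9!Lz2@rW", "ccdd2233"),
    make_record("carol", "carol2024", "eeff4455"),
    "svc_backup:::!",  # locked account: no usable hash to compare
]

# Custom weak password dictionary; "{user}" expands to the account name.
WEAK_DICTIONARY = ["123456", "password", "admin", "{user}2024", "{user}123"]


def find_weak_accounts(records, dictionary):
    """Return {user: matching dictionary entry}. Candidates are hashed offline with
    each account's own salt, so no logon is attempted and no account can be locked."""
    findings = {}
    for line in records:
        user, salt_hex, iterations, stored_hex = line.strip().split(":")
        if not salt_hex or not iterations.isdigit():
            continue  # locked or unparseable entry: nothing to compare
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(stored_hex)
        for entry in dictionary:
            candidate = entry.format(user=user)
            computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
            if hmac.compare_digest(computed, stored):
                findings[user] = entry  # report the dictionary rule, not the plaintext
                break
    return findings


if __name__ == "__main__":
    for user, entry in find_weak_accounts(SAMPLE_RECORDS, WEAK_DICTIONARY).items():
        print(f"weak password on account {user!r}: matches dictionary entry {entry!r}")
```

Because each candidate is hashed with the account's own salt, results for one account cannot be reused for another, which is why the cost of such a check grows with both the dictionary size and the number of accounts.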