The baseline check feature checks the configurations of server operating systems, databases, software, and containers. The feature also provides descriptions of check results and suggestions on security hardening. You can use the feature to harden the security of your assets, reduce the risks of intrusion, and meet the requirements for security compliance.

Baselines

Baselines describe the minimum requirements for security practices and compliance checks. The baseline check feature checks various configurations of operating systems, databases, and middleware, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. Security Center can check baseline configurations for threats to ensure security. The threats include weak passwords, unauthorized access, vulnerabilities, and configuration risks. Security Center can also check baseline configurations against the standards for classified protection compliance or the Center for Internet Security (CIS) standards to ensure compliance. You can use Security Center to check baseline configurations for more than 30 common versions of operating systems and for more than 10 types of databases and middleware. This way, you can help your enterprise meet various compliance requirements.

Description

The baseline check feature checks various configurations of operating systems and services, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. The services include databases, software, and containers. The feature also provides check results and suggestions on handling detected risks. For more information, see Baselines.

Security Center automatically checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days based on the default baseline check policy. You can create custom baseline check policies. You can also create custom weak password dictionaries and specify baseline check levels. The check levels are high, medium, and low. For more information, see Create baseline check policies.

Limits

The baseline check feature is a value-added feature of Security Center. Only users of the Advanced, Enterprise, and Ultimate editions can purchase and enable the feature. If you use the Basic or Anti-virus edition, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition before you can use the baseline check feature. For more information about how to upgrade Security Center, see Upgrade and downgrade Security Center.

The following table describes the types of baselines that are supported by each edition.
Type Basic edition Anti-virus edition Advanced edition Enterprise edition Ultimate edition
Weak password × ×
High risk exploit ×
Best security practice
Container security
Classified protection compliance
Custom baseline
Note
  • Users of Security Center Advanced can use only the default baseline check policy to run baseline checks. The users cannot create standard or custom baseline check policies.
  • Users of the Enterprise and Ultimate editions of Security Center can use all baselines that are provided by the baseline check feature. The users can create standard and custom baseline check policies. The users can also edit and delete the baseline check policies that they create. The default baseline check policy cannot be deleted. If the Enterprise or Ultimate edition of Security Center detects baseline risks on Linux servers based on the Alibaba Cloud standards and the Multi-Level Protection Scheme (MLPS) standards, Security Center automatically fixes the risks.

Baselines

Category: Weak password

Check standard and description: Checks whether weak passwords are configured for your assets by using a method other than brute-force logons. The method does not lock your account, which prevents your workloads from being interrupted.

Note
Security Center detects weak passwords by comparing the hash value that is read by the system with the hash value that is calculated based on the weak password dictionary. If you do not want to enable the system to read the hash value, you can remove the baseline that detects weak passwords from your baseline check policy.

Involved operating system and service:

  • Operating systems

    Linux and Windows

  • Databases

    MySQL, Redis, SQL Server, MongoDB, and PostgreSQL

  • Applications

    Tomcat, FTP, Rsync, and SVN

Fixing description: You must fix the baseline risks at the earliest opportunity. This way, you can prevent weak passwords from being exposed on the Internet. If weak passwords are exposed on the Internet, your assets can be attacked, and data breaches can occur.

Category: High risk exploit

Check standard and description:

  • Baselines that are used to check for unauthorized access

    Check whether unauthorized access risks exist in your services. This prevents intrusions and data breaches.

  • Baselines that are used to check for other high configuration risks

    Check whether high risks exist in the configurations of your services. This prevents vulnerabilities such as remote file read and remote command execution.

Involved operating system and service: Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, and Tomcat

Category: Best security practice

Check standard and description: Alibaba Cloud standards

Check whether risks exist in the configurations based on the Alibaba Cloud standards of best security practices. The configurations involve account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention.

Involved operating system and service:

  • Operating systems
    • CentOS 6, CentOS 7, and CentOS 8
    • Red Hat 6 and Red Hat 7
    • Ubuntu 12, Ubuntu 14, and Ubuntu 16
    • Debian 8
    • Alibaba Cloud Linux 2
    • Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
  • Databases

    MySQL, Redis, MongoDB, SQL Server, and Oracle Database 11g

  • Applications

    Tomcat, IIS, NGINX, and Apache

Fixing description: We recommend that you fix the detected risks. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets.

Category: Container security

Check standard and description: Alibaba Cloud standards

Check whether the Kubernetes master nodes contain risks based on the Alibaba Cloud standards of best practices for container security.

Involved operating system and service:

  • Docker
  • Kubernetes cluster

Category: Classified protection compliance

Check standard and description:

  • The standards of MLPS level 2 and MLPS level 3

    Check configurations based on the baselines for MLPS compliance for servers. The baseline checks meet the standards and requirements for computing environment that are proposed by authoritative assessment organizations.

  • CIS standards

    Check configurations based on the baselines for Center for Internet Security (CIS) compliance for operating systems.

Involved operating system and service:

  • Operating systems involved in MLPS compliance
    • CentOS 6, CentOS 7, and CentOS 8
    • Red Hat 6 and Red Hat 7
    • Ubuntu 12, Ubuntu 14, and Ubuntu 16
    • SUSE 10, SUSE 11, and SUSE 12
    • Debian 8
    • Alibaba Cloud Linux 2
    • Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
  • Operating systems involved in CIS compliance
    • CentOS 6 and CentOS 7
    • Ubuntu 12, Ubuntu 14, and Ubuntu 16
    • Debian 8
    • Alibaba Cloud Linux 2
    • Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019

Fixing description: We recommend that you fix the detected risks based on the compliance requirements for your business.

Category: Custom baseline

Check standard and description: Checks configurations based on custom baselines for CentOS Linux 7. You can specify or edit custom baselines in a custom baseline check policy based on your business requirements.

Involved operating system and service: CentOS 7

Fixing description: We recommend that you fix the risks that are detected based on the custom baselines that you specify. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets.
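
The hash comparison described in the weak password note above, as an added example that is not Security Center's own code: stored password hashes are compared offline with hashes computed from a weak password dictionary, so no logon attempt is made and no account can be locked. The function names, sample accounts, and dictionary are constructed for illustration, and the two hash formats (MySQL mysql_native_password and PostgreSQL md5) are an assumption, because the page does not state which formats Security Center reads.

```python
import hashlib
import hmac


def mysql_native_hash(password: str) -> str:
    """mysql_native_password format: '*' + upper-hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def postgres_md5_hash(password: str, username: str) -> str:
    """PostgreSQL md5 format: 'md5' + hex MD5(password + username)."""
    data = (password + username).encode("utf-8")
    return "md5" + hashlib.md5(data).hexdigest()


def find_weak_accounts(accounts, dictionary):
    """Return names of accounts whose stored hash matches a dictionary entry.

    accounts: iterable of (service, username, stored_hash).
    Only account names are reported, never the matched password.
    """
    weak = []
    for service, username, stored in accounts:
        for candidate in dictionary:
            if service == "mysql":
                computed = mysql_native_hash(candidate)
            elif service == "postgresql":
                computed = postgres_md5_hash(candidate, username)
            else:
                break  # unknown hash format: skip rather than guess
            if hmac.compare_digest(computed, stored):
                weak.append(f"{service}:{username}")
                break
    return weak


# Constructed sample data (hypothetical, not taken from any real system).
WEAK_DICTIONARY = ["123456", "password", "admin123"]
SAMPLE_ACCOUNTS = [
    ("mysql", "app", mysql_native_hash("password")),
    ("mysql", "dba", mysql_native_hash("kV9#tq2!Lm_long_random")),
    ("postgresql", "report", postgres_md5_hash("123456", "report")),
    ("postgresql", "etl", postgres_md5_hash("zR7$wq-unique-passphrase", "etl")),
]

if __name__ == "__main__":
    print(find_weak_accounts(SAMPLE_ACCOUNTS, WEAK_DICTIONARY))
```

The PostgreSQL format mixes the username into the hash, so the dictionary must be rehashed for each account, while the unsalted MySQL format lets one precomputed dictionary hash be compared against every account.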