Security Center allows you to create baseline check policies and run baseline checks on your assets to detect baseline risks based on those policies. This topic describes how to create and manage baseline check policies and how to run baseline checks based on them.

Background information

After you enable the baseline check feature, Security Center checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days based on the default baseline check policy. You can find the default baseline check policy and click Edit in the Actions column in the Manage Policies panel of the Baseline Check page to go to the Check Policy panel. In the Check Policy panel, you can view the baselines that are included in the default baseline check policy in the Check Items section.

If the default baseline check policy cannot meet your requirements for baseline checks, you can click Add standard policy or Add custom policy to create standard and custom baseline check policies. In these policies, you can specify baselines that are not included in the default baseline check policy.
Note: Only users of the Enterprise and Ultimate editions can create standard and custom baseline check policies. Users of Security Center Advanced can run baseline checks only based on the default baseline check policy.
The following list describes the Security Center editions, baseline types, number of baselines, modification support, and use scenarios for each type of baseline check policy: default, standard, and custom.

  • Default baseline check policy
    • Security Center edition: Advanced, Enterprise, and Ultimate
    • Baseline type: Unauthorized access, Container security, Best security practices, and Weak password
      Note: Security Center Advanced supports only the baselines of the weak password type.
    • Number of baselines: Greater than or equal to 70
    • Modification: Not supported.
    • Use scenario: The default baseline check policy provided by Security Center is used to check whether risks exist in the configurations of your assets based on the following types of baselines: unauthorized access, container security, best security practices, and weak password.
  • Standard baseline check policy
    • Security Center edition: Enterprise and Ultimate
    • Baseline type: Unauthorized access, Container security, Classified protection compliance, Best security practices, and Weak password
    • Number of baselines: Greater than or equal to 120
    • Modification: You can modify policy parameters.
    • Use scenario: Compared with the default baseline check policy, standard baseline check policies support one more baseline type: classified protection compliance. For the baseline types that are supported by the two types of policies, standard baseline check policies support more baselines. In addition, you can modify policy parameters. You can create standard baseline check policies based on your business requirements.
  • Custom baseline check policy
    • Security Center edition: Enterprise and Ultimate
    • Baseline type: Custom baselines for operating systems
    • Number of baselines: Greater than or equal to 50
    • Modification: You can modify policy parameters. You can also modify the parameters of some baselines.
    • Use scenario: Custom baseline check policies are used to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems. You can create custom baseline check policies and modify the parameters of baselines based on your business requirements.

Security Center provides default rules to detect weak passwords based on Alibaba Cloud threat intelligence. You can also create custom rules to detect weak passwords based on your business requirements.

Create a baseline check policy

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Baseline Check.
  2. In the upper-right corner of the Baseline Check page, click Manage Policies. In the Manage Policies panel, create a baseline check policy based on your business requirements.
    • Create a standard baseline check policy

      Compared with the default baseline check policy, standard baseline check policies support one more baseline type: classified protection compliance. For the baseline types that are supported by the two types of policies, standard baseline check policies support more baselines. In addition, you can modify policy parameters. You can create a standard baseline check policy to check baseline configurations of your assets in a more comprehensive manner.

      1. In the Manage Policies panel, click Add standard policy.
      2. In the Check Policy panel, configure the following parameters and click Ok.
        • Policy Name: The name of the policy.
        • Schedule: The interval at which baseline checks are performed.
        • Detection time: The time range during which baseline checks are performed.
        • Check Items: The baselines that you want to use. For more information, see Baselines.
        • Servers: The server groups on which you want to run baseline checks based on the policy.
          Note: By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default. For more information about how to add or modify a server group, see View server information.

      Security Center runs baseline checks on your assets based on the policy that you create.

    • Create custom rules to detect weak passwords

      You can create custom rules based on the default rules that are provided by Security Center to detect weak passwords. You can use custom rules to better meet your business requirements and detect weak passwords in a more comprehensive manner.

      In the Custom Weak Password Rules section of the Manage Policies panel, you can create custom rules to detect weak passwords.

      You can use one of the following methods to create custom rules:

      • Upload rules by using the weak password template.
        1. Click Download next to Template.
        2. Configure rules in the downloaded template based on your business requirements and save the template.
        3. Click Import File to upload the template. Custom rules to detect weak passwords are created.
          Security Center checks whether weak passwords are configured for your assets based on the custom rules.
          Note: Before you upload the template, make sure that the following requirements are met:
          • The size of the file does not exceed 5 KB.
          • Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
          • The file contains no more than 2,000 weak passwords.
      • Create a custom dictionary of weak passwords.
        1. Click Custom weak password dictionary next to Weak password.
        2. In the Custom weak password dictionary panel, configure the following parameters.
          • Domain: The domain name of your asset.
          • Company name: The name of your enterprise.
          • Keyword: The keyword based on which you want Security Center to generate possible weak passwords.
          • Weak password dictionary: You do not need to configure this parameter. The value of this parameter is the possible weak passwords that Security Center generates based on Alibaba Cloud threat intelligence.
        3. Click Generate and Import. The custom dictionary of weak passwords is created.

          Security Center checks whether weak passwords are configured for your assets based on the created custom dictionary of weak passwords.

    • Create a custom baseline check policy

      You can create a custom baseline check policy to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems.

      1. In the Manage Policies panel, click Add custom policy.
      2. In the Check Policy panel, configure the following parameters and click Ok.
        • Policy Name: The name of the policy.
        • Schedule: The interval at which baseline checks are performed.
        • Detection time: The time range during which baseline checks are performed.
        • Check Items: The baselines that you want to use. For more information, see Baselines.
          Note: You can modify the parameters of some custom baselines based on your business requirements.
        • Servers: The server groups on which you want to run baseline checks based on the policy.
          Note:
          • You can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is selected for an existing custom baseline check policy, you can no longer select the server group for the Servers parameter when you create a custom baseline check policy.
          • By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default.
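
The template upload method above places three requirements on the file: size, one weak password per line, and entry count. The following check, run before you click Import File, is an added example and not code from Security Center. It assumes a plain-text file, that 1 KB is 1,024 bytes, and that whitespace, commas, or semicolons inside a line indicate several entries; the function name and sample data are constructed.

```python
"""Pre-upload check for a custom weak-password rule file (added example)."""

MAX_BYTES = 5 * 1024    # page: file size must not exceed 5 KB (1 KB = 1,024 bytes assumed)
MAX_ENTRIES = 2000      # page: no more than 2,000 weak passwords
SEPARATORS = (" ", "\t", ",", ";")  # assumed signs of several entries on one line


def check_rule_file(data: bytes) -> list:
    """Return a list of problems; an empty list means the file meets the limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"size {len(data)} bytes exceeds {MAX_BYTES}")
    text = data.decode("utf-8", errors="replace")
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue  # blank lines are ignored here (assumption)
        # Report the line number only, never the entry itself.
        if any(sep in entry for sep in SEPARATORS):
            problems.append(f"line {lineno}: possibly more than one entry")
        entries.append(entry)
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed {MAX_ENTRIES}")
    duplicates = len(entries) - len(set(entries))
    if duplicates:
        problems.append(f"{duplicates} duplicate entries")
    return problems


if __name__ == "__main__":
    # Constructed sample input, not real credentials or Alibaba Cloud data.
    sample = b"Example#2024\nexample.com123\nadmin admin123\nExample#2024\n"
    for problem in check_rule_file(sample):
        print(problem)
```

Under these assumptions the size limit is reached first in practice: a file of 8-character entries exceeds 5 KB at roughly 570 lines, well before the 2,000-entry limit.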

Manage a baseline check policy

After you create a baseline check policy, you can configure Baseline level based on your business requirements. You can also click Edit or Delete to modify or delete a baseline check policy.
  • In the lower part of the Manage Policies panel, you can configure Baseline level. Valid values: High, Medium, and Low.
  • In the Manage Policies panel, you can click Edit or Delete in the Actions column for a policy to modify or delete the policy.
    Note: You cannot restore a policy after you delete it.
  • In the Manage Policies panel, you can find the default baseline check policy and click Edit in the Actions column to change the server groups to which the policy is applied.
    Note: You cannot delete the default baseline check policy or modify the baselines of the default baseline check policy. You can only change the server groups to which the default baseline check policy is applied.

Run baseline checks based on a baseline check policy

The baseline check feature supports periodic and automatic checks and manual checks.

  • Periodic and automatic check: Security Center automatically runs periodic checks based on the default baseline check policy or custom baseline check policies. Security Center runs a baseline check from 00:00 to 06:00 every two days based on the default baseline check policy to check all assets within your Alibaba Cloud account.
  • Manual check: If you have created or modified a custom baseline check policy, you can select the policy on the Baseline Check page and click Check Now to start a manual check. Manual checks allow you to scan for baseline risks in your servers in real time.
  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Baseline Check.
  2. On the Baseline Check Policy tab, click the triangle icon to display all available baseline check policies, select the baseline check policy based on which you want to immediately run a baseline check, and then click Check Now.