Viruses and attackers can exploit the defects in the security configurations of a server to intrude into the server to steal data or insert webshells. The baseline check feature checks the configurations of operating systems, databases, software, and containers of a server. Then, you can harden the security of your assets, reduce the risks of intrusion, and meet the requirements for security compliance based on the check results. This topic describes the baseline check feature and how to use the feature.
How the baseline check feature works
The baseline check feature allows you to configure different baseline check policies. You can use the policies to scan multiple servers at a time to detect risks in systems, accounts, permissions, databases, classified protection compliance configurations, and weak passwords. The baseline check feature also provides suggestions about how to fix baseline risks and allows you to fix the risks with a few clicks. For more information about the check items that are supported, see Baselines.
Policy overview
Policies include the baselines based on which Security Center performs baseline checks. Security Center provides the following types of baseline check policies: default baseline check, standard baseline check, and custom baseline check policies.
The following table describes the baseline types, number of baselines, Security Center editions, and use scenarios that are supported by different types of baseline check policies. The policies are default baseline check, standard baseline check, and custom baseline check policies.
Policy type | Security Center edition | Description | Scenario |
Default baseline check policy | Advanced, Enterprise, and Ultimate | The default baseline check policy includes more than 70 baseline check items. You can modify the start time of baseline checks and servers to which the default baseline check policy is applied. The following baseline types are supported:
Note Security Center Advanced supports only the baselines of the weak password type. | By default, Security Center perform baseline checks based on the default baseline check policy. After you purchase the Advanced, Enterprise, or Ultimate edition of Security Center, Security Center checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy. The default baseline check policy supports only the following types of baselines: unauthorized access, best security practices, container security, and weak passwords. |
Standard baseline check policy | Enterprise and Ultimate | A standard baseline check policy includes more than 120 baseline check items. You can modify policy parameters. The following baseline types are supported:
| Compared with the default baseline check policy, standard baseline check policies support one more baseline type: classified protection compliance. For the baseline types that are supported by the two types of policies, standard baseline check policies support more baselines. In addition, you can modify policy parameters. You can create standard baseline check policies based on your business requirements. |
Custom baseline check policy | Enterprise and Ultimate | A custom baseline check policy can include more than 50 baseline check items. You can modify policy parameters and the parameters of some baselines. You can select custom baselines for operating systems. | Custom baseline check policies are used to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems. You can create custom baseline check policies and modify the parameters of baselines based on your business requirements. |
Benefits
Classified protection compliance
Checks baseline against MLPS level 2 and level 3 standards and Center for Internet Security (CIS) standards, and meets compliance and regulatory requirements. This helps enterprises build a security system that meets the requirements for classified protection.
Comprehensive detection scope
Checks baseline configurations for weak passwords, unauthorized access, vulnerabilities, and configuration risks. The feature is available for more than 30 versions of operating systems and more than 20 types of databases and middleware.
Flexible policy configurations
Allows you to configure custom security policies, check interval, and check scope. This helps you meet the security configuration requirements of different businesses.
Fixing solution provided
Provides fixing solutions for risks that are detected on check items, which helps you quickly reinforce the security of your assets. The quick fixing capability helps you harden system baseline configurations and helps your system meet the requirements of classified protection.
Limits
Only users of Security Center Advanced, Enterprise, and Ultimate can enable and use the baseline check feature.
Only users of Security Center Enterprise and Ultimate can create standard and custom baseline check policies. Users of Security Center Advanced can run baseline checks only based on the default baseline check policy.
Security Center Advanced supports only the baselines of the weak password type. The Enterprise and Ultimate editions of Security Center support all baselines that are provided by the baseline check feature and allow you to fix the baseline risks that are detected on a Linux server based on the Alibaba Cloud standards or the Multi-Level Protection Scheme (MLPS) standards.
Step 1: (Optional) Create a baseline check policy
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
If you use the Basic or Anti-Virus edition of Security Center, click Upgrade Now to purchase the Advanced, Enterprise, or Ultimate edition.
In the upper-right corner of the Baseline Check page, click Manage Policies.
In the Manage Policies panel, create a baseline check policy based on your business requirements.
Create a standard baseline check policy
You can create a standard baseline check policy to check baseline configurations of your assets in a more comprehensive manner.
In the Manage Policies panel, click Add standard policy.
In the Check Policy panel, configure the following parameters and click Ok.
Parameter
Description
Policy Name
The name of the policy.
Schedule
The interval at which baseline checks are performed.
Detection time
The time range during which baseline checks are performed.
Check Items
The baselines that you want to use. For more information, see Baselines.
Scan Method
The method for scanning servers. Valid values:
Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some ECS instances or all ECS instances across server groups.
Servers
The servers to which the baseline check policy is applied.
NoteBy default, newly purchased servers belong to . To apply the policy to newly purchased servers, you must select Default. For more information about how to add or modify a server group, see Manage Servers.
Security Center runs baseline checks on your assets based on the policy that you create.
Create a custom baseline check policy
You can create a custom baseline check policy to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems.
In the Manage Policies panel, click Add custom policy.
In the Check Policy panel, configure the following parameters and click Ok.
Parameter
Description
Policy Name
The name of the policy.
Schedule
The interval at which baseline checks are performed.
Detection time
The time range during which baseline checks are performed.
Check Items
The baselines that you want to use. For more information, see Baselines.
NoteYou can modify the parameters of some custom baselines based on your business requirements.
Scan Method
The method for scanning servers. Valid values:
Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some ECS instances or all ECS instances across server groups.
Servers
The servers to which the baseline check policy applies.
NoteYou can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is selected for an existing custom baseline check policy, you can no longer select the server group for the Servers parameter when you create a custom baseline check policy.
By default, newly purchased servers belong to . To apply the policy to newly purchased servers, you must select Default. For more information about how to add or modify a server group, see Manage server groups, importance levels, and tags.
You can also find a policy and click Edit or Delete in the Actions column to edit or delete the policy based on your business requirements.
NoteYou cannot restore a policy after you delete it.
You cannot delete the default baseline check policy or modify the baselines of the default baseline check policy. You can modify only the Detection time and Servers parameters of the default baseline check policy.
In the lower part of the Manage Policies panel, you can configure Baseline level. Valid values: High, Medium, and Low.
Optional. Security Center provides built-in detection rules for weak passwords. You can also create custom rules to detect weak passwords based on the built-in detection rules.
You can use one of the following methods to create custom rules:
Upload rules by using the weak password template
In the Manage Policies panel, find the Custom Weak Password Rules section and click Download.
Configure rules in the downloaded template based on your business requirements and save the template.
Click Import File to upload the template. Custom rules used to detect weak passwords are created.
Security Center checks whether weak passwords are configured for your assets based on the custom rules.
NoteBefore you upload the template, make sure that the following requirements are met:
The size of the file does not exceed 5 KB.
Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
The file contains no more than 2,000 weak passwords.
Create a custom dictionary of weak passwords.
In the Manage Policies panel, find the Custom Weak Password Rules section and click Custom weak password dictionary.
In the Custom weak password dictionary panel, configure the following parameters.
Parameter
Description
Domain
The domain name of your asset.
Company name
The name of your enterprise.
Keyword
The keyword based on which you want Security Center to generate possible weak passwords.
Weak password dictionary
You do not need to configure the parameters to enable this feature. The default value of this parameter is the possible weak passwords that Security Center generates based on Alibaba Cloud threat intelligence.
Click Generate and Import. The custom dictionary of weak passwords is created.
Security Center checks whether weak passwords are configured for your assets based on the created custom dictionary of weak passwords.
Step 2: Run baseline checks based on the policy
The baseline check feature supports periodic and automatic checks and manual checks. The following list describes the detection modes:
Periodic and automatic checks: periodic checks that run automatically based on the default, standard, or custom policy. Security Center runs comprehensive baseline checks from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy.
Manual checks: If you have created or modified a custom policy, you can select it on the Baseline Check page, and click Check Now to start a manual check. Manual baseline checks allow you to scan for baseline risks in real time.
To immediately run a baseline check, perform the following operations:
On the Baseline Check Policy tab of the Baseline Check page, click the
icon next to All to display all available baseline check policies. Then, select the baseline check policy based on which you want to immediately run a baseline check. Click Check Now.
Move the pointer over Check Now. In the tooltip that appears, click View Progress to view the progress of the check.
Step 3: View baseline check results and handle baseline risks
After you complete a baseline check, you can view the baseline check results and handle baseline risks based on the results.
View baseline check results
Security Center displays baseline check results by baseline name and check item name. You can view the check results that are displayed by baseline name on the Baseline Check Policy tab. You can view the check results that are displayed by check item name on the Risk Details tab. You can view the following information:
Overall information about baseline check results
In the upper part of the Baseline Check page, you can view the overall information about baseline risks that are detected on your assets. The baseline risks are detected by using security baselines, compliance baselines, and custom baselines.
Check results of a baseline check policy
In the policy overview section of the Baseline Check Policy tab, you can click the
icon to show the drop-down list of baseline check policies, select a baseline check policy from the drop-down list, and view the information such as Checked Servers, Baselines, Weak Passwords, and Last Pass Rate to the right. 
Parameter
Description
Baseline Check Policy
The baseline check policy whose check results you want to view. You can select an existing baseline check policy from the drop-down list.
Checked Servers
The number of servers on which the baseline check runs based on the selected baseline check policy. The servers are specified in the baseline check policy.
Weak Passwords
The number of weak password risks that are detected based on the selected baseline check policy. You can click the number below Weak Passwords to view the list of weak password risks that are detected.
ImportantWeak password risks are of the High severity. We recommend that you fix the high-risk items on which weak passwords are detected at the earliest opportunity.
Last Pass Rate
The pass rate of the check items that are specified in the selected baseline check policy in the last baseline check. The following list describes the meaning of the color for the number below Last Pass Rate:
Green: high pass rate of check items.
Red: low pass rate of check items. We recommend that you go to the details of each check item and fix the detected baseline risks.
View the list of baseline check results and details of baseline risks that are displayed by baseline name
On the Baseline Check Policy tab, you can view detailed baseline check results in the list of baseline check results.
In the list of baseline check results, click the name of a baseline to go to the baseline details panel.
In the baseline details panel, you can view the information such as affected assets, Passed Items in the baseline, and At-Risk Items in the baseline.
In the baseline details panel, find an affected asset and click View in the Actions column. The At-Risk Items panel appears.
In the At-Risk Items panel, you can view all baseline risks that are detected on the asset.
In the At-Risk Items panel, find a risk item whose details you want to view and click Details in the Actions column. In the message that appears, you can view information about the risk item, including Description, Result, and Suggestion.
Optional. In the upper-right corner of the list of baseline check results, click the
icon. In the Select Baseline Export Task dialog box, select an export method and click Export to export the list of baseline check results. You can select one of the following export methods to export the result for the weak password baseline check:
Weak password plaintext export: exports plaintext.
Weak password desensitization export: exports the check result after the weak passwords in the result are masked.
View the list of baseline check results and details of baseline risks that are displayed by check item name
On the Risk Details tab, you can view the baseline check results that are displayed by check item name.
In the upper part of the list of baseline check results, you can specify search conditions, such as level, status, or type, to search for a check item. You can also enter the name of a check item in the search box to search for the check item.
Find the required check item and click Details in the Actions column. In the details panel, you can view information about the check item, including Description and Suggestions. You can also view the list of affected assets.
Handle baseline risks
On the Baseline Check page, handle baseline risks that are displayed by baseline name or check item name.
Handle baseline risks that are displayed by baseline name
In the list of baseline check results on the Baseline Check Policy tab, click the name of a baseline. In the panel that appears, find a server on which baseline risks are detected and click View in the Actions column. In the At-Risk Items panel, handle the baseline risks.
Handle baseline risks that are displayed by check item name
In the list of baseline check results on the Risk Details tab, find a check item based on which baseline risks are detected and click Details in the Actions column. In the details panel, handle the baseline risks.
You can select Repair or Whitelist to handle baseline risks.
Repair
Security Center allows you to fix only the baseline risks that are detected on a Linux server based on the Alibaba Cloud standards or the MLPS standards. If a baseline risk is detected on a Linux server based on the Alibaba Cloud standards or the MLPS standards, you can fix the baseline risk in the Security Center console. Otherwise, you must log on to the server to modify the configurations of the server on which the baseline risk is detected. After you modify the configurations, you can verify whether the baseline risk is fixed.
Fix baseline risks in the Security Center console
In the At-Risk Items panel, find the check item based on which baseline risks are detected and click Repair in the Actions column.
In the Fix Risks for Assets dialog box, configure the parameters.
The following table describes the parameters.
Parameter
Description
Fixing Method
The method that you use to fix a baseline risk.
NoteThe method varies based on the type of the baseline risk. You can configure this parameter based on your business requirements.
Batch Handle
Specifies whether to handle the same baseline risk for multiple assets at a time.
System Protection
Specifies whether to create snapshots for your system data.
WarningSecurity Center may fail to fix baseline risks. If this issue occurs, your business may be affected. Before you fix baseline risks, we recommend that you create a backup for your system. If Security Center fails to fix the risks, you can use the backup to roll back your system to a snapshot before you fix the risks. This helps ensure that your workload runs as expected.
Automatically Create Snapshot and Fix Risk: If you select this option, you must configure the Snapshot Name and Snapshot Retention Period parameters. Then, click Fix Now.
NoteYou are charged for the snapshots that are created. You can click Billing description to view the billing methods of the snapshot service.
Fix Vulnerability Without Creating Snapshot: If you do not want to create snapshots before you fix the baseline risks, you can click Fix Now.
Click Fix Now.
Log on to a server to fix baseline risks
In the At-Risk Items panel, find a risk item and click Details in the Actions column. In the message that appears, you can view the information about the risk item provided by Security Center. The information includes Description, Result, and Suggestion. Then, log on to the server on which the baseline risk is detected and modify the configurations that cause the baseline risk based on the information provided in Suggestion.
Whitelist
If you trust a check item whose status is Failed for a server, you can add the check item to the whitelist. Then, the alerts that are generated for the check item on the server are ignored.
NoteAfter you add a check item of a server to the whitelist, the corresponding baseline risks that are detected on the server are ignored.
Add check items that are displayed by baseline name to the whitelist
In the At-Risk Items panel, find the check item that you want to add to the whitelist and click Whitelist in the Actions column. In the Reason for Ignore dialog box, specify the reason for adding the check item to the whitelist and click OK.
To add multiple check items to the whitelist at a time, select the check items that are in the Failed state and click Whitelist in the lower-left corner.
Add a check item that is displayed by check item name to the whitelist
In the list of baseline check results, find the check item that you want to add to the whitelist and click Whitelist in the Actions column. In the Reason for Ignore dialog box, specify the reason for adding the check item to the whitelist and click OK.
If you want to remove specific servers from the affected servers of a check item, click Details in the Actions column of the check item. In the details panel, select the servers that you want to remove and click Whitelist.
Check whether a baseline risk is fixed.
In the At-Risk Items panel, find a check item and click Verify in the Actions column. Then, check whether the baseline risk on servers is fixed. If the baseline risk is fixed, the number of At-Risk Items decreases and the status of the check item changes to Passed.
NoteIf you do not perform manual verification, Security Center automatically checks whether the baseline risk is fixed based on the detection interval that is specified in your baseline check policy.
Rollback
If you want to fix baseline risks for an ECS instance, we recommend that you create a snapshot for the ECS instance before the fix. This way, you can roll back the instance if a service interruption error occurs because the baseline risks failed to be fixed. To perform the rollback, you can find the instance in a baseline details panel and click Rollback in the Actions column. In the Rollback dialog box, select the snapshot that you created before you perform the fix and click OK. The configurations of the instance are rolled back based on the snapshot.
Remove
If you want a check item in the whitelist to trigger alerts, you can remove the check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the check item belong. After you remove a check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the check item belong, the check item triggers alerts.
To remove a check item from the whitelist, find the check item in the At-Risk Items panel and click Remove in the Actions column. In the Cancel ignore operation dialog box, click OK. You can also remove multiple check items from the whitelist at a time. To remove multiple check items, select the check items and click Remove below the check item list.
Baselines
Baseline categories
Baseline category | Check standard and description | Involved operating system and service | Fixing description |
Weak password | Checks whether weak passwords are configured for your assets by using a method other than brute-force logons. The method does not lock your account, which prevents your workloads from being interrupted. Note Security Center detects weak passwords by comparing the hash value that is read by the system with the hash value that is calculated based on the weak password dictionary. If you do not want to enable the system to read the hash value, you can remove the baseline that detects weak passwords from your baseline check policy. |
| You must fix the baseline risks at the earliest opportunity. This way, you can prevent weak passwords from being exposed on the Internet. If weak passwords are exposed on the Internet, your assets can be attacked, and data breaches can occur. |
Unauthorized access | Baselines that are used to check for unauthorized access. Check whether unauthorized access risks exist in your services. This prevents intrusions and data breaches. | Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, JBoss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, and PostgreSQL | |
Best security practices | Alibaba Cloud standards Check whether risks exist in the configurations based on the Alibaba Cloud standards of best security practices. The configurations involve account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. |
| We recommend that you fix the detected risks. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
Container security | Alibaba Cloud standards Check whether the Kubernetes master nodes contain risks based on the Alibaba Cloud standards of best practices for container security. |
| |
Classified protection compliance | The standards of MLPS level 2 and MLPS level 3 Check configurations based on the baselines for MLPS compliance for servers. The baseline checks meet the standards and requirements for computing environment that are proposed by authoritative assessment organizations. |
| We recommend that you fix the detected risks based on the compliance requirements for your business. |
CIS compliance | Check configurations based on the baselines for CIS compliance for operating systems. |
| We recommend that you fix the detected risks based on the compliance requirements for your business. |
Custom baseline | Checks configurations based on custom baselines for CentOS Linux 7. You can specify or edit custom baselines in a custom baseline check policy based on your business requirements. | CentOS 7, CentOS 6, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 | We recommend that you fix the risks that are detected based on the custom baselines that you specify. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
Baseline checks
The following table describes the default baseline checks that are provided by Security Center.
Baseline category | Baseline name | Baseline description | Number of check items |
Weak password | Zabbix login weak password baseline | Checks weak passwords that are used to log on to Zabbix. | 1 |
Samba login weak password detection | Checks weak passwords for users of Samba databases. | 1 | |
ElasticSearch login weak password baseline | Checks weak passwords that are used to log on to Elasticsearch servers. | 1 | |
Activemq login weak password baseline | Checks weak passwords that are used to log on to ActiveMQ. | 1 | |
RabbitMQ login weak password baseline | Checks weak passwords that are used to log on to RabbitMQ. | 1 | |
OpenVPN weak password detection in Linux system | Checks common weak passwords of OpenVPN accounts in Linux operating systems. | 1 | |
Jboss6/7 login weak password baseline | Checks weak passwords that are used to log on to JBoss 6 and JBoss 7. | 1 | |
Jenkins login weak password baseline | Checks weak passwords that are used to log on to Jenkins. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
Proftpd login weak password baseline | Checks weak passwords that are used to log on to ProFTPD. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
Influxdb login weak password baseline | Checks weak passwords that are used to log on to InfluxDB databases. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
Weblogic 12c login weak password detection | Checks weak password for users of WebLogic Server 12c. | 1 | |
Openldap login weak password baseline | Checks weak passwords that are used to log on to OpenLDAP. | 1 | |
VncServer weak password check | Checks common weak passwords that are used to log on to the VNC service. | 1 | |
pptpd login weak password baseline | Checks weak passwords that are used to log on to PPTP servers. | 1 | |
Oracle login weak password detection | Checks weak passwords for users of Oracle databases. | 1 | |
svn login weak password baseline | Checks weak passwords that are used to log on to Subversion (SVN) servers. | 1 | |
rsync login weak password baseline | Checks weak passwords that are used to log on to rsync servers. | 1 | |
MongoDB Weak Password baseline | Checks weak passwords for the MongoDB service. MongoDB 3.x and 4.x support this baseline check. | 1 | |
PostgreSQL DB login weak password baseline | Checks weak passwords that are used to log on to PostgreSQL databases. | 1 | |
SQL Server DB login weak password baseline | Checks weak passwords that are used to log on to Microsoft SQL Server databases. | 1 | |
Mysql DB login weak password baseline(Windows version) | Checks weak passwords that are used to log on to MySQL databases. This baseline check is suitable only for Windows operating systems. | 1 | |
Apache Tomcat Console weak password baseline | Checks weak passwords that are used to log on to the Apache Tomcat console. Apache Tomcat 7, 8, and 9 support this baseline check. | 1 | |
Ftp login weak password baseline | Checks weak passwords that are used to log on to FTP servers and anonymous logons to FTP servers. | 1 | |
Redis DB login weak password baseline | Checks weak passwords that are used to log on to Redis databases. | 1 | |
Windows system login weak password baseline | Checks weak passwords that are used to log on to Windows Server operating systems. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
Linux system login weak password baseline | Checks weak passwords that are used to log on to Linux operating systems. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
Mysql DB login weak password baseline | Checks weak passwords that are used to log on to MySQL databases. This baseline check provides more samples to detect weak passwords than its earlier version. | 1 | |
MongoDB Weak Password baseline(support version 2. X) | Checks weak passwords for users of the MongoDB service. | 1 | |
Unauthorized access | Influxdb unauthorized access high exploit vulnerability risk | Checks InfluxDB vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 |
Redis unauthorized access high exploit vulnerability risk | Checks Redis vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Jboss unauthorized access high exploit vulnerability risk | Checks JBoss vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
ActiveMQ unauthorized access high exploit vulnerability risk | Checks ActiveMQ vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
RabbitMQ unauthorized access high exploit vulnerability risk | Checks RabbitMQ vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
OpenLDAP unauthorized access vulnerability baseline (Linux) | Checks OpenLDAP vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Kubernetes-Apiserver unauthorized access to high-risk risks | Checks Kubernetes API server vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
LDAP unauthorized access high exploit vulnerability risk (Windows) | Checks LDAP vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
rsync unauthorized access high exploit vulnerability risk | Checks rsync vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Mongodb unauthorized access high exploit vulnerability risk | Checks MongoDB vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Postgresql unauthorized access to high-risk risk baseline | Checks PostgreSQL vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Jenkins unauthorized access high exploit vulnerability risk | Checks Jenkins vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Hadoop unauthorized access high exploit vulnerability risk | Checks Apache Hadoop vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
CouchDB unauthorized access high exploit risk | Checks Apache CouchDB vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
ZooKeeper unauthorized access high exploit vulnerability risk | Checks Apache ZooKeeper vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Docker unauthorized access high vulnerability risk | Checks Docker vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Memcached unauthorized access high exploit vulnerability risk | Checks memcached vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Elasticsearch unauthorized access high exploit vulnerability risk | Checks Elasticsearch vulnerabilities that can be exploited by attackers to implement unauthorized access. | 1 | |
Container security | CIS standard-Kubernetes(ACK) node security inspection inspection | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 52 |
CIS standard-Kubernetes(ACK) Master node security inspection inspection | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 8 | |
Alibaba Cloud Standard-Kubernetes-Node security baseline check | Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master. | 7 | |
Alibaba Cloud Standard-Kubernetes-Master security baseline check | Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master. | 18 | |
Alibaba Cloud Standard -DockerSecurity Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Docker. | 17 | |
Best security practice | Alibaba Cloud Linux/Aliyun Linux 2 Benchmark | Checks the baseline against the Alibaba Cloud standard of best practices for Alibaba Cloud Linux 2. | 15 |
Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for CentOS Linux 6. | 15 | |
Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for CentOS Linux 7 and CentOS Linux 8. | 15 | |
Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for Debian Linux 8, Debian Linux 9, and Debian Linux 10. | 15 | |
Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Red Hat Enterprise Linux (RHEL) 6. | 15 | |
Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for RHEL 7 and RHEL 8. | 15 | |
Alibaba Cloud Standard - Ubuntu Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for Ubuntu. | 15 | |
Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Windows Server 2008 R2. | 12 | |
Alibaba Cloud Standard - Windows 2012 R2 Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for Windows Server 2012 R2. | 12 | |
Alibaba Cloud Standard - Windows 2016/2019 Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for Windows Server 2016 and Windows Server 2019. | 12 | |
Alibaba Cloud Standard-SQL Server Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for SQL Server 2012. | 17 | |
Alibaba Cloud Standard - Memcached Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for memcached. | 5 | |
Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for MongoDB. | 9 | |
Alibaba Cloud Standard - Mysql Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for MySQL. MySQL 5.1 to MySQL 5.7 support this baseline check. | 12 | |
Alibaba Cloud Standard - Oracle 11g Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Oracle Database 11g. | 14 | |
Alibaba Cloud Standard-PostgreSql Security Initialization Check | Checks the baseline against the Alibaba Cloud standard of best practices for PostgreSQL. | 11 | |
Alibaba Cloud Standard - Redis Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Redis. | 7 | |
Alibaba Cloud Standard - Anolis 8 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Anolis 8. | 15 | |
Alibaba Cloud Standard - Apache Security Baseline Check | Checks the baseline of middleware against the standards of CIS and Alibaba Cloud. | 19 | |
Alibaba cloud standard - CouchDB security baseline check | Checks the baseline against the Alibaba Cloud standard for Apache CouchDB. | 5 | |
Alibaba Cloud Standard - ElasticSearch Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Elasticsearch. | 3 | |
Alibaba Cloud Standard - Hadoop Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Apache Hadoop. | 3 | |
Alibaba Cloud Standard - IIS 8 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Internet Information Services (IIS) 8. | 8 | |
Alibaba Cloud Standard - Influxdb Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for InfluxDB. | 5 | |
Alibaba Cloud Standard -Jboss6/7 Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for JBoss 6 and JBoss 7. | 11 | |
Alibaba Cloud Standard - Kibana Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Kibana. | 4 | |
Alibaba Cloud Standard - Kylin Security Baseline Check | Checks the baseline against the Alibaba Cloud standard for Kylin. | 15 | |
Alibaba Cloud Standard -Activemq Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for ActiveMQ. | 7 | |
Alibaba Cloud Standard - Jenkins Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Jenkins. | 6 | |
Alibaba Cloud Standard - RabbitMQ Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for RabbitMQ. | 4 | |
Alibaba Cloud Standard - Nginx Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for NGINX. | 13 | |
Alibaba Cloud Standard - Windows SMB Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for Windows SMB. | 2 | |
Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for SUSE Linux 15. | 15 | |
Alibaba Cloud Standard - Apache Tomcat Security Baseline(on windows) | Checks the baseline of middleware against the standards of CIS and Alibaba Cloud. | 8 | |
Alibaba Cloud Standard - Uos Security Baseline Check | Checks the baseline against the Alibaba Cloud standard of best practices for UOS. | 15 | |
Alibaba Cloud Standard - Zabbix Security Baseline | Checks the baseline against the Alibaba Cloud standard of best practices for Zabbix. | 6 | |
Alibaba Cloud Standard-Apache Tomcat Security Baseline | Checks the baseline of middleware against the standards of CIS and Alibaba Cloud. | 13 | |
CIS compliance | Alibaba Cloud Linux/Aliyun Linux 2 CIS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 178 |
CIS CentOS Linux 6 LTS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 196 | |
CIS CentOS Linux 7 LTS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 197 | |
CIS CentOS Linux 8 LTS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 164 | |
CIS Debian Linux 8 Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 155 | |
CIS Ubuntu Linux 14 LTS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 177 | |
CIS Ubuntu Linux 16/18/20 LTS Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 176 | |
CIS Microsoft Windows Server 2008 R2 Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 274 | |
CIS Microsoft Windows Server 2012 R2 Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 275 | |
CIS Microsoft Windows Server 2016/2019 R2 Benchmark | Checks the baseline against the CIS standard. This standard is suitable for enterprise users who have professional security skills. This baseline check provides a variety of check rules, which allows you to reinforce the security of your system based on business scenarios and requirements. | 275 | |
Operating systems involved in MLPS compliance | SUSE Linux 15 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for SUSE Linux Enterprise Server 15. This checks whether your asset environments comply with the classified protection requirements. | 18 |
Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Alibaba Cloud Linux 3. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Alibaba Cloud Linux 2. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Bind. This checks whether your asset environments comply with the classified protection requirements. | 4 | |
CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for CentOS Linux 6. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for CentOS Linux 7. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for CentOS Linux 8. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
IIS Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Oracle. This checks whether your asset environments comply with the classified protection requirements. | 5 | |
China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Informix. This checks whether your asset environments comply with the classified protection requirements. | 6 | |
China's Level 3 Protection of Cybersecurity - Jboss6/7 Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for JBoss 6 or JBoss 7. This checks whether your asset environments comply with the classified protection requirements. | 5 | |
MongoDB Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for MongoDB. This checks whether your asset environments comply with the classified protection requirements. | 6 | |
China's Level 3 Protection of Cybersecurity -SQL Server Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for SQL Server. This checks whether your asset environments comply with the classified protection requirements. | 4 | |
Equal Guarantee Level 3-MySql Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for MySQL. This checks whether your asset environments comply with the classified protection requirements. | 5 | |
Equal Guarantee Level 3-Nginx Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for NGINX. This checks whether your asset environments comply with the classified protection requirements. | 3 | |
China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Oracle. This checks whether your asset environments comply with the classified protection requirements. | 12 | |
Level 3-PostgreSql compliance baseline check | Checks the baseline against the standard of MLPS 2.0 level 3 for PostgreSQL. This checks whether your asset environments comply with the classified protection requirements. | 4 | |
China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Red Hat Enterprise Linux 6. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Red Hat Enterprise Linux 7. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Redis Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Redis. This checks whether your asset environments comply with the classified protection requirements. | 4 | |
SUSE Linux 10 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for SUSE Linux Enterprise Server 10. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
SUSE Linux 12 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for SUSE Linux Enterprise Server 12. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
SUSE Linux 11 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for SUSE Linux Enterprise Server 11. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Ubuntu 14 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Ubuntu 14. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Waiting for Level 3-Ubuntu 16/18/20 compliance regulations inspection | Checks the baseline against the standard of MLPS 2.0 level 3 for Ubuntu 16, Ubuntu 18, and Ubuntu 20. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - Websphere Application Server Compliance Baseline Check | Checks the baseline against the standard of Multi-Level Protection Scheme (MLPS) 2.0 level 3 for WebSphere Application Server. This checks whether your asset environments comply with the classified protection requirements. | 7 | |
Weblogic Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Oracle WebLogic Server. This checks whether your asset environments comply with the classified protection requirements. | 5 | |
China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Windows Server 2008 R2. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Windows Server 2012 R2. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Windows Server 2016 R2 and 2019 R2. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Alibaba Cloud Linux 2. This checks whether your asset environments comply with the classified protection requirements. | 15 | |
CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for CentOS Linux 6. This checks whether your asset environments comply with the classified protection requirements. | 15 | |
CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for CentOS Linux 7. This checks whether your asset environments comply with the classified protection requirements. | 15 | |
Debian Linux 8 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Debian Linux 8. This checks whether your asset environments comply with the classified protection requirements. | 12 | |
Redhat Linux 7 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Red Hat Enterprise Linux 7. This checks whether your asset environments comply with the classified protection requirements. | 15 | |
Linux Ubuntu 16/18 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Ubuntu 16 and Ubuntu 18. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Windows 2008 R2 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Windows Server 2008 R2. This checks whether your asset environments comply with the classified protection requirements. | 12 | |
Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Windows Server 2012 R2. This checks whether your asset environments comply with the classified protection requirements. | 12 | |
Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level II | Checks the baseline against the standard of MLPS 2.0 level 2 for Windows Server 2016 R2 and 2019 R2. This checks whether your asset environments comply with the classified protection requirements. | 12 | |
Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity-Level III | Checks the baseline against the standard of MLPS 2.0 level 3 for Debian Linux 8, Debian Linux 9, and Debian Linux 10. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Kylin. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - uos Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for UOS. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
China's Level 3 Protection of Cybersecurity - Anolis 8 Compliance Baseline Check | Checks the baseline against the standard of MLPS 2.0 level 3 for Anolis 8. This checks whether your asset environments comply with the classified protection requirements. | 19 | |
Custom baseline | Alibaba cloud standard Ubuntu custom security baseline check | Checks the custom baseline against the Alibaba Cloud standard of best practices for Ubuntu 14, Ubuntu 16, Ubuntu 18, and Ubuntu 20. | 62 |
Windows custom baseline | The custom template that contains all baseline check items related to Windows. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements. | 63 | |
CentOS Linux 6 custom baseline | The custom template that contains all baseline check items related to CentOS Linux 6. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements. | 47 | |
CentOS Linux 7/8 custom baseline | The custom template that contains all baseline check items related to CentOS Linux 7 and CentOS Linux 8. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements. | 53 |