This topic provides answers to some frequently asked questions about baseline check.
Which edition of Security Center do I need to use baseline check?
Purchase the Advanced, Enterprise, or Ultimate Edition of Security Center to access baseline check for free. Each edition supports different baseline check items:
Advanced: Supports only the default policy and weak password baselines.
Enterprise and Ultimate: Both support all check policies. The Enterprise edition does not include container security check items, while the Ultimate edition supports all check items. Both editions enable quick fixing of baseline risks detected on a Linux server based on Alibaba Cloud standards or the Multi-Level Protection Scheme (MLPS) standards.
If you use the Anti-virus edition or a value-added plan, you can enable baseline check by purchasing the cloud security posture management (CSPM) feature. After you purchase CSPM, you have access to all baseline check items.
For more information, see Activate baseline check.
What should I do if Security Center fails to verify a fixed baseline risk?
Security Center may fail to verify a fixed baseline risk because the Security Center agent is offline.
If the agent is offline, we recommend that you troubleshoot why the Security Center agent is offline.
What are the differences between baselines and vulnerabilities?
Baselines define the minimum security requirements for system configurations and management, including service and application configurations, operating system settings, permission settings, and system management rules.
The baseline check feature of Security Center assesses various security configurations, including weak passwords, account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention. It also provides recommendations for reinforcing security based on detected baseline risks.
Vulnerabilities are flaws in the operating systems or security policies. They include design defects in software or applications and errors occurring during development. Attackers can exploit these flaws to access, steal, or damage your system data.
We recommend fixing detected vulnerabilities as soon as possible to protect your assets.
Why does the check item "Make sure that each user has a unique user ID, does not use simple passwords, and changes the password periodically" still fail after the one-click fix and verification?
Cause: During the one-click fix, two relevant items were not selected for fixing as shown in the figure below. As a result, the two items remain unfixed, leading to the check item's failure.
Solution: If your assets use non-password login methods, you cannot perform a one-click fix with Security Center. After ensuring that other configuration items are fixed, you can configure a whitelist policy for this check item on those assets.
Why does the check item "Assign an account and permissions for each user" fail?
Problem: The Status of the check item "Assign an account and permissions for each user" is Not Passed.
The host configuration, including home directory permissions, number of users, and umask value, is shown in the following figure. This configuration aligns with the fixing suggestions for the "Assign an account and permissions for each user" check item.
Solution: Run the following commands to confirm the umask value and the number of accounts, excluding the administrator account, detected by the baseline check.
grep umask /etc/bashrc |grep -v '#'|awk -F ' ' '{print $2}'|sort -r|head -1
grep umask /etc/profile |grep -v '#'|awk -F ' ' '{print $2}'|sort -r|head -1
cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7!="/bin/false"&&$7!="/sbin/nologin"&&$7!="/usr/sbin/nologin"&&$6!="/var/lib/libuuid"&&$6!="") { print $6 }' |wc -l
As shown in the figure below, the baseline check detects 2 accounts other than the administrator account, which does not comply with the fixing suggestions for this check item.
To resolve this, add a non-administrator user on the host as per the fixing suggestions, then verify this check item again in Security Center.
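The commands above, wrapped as an added shell example (not from the original page or from Security Center) that runs them against file copies and lists the accounts behind the count instead of only the number. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: the page's pipelines as functions that take a file path, so
# they can be run on copies of /etc/bashrc, /etc/profile and /etc/passwd.

# Highest umask value set in a file (same pipeline as on the page).
max_umask() {
    grep umask "$1" | grep -v '#' | awk -F ' ' '{print $2}' | sort -r | head -1
}

# Accounts the page's filter counts, printed as name:home:shell instead of
# only the home directory, so you can see which ones make up the number.
counted_accounts() {
    grep -E -v '(root|halt|sync|shutdown)' "$1" |
        awk -F: '($7!="/bin/false"&&$7!="/sbin/nologin"&&$7!="/usr/sbin/nologin"&&$6!="/var/lib/libuuid"&&$6!="") { print $1":"$6":"$7 }'
}

count_accounts() {
    counted_accounts "$1" | wc -l | tr -d ' '
}

# Constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
rsyncsvc:x:1001:1001::/home/rsyncsvc:/bin/bash
ghost:x:1002:1002:::/bin/bash
deploy:x:1003:1003::/home/deploy:/bin/sh
EOF
cat > "$SAMPLE_DIR/bashrc" <<'EOF'
# default umask 002 for user private groups
if [ "$UID" -gt 199 ]; then
    umask 002
else
    umask 027
fi
EOF

echo "max umask:        $(max_umask "$SAMPLE_DIR/bashrc")"
echo "counted accounts: $(count_accounts "$SAMPLE_DIR/passwd")"
counted_accounts "$SAMPLE_DIR/passwd"
```

In the sample, rsyncsvc is left out because the page's filter drops any line that contains sync, and ghost is left out because its home directory field is empty.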
Why do I receive the "illegal auth" error when creating a baseline check policy?
The following table describes possible causes and solutions:
Cause | Solution |
When you enable the baseline check feature, the new order may not take effect immediately, preventing you from creating a baseline check policy. | Try again later. |
The Security Center instance you are using has expired, preventing the configuration of baseline check policies. |
[MLPS compliance] Why does the prompt "Unwanted system services, default sharing, and high-risk ports should be turned off" appear in the Windows baseline check for MLPS Level 2?
Problem: Some users may block specific ports using firewalls or security groups, yet still receive the "Unwanted system services, default sharing, and high-risk ports should be turned off" prompt during the Windows baseline check for MLPS Level 2.
Cause: The services corresponding to the specific ports remain active, leading the baseline check to detect these open ports and their associated services.
Solution: Log on to your instance and disable the services for the following ports. The example below uses the Windows 10 (64-bit) operating system.
Port 135
Press Windows+R, enter dcomcnfg, and click OK to open the Component Service dialog box.
In the left navigation bar, click , right-click, and then click Properties.
In the dialog box that appears, click the Default Properties tab, and clear Enable Distributed COM on this computer (E).
Click the Default Protocols tab, select Connection-based TCP/IP, and click Remove.
Click OK.
Ports 136, 137, and 138
Press Windows+S, enter Control Panel in the search box, and then click Control Panel.
In the Control Panel dialog box, click Network and Internet.
Click Network and Sharing Center, and click the connected network.
In the dialog box that appears, click Properties.
In the dialog box that appears, clear File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks.
Click OK, and close the dialog boxes that you opened.
Port 139
Press Windows+S, enter Control Panel in the search box, and then click Control Panel.
In the Control Panel dialog box, click Network and Internet.
Click Network and Sharing Center, and click Change adapter settings on the left.
In the dialog box that appears, right-click the network that you are using (for example, Ethernet), and click Properties.
In the dialog box that appears, double-click Internet Protocol Version 4 (TCP/IPv4).
In the dialog box that appears, click Advanced, and switch to the WINS tab.
Select Disable NetBIOS over TCP/IP, and click OK.
Click OK again, and then close all dialog boxes.
Port 445
Press Windows+R, enter regedit, and click OK to open the Registry Editor dialog box.
In the left navigation bar, click , and right-click Parameters.
Click , enter SMBDeviceEnabled as the Value name, and then double-click the new value name.
In the dialog box that appears, enter 0 as the Value data, click OK, and close the Registry Editor.
Press Windows+R, and enter services.msc to open the Services management dialog box.
Find and double-click the Server service. In the dialog box that appears, select Disabled for Startup type, set Service status to Stopped, and click Apply. Close the dialog box.