View baseline check results and risk hardening suggestions and handle them - Security Center

After completing baseline checks, Security Center displays the results by baseline and check item. You can view fixing suggestions and promptly address any risky configurations to strengthen system security.

View check results and suggestions

Follow these steps to view risk details, identifying which items need attention and the related server information.

Log on to the Security Center console. In the upper-left corner, select the region where the assets to be protected are located: China or Outside China.
On the Risk Governance > CSPM page, click the Baseline Risks tab.
On the Risk Details tab, view risks and fixing suggestions by check item name.
- Expand the Pass Rate section to view the pass rate of baselines. Hover over the pass rate line to view the counts of high-risk (red), medium-risk (orange), low-risk (yellow), and failed (gray) check items.
- In the Check Item Statistics section, click the number under Failed or Total Check Items Handled to display the corresponding check items in the list below.
  Note
  Failed check items include data from the last 30 days, while total handled check items cover the last 365 days, excluding released assets.
- View details and suggestions for target check items.
  Use the search component above the list to filter target check items by risk level, status, and type, or enter the check item name to search.
  Click Actions > Details for a target check item to see the Description, Suggestions, Related Baselines, and the list of affected assets in the details panel.
On the Baseline Check Policy tab, view risks and fixing suggestions by baseline name.
- Check the results of all baseline check policies or a specific policy
  In the policy overview section of the Baseline Check Policy tab, click the icon to view all baseline check policies, and select All Policies or a specific policy. The policy information, such as Checked Servers, Baselines, High Weak Password Risk, and Last Check Pass Rate, is displayed. By default, the Baseline Check Policy tab shows information about the Default policy.
  You can click the number below High Weak Password Risk to view all detected high weak password risks.
  Important
  - Weak password risks are of High Risk severity. We recommend fixing these high-risk items as soon as possible. For guidance on improving password security and changing passwords in common systems, see Reinforce password security.
  - The color indicators for the number below Last Check Pass Rate have the following meanings:
    Green: high pass rate of check items.
    Red: low pass rate of check items. We recommend reviewing the details of each check item and addressing the detected baseline risks.
- List of baseline check results displayed by baseline name and suggestions
  1. In the list of baseline check results, click the baseline name to open the details panel. Here, you can view affected assets, Passed Items, and Risk Item for that baseline.
  2. In the baseline details panel, find an affected asset and click View in the Actions column. In the Risk Item panel, view all baseline risks of the affected asset.
    Note
    If a check item is Passed, no risks exist in the server's configuration.
    For example, if you configure no password for a Redis database but bind it to the IP address 127.0.0.1, access is restricted to the local host. In this case, the baseline check for unauthorized access passes, and no related baseline risks are reported. You can decide whether to implement access control policies based on your business requirements.
  3. In the Risk Item panel, locate the risk item you want to view and click Details in the Actions column. A message will appear, displaying information about the risk item, including Description, Check Tips, and Suggestions.
  4. Optional. Return to the baseline details panel. In the upper-right corner above the list of baseline check results, click the icon. In the Select Baseline Export Task dialog box, select an export method and Export the baseline check results.
    You can select one of the following export methods to export the weak passwords in the baseline check results:
    - Export Weak Password in Plaintext: exports the check results in which the weak passwords are in plaintext.
    - Mask and Export Weak Password: exports the check results after the weak passwords in the results are masked.

Handle failed check items

As described above, you can handle baseline risks by check item on the Risk Details tab, or by baseline on the Baseline Check Policy tab.

The following example shows how to handle baseline risks by baseline, using the Suggestions provided in the Risk Item panel.

After viewing failed check items in the Risk Item panel, you can choose from the following operations in the Actions column to handle the corresponding risk items:

Fix risk items

Security Center allows you to fix only some baseline risks. In the Risk Item panel, check for the Fix button for each risk item.

If the Fix button does not appear, the baseline risk cannot be fixed in the Security Center console. You must log on to the server with the detected baseline risk to modify its configurations. After making changes, Verify if the baseline risk is resolved.

If the Fix button appears, you can fix the baseline risk in the Security Center console.

In the Risk Item panel, click Fix in the Actions column for the target check item.

In the Fix Risks for Assets dialog box, configure the following parameters and click Fix Now.

The parameters are described as follows:

Parameter	Description
Fixing Method	The method that you use to fix a baseline risk. Note The method varies based on the type of baseline risk. You can configure this parameter based on your needs.
Batch Handle	Specifies whether to handle the same baseline risk for multiple assets at a time.
System Protection	Specifies whether to create snapshots to back up your system data. Warning Security Center may fail to fix baseline risks, which can impact your workload. Before attempting to fix these risks, we recommend creating a backup of your system. If Security Center fails to resolve the risks, you can use the backup to restore your system to a previous snapshot, ensuring your workload runs smoothly. Automatically Create Snapshot and Fix Risk: If you select this option, you must configure the Snapshot Name and Snapshot Retention Period parameters before you click Fix Now. Note You are charged for the snapshots that are created. You can click Snapshot billing to view the billing methods of the snapshot service. Skip Snapshot and Fix: If you do not want to create snapshots before you fix baseline risks, you can select this option and click Fix Now.

Rollback

Before fixing baseline risks for an ECS instance, we recommend creating a snapshot of the instance. This allows you to roll back the instance if a service interruption occurs due to unsuccessful risk resolution. To perform the rollback, locate the instance in the baseline details panel and click Rollback in the Actions column. In the Rollback dialog box, select the snapshot you created and click OK.

The configurations of the instance will be restored based on the snapshot.

Configure whitelist

If you trust a check item with a status of Not Passed for a server, you can add it to the whitelist. This will cause any alerts generated for that check item on the server to be ignored.

Important

After adding a check item for a server to the whitelist, the corresponding baseline risks detected on that server will be ignored.

For example, if a non-root account is used to log in to an instance and you confirm that this is necessary for normal workloads, you can add the risk item to the whitelist.

In the Risk Item panel of the server to manage, find the baseline check item you want to whitelist and click Add to Whitelist in the Actions column. In the dialog box that appears, specify the reason for adding the baseline check item to the whitelist and click OK.

To add multiple baseline check items to the whitelist, select the check items in Not Passed status and click Add to Whitelist in the lower-left corner.

You can also whitelist check items for multiple assets on the Risk Details tab:

Whitelist specified check items for all assets
On the Risk Details tab, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. To whitelist multiple items, select them and click Add to Whitelist in the lower-left corner of the check item list.
Whitelist specific assets for a single check item
On the Risk Details tab, find the desired check item and click Details in the Actions column. In the details panel, select the servers you want to whitelist and click Add to Whitelist in the lower-left corner of the server list.

Remove from whitelist

To make a baseline check item trigger alerts again, you can remove it from the whitelist or add the previously removed servers back to the affected servers of the associated baseline check policy. Once you remove the check item from the whitelist or add the servers back, alerts will be triggered.

To remove a baseline check item from the whitelist, find it in the Risk Item panel and click Remove from Whitelist in the Actions column. In the dialog box that appears, click OK. To remove multiple check items, select them and click Remove from Whitelist in the lower-left corner.

Verify the handling results.
In the Risk Item panel, find the baseline check item that you want to manage and click Verify in the Actions column. Then, check whether the baseline risk on the server is fixed. If the verification is successful, the baseline risk is fixed, the number in the Risk Item column decreases, and the status of the risk item changes to Passed.
Note
Without manual verification, Security Center will automatically check if the baseline risk is fixed according to the detection interval specified in your baseline check policy.