Baseline risk check

Updated at:
Copy as MD

When you need to meet classified protection compliance requirements, troubleshoot system configuration risks, or detect weak passwords, you can use the baseline risk check feature to perform security checks on server operating systems, databases, middleware, and container configurations. This topic describes the basic information, usage, and common risk item remediation plans for this feature.

Editions and billing

Paid editions of Security Center support the baseline risk check feature.

Edition

Description

Billing

Anti-Virus edition and Value-added Service

To use all features of baseline risk check, you must enable the paid cloud security posture management (CSPM) feature. Using check items consumes CSPM quotas.

If you enable the paid cloud security posture management feature, see Paid usage of CSPM for billing details.

Advanced edition and Enterprise edition

  • The Advanced edition only supports weak password check items.

  • The Enterprise edition does not support container security check items.

  • To use all baseline risk check items, you must upgrade to the Ultimate edition.

No additional fees required.

Ultimate edition

Supports all baseline risk check items.

No additional fees required.

Benefits

  • Classified protection compliance

    Supports MLPS Level 2, MLPS Level 3, and internationally recognized security best practice baselines to meet various compliance and regulatory requirements.

  • Comprehensive detection

    Supports weak password detection, unauthorized access detection, known insecure configuration detection, and configuration red-line inspection, covering more than 30 system versions and over 20 types of databases and middleware.

  • Flexible configuration

    Supports custom security policies, check cycles, and check scopes to meet the security configuration needs of different businesses.

  • Detailed remediation plans

    Check items provide remediation suggestions and support one-click fixes to quickly complete baseline hardening and meet classified protection requirements.

Workflow

  1. Enable the feature: Purchase the Enterprise or Ultimate edition, or enable the paid cloud security posture management (CSPM) feature, to use all check items. See Enable the baseline risk check feature.

  2. Install the agent: Install the Security Center agent on your servers. The console automatically synchronizes asset information every minute. For installation steps, see Install the agent. To check non-Alibaba Cloud servers, first connect the assets to Security Center. See Add multi-cloud assets.

  3. Configure check policies: The default policy includes only some baseline types. You can configure more check items and policies based on your business needs. See Configure check policies.

  4. Run checks: Select a policy and run it manually, or wait for the system to automatically scan based on the policy schedule. See Run baseline check policies.

  5. View results: View the risky check items, affected assets, and remediation suggestions in the console. See View baseline check results and suggestions.

  6. Remediate and verify: Remediate risks based on the suggestions and complete verification to confirm that the check items show as Passed. See Handle failed baseline risk items.

Feature description

The baseline check feature uses different check policies to batch-scan servers and identify risks in systems, account permissions, databases, weak passwords, and classified protection compliance configurations. It provides remediation suggestions and one-click fixes. For details about check content, see Baseline check content.

Key concepts

Term

Description

Baseline

A baseline refers to security configuration red-line standards for operating systems, databases, and middleware based on best practices and compliance requirements. Checks cover weak passwords, account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention.

Weak password

A weak password is a password that can be easily guessed or brute-forced. It typically includes simple passwords shorter than 8 characters or with fewer than 3 character types, as well as passwords from publicly available or malware-based hacker dictionaries. Weak passwords are easy to crack. If obtained by attackers, they can be used to directly log in to systems, read or even modify website code. Using weak passwords exposes systems and services to significant risk.

Baseline policies

A policy is a collection of baseline check rules and is the basic unit for running baseline checks. Security Center provides three policy types: default policy, standard policy, and custom policy.

Policy type

Supported baseline check item types

Application scenarios

Default policy

Supports the following baseline types:

  • Windows baselines: unauthorized access, best security practices, weak passwords, etc.

  • Linux baselines: unauthorized access, container security, best security practices, weak passwords, etc.

The system default baseline check policy. You can only edit the check time and target servers. After purchasing the Advanced, Enterprise, or Ultimate edition, the system checks all assets under your Alibaba Cloud account every other day between 00:00 and 06:00 (or a time you specify).

Standard policy

Supports the following baseline types:

  • Windows baselines: unauthorized access, MLPS compliance, best security practices, basic protection security practices, internationally recognized security best practices, weak passwords, etc.

  • Linux baselines: unauthorized access, MLPS compliance, best security practices, container security, internationally recognized security best practices, weak passwords, etc.

Compared with the default policy, adds MLPS compliance and internationally recognized security best practices check types, and allows editing of all policy configuration items.

You can configure baseline check policies based on your business scenarios.

Custom policy

Supports the following custom OS baseline types:

  • Windows baselines: Windows custom baseline

  • Linux baselines: CentOS Linux 7/8 custom baseline, CentOS Linux 6 custom baseline, Ubuntu custom security baseline check, and Red Hat 7/8 custom security baseline check.

Checks for risks in asset configurations against custom OS baselines.

You can customize check items and modify some baseline parameters to better align with your business scenarios.

Supported servers

Security Center supports baseline checks for servers with an installed agent and normal status. When setting up a policy, you can select the scope through server groups. See Install the agent and Manage servers for server onboarding methods.

Risk levels

Security Center classifies risks based on the severity and application scenarios of risk types.

Risk level

Baseline category

Description

Remediation

High

  • Weak password

  • Unauthorized access

This baseline risk type poses an intrusion risk and is classified as High.

Requires urgent remediation. Prevent weak passwords from being exposed to the Internet, which could lead to system intrusions or data breaches.

  • Best security practices

  • Container security

Although no intrusion risk exists, this is a configuration red-line inspection and is classified as High risk.

Important security hardening items. Remediate promptly. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks.

Custom baseline

Relates to customer-specific security events. This is a configuration red-line inspection and is classified as High risk.

User-defined security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks.

Medium

  • MLPS compliance

  • Internationally recognized security best practices

Compliance risks are checked and remediated based on whether compliance is required. No intrusion risk exists and this is not a configuration red-line inspection, so it is classified as Medium risk.

Remediate based on whether your business has compliance requirements.

Remediation methods

Security Center provides remediation suggestions for at-risk check items to harden system security.

  • Manual remediation: Log on to the affected server, modify the corresponding configurations, and then click Verify in Security Center.

  • One-click remediation: Security Center supports one-click fixes for some baseline check items. Whether a check item supports this is determined by whether the risk item panel shows a Fix button. See Fix risk items.

Baseline check content

Baseline categories

Baseline category

Check standards and content

Covered systems and services

Remediation urgency

Weak password

Uses non-brute-force methods to detect weak passwords. Avoids account lockouts from brute-force attacks that could affect normal business operations.

Note

Weak password detection compares hash values read from the system against hashes computed from a weak password dictionary. To avoid hash value reading, remove the weak password baseline from your baseline check policy.

  • Operating system

    Linux, Windows

  • Database

    MySQL, Redis, SQL Server, MongoDB, PostgreSQL, Oracle

  • Application

    Tomcat, FTP, Rsync, SVN, ActiveMQ, RabbitMQ, OpenVPN, Jboss 6/7, Jenkins, OpenLDAP, VNC Server, pptpd

Requires urgent remediation. Prevent weak passwords from being exposed to the Internet, which could lead to system intrusions or data breaches.

Unauthorized access

Unauthorized access baseline. Detects whether services have unauthorized access risks to prevent intrusions or data breaches.

Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, Jboss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, PostgreSQL

Best security practices

Alibaba Cloud standard

Based on Alibaba Cloud best security practice standards, detects security configuration risks in account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention.

  • Operating system

    • CentOS 6, 7, 8

    • Red Hat 6, 7, 8

    • Ubuntu 14, 16, 18, 20

    • Debian 8, 9, 10, 11, 12

    • Alibaba Cloud Linux 2, 3

    • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

    • Rocky Linux 8

    • AlmaLinux 8

    • SUSE Linux 15

    • Anolis 8

    • Kylin

    • UOS

    • TencentOS

  • Database

    MySQL, Redis, MongoDB, SQL Server, Oracle 11g, CouchDB, InfluxDB, PostgreSQL

  • Application

    Tomcat, IIS, Nginx, Apache, Windows SMB, RabbitMQ, ActiveMQ, Elasticsearch, Jenkins, Hadoop, Jboss 6/7, Tomcat

Important security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks.

Container security

Alibaba Cloud standard

Based on Alibaba Cloud container best security practices, checks Kubernetes master and node configuration risks.

  • Docker

  • Kubernetes cluster

MLPS compliance

MLPS Level 2 and Level 3 compliance

Based on server security MLPS baselines, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

  • Operating system

    • CentOS 6, 7, 8

    • Red Hat 6, 7, 8

    • Ubuntu 14, 16, 18, 20

    • SUSE 10, 11, 12, 15

    • Debian 8, 9, 10, 11, 12

    • Alibaba Cloud Linux 2, 3

    • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

    • Anolis 8

    • Kylin

    • UOS

  • Database

    Redis, MongoDB, PostgreSQL, Oracle, MySQL, SQL Server, Informix

  • Application

    WebSphere Application Server, Jboss 6/7, Nginx, WebLogic, BIND, IIS

Remediate based on whether your business has compliance requirements.

Internationally recognized security best practices

Operating system security baseline checks based on internationally recognized security best practices.

  • CentOS 6, 7, 8

  • Ubuntu 14, 16, 18, 20

  • Alibaba Cloud Linux 2

  • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

Remediate based on whether your business has compliance requirements.

Custom baseline

Supports CentOS Linux 7 custom baselines. You can edit check items in the baseline check policy to define custom security hardening items.

CentOS 7, CentOS 6, Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

User-defined security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks.

Baseline check items

The following table lists the baseline check items provided by Security Center.

Windows baselines

Baseline category

Baseline name

Baseline description

Number of check items

Basic protection security practices

SQL Server risky permission check

SQL Server risky permission check.

1

IIS risky permission check

IIS risky permission check.

1

Internationally recognized security best practices

Windows Server 2008 R2 internationally recognized security best practices baseline

Designed for enterprise users with professional security expertise. You can harden your system based on your business scenarios and security requirements.

274

Windows Server 2012 R2 internationally recognized security best practices baseline

275

Windows Server 2016/2019 internationally recognized security best practices baseline

275

Windows Server 2022 internationally recognized security best practices baseline

262

Unauthorized access

Unauthorized access - Redis unauthorized access high-risk (Windows)

Redis unauthorized access high-risk baseline.

1

Unauthorized access - LDAP unauthorized access high-risk (Windows environment)

LDAP unauthorized access high-risk baseline.

1

MLPS compliance

MLPS Level 3 - Windows 2008 R2 compliance baseline

Windows 2008 R2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Windows 2012 R2 compliance baseline

Windows 2012 R2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Windows 2016/2019 compliance baseline

Windows 2016/2019 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - SQL Server compliance baseline

SQL Server MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

4

MLPS Level 3 - IIS compliance baseline

IIS MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

5

MLPS Level 2 - Windows 2008 R2 compliance baseline

Windows 2008 R2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

12

MLPS Level 2 - Windows 2012 R2 compliance baseline

Windows 2012 R2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

12

MLPS Level 2 - Windows 2016/2019 compliance baseline

Windows 2016/2019 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

12

Weak password

Weak password - Windows system login weak password check

Weak password detection baseline.

1

Weak password - MySQL database login weak password check (Windows)

Windows MySQL database login account weak password detection baseline.

1

Weak password - SQL Server database login weak password check

Microsoft SQL Server database login account weak password detection baseline.

1

Weak password - Redis database login weak password check (Windows)

Redis database login weak password detection baseline.

1

Best security practices

Alibaba Cloud standard - Windows 2008 R2 security baseline check

Alibaba Cloud Windows 2008 R2 baseline standard.

12

Alibaba Cloud standard - Windows 2012 R2 security baseline check

Alibaba Cloud Windows 2012 R2 baseline check.

12

Alibaba Cloud standard - Windows 2016/2019 security baseline check

Alibaba Cloud Windows Server 2016 and Windows Server 2019 baseline check.

12

Alibaba Cloud standard - Windows Server 2022 security baseline check

Alibaba Cloud Windows Server 2022 baseline standard.

12

Alibaba Cloud standard - Redis security baseline check (Windows)

Alibaba Cloud Redis (Windows) baseline standard.

6

Alibaba Cloud standard - SQL Server security baseline check

Alibaba Cloud SQL Server 2012 security baseline check.

17

Alibaba Cloud standard - IIS 8 security baseline check

Alibaba Cloud Internet Information Services 8 baseline standard.

8

Alibaba Cloud standard - Apache Tomcat security baseline check (Windows environment)

Middleware-level baseline detection based on internationally recognized security best practices and Alibaba Cloud baseline standards.

8

Alibaba Cloud standard - Windows SMB security baseline check

Alibaba Cloud Windows SMB baseline standard.

2

Custom policy

Windows custom baseline

Full Windows custom baseline template. You can select check items and configure check item parameters through the template to meet custom baseline requirements.

63

Linux baselines

Baseline category

Baseline name

Baseline description

Number of check items

Internationally recognized security best practices

Alibaba Cloud Linux 2/3 internationally recognized security best practices baseline

Internationally recognized security best practices baselines are designed for enterprise users with professional security expertise. You can selectively harden your system based on the rich set of check items provided, according to your business scenarios and security requirements.

176

Rocky 8 internationally recognized security best practices baseline

161

CentOS Linux 6 internationally recognized security best practices baseline

194

CentOS Linux 7 internationally recognized security best practices baseline

195

CentOS Linux 8 internationally recognized security best practices baseline

162

Debian Linux 8 internationally recognized security best practices baseline

155

Ubuntu 14 internationally recognized security best practices baseline

175

Ubuntu 16/18/20 internationally recognized security best practices baseline

174

Ubuntu 22 internationally recognized security best practices baseline

148

Unauthorized access

InfluxDB unauthorized access high-risk

InfluxDB unauthorized access high-risk baseline.

1

Redis unauthorized access high-risk

Redis unauthorized access high-risk baseline.

1

Jboss unauthorized access high-risk

Jboss unauthorized access high-risk baseline.

1

ActiveMQ unauthorized access high-risk

ActiveMQ unauthorized access high-risk baseline.

1

RabbitMQ unauthorized access high-risk

RabbitMQ unauthorized access high-risk baseline.

1

OpenLDAP unauthorized access high-risk (Linux environment)

OpenLDAP unauthorized access vulnerability baseline.

1

Rsync unauthorized access high-risk

Rsync unauthorized access vulnerability baseline.

1

MongoDB unauthorized access high-risk

MongoDB unauthorized access high-risk baseline.

1

PostgreSQL unauthorized access high-risk baseline

PostgreSQL unauthorized access high-risk baseline.

1

Jenkins unauthorized access high-risk

Jenkins unauthorized access high-risk baseline.

1

Hadoop unauthorized access high-risk

Hadoop unauthorized access high-risk baseline.

1

CouchDB unauthorized access high-risk

CouchDB unauthorized access high-risk exploitation baseline.

1

ZooKeeper unauthorized access high-risk

ZooKeeper unauthorized access high-risk baseline.

1

Memcached unauthorized access high-risk

Memcached unauthorized access high-risk baseline.

1

Elasticsearch unauthorized access high-risk

Elasticsearch unauthorized access high-risk baseline.

1

MLPS compliance

MLPS Level 3 - SUSE 15 compliance baseline

SUSE 15 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

18

MLPS Level 3 - Alibaba Cloud Linux 3 compliance baseline

Alibaba Cloud Linux 3 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Alibaba Cloud Linux 2 compliance baseline check

Alibaba Cloud Linux 2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - BIND compliance baseline

BIND MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

4

MLPS Level 3 - CentOS Linux 6 compliance baseline

CentOS Linux 6 MLPS compliance baseline check, supporting China's MLPS 2.0 Level 3 standard, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - CentOS Linux 7 compliance baseline

CentOS Linux 7 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - CentOS Linux 8 compliance baseline

CentOS Linux 8 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Informix compliance baseline

Informix MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

6

MLPS Level 3 - Jboss 6/7 compliance baseline

Jboss 6/7 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

5

MLPS Level 3 - MongoDB compliance baseline

MongoDB MLPS compliance baseline check, supporting China's MLPS 2.0 Level 3 standard, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

6

MLPS Level 3 - MySQL compliance baseline

MySQL MLPS compliance baseline check, supporting China's MLPS 2.0 Level 3 standard, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

5

MLPS Level 3 - Nginx compliance baseline

Nginx MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

3

MLPS Level 3 - Oracle compliance baseline

Oracle MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

12

MLPS Level 3 - PostgreSQL compliance baseline

PostgreSQL MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

4

MLPS Level 3 - Red Hat Linux 6 compliance baseline

Red Hat Linux 6 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Red Hat Linux 7 compliance baseline

Red Hat Linux 7 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Redis compliance baseline

Redis MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

4

MLPS Level 3 - SUSE 10 compliance baseline

SUSE 10 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - SUSE 12 compliance baseline

SUSE 12 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - SUSE 11 compliance baseline

SUSE 11 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Ubuntu 14 compliance baseline

Ubuntu 14 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Ubuntu 16/18/20 compliance baseline

Ubuntu 16/18/20 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Ubuntu 22 compliance baseline

Ubuntu 22 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - WebSphere Application Server compliance baseline

WebSphere Application Server MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

7

MLPS Level 3 - TongWeb compliance baseline

TongWeb MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

4

MLPS Level 3 - WebLogic compliance baseline

WebLogic MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

5

MLPS Level 2 - Alibaba Cloud Linux 2 compliance baseline

Alibaba Cloud Linux 2 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

15

MLPS Level 2 - CentOS Linux 6 compliance baseline

CentOS Linux 6 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

15

MLPS Level 2 - CentOS Linux 7 compliance baseline

CentOS Linux 7 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

15

MLPS Level 2 - Debian Linux 8 compliance baseline

Debian Linux 8 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

12

MLPS Level 2 - Red Hat Linux 7 compliance baseline

Red Hat Linux 7 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

15

MLPS Level 2 - Ubuntu 16/18 compliance baseline

Ubuntu 16/18 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Debian Linux 8/9/10/11/12 compliance baseline

Debian Linux 8/9/10/11/12 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Kylin compliance baseline

Kylin MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - UOS compliance baseline

UOS MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

MLPS Level 3 - Anolis 8 compliance baseline

Anolis 8 MLPS compliance baseline check, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements.

19

Weak password

Zabbix login weak password check

Zabbix login weak password detection baseline.

1

Elasticsearch service login weak password check

Elasticsearch server login weak password detection baseline.

1

ActiveMQ login weak password check

ActiveMQ login weak password check.

1

RabbitMQ login weak password check

RabbitMQ login weak password check.

1

Linux system OpenVPN weak password detection

Detects common weak passwords for Linux system OpenVPN accounts.

1

Jboss 6/7 login weak password check

Jboss 6/7 login weak password detection baseline.

1

Jenkins login weak password check

Weak password detection baseline.

1

ProFTPD login weak password check

Weak password detection baseline.

1

WebLogic 12c login weak password detection

Checks whether WebLogic 12c users have weak password risks.

1

OpenLDAP login weak password check

OpenLDAP login account weak password detection baseline.

1

VNC Server weak password check

Detects common weak passwords for VNC server login accounts.

1

PPTPD service login weak password check

PPTP server login weak password detection baseline.

1

Oracle login weak password detection

Checks whether Oracle database users have weak password risks.

1

SVN service login weak password check

SVN server login weak password detection baseline.

1

Rsync service login weak password check

Rsync server login weak password detection baseline.

1

MongoDB login weak password detection

Checks whether MongoDB services have weak password risks. Supports versions 3.x and 4.x.

1

PostgreSQL database login weak password check

PostgreSQL database login account weak password detection baseline.

1

Apache Tomcat console weak password check

Apache Tomcat console login weak password check. Supports Tomcat 7, 8, and 9.

1

FTP login weak password check

Checks whether FTP services have login weak passwords or allow anonymous login.

1

Redis database login weak password check

Redis database login weak password detection baseline.

1

Linux system login weak password check

Weak password detection baseline.

1

MySQL database login weak password check (does not support version 8.x)

Weak password detection baseline.

1

MongoDB login weak password detection (supports version 2.x)

Checks whether MongoDB services have weak password users.

1

Container security

Unauthorized access - Redis container runtime unauthorized access risk

Detects whether unauthorized access to the Redis service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - MongoDB container runtime unauthorized access risk

Detects whether unauthorized access to MongoDB is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - Jboss container runtime unauthorized access risk

Detects whether unauthorized access to the Jboss service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - ActiveMQ container runtime unauthorized access risk

Detects whether unauthorized access to the ActiveMQ service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - Rsync container runtime unauthorized access risk

Detects whether unauthorized access to the Rsync service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - Memcached container runtime unauthorized access risk

Detects whether unauthorized access to the Memcached service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - RabbitMQ container runtime unauthorized access risk

Detects whether unauthorized access to the RabbitMQ service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - Elasticsearch container runtime unauthorized access risk

Detects whether unauthorized access to the Elasticsearch service is possible at container runtime by attempting to connect or read configuration files.

1

Unauthorized access - Jenkins container runtime unauthorized access risk

Detects whether unauthorized access to the Jenkins service is possible at container runtime by attempting to connect or read configuration files.

1

Kubernetes (ACK) master internationally recognized security best practices

Designed for enterprise users with professional security expertise. You can harden your system based on your business scenarios and security requirements.

52

Kubernetes (ACK) node internationally recognized security best practices

9

Weak password - ProFTPD container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the ProFTPD container runtime uses weak passwords.

1

Weak password - Redis container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Redis container runtime uses weak passwords.

1

Weak password - MongoDB container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the MongoDB container runtime uses weak passwords.

1

Weak password - Jboss container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Jboss container runtime uses weak passwords.

1

Weak password - ActiveMQ container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the ActiveMQ container runtime uses weak passwords.

1

Weak password - Rsync container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Rsync container runtime uses weak passwords.

1

Weak password - SVN container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the SVN container runtime uses weak passwords.

1

Weak password - Elasticsearch container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Elasticsearch container runtime uses weak passwords.

1

Weak password - MySQL container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the MySQL service uses weak passwords at container runtime.

1

Weak password - Tomcat container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Tomcat container runtime uses weak passwords.

1

Weak password - Jenkins container runtime weak password risk

Reads configuration files to obtain authentication information and attempts local connections using a weak password dictionary to check whether the Jenkins container runtime uses weak passwords.

1

Alibaba Cloud standard - Docker container component security baseline

Alibaba Cloud Docker container baseline standard.

8

Alibaba Cloud standard - Kubernetes node security baseline check

Alibaba Cloud Kubernetes baseline detection.

7

Alibaba Cloud standard - Kubernetes master security baseline check

Alibaba Cloud Kubernetes baseline detection.

18

Alibaba Cloud standard - Docker host security baseline check

Alibaba Cloud Docker host baseline standard.

10

Docker unauthorized access high-risk

Docker unauthorized access high-risk baseline.

1

Kubernetes API Server unauthorized access high-risk

Kubernetes API Server unauthorized access high-risk baseline.

1

Kubernetes (K8s) Pod internationally recognized security best practices

Kubernetes (K8s) Pod node security baseline standard.

12

Kubernetes (ACK) Pod internationally recognized security best practices

Kubernetes (ACK) Pod node security baseline standard.

7

Kubernetes (ECI) Pod internationally recognized security best practices

Kubernetes (ECI) Pod node security baseline standard.

2

Kubernetes (K8s) master internationally recognized security best practices

Kubernetes (K8s) master node security baseline standard.

55

Kubernetes (K8s) security policy - internationally recognized security best practices

Kubernetes (K8s) node security baseline standard.

34

Kubernetes (K8s) worker internationally recognized security best practices

Kubernetes (K8s) worker node security baseline standard.

16

Dockerd container - internationally recognized security best practices baseline

Designed for enterprise users with professional security expertise. You can harden your system based on your business scenarios and security requirements.

91

Dockerd host - internationally recognized security best practices baseline

25

Containerd container - internationally recognized security best practices

25

Containerd host - internationally recognized security best practices

22

Best security practices

Alibaba Cloud standard - Alibaba Cloud Linux 2/3 security baseline

Alibaba Cloud Alibaba Cloud Linux 2/3 baseline standard.

16

Alibaba Cloud standard - CentOS Linux 6 security baseline check

Alibaba Cloud CentOS Linux 6 baseline standard.

15

Alibaba Cloud standard - CentOS Linux 7/8 security baseline check

Alibaba Cloud CentOS Linux 7/8 baseline standard.

15

Alibaba Cloud standard - Debian Linux 8/9/10/11/12 security baseline check

Alibaba Cloud Debian Linux 8/9/10/11/12 baseline check standard.

15

Alibaba Cloud standard - Red Hat Linux 6 security baseline check

Alibaba Cloud Red Hat Linux 6 baseline standard.

15

Alibaba Cloud standard - Red Hat Linux 7/8 security baseline check

Alibaba Cloud Red Hat Linux 7/8 baseline standard.

15

Alibaba Cloud standard - Ubuntu security baseline check

Alibaba Cloud Ubuntu baseline check.

15

Alibaba Cloud standard - Memcached security baseline check

Alibaba Cloud Memcached baseline standard.

5

Alibaba Cloud standard - MongoDB security baseline check (supports version 3.x)

Alibaba Cloud MongoDB baseline standard.

9

Alibaba Cloud standard - MySQL security baseline check

Alibaba Cloud MySQL baseline standard. Supported versions: MySQL 5.1 to MySQL 5.7.

12

Alibaba Cloud standard - Oracle security baseline check

Alibaba Cloud Oracle 11g baseline standard.

14

Alibaba Cloud standard - PostgreSQL security baseline check

Alibaba Cloud PostgreSQL baseline standard.

11

Alibaba Cloud standard - Redis security baseline check

Alibaba Cloud Redis baseline standard.

7

Alibaba Cloud standard - Anolis 7/8 security baseline check

Alibaba Cloud Anolis 7/8 baseline standard.

16

Alibaba Cloud standard - Apache security baseline check

Middleware-level baseline detection based on internationally recognized security best practices and Alibaba Cloud baseline standards.

19

Alibaba Cloud standard - CouchDB security baseline check

Alibaba Cloud standard - CouchDB security baseline check.

5

Alibaba Cloud standard - Elasticsearch security baseline check

Alibaba Cloud Elasticsearch baseline standard.

3

Alibaba Cloud standard - Hadoop security baseline check

Alibaba Cloud Hadoop security baseline check.

3

Alibaba Cloud standard - InfluxDB security baseline check

Alibaba Cloud InfluxDB baseline standard.

5

Alibaba Cloud standard - Jboss 6/7 security baseline check

Alibaba Cloud Jboss 6/7 security baseline check.

11

Alibaba Cloud standard - Kibana security baseline check

Alibaba Cloud Kibana baseline standard.

4

Alibaba Cloud standard - Kylin security baseline check

Alibaba Cloud standard - Kylin security baseline check.

15

Alibaba Cloud standard - ActiveMQ security baseline check

Alibaba Cloud ActiveMQ security baseline check.

7

Alibaba Cloud standard - Jenkins security baseline check

Alibaba Cloud Jenkins baseline standard.

6

Alibaba Cloud standard - RabbitMQ security baseline check

Alibaba Cloud RabbitMQ security baseline check.

4

Alibaba Cloud standard - Nginx security baseline check

Alibaba Cloud Nginx baseline check.

13

Alibaba Cloud standard - SUSE Linux 15 security baseline check

Alibaba Cloud SUSE Linux 15 baseline standard.

15

Alibaba Cloud standard - UOS security baseline check

Alibaba Cloud UOS baseline standard.

15

Alibaba Cloud standard - Zabbix security baseline check

Alibaba Cloud Zabbix security baseline check.

6

Alibaba Cloud standard - Apache Tomcat security baseline check

Middleware-level baseline detection based on internationally recognized security best practices and Alibaba Cloud baseline standards.

13

Pingan Puhui standard - CentOS Linux 7 security baseline check

Based on Pingan Puhui CentOS Linux 7 baseline standard.

31

Pingan Puhui risk monitoring

Based on Pingan Puhui risk monitoring baseline standard.

7

Alibaba Cloud standard - SVN security baseline check

Alibaba Cloud SVN baseline standard.

2

Alibaba Cloud standard - AlmaLinux 8 security baseline check

Alibaba Cloud AlmaLinux 8 baseline standard.

16

Alibaba Cloud standard - Rocky Linux 8 security baseline check

Alibaba Cloud Rocky Linux 8 baseline standard.

16

Alibaba Cloud standard - TencentOS security baseline check

Alibaba Cloud TencentOS baseline standard.

16

Custom policy

CentOS Linux 7/8 custom security baseline check

Full CentOS Linux 7/8 custom baseline template. You can select check items and configure check item parameters through the template to meet custom baseline requirements.

53

CentOS Linux 6 custom baseline

Full CentOS Linux 6 custom baseline template. You can select check items and configure check item parameters through the template to meet custom baseline requirements.

47

Ubuntu custom security baseline check

Alibaba Cloud Ubuntu 14/16/18/20 custom baseline standard.

62

Red Hat 7/8 custom security baseline check

Red Hat 7/8 custom security baseline check.

53

Password security best practices

The baseline check feature can detect weak password risks. After discovering weak passwords, you can reference the following best practices to configure password complexity policies and improve server security.

Password complexity requirements

Secure passwords should meet the following requirements:

  • At least 8 characters in length. 12 or more characters are recommended.

  • Contains at least three character types: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (such as !@#$%^&*).

  • Avoid using personal information such as usernames, birthdays, or phone numbers as passwords. Avoid common dictionary passwords (such as admin123, password, etc.).

  • Use different passwords for different systems and services. Avoid reusing the same password across multiple locations.

Linux system password policy configuration

In Linux systems, you can configure password complexity policies by modifying the PAM (Pluggable Authentication Modules) configuration:

  1. Edit the PAM password configuration. For CentOS/Red Hat, edit the /etc/security/pwquality.conf file, or use the authconfig command:

    authconfig --passminlen=8 --passminclass=3 --update

  2. Configure password expiration policies by editing the /etc/login.defs file and setting the following parameters:

    • PASS_MAX_DAYS: Maximum number of days a password can be used. 90 days is recommended.

    • PASS_MIN_DAYS: Minimum number of days between password changes. 0 days is recommended.

    • PASS_WARN_AGE: Number of days to warn before password expiration. 7 days is recommended.

  3. To change a password, use the passwd command:

    passwd username

Note

PAM configuration methods may vary across Linux distributions. Adjust based on your actual environment. Before modifying password policies, ensure that existing business operations will not be affected.

Windows system password policy configuration

In Windows systems, you can configure password complexity through Local Security Policy or Group Policy:

  1. Open Local Security Policy (run secpol.msc).

  2. Navigate to Account Policies > Password Policy.

  3. Configure the following policy items:

    • Password must meet complexity requirements: Set to Enabled.

    • Minimum password length: Set to 8 characters or more.

    • Maximum password age: Set to 90 days.

    • Minimum password age: Set to 0 days.

    • Enforce password history: Set to 5 or more to prevent users from reusing old passwords.

Note

If the server is domain-joined, the password policy is managed uniformly by the domain controller. Configure Group Policy Objects (GPO) on the domain controller.

General security recommendations

  • Regularly change server passwords and service passwords for various services to reduce the risk of password leaks.

  • For SSH remote login, it is recommended to use key-based authentication instead of password-based authentication.

  • Use the Security Center baseline check feature to periodically scan for weak passwords and promptly identify and remediate password security risks.

  • If a weak password alert is detected, change to a strong password that meets complexity requirements as soon as possible and check for any anomalous login activity.

FAQ