Baseline risk check
When you need to meet classified protection compliance requirements, troubleshoot system configuration risks, or detect weak passwords, you can use the baseline risk check feature to perform security checks on server operating systems, databases, middleware, and container configurations. This topic describes the basic information, usage, and common risk item remediation plans for this feature.
Editions and billing
Paid editions of Security Center support the baseline risk check feature.
Edition | Description | Billing |
Anti-Virus edition and Value-added Service | To use all features of baseline risk check, you must enable the paid cloud security posture management (CSPM) feature. Using check items consumes CSPM quotas. | If you enable the paid cloud security posture management feature, see Paid usage of CSPM for billing details. |
Advanced edition and Enterprise edition |
| No additional fees required. |
Ultimate edition | Supports all baseline risk check items. | No additional fees required. |
Benefits
Classified protection compliance
Supports MLPS Level 2, MLPS Level 3, and internationally recognized security best practice baselines to meet various compliance and regulatory requirements.
Comprehensive detection
Supports weak password detection, unauthorized access detection, known insecure configuration detection, and configuration red-line inspection, covering more than 30 system versions and over 20 types of databases and middleware.
Flexible configuration
Supports custom security policies, check cycles, and check scopes to meet the security configuration needs of different businesses.
Detailed remediation plans
Check items provide remediation suggestions and support one-click fixes to quickly complete baseline hardening and meet classified protection requirements.
Workflow
Enable the feature: Purchase the Enterprise or Ultimate edition, or enable the paid cloud security posture management (CSPM) feature, to use all check items. See Enable the baseline risk check feature.
Install the agent: Install the Security Center agent on your servers. The console automatically synchronizes asset information every minute. For installation steps, see Install the agent. To check non-Alibaba Cloud servers, first connect the assets to Security Center. See Add multi-cloud assets.
Configure check policies: The default policy includes only some baseline types. You can configure more check items and policies based on your business needs. See Configure check policies.
Run checks: Select a policy and run it manually, or wait for the system to automatically scan based on the policy schedule. See Run baseline check policies.
View results: View the risky check items, affected assets, and remediation suggestions in the console. See View baseline check results and suggestions.
Remediate and verify: Remediate risks based on the suggestions and complete verification to confirm that the check items show as Passed. See Handle failed baseline risk items.
Feature description
The baseline check feature uses different check policies to batch-scan servers and identify risks in systems, account permissions, databases, weak passwords, and classified protection compliance configurations. It provides remediation suggestions and one-click fixes. For details about check content, see Baseline check content.
Key concepts
Term | Description |
Baseline | A baseline refers to security configuration red-line standards for operating systems, databases, and middleware based on best practices and compliance requirements. Checks cover weak passwords, account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention. |
Weak password | A weak password is a password that can be easily guessed or brute-forced. It typically includes simple passwords shorter than 8 characters or with fewer than 3 character types, as well as passwords from publicly available or malware-based hacker dictionaries. Weak passwords are easy to crack. If obtained by attackers, they can be used to directly log in to systems, read or even modify website code. Using weak passwords exposes systems and services to significant risk. |
Baseline policies
A policy is a collection of baseline check rules and is the basic unit for running baseline checks. Security Center provides three policy types: default policy, standard policy, and custom policy.
Policy type | Supported baseline check item types | Application scenarios |
Default policy | Supports the following baseline types:
| The system default baseline check policy. You can only edit the check time and target servers. After purchasing the Advanced, Enterprise, or Ultimate edition, the system checks all assets under your Alibaba Cloud account every other day between 00:00 and 06:00 (or a time you specify). |
Standard policy | Supports the following baseline types:
| Compared with the default policy, adds MLPS compliance and internationally recognized security best practices check types, and allows editing of all policy configuration items. You can configure baseline check policies based on your business scenarios. |
Custom policy | Supports the following custom OS baseline types:
| Checks for risks in asset configurations against custom OS baselines. You can customize check items and modify some baseline parameters to better align with your business scenarios. |
Supported servers
Security Center supports baseline checks for servers with an installed agent and normal status. When setting up a policy, you can select the scope through server groups. See Install the agent and Manage servers for server onboarding methods.
Risk levels
Security Center classifies risks based on the severity and application scenarios of risk types.
Risk level | Baseline category | Description | Remediation |
High |
| This baseline risk type poses an intrusion risk and is classified as High. | Requires urgent remediation. Prevent weak passwords from being exposed to the Internet, which could lead to system intrusions or data breaches. |
| Although no intrusion risk exists, this is a configuration red-line inspection and is classified as High risk. | Important security hardening items. Remediate promptly. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks. | |
Custom baseline | Relates to customer-specific security events. This is a configuration red-line inspection and is classified as High risk. | User-defined security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks. | |
Medium |
| Compliance risks are checked and remediated based on whether compliance is required. No intrusion risk exists and this is not a configuration red-line inspection, so it is classified as Medium risk. | Remediate based on whether your business has compliance requirements. |
Remediation methods
Security Center provides remediation suggestions for at-risk check items to harden system security.
Manual remediation: Log on to the affected server, modify the corresponding configurations, and then click Verify in Security Center.
One-click remediation: Security Center supports one-click fixes for some baseline check items. Whether a check item supports this is determined by whether the risk item panel shows a Fix button. See Fix risk items.
Baseline check content
Baseline categories
Baseline category | Check standards and content | Covered systems and services | Remediation urgency |
Weak password | Uses non-brute-force methods to detect weak passwords. Avoids account lockouts from brute-force attacks that could affect normal business operations. Note Weak password detection compares hash values read from the system against hashes computed from a weak password dictionary. To avoid hash value reading, remove the weak password baseline from your baseline check policy. |
| Requires urgent remediation. Prevent weak passwords from being exposed to the Internet, which could lead to system intrusions or data breaches. |
Unauthorized access | Unauthorized access baseline. Detects whether services have unauthorized access risks to prevent intrusions or data breaches. | Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, Jboss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, PostgreSQL | |
Best security practices | Alibaba Cloud standard Based on Alibaba Cloud best security practice standards, detects security configuration risks in account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention. |
| Important security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks. |
Container security | Alibaba Cloud standard Based on Alibaba Cloud container best security practices, checks Kubernetes master and node configuration risks. |
| |
MLPS compliance | MLPS Level 2 and Level 3 compliance Based on server security MLPS baselines, aligned with authoritative evaluation organization security computing environment evaluation standards and requirements. |
| Remediate based on whether your business has compliance requirements. |
Internationally recognized security best practices | Operating system security baseline checks based on internationally recognized security best practices. |
| Remediate based on whether your business has compliance requirements. |
Custom baseline | Supports CentOS Linux 7 custom baselines. You can edit check items in the baseline check policy to define custom security hardening items. | CentOS 7, CentOS 6, Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2 | User-defined security hardening items. Remediation is recommended. Hardening based on best security practices reduces the risk of configuration weaknesses being exploited and configuration change risks. |
Baseline check items
The following table lists the baseline check items provided by Security Center.
Password security best practices
The baseline check feature can detect weak password risks. After discovering weak passwords, you can reference the following best practices to configure password complexity policies and improve server security.
Password complexity requirements
Secure passwords should meet the following requirements:
At least 8 characters in length. 12 or more characters are recommended.
Contains at least three character types: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (such as !@#$%^&*).
Avoid using personal information such as usernames, birthdays, or phone numbers as passwords. Avoid common dictionary passwords (such as admin123, password, etc.).
Use different passwords for different systems and services. Avoid reusing the same password across multiple locations.
Linux system password policy configuration
In Linux systems, you can configure password complexity policies by modifying the PAM (Pluggable Authentication Modules) configuration:
Edit the PAM password configuration. For CentOS/Red Hat, edit the
/etc/security/pwquality.conffile, or use theauthconfigcommand:authconfig --passminlen=8 --passminclass=3 --updateConfigure password expiration policies by editing the
/etc/login.defsfile and setting the following parameters:PASS_MAX_DAYS: Maximum number of days a password can be used. 90 days is recommended.PASS_MIN_DAYS: Minimum number of days between password changes. 0 days is recommended.PASS_WARN_AGE: Number of days to warn before password expiration. 7 days is recommended.
To change a password, use the
passwdcommand:passwd username
PAM configuration methods may vary across Linux distributions. Adjust based on your actual environment. Before modifying password policies, ensure that existing business operations will not be affected.
Windows system password policy configuration
In Windows systems, you can configure password complexity through Local Security Policy or Group Policy:
Open
Local Security Policy(runsecpol.msc).Navigate to
Account Policies>Password Policy.Configure the following policy items:
Password must meet complexity requirements: Set to
Enabled.Minimum password length: Set to 8 characters or more.
Maximum password age: Set to 90 days.
Minimum password age: Set to 0 days.
Enforce password history: Set to 5 or more to prevent users from reusing old passwords.
If the server is domain-joined, the password policy is managed uniformly by the domain controller. Configure Group Policy Objects (GPO) on the domain controller.
General security recommendations
Regularly change server passwords and service passwords for various services to reduce the risk of password leaks.
For SSH remote login, it is recommended to use key-based authentication instead of password-based authentication.
Use the Security Center baseline check feature to periodically scan for weak passwords and promptly identify and remediate password security risks.
If a weak password alert is detected, change to a strong password that meets complexity requirements as soon as possible and check for any anomalous login activity.