Viruses and attackers can exploit the defects in the security configurations of a server to intrude into the server to steal data or insert webshells. The baseline check feature checks the configurations of operating systems, databases, software, and containers of a server. Then, you can harden the security of your assets, reduce the risks of intrusion, and meet the security compliance requirements based on the check results. This topic describes the baseline check feature and how to use the feature.
Limits
Only users of Security Center Advanced, Enterprise, and Ultimate can enable and use the baseline check feature.
Security Center Enterprise and Ultimate support the following capabilities:
The Ultimate edition supports all capabilities that are provided by the baseline check feature. The Enterprise edition does not support the baselines of the container security type.
Quick fixing of the baseline risks that are detected on a Linux server based on the Alibaba Cloud standards or the Multi-Level Protection Scheme (MLPS) standards.
Security Center Advanced supports the following capabilities:
Baseline checks based only on the default baseline check policy.
Baselines of the weak password type.
Feature description
The baseline check feature allows you to configure different baseline check policies. You can use the policies to scan multiple servers at a time to detect risks in the configurations of operating systems, account permissions, databases, weak passwords, and MLPS compliance. The baseline check feature also provides suggestions about how to fix baseline risks and allows you to fix the risks with a few clicks. For more information about the supported baseline checks, see Baselines.
Terms
Term | Description |
baseline | Baselines are the minimum requirements for security practices and compliance checks. The baseline check feature checks various configurations of operating systems, databases, and middleware, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. |
weak password | A weak password can be easily deciphered or cracked by launching brute-force attacks. In most cases, a weak password has at least one of the following characteristics: The password contains less than eight characters. The password contains less than three types of characters. The password is found in the attacker's dictionary that is disclosed on the Internet or used by malicious software. A weak password is easy to crack. If attackers crack a weak password, the attackers can log on to the operating system, and then read and modify website code. Take note that weak passwords can cause your operating system and business to be vulnerable to attacks. |
Policies
A policy is a collection of Security Center baseline check rules. A baseline check is performed based on a policy. Security Center provides the following types of baseline check policies: default baseline check, standard baseline check, and custom baseline check policies.
Policy type | Security Center edition | Baseline type | Scenario |
Default baseline check policy |
| The default baseline check policy includes more than 70 baselines. The following baseline types are supported:
Important
| By default, Security Center performs baseline checks based on the default baseline check policy. You can modify only the start time and the servers to which the default baseline check policy is applied. After you purchase Security Center Advanced, Enterprise, or Ultimate, Security Center checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy. |
Standard baseline check policy |
| A standard baseline check policy includes more than 120 baselines. The following baseline types are supported:
Important Security Center Enterprise does not support the baselines of the container security type. | Compared with the default baseline check policy, standard baseline check policies support more baseline types including MLPS compliance and internationally agreed best practices for security. For the baseline types that are supported by both the two types of policies, standard baseline check policies support more baselines. You can modify parameters of standard baseline check policies. You can also create standard baseline check policies based on your business requirements. |
Custom baseline check policy |
| A custom baseline check policy includes more than 50 baselines. The following custom baseline types are supported:
| Custom baseline check policies are used to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems. To adapt baseline check policies for your business, you can specify baseline check items in the policies for your assets and modify the parameters of some baselines. |
Benefits
MLPS compliance
Checks existing configurations against MLPS level 2 and level 3 standards and internationally agreed best practices for security, and meets compliance and regulatory requirements. This helps enterprises build a security system that meets MLPS compliance requirements.
Comprehensive detection scope
Checks baseline configurations for weak passwords, unauthorized access, vulnerabilities, and configuration risks. The feature is available for more than 30 versions of operating systems and more than 20 types of databases and middleware.
Flexible policy configurations
Allows you to configure custom security policies, check intervals, and check scope. This helps you meet the security configuration requirements of various businesses.
Fixing solutions
Provides fixing solutions for risks that are detected on check items, which helps you quickly reinforce the security of your assets. The quick fixing capability helps you harden system baseline configurations and helps your system meet MLPS compliance requirements.
Step 1: Enable the baseline check feature
To use the baseline check feature, purchase Security Center Advanced, Enterprise, or Ultimate. Perform the following steps to purchase Security Center:
If you did not purchase Security Center, go to the Security Center buy page to purchase Security Center Advanced, Enterprise, or Ultimate. For more information, see Purchase Security Center.
If you use Security Center Basic or Anti-virus, perform the following steps:
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose .
Click Upgrade Now to purchase Security Center Advanced, Enterprise, or Ultimate.
Install the Security Center agent on the servers on which you want to run baseline checks. For more information, see Install the Security Center agent.
NoteWhen the system runs baseline checks based on the default baseline check policy, the system checks the servers on which the Security Center agent is installed and online. You can select the servers to which the default baseline check policy, a standard baseline check policy, or a custom baseline check policy is applied by using server groups.
Step 2: (Optional) Manage a baseline check policy
The default baseline check policy includes more than 70 baselines of specific baseline types. To best suit your business requirements, you can create other types of baseline check policies and configure baselines for the policies.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
In the upper-right corner of the Baseline Check page, click Policy Management.
On the Scan Policy tab of the Policy Management panel, create a baseline check policy based on your business requirements.
Manage a scan policy
On the Scan Policy tab, you can create standard and custom baseline check policies or update existing policies based on your business requirements.
Create a standard baseline check policy
You can create a standard baseline check policy to check the baseline configurations of your assets in a comprehensive manner. Security Center runs baseline checks on your assets based on the baseline check policy that you created.
Click Create Standard Policy.
In the Baseline Check Policy panel, configure the Policy Name, Schedule, Check Start Time, Baseline Category, and Baseline Name parameters.
For more information about baseline checks, see Baselines.
NoteYou can modify the parameters of some custom baselines based on your business requirements.
Select the servers to which the baseline check policy is applied and click Ok.
Parameter
Description
Scan Method
The method for scanning servers. Valid values:
Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some or all ECS instances across server groups.
Effective Server
The servers to which the baseline check policy is applied.
NoteBy default, newly purchased servers belong to Manage servers.
. To apply the policy to newly purchased servers, you must select Default. For more information about how to create or modify a server group, see
Create a custom baseline check policy
You can create a custom baseline check policy to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems.
Click Create Custom Policy.
In the Baseline Check Policy panel, configure the Policy Name, Schedule, and Check Start Time parameters. Then, configure the settings in the Baseline Name section.
For more information about baseline checks, see Baselines.
Select the servers to which the baseline check policy is applied and click Ok. The custom baseline check policy is created.
Parameter
Description
Scan Method
The method for scanning servers. Valid values:
Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some or all ECS instances across server groups.
Effective Server
The servers to which the baseline check policy is applied.
NoteYou can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is selected for an existing custom baseline check policy, you can no longer select the server group for the Effective Server parameter when you create a custom baseline check policy.
By default, newly purchased servers belong to Manage server groups, importance levels, and tags.
. To apply the policy to newly purchased servers, you must select Default. For more information about how to create or modify a server group, see
Update a baseline check policy
You can find a baseline check policy and click Edit or Delete in the Actions column to modify or delete the policy based on your business requirements.
NoteAfter you delete a policy, you cannot restore the policy.
You cannot delete the default baseline check policy or modify the baseline check items of the default baseline check policy. You can modify only the Check Start Time and Effective Server parameters of the default baseline check policy.
Configure a baseline check level
In the lower part of the Policy Management panel, you can configure a baseline check item level. Valid values: High, Medium, and Low. This configuration takes effect on all baseline check policies.
Add custom weak password rules
Security Center provides built-in weak password rules. You can also add custom weak password rules in the Security Center console based on your business requirements. To add custom weak password rules, you can go to the Policy Management panel, click the Custom Weak Password Rule tab, and then upload a file on the Upload File tab or generate weak passwords on the Custom Dictionary tab.
After you configure weak password check items in baseline check policies, Security Center checks whether weak passwords are configured for your assets based on your custom weak password rules.
Before you upload a file, make sure that the following requirements are met:
The size of the file cannot exceed 40 KB.
Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
The file contains up to 3,000 weak passwords.
The custom weak password rules in the uploaded file overwrite all existing custom weak password rules.
You can use the custom dictionary to create custom weak password rules in Overwrite or Add mode.
Add custom weak password rules by uploading a file
Security Center checks whether weak passwords are configured for your assets based on the custom rules.
On the Upload File tab, click Download Template.
Configure weak password rules in the downloaded template based on your business requirements and save the template.
Click the Drag and Drop File to Upload section to upload the template.
Overwrite or add custom weak password rules by using the custom dictionary
On the Custom Dictionary tab, click Regenerate.
Configure the custom dictionary. The following table describes the parameters.
Parameter
Description
Domain
The domain name of your asset.
Company name
The name of your enterprise.
Keyword
The passwords that you want to add to the dictionary.
Click Generate Weak Password in Dictionary.
You can view all weak passwords in the Weak Password in Dictionary section. You can add, modify, and remove weak passwords.
Use one of the following methods to complete the dictionary configuration:
Click Add and click OK to add the dictionary that you generated to the existing weak password rules.
Click Overwrite and click OK to overwrite all existing weak password rules with the dictionary that you generated.
Configure a baseline whitelist
If some baseline check items of a specific type do not pose security risks to all or specific servers, you can add the baseline check items to the baseline whitelist. After you add the baseline check items for the servers to the baseline whitelist, Security Center ignores the risks that are detected based on the baseline check items.
On the Baseline Whitelist tab, click Create Rule.
In the Create Baseline Whitelist Rule panel, configure the Check Item Type and Check Item parameters.
In the Rule Scope section, click the All Servers tab, or click the Specific Servers tab and select the servers that you want to manage.
Click Save.
Optional. On the Baseline Whitelist tab, find the rule that you want to manage and modify or delete the rule.
Click Edit in the Actions column to modify the Rule Scope parameter. This operation allows you to remove a server from or add a server to the baseline whitelist.
Click Delete in the Actions column to delete the rule and restore the baseline check on the servers that are specified in the rule.
Step 3: Run baseline checks based on a baseline check policy
The baseline check feature supports periodic and automatic checks and manual checks. The following list describes the check modes:
Periodic and automatic checks: periodic checks that automatically run based on the default, standard, or custom baseline check policy. Security Center runs comprehensive baseline checks from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy.
Manual checks: If you have created or modified a custom baseline check policy, you can select it on the Baseline Check page, and click Check Now to start a manual check. Manual baseline checks allow you to scan for baseline risks in real time.
To immediately run a baseline check, perform the following steps:
(Recommended) On the Risk Details tab:
Click Scan Now on the right side of the check item statistics section.
In the Scan By Policy panel, select the target policy and click Scan in the Actions column to perform a baseline check.
On the Baseline Check Policy tab:
On the Baseline Check Policy tab of the Baseline Check page, click the icon to the right of All Policies to view all existing baseline check policies. Then, select the baseline check policy that you want to use to immediately run a baseline check.
Click Check Now.
Move the pointer over Check Now. In the tooltip that appears, click View Progress to view the progress of the check.
Step 4: View the baseline check results and suggestions
Security Center displays baseline check results by baseline name and check item name. Security Center also provides suggestions for risk items.
In the upper part of the Baseline Check page, view the overall information about the baseline risks that are detected on your assets. The baseline risks are detected by using security baselines, compliance baselines, and custom baselines. Both the passed items and those with identified risks are shown.
On the Baseline Check Policy tab, view the following information:
Check results of all baseline check policies or a single baseline check policy
In the policy overview section of the Baseline Check Policy tab, click the icon to view all baseline check policies, and select All Policies or a baseline check policy. The policy information, such as Checked Servers, Baselines, High Weak Password Risk, and Last Check Pass Rate, is displayed. By default, the Baseline Check Policy tab displays information about the Default policy.
You can click the number below High Weak Password Risk to view all high weak password risks that are detected.
ImportantWeak password risks are of the High Risk severity. We recommend that you fix the high-risk items on which weak passwords are detected at the earliest opportunity. For more information about how to improve password security and change passwords in common systems, see Reinforce password security.
The following list describes the meaning of the color for the number below Last Check Pass Rate:
Green: high pass rate of check items.
Red: low pass rate of check items. We recommend that you go to the details of each check item and fix the detected baseline risks.
List of baseline check results that are displayed by baseline name and suggestions
In the list of baseline check results, click the name of a baseline to go to the baseline details panel. In the baseline details panel, view information such as affected assets, Passed Items, and Risk Item of the baseline.
In the baseline details panel, find an affected asset and click View in the Actions column. In the Risk Item panel, view all baseline risks of the affected asset.
NoteIf a check item is in the Passed state, no risk exists in the related configuration of the server.
For example, you configure no password for a Redis database, which allows direct access to the Redis database. You also bind the Redis database to the IP address 127.0.0.1, which allows only access from the local host. In this case, the final result of the baseline check of the unauthorized access type is passed for the Redis database, and no related baseline risk is reported. You can choose whether to configure access control policies based on your business requirements.
In the Risk Item panel, find the risk item whose details you want to view and click Details in the Actions column. In the message that appears, view information about the risk item, including Description, Check Tips, and Suggestions.
Optional. Return to the baseline details panel. In the upper-right corner above the list of baseline check results, click the icon. In the Select Baseline Export Task dialog box, select an export method and click Export to export the list of the baseline check results.
You can select one of the following export methods to export the weak passwords in the baseline check results:
Export Weak Password in Plaintext: exports the check results in which the weak passwords are in plaintext.
Mask and Export Weak Password: exports the check results after the weak passwords in the results are masked.
On the Risk Details tab that displays baseline check results by check item name, view suggestions for risk items.
View the failed and handled check items.
In the Check Item Statistics section, click the numbers under Failed or Total Check Items Handled to see the specific items that failed or were handled.
NoteOnly the failed items from the past 30 days are available, while the handled items are retained for 365 days. Released assets are excluded from the statistics.
View detailed information about the target check items and suggestions for addressing risk items.
In the upper part of the list of baseline check results, specify search conditions, such as the level, status, or type, to search for a check item. You can also enter the name of a check item in the search box to search for the check item.
Find the check item whose details you want to view and click Details in the Actions column. In the details panel, view the information about the check item, including Description, Suggestions, and Related Baselines. You can also view the list of affected assets.
Step 5: Handle baseline risks
On the Baseline Check page, handle baseline risks based on suggestions.
Handle baseline risks that are displayed by baseline name
In the list of baseline check results on the Baseline Check Policy tab, click the name of a baseline. In the panel that appears, find a server on which baseline risks are detected and click View in the Actions column. In the Risk Item panel, handle the baseline risks.
Handle baseline risks that are displayed by check item name
In the list of baseline check results on the Risk Details tab, find a check item based on which baseline risks are detected and click Details in the Actions column. In the risk item details panel, handle the baseline risks.
The following sections describe how to handle baseline risks that are displayed by baseline name:
Fix
Security Center allows you to fix only some baseline risks. You can go to the Risk Item panel to check whether the Fix button appears for a risk item.
If the Fix button does not appear, the baseline risk cannot be fixed in the Security Center console. You must log on to the server on which the baseline risk is detected to modify the configurations of the server. After you modify the configurations, you can verify whether the baseline risk is fixed.
In the Risk Item panel, you can find the risk item that you want to manage and click Details in the Actions column. On the page that appears, you can view Description, Check Tips, and Suggestions of the risk item.
If the Fix button appears, you can fix the baseline risk in the Security Center console.
In the Risk Item panel, find the check item based on which baseline risks are detected and click Fix in the Actions column.
In the Fix Risks for Assets dialog box, configure the parameters.
The following table describes the parameters.
Parameter
Description
Fixing Method
The method that you use to fix a baseline risk.
NoteThe method varies based on the type of the baseline risk. You can configure this parameter based on your business requirements.
Batch Handle
Specifies whether to handle the same baseline risk for multiple assets at a time.
System Protection
Specifies whether to create snapshots to back up your system data.
WarningSecurity Center may fail to fix baseline risks. If this issue occurs, your workload may be affected. Before you fix baseline risks, we recommend that you create a backup for your system. If Security Center fails to fix the risks, you can use the backup to roll back your system. This helps ensure that your workload runs as expected.
Automatically Create Snapshot and Fix Risk: If you select this option, you must configure the Snapshot Name and Snapshot Retention Period parameters before you click Fix Now.
NoteYou are charged for the snapshots that are created. You can click Snapshot billing to view the billing methods of the snapshot service.
Skip Snapshot and Fix: If you do not want to create snapshots before you fix baseline risks, you can select this option and click Fix Now.
Click Fix Now.
Add to Whitelist
If you trust a check item whose status is Not Passed for a server, you can add the check item to the whitelist. Then, the alerts that are generated for the check item on the server are ignored.
After you add a check item of a server to the whitelist, the corresponding baseline risks that are detected on the server are ignored.
For example, if a non-root account is used to log on to an instance and you confirm that such logons are required for normal workloads, you can add the risk item to the whitelist.
Add specific baseline check items to the whitelist for a single server
In the Risk Item panel of the server that you want to manage, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the dialog box that appears, specify the reason for adding the baseline check item to the whitelist and click OK.
To add multiple baseline check items to the whitelist at a time, select the baseline check items that are in the Not Passed status and click Add to Whitelist in the lower-left corner.
Add specific baseline check items to the whitelist for all servers including newly added servers
On the Risk Details tab, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. To add multiple baseline check items to the whitelist, select multiple baseline check items and click Add to Whitelist in the lower-left corner of the check item list.
Add some servers to the whitelist for a single baseline check item
On the Risk Details tab, find the baseline check item that you want to manage and click Details in the Actions column. In the check item details panel, select the servers that you want to add to the whitelist and click Add to Whitelist in the lower-left corner of the server list.
Verify
Check whether a baseline risk is fixed.
In the Risk Item panel, find the baseline check item that you want to manage and click Verify in the Actions column. Then, check whether the baseline risk on the server is fixed. If the verification is successful, the baseline risk is fixed, the number in the Risk Item column decreases, and the status of the risk item changes to Passed.
If you do not perform manual verification, Security Center automatically checks whether the baseline risk is fixed based on the detection interval that is specified in your baseline check policy.
Rollback
Before you fix baseline risks for an ECS instance, we recommend that you create a snapshot for the ECS instance. This way, you can roll back the instance if a service interruption error occurs because the baseline risks fail to be fixed. To perform the rollback, you can find the instance in a baseline details panel and click Rollback in the Actions column. In the Rollback dialog box, select the snapshot that you created before you perform the fix and click OK. The configurations of the instance are rolled back based on the snapshot.
Remove from Whitelist
If you want a baseline check item in the whitelist to trigger alerts, you can remove the baseline check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the baseline check item belongs. After you remove the baseline check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the baseline check item belongs, the baseline check item triggers alerts.
To remove a baseline check item from the whitelist, find the baseline check item in the Risk Item panel and click Remove from Whitelist in the Actions column. In the Remove from Whitelist dialog box, click OK. To remove multiple baseline check items from the whitelist, select the baseline check items and click Remove from Whitelist in the lower-left corner.
Baselines
Baseline categories
Baseline category | Check standard and description | Involved operating system and service | Fixing description |
Weak password | Checks whether weak passwords are configured for your assets by using a method other than brute-force logons. The method does not lock your account, which prevents your workloads from being interrupted. Note Security Center detects weak passwords by comparing the hash value that is read by the system with the hash value that is calculated based on the weak password dictionary. If you do not want to enable the system to read the hash value, you can remove the baseline that detects weak passwords from your baseline check policy. |
| You must fix the baseline risks at the earliest opportunity. This way, you can prevent weak passwords from being exposed on the Internet. If weak passwords are exposed on the Internet, your assets can be attacked, and data breaches can occur. |
Unauthorized access | Checks whether unauthorized access is implemented. Checks whether unauthorized access risks exist in your services. This prevents intrusions and data breaches. | Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, JBoss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, and PostgreSQL | |
Best security practices | Alibaba Cloud standards. Checks whether risks exist in the configurations based on the Alibaba Cloud standards of best security practices. The configurations involve account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. |
| We recommend that you fix the detected risks. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
Container security | Alibaba Cloud standards. Checks whether the Kubernetes master nodes and nodes contain risks based on the Alibaba Cloud standards of best practices for container security. |
| |
MLPS compliance | The standards of MLPS level 2 and MLPS level 3. Checks configurations based on the baselines for MLPS compliance for servers. The baseline checks meet the standards and requirements for a computing environment that are proposed by authoritative assessment organizations. |
| We recommend that you fix the detected risks based on the compliance requirements for your business. |
Internationally agreed best practices for security | Checks configurations based on the baselines for internationally agreed best practices for security for operating systems. |
| We recommend that you fix the detected risks based on the compliance requirements for your business. |
Custom baseline | Checks configurations based on custom baselines for CentOS Linux 7. You can specify or edit custom baselines in a custom baseline check policy based on your business requirements. | CentOS 7, CentOS 6, Windows Server 2022 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2008 R2 | We recommend that you fix the risks that are detected based on the custom baselines that you specify. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets. |
Baseline checks
The following table describes the default baseline checks that are provided by Security Center.
Windows baselines
Linux baselines
FAQ
Which edition of Security Center do I need if I want to use the baseline check feature?
What do I do if Security Center fails to verify a fixed baseline risk?
What are the differences between baselines and vulnerabilities?