What is the baseline check feature and how do I use this feature? - Security Center

Viruses and attackers can exploit the defects in the security configurations of a server to intrude into the server to steal data or insert webshells. The baseline check feature checks the configurations of operating systems, databases, software, and containers of a server. Then, you can harden the security of your assets, reduce the risks of intrusion, and meet the security compliance requirements based on the check results. This topic describes the baseline check feature and how to use the feature.

Limits

Only users of Security Center Advanced, Enterprise, and Ultimate can enable and use the baseline check feature.
Security Center Enterprise and Ultimate support the following capabilities:
- The Ultimate edition supports all capabilities that are provided by the baseline check feature. The Enterprise edition does not support the baselines of the container security type.
- Quick fixing of the baseline risks that are detected on a Linux server based on the Alibaba Cloud standards or the Multi-Level Protection Scheme (MLPS) standards.
Security Center Advanced supports the following capabilities:
- Baseline checks based only on the default baseline check policy.
- Baselines of the weak password type.

Feature description

The baseline check feature allows you to configure different baseline check policies. You can use the policies to scan multiple servers at a time to detect risks in the configurations of operating systems, account permissions, databases, weak passwords, and MLPS compliance. The baseline check feature also provides suggestions about how to fix baseline risks and allows you to fix the risks with a few clicks. For more information about the supported baseline checks, see Baselines.

Terms

Term	Description
baseline	Baselines are the minimum requirements for security practices and compliance checks. The baseline check feature checks various configurations of operating systems, databases, and middleware, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention.
weak password	A weak password can be easily deciphered or cracked by launching brute-force attacks. In most cases, a weak password has at least one of the following characteristics: The password contains less than eight characters. The password contains less than three types of characters. The password is found in the attacker's dictionary that is disclosed on the Internet or used by malicious software. A weak password is easy to crack. If attackers crack a weak password, the attackers can log on to the operating system, and then read and modify website code. Take note that weak passwords can cause your operating system and business to be vulnerable to attacks.

Policies

A policy is a collection of Security Center baseline check rules. A baseline check is performed based on a policy. Security Center provides the following types of baseline check policies: default baseline check, standard baseline check, and custom baseline check policies.

Policy type	Security Center edition	Baseline type	Scenario
Default baseline check policy	Advanced Enterprise Ultimate	The default baseline check policy includes more than 70 baselines. The following baseline types are supported: Windows baselines: Unauthorized access Best security practices Weak password Linux baselines: Unauthorized access Container security Best security practices Weak password Important Security Center Advanced supports only the baselines of the weak password type. Security Center Enterprise does not support the baselines of the container security type.	By default, Security Center performs baseline checks based on the default baseline check policy. You can modify only the start time and the servers to which the default baseline check policy is applied. After you purchase Security Center Advanced, Enterprise, or Ultimate, Security Center checks all the assets within your Alibaba Cloud account from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy.
Standard baseline check policy	Enterprise Ultimate	A standard baseline check policy includes more than 120 baselines. The following baseline types are supported: Windows baselines: Unauthorized access MLPS compliance Best security practices Basic protective security practices Internationally agreed best practices for security Weak password Linux baselines: Unauthorized access MLPS compliance Best security practices Container security Internationally agreed best practices for security Weak password Important Security Center Enterprise does not support the baselines of the container security type.	Compared with the default baseline check policy, standard baseline check policies support more baseline types including MLPS compliance and internationally agreed best practices for security. For the baseline types that are supported by both the two types of policies, standard baseline check policies support more baselines. You can modify parameters of standard baseline check policies. You can also create standard baseline check policies based on your business requirements.
Custom baseline check policy	Enterprise Ultimate	A custom baseline check policy includes more than 50 baselines. The following custom baseline types are supported: Windows baselines: Windows custom baseline Linux baselines: CentOS Linux 7/8 custom baseline CentOS Linux 6 custom baseline Ubuntu custom security baseline check Redhat7/8 Custom Security Baseline Check	Custom baseline check policies are used to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems. To adapt baseline check policies for your business, you can specify baseline check items in the policies for your assets and modify the parameters of some baselines.

Benefits

MLPS compliance
Checks existing configurations against MLPS level 2 and level 3 standards and internationally agreed best practices for security, and meets compliance and regulatory requirements. This helps enterprises build a security system that meets MLPS compliance requirements.
Comprehensive detection scope
Checks baseline configurations for weak passwords, unauthorized access, vulnerabilities, and configuration risks. The feature is available for more than 30 versions of operating systems and more than 20 types of databases and middleware.
Flexible policy configurations
Allows you to configure custom security policies, check intervals, and check scope. This helps you meet the security configuration requirements of various businesses.
Fixing solutions
Provides fixing solutions for risks that are detected on check items, which helps you quickly reinforce the security of your assets. The quick fixing capability helps you harden system baseline configurations and helps your system meet MLPS compliance requirements.

Step 1: Enable the baseline check feature

To use the baseline check feature, purchase Security Center Advanced, Enterprise, or Ultimate. Perform the following steps to purchase Security Center:
- If you did not purchase Security Center, go to the Security Center buy page to purchase Security Center Advanced, Enterprise, or Ultimate. For more information, see Purchase Security Center.
- If you use Security Center Basic or Anti-virus, perform the following steps:
  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
  2. In the left-side navigation pane, choose Risk Governance > Baseline Check.
  3. Click Upgrade Now to purchase Security Center Advanced, Enterprise, or Ultimate.
Install the Security Center agent on the servers on which you want to run baseline checks. For more information, see Install the Security Center agent.
Note
When the system runs baseline checks based on the default baseline check policy, the system checks the servers on which the Security Center agent is installed and online. You can select the servers to which the default baseline check policy, a standard baseline check policy, or a custom baseline check policy is applied by using server groups.

Step 2: (Optional) Manage a baseline check policy

The default baseline check policy includes more than 70 baselines of specific baseline types. To best suit your business requirements, you can create other types of baseline check policies and configure baselines for the policies.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Risk Governance > Baseline Check.
In the upper-right corner of the Baseline Check page, click Policy Management.
On the Scan Policy tab of the Policy Management panel, create a baseline check policy based on your business requirements.

Manage a scan policy

On the Scan Policy tab, you can create standard and custom baseline check policies or update existing policies based on your business requirements.

Create a standard baseline check policy

You can create a standard baseline check policy to check the baseline configurations of your assets in a comprehensive manner. Security Center runs baseline checks on your assets based on the baseline check policy that you created.

Click Create Standard Policy.
In the Baseline Check Policy panel, configure the Policy Name, Schedule, Check Start Time, Baseline Category, and Baseline Name parameters.
For more information about baseline checks, see Baselines.
Note
You can modify the parameters of some custom baselines based on your business requirements.

Select the servers to which the baseline check policy is applied and click Ok.

Parameter

Description

Scan Method

The method for scanning servers. Valid values:

Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some or all ECS instances across server groups.

Effective Server

The servers to which the baseline check policy is applied.

Note

By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default. For more information about how to create or modify a server group, see Manage servers.

Create a custom baseline check policy

You can create a custom baseline check policy to check whether risks exist in the configurations of your assets based on the custom baselines for operating systems.

Click Create Custom Policy.
In the Baseline Check Policy panel, configure the Policy Name, Schedule, and Check Start Time parameters. Then, configure the settings in the Baseline Name section.
For more information about baseline checks, see Baselines.

Select the servers to which the baseline check policy is applied and click Ok. The custom baseline check policy is created.

Parameter

Description

Scan Method

The method for scanning servers. Valid values:

Group: Security Center scans servers by server group. You can select one or more server groups.
ECS: Security Center scans ECS instances. You can select some or all ECS instances across server groups.

Effective Server

The servers to which the baseline check policy is applied.

Note

You can apply only one custom baseline check policy to the servers that belong to the same server group. If a server group is selected for an existing custom baseline check policy, you can no longer select the server group for the Effective Server parameter when you create a custom baseline check policy.
By default, newly purchased servers belong to All Groups > Default. To apply the policy to newly purchased servers, you must select Default. For more information about how to create or modify a server group, see Manage server groups, importance levels, and tags.

Update a baseline check policy
You can find a baseline check policy and click Edit or Delete in the Actions column to modify or delete the policy based on your business requirements.
Note
- After you delete a policy, you cannot restore the policy.
- You cannot delete the default baseline check policy or modify the baseline check items of the default baseline check policy. You can modify only the Check Start Time and Effective Server parameters of the default baseline check policy.
Configure a baseline check level
In the lower part of the Policy Management panel, you can configure a baseline check item level. Valid values: High, Medium, and Low. This configuration takes effect on all baseline check policies.

Add custom weak password rules

Security Center provides built-in weak password rules. You can also add custom weak password rules in the Security Center console based on your business requirements. To add custom weak password rules, you can go to the Policy Management panel, click the Custom Weak Password Rule tab, and then upload a file on the Upload File tab or generate weak passwords on the Custom Dictionary tab.

After you configure weak password check items in baseline check policies, Security Center checks whether weak passwords are configured for your assets based on your custom weak password rules.

Important

Before you upload a file, make sure that the following requirements are met:
- The size of the file cannot exceed 40 KB.
- Each line in the file contains only one weak password. Otherwise, Security Center cannot accurately detect weak passwords.
- The file contains up to 3,000 weak passwords.
- The custom weak password rules in the uploaded file overwrite all existing custom weak password rules.
You can use the custom dictionary to create custom weak password rules in Overwrite or Add mode.

Add custom weak password rules by uploading a file
Security Center checks whether weak passwords are configured for your assets based on the custom rules.
1. On the Upload File tab, click Download Template.
2. Configure weak password rules in the downloaded template based on your business requirements and save the template.
3. Click the Drag and Drop File to Upload section to upload the template.
Overwrite or add custom weak password rules by using the custom dictionary
1. On the Custom Dictionary tab, click Regenerate.
2. Configure the custom dictionary. The following table describes the parameters.
  Parameter
  Description
  Domain
  The domain name of your asset.
  Company name
  The name of your enterprise.
  Keyword
  The passwords that you want to add to the dictionary.
3. Click Generate Weak Password in Dictionary.
  You can view all weak passwords in the Weak Password in Dictionary section. You can add, modify, and remove weak passwords.
4. Use one of the following methods to complete the dictionary configuration:
  - Click Add and click OK to add the dictionary that you generated to the existing weak password rules.
  - Click Overwrite and click OK to overwrite all existing weak password rules with the dictionary that you generated.

Configure a baseline whitelist

If some baseline check items of a specific type do not pose security risks to all or specific servers, you can add the baseline check items to the baseline whitelist. After you add the baseline check items for the servers to the baseline whitelist, Security Center ignores the risks that are detected based on the baseline check items.

On the Baseline Whitelist tab, click Create Rule.
In the Create Baseline Whitelist Rule panel, configure the Check Item Type and Check Item parameters.
In the Rule Scope section, click the All Servers tab, or click the Specific Servers tab and select the servers that you want to manage.
Click Save.
Optional. On the Baseline Whitelist tab, find the rule that you want to manage and modify or delete the rule.
- Click Edit in the Actions column to modify the Rule Scope parameter. This operation allows you to remove a server from or add a server to the baseline whitelist.
- Click Delete in the Actions column to delete the rule and restore the baseline check on the servers that are specified in the rule.

Step 3: Run baseline checks based on a baseline check policy

The baseline check feature supports periodic and automatic checks and manual checks. The following list describes the check modes:

Periodic and automatic checks: periodic checks that automatically run based on the default, standard, or custom baseline check policy. Security Center runs comprehensive baseline checks from 00:00 to 06:00 every two days or during the time range that you specify based on the default baseline check policy.
Manual checks: If you have created or modified a custom baseline check policy, you can select it on the Baseline Check page, and click Check Now to start a manual check. Manual baseline checks allow you to scan for baseline risks in real time.

To immediately run a baseline check, perform the following steps:

On the Baseline Check Policy tab of the Baseline Check page, click the icon to the right of All Policies to view all existing baseline check policies. Then, select the baseline check policy that you want to use to immediately run a baseline check.
Click Check Now.
Move the pointer over Check Now. In the tooltip that appears, click View Progress to view the progress of the check.

Step 4: View the baseline check results and suggestions

Security Center displays baseline check results by baseline name and check item name. Security Center also provides suggestions for risk items.

In the upper part of the Baseline Check page, view the overall information about the baseline risks that are detected on your assets. The baseline risks are detected by using security baselines, compliance baselines, and custom baselines.
On the Baseline Check Policy tab, view the following information:
- Check results of all baseline check policies or a single baseline check policy
  In the policy overview section of the Baseline Check Policy tab, click the icon to view all baseline check policies, and select All Policies or a baseline check policy. The policy information, such as Checked Servers, Baselines, High Weak Password Risk, and Last Check Pass Rate, is displayed. By default, the Baseline Check Policy tab displays information about the Default policy.
  You can click the number below High Weak Password Risk to view all high weak password risks that are detected.
  Important
  - Weak password risks are of the High Risk severity. We recommend that you fix the high-risk items on which weak passwords are detected at the earliest opportunity. For more information about how to improve password security and change passwords in common systems, see Reinforce password security.
  - The following list describes the meaning of the color for the number below Last Check Pass Rate:
    Green: high pass rate of check items.
    Red: low pass rate of check items. We recommend that you go to the details of each check item and fix the detected baseline risks.
- List of baseline check results that are displayed by baseline name and suggestions
  1. In the list of baseline check results, click the name of a baseline to go to the baseline details panel. In the baseline details panel, view information such as affected assets, Passed Items, and Risk Item of the baseline.
  2. In the baseline details panel, find an affected asset and click View in the Actions column. In the Risk Item panel, view all baseline risks of the affected asset.
    Note
    If a check item is in the Passed state, no risk exists in the related configuration of the server.
    For example, you configure no password for a Redis database, which allows direct access to the Redis database. You also bind the Redis database to the IP address 127.0.0.1, which allows only access from the local host. In this case, the final result of the baseline check of the unauthorized access type is passed for the Redis database, and no related baseline risk is reported. You can choose whether to configure access control policies based on your business requirements.
  3. In the Risk Item panel, find the risk item whose details you want to view and click Details in the Actions column. In the message that appears, view information about the risk item, including Description, Check Tips, and Suggestions.
  4. Optional. Return to the baseline details panel. In the upper-right corner above the list of baseline check results, click the icon. In the Select Baseline Export Task dialog box, select an export method and click Export to export the list of the baseline check results.
    You can select one of the following export methods to export the weak passwords in the baseline check results:
    - Export Weak Password in Plaintext: exports the check results in which the weak passwords are in plaintext.
    - Mask and Export Weak Password: exports the check results after the weak passwords in the results are masked.
On the Risk Details tab that displays baseline check results by check item name, view suggestions for risk items.
In the upper part of the list of baseline check results, specify search conditions, such as the level, status, or type, to search for a check item. You can also enter the name of a check item in the search box to search for the check item.
Find the check item whose details you want to view and click Details in the Actions column. In the details panel, view the information about the check item, including Description, Suggestions, and Related Baselines. You can also view the list of affected assets.

Step 5: Handle baseline risks

On the Baseline Check page, handle baseline risks based on suggestions.

Handle baseline risks that are displayed by baseline name
In the list of baseline check results on the Baseline Check Policy tab, click the name of a baseline. In the panel that appears, find a server on which baseline risks are detected and click View in the Actions column. In the Risk Item panel, handle the baseline risks.
Handle baseline risks that are displayed by check item name
In the list of baseline check results on the Risk Details tab, find a check item based on which baseline risks are detected and click Details in the Actions column. In the risk item details panel, handle the baseline risks.

The following sections describe how to handle baseline risks that are displayed by baseline name:

Fix

Security Center allows you to fix only some baseline risks. You can go to the Risk Item panel to check whether the Fix button appears for a risk item.

If the Fix button does not appear, the baseline risk cannot be fixed in the Security Center console. You must log on to the server on which the baseline risk is detected to modify the configurations of the server. After you modify the configurations, you can verify whether the baseline risk is fixed.
In the Risk Item panel, you can find the risk item that you want to manage and click Details in the Actions column. On the page that appears, you can view Description, Check Tips, and Suggestions of the risk item.

If the Fix button appears, you can fix the baseline risk in the Security Center console.

In the Risk Item panel, find the check item based on which baseline risks are detected and click Fix in the Actions column.

In the Fix Risks for Assets dialog box, configure the parameters.

The following table describes the parameters.

Parameter	Description
Fixing Method	The method that you use to fix a baseline risk. Note The method varies based on the type of the baseline risk. You can configure this parameter based on your business requirements.
Batch Handle	Specifies whether to handle the same baseline risk for multiple assets at a time.
System Protection	Specifies whether to create snapshots to back up your system data. Warning Security Center may fail to fix baseline risks. If this issue occurs, your workload may be affected. Before you fix baseline risks, we recommend that you create a backup for your system. If Security Center fails to fix the risks, you can use the backup to roll back your system. This helps ensure that your workload runs as expected. Automatically Create Snapshot and Fix Risk: If you select this option, you must configure the Snapshot Name and Snapshot Retention Period parameters before you click Fix Now. Note You are charged for the snapshots that are created. You can click Snapshot billing to view the billing methods of the snapshot service. Skip Snapshot and Fix: If you do not want to create snapshots before you fix baseline risks, you can select this option and click Fix Now.

Click Fix Now.

Add to Whitelist

If you trust a check item whose status is Not Passed for a server, you can add the check item to the whitelist. Then, the alerts that are generated for the check item on the server are ignored.

Important

After you add a check item of a server to the whitelist, the corresponding baseline risks that are detected on the server are ignored.

For example, if a non-root account is used to log on to an instance and you confirm that such logons are required for normal workloads, you can add the risk item to the whitelist.

Add specific baseline check items to the whitelist for a single server
In the Risk Item panel of the server that you want to manage, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. In the dialog box that appears, specify the reason for adding the baseline check item to the whitelist and click OK.
To add multiple baseline check items to the whitelist at a time, select the baseline check items that are in the Not Passed status and click Add to Whitelist in the lower-left corner.
Add specific baseline check items to the whitelist for all servers including newly added servers
On the Risk Details tab, find the baseline check item that you want to add to the whitelist and click Add to Whitelist in the Actions column. To add multiple baseline check items to the whitelist, select multiple baseline check items and click Add to Whitelist in the lower-left corner of the check item list.
Add some servers to the whitelist for a single baseline check item
On the Risk Details tab, find the baseline check item that you want to manage and click Details in the Actions column. In the check item details panel, select the servers that you want to add to the whitelist and click Add to Whitelist in the lower-left corner of the server list.

Verify

Check whether a baseline risk is fixed.

In the Risk Item panel, find the baseline check item that you want to manage and click Verify in the Actions column. Then, check whether the baseline risk on the server is fixed. If the verification is successful, the baseline risk is fixed, the number in the Risk Item column decreases, and the status of the risk item changes to Passed.

Note

If you do not perform manual verification, Security Center automatically checks whether the baseline risk is fixed based on the detection interval that is specified in your baseline check policy.

Rollback

Before you fix baseline risks for an ECS instance, we recommend that you create a snapshot for the ECS instance. This way, you can roll back the instance if a service interruption error occurs because the baseline risks fail to be fixed. To perform the rollback, you can find the instance in a baseline details panel and click Rollback in the Actions column. In the Rollback dialog box, select the snapshot that you created before you perform the fix and click OK. The configurations of the instance are rolled back based on the snapshot.

Remove from Whitelist

If you want a baseline check item in the whitelist to trigger alerts, you can remove the baseline check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the baseline check item belongs. After you remove the baseline check item from the whitelist or add the removed servers to the affected servers of the baseline check policy to which the baseline check item belongs, the baseline check item triggers alerts.

To remove a baseline check item from the whitelist, find the baseline check item in the Risk Item panel and click Remove from Whitelist in the Actions column. In the Remove from Whitelist dialog box, click OK. To remove multiple baseline check items from the whitelist, select the baseline check items and click Remove from Whitelist in the lower-left corner.

Baselines

Baseline categories

Baseline category	Check standard and description	Involved operating system and service	Fixing description
Weak password	Checks whether weak passwords are configured for your assets by using a method other than brute-force logons. The method does not lock your account, which prevents your workloads from being interrupted. Note Security Center detects weak passwords by comparing the hash value that is read by the system with the hash value that is calculated based on the weak password dictionary. If you do not want to enable the system to read the hash value, you can remove the baseline that detects weak passwords from your baseline check policy.	Operating systems Linux and Windows Databases MySQL, Redis, SQL Server, MongoDB, PostgreSQL, and Oracle Applications Tomcat, FTP, rsync, Subversion (SVN), ActiveMQ, RabbitMQ, OpenVPN, JBoss 6, JBoss 7, Jenkins, OpenLDAP, VNC Server, and pptpd	You must fix the baseline risks at the earliest opportunity. This way, you can prevent weak passwords from being exposed on the Internet. If weak passwords are exposed on the Internet, your assets can be attacked, and data breaches can occur.
Unauthorized access	Checks whether unauthorized access is implemented. Checks whether unauthorized access risks exist in your services. This prevents intrusions and data breaches.	Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, JBoss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, and PostgreSQL
Best security practices	Alibaba Cloud standards. Checks whether risks exist in the configurations based on the Alibaba Cloud standards of best security practices. The configurations involve account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention.	Operating systems CentOS 6, CentOS 7, and CentOS 8 Red Hat Enterprise Linux (RHEL) 6, RHEL 7, and RHEL 8 Ubuntu 14, Ubuntu 16, Ubuntu 18, and Ubuntu 20 Debian Linux 8, Debian Linux 9, Debian Linux 10, Debian Linux 11, and Debian Linux 12 Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 Windows Server 2022 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2008 R2 Rocky Linux 8 Alma Linux 8 SUSE Linux Enterprise Server (SLES) 15 Anolis 8 Kylin UOS TencentOS Databases MySQL, Redis, MongoDB, SQL Server, Oracle Database 11g, CouchDB, InfluxDB, and PostgreSQL Applications Tomcat, Internet Information Services (IIS), NGINX, Apache, Windows SMB, RabbitMQ, ActiveMQ, Elasticsearch, Jenkins, Hadoop, JBoss 6, JBoss 7, and Tomcat	We recommend that you fix the detected risks. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets.
Container security	Alibaba Cloud standards. Checks whether the Kubernetes master nodes and nodes contain risks based on the Alibaba Cloud standards of best practices for container security.	Docker Kubernetes clusters
MLPS compliance	The standards of MLPS level 2 and MLPS level 3. Checks configurations based on the baselines for MLPS compliance for servers. The baseline checks meet the standards and requirements for a computing environment that are proposed by authoritative assessment organizations.	Operating systems CentOS 6, CentOS 7, and CentOS 8 RHEL 6, RHEL 7, and RHEL 8 Ubuntu 14, Ubuntu 16, Ubuntu 18, and Ubuntu 20 SLES 10, SLES 11, SLES 12, and SLES 15 Debian Linux 8, Debian Linux 9, Debian Linux 10, Debian Linux 11, and Debian Linux 12 Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 Windows Server 2022 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2008 R2 Anolis 8 Kylin UOS Databases Redis, MongoDB, PostgreSQL, Oracle, MySQL, SQL Server, and Informix Applications WebSphere Application Server, JBoss 6, JBoss 7, NGINX, WebLogic, Bind, and IIS	We recommend that you fix the detected risks based on the compliance requirements for your business.
Internationally agreed best practices for security	Checks configurations based on the baselines for internationally agreed best practices for security for operating systems.	CentOS 6, CentOS 7, and CentOS 8 Ubuntu 14, Ubuntu 16, Ubuntu 18, and Ubuntu 20 Debian Linux 8, Debian Linux 9, and Debian Linux 10 Alibaba Cloud Linux 2 Windows Server 2022 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2008 R2	We recommend that you fix the detected risks based on the compliance requirements for your business.
Custom baseline	Checks configurations based on custom baselines for CentOS Linux 7. You can specify or edit custom baselines in a custom baseline check policy based on your business requirements.	CentOS 7, CentOS 6, Windows Server 2022 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2008 R2	We recommend that you fix the risks that are detected based on the custom baselines that you specify. Security Center can reinforce the security of your assets based on the standards of best security practices. This prevents attacks and malicious modifications to the configurations of your assets.

Baseline checks

The following table describes the default baseline checks that are provided by Security Center.

Windows baselines

Baseline category	Baseline name	Baseline description	Number of check items
Basic protective security practices	SQL Server Risk Permission Check	Checks permission risks for SQL Server.	1
Basic protective security practices	IIS Risk Permission Check	Checks permission risks for IIS.	1
Internationally agreed best practices for security	Windows Server 2008 R2 Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baselines are suitable for enterprise users who have professional security requirements. The baselines include a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results.	274
	Windows Server 2012 R2 Internationally Agreed Best Practices for Security		275
	Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security		275
	Windows Server 2022 R2 Internationally Agreed Best Practices for Security		262
Unauthorized access	Unauthorized Access-Redis unauthorized access high exploit vulnerability risk(Windows version)	Checks Redis vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
Unauthorized access	Unauthorized Access-LDAP unauthorized access high exploit vulnerability risk (Windows)	Checks Lightweight Directory Access Protocol (LDAP) vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
MLPS compliance	MLPS Level 3 Compliance Baseline for Windows 2008 R2	Checks whether the configurations of Windows Server 2008 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Windows 2012 R2	Checks whether the configurations of Windows Server 2012 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Windows Server 2016/2019	Checks whether the configurations of Windows Server 2016 R2 or Windows Server 2019 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for SQL Server	Checks whether the configurations of SQL Server are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	4
	MLPS Level 3 Compliance Baseline for IIS	Checks whether the configurations of Oracle are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	5
	MLPS Level 2 Compliance Baseline for Windows 2008 R2	Checks whether the configurations of Windows Server 2008 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	12
	MLPS Level 2 Compliance Baseline for Windows 2012 R2	Checks whether the configurations of Windows Server 2012 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	12
	MLPS Level 2 Compliance Baseline for Windows Server 2016/2019	Checks whether the configurations of Windows Server 2016 R2 or Windows Server 2019 R2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	12
Weak password	Weak password-Windows system login weak password baseline	Checks weak passwords that are used to log on to Windows Server operating systems. This baseline check provides more samples to detect common weak passwords and delivers better check performance than its early version.	1
	Weak password-Mysql DB login weak password baseline(Windows version)	Checks weak passwords that are used to log on to MySQL databases. This baseline check is suitable only for Windows operating systems.	1
	Weak password-SQL Server DB login weak password baseline	Checks weak passwords that are used to log on to Microsoft SQL Server databases.	1
	Weak password-Redis DB login weak password baseline(Windows version)	Checks weak passwords that are used to log on to Redis databases.	1
Best security practices	Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check	Checks whether the configurations of Windows Server 2008 R2 are compliant with the Alibaba Cloud standards of best security practices.	12
	Alibaba Cloud Standard - Windows 2012 R2 Security Baseline	Checks whether the configurations of Windows Server 2012 R2 are compliant with the Alibaba Cloud standards of best security practices.	12
	Alibaba Cloud Standard - Windows 2016/2019 Security Baseline	Checks whether the configurations of Windows Server 2016 and Windows Server 2019 are compliant with the Alibaba Cloud standards of best security practices.	12
	Alibaba Cloud Standard - Windows 2022 Security Baseline	Checks whether the configurations of Windows Server 2022 are compliant with the Alibaba Cloud standards of best security practices.	12
	Alibaba Cloud Standard-Redis Security Baseline Check (Windows version)	Checks whether the configurations of Redis databases are compliant with the Alibaba Cloud standards of best security practices. This baseline check is suitable only for Windows operating systems.	6
	Alibaba Cloud Standard-SQL Server Security Baseline Check	Checks whether the configurations of SQL Server 2012 are compliant with the Alibaba Cloud standards of best security practices.	17
	Alibaba Cloud Standard - IIS 8 Security Baseline Check	Checks whether the configurations of IIS 8 are compliant with the Alibaba Cloud standards of best security practices.	8
	Alibaba Cloud Standard - Apache Tomcat Security Baseline(on windows)	Checks whether the middleware configurations of Apache Tomcat are compliant with internationally agreed best practices for security and the Alibaba Cloud standards.	8
	Alibaba Cloud Standard - Windows SMB Security Baseline Check	Checks whether the configurations of Windows SMB are compliant with the Alibaba Cloud standards of best security practices.	2
Custom policy	Windows custom baseline	The custom template that contains all baseline check items related to Windows. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements.	63

Linux baselines

Baseline category	Baseline name	Baseline description	Number of check items
Internationally agreed best practices for security	Alibaba Cloud Linux 2/3 Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baselines are suitable for enterprise users who have professional security requirements. The baselines include a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results.	176
	Rocky 8 Internationally Agreed Best Practices for Security		161
	CentOS Linux 6 LTS Internationally Agreed Best Practices for Security		194
	CentOS Linux 7 LTS Internationally Agreed Best Practices for Security		195
	CentOS Linux 8 LTS Internationally Agreed Best Practices for Security		162
	Debian Linux 8 Internationally Agreed Best Practices for Security		155
	Ubuntu 14 LTS Internationally Agreed Best Practices for Security		175
	Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security		174
	Ubuntu 22 LTS Internationally Agreed Best Practices for Security		148
Unauthorized access	Influxdb unauthorized access high exploit vulnerability risk	Checks InfluxDB vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Redis unauthorized access high exploit vulnerability risk	Checks Redis vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Jboss unauthorized access high exploit vulnerability risk	Checks JBoss vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	ActiveMQ unauthorized access high exploit vulnerability risk	Checks ActiveMQ vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	RabbitMQ unauthorized access high exploit vulnerability risk	Checks RabbitMQ vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	OpenLDAP unauthorized access vulnerability baseline (Linux)	Checks OpenLDAP vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Kubernetes-Apiserver unauthorized access to high-risk risks	Checks Kubernetes API server vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	rsync unauthorized access high exploit vulnerability risk	Checks rsync vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Mongodb unauthorized access high exploit vulnerability risk	Checks MongoDB vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Postgresql unauthorized access to high-risk risk baseline	Checks PostgreSQL vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Jenkins unauthorized access high exploit vulnerability risk	Checks Jenkins vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Hadoop unauthorized access high exploit vulnerability risk	Checks Apache Hadoop vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	CouchDB unauthorized access high exploit risk	Checks Apache CouchDB vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	ZooKeeper unauthorized access high exploit vulnerability risk	Checks Apache ZooKeeper vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Docker unauthorized access high vulnerability risk	Checks Docker vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Memcached unauthorized access high exploit vulnerability risk	Checks memcached vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
	Elasticsearch unauthorized access high exploit vulnerability risk	Checks Elasticsearch vulnerabilities that can be exploited by attackers to implement unauthorized access.	1
MLPS compliance	MLPS Level 3 Compliance Baseline for SUSE 15	Checks whether the configurations of SLES 15 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	18
	MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 3	Checks whether the configurations of Alibaba Cloud Linux 3 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 2	Checks whether the configurations of Alibaba Cloud Linux 2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Bind	Checks whether the configurations of Bind are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	4
	MLPS Level 3 Compliance Baseline for CentOS Linux 6	Checks whether the configurations of CentOS Linux 6 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for CentOS Linux 7	Checks whether the configurations of CentOS Linux 7 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for CentOS Linux 8	Checks whether the configurations of CentOS Linux 8 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Informix	Checks whether the configurations of Informix are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	6
	MLPS Level 3 Compliance Baseline for JBoss 6/7	Checks whether the configurations of JBoss 6 or JBoss 7 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	5
	MLPS Level 3 Compliance Baseline for MongoDB	Checks whether the configurations of MongoDB are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	6
	MLPS Level 3 Compliance Baseline for MySQL	Checks whether the configurations of MySQL are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	5
	MLPS Level 3 Compliance Baseline for Nginx	Checks whether the configurations of NGINX are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	3
	MLPS Level 3 Compliance Baseline for Oracle	Checks whether the configurations of Oracle are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	12
	MLPS Level 3 Compliance Baseline for PostgreSQL	Checks whether the configurations of PostgreSQL are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	4
	MLPS Level 3 Compliance Baseline for Red Hat Linux 6	Checks whether the configurations of RHEL 6 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Red Hat Linux 7	Checks whether the configurations of RHEL 7 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Redis	Checks whether the configurations of Redis are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	4
	MLPS Level 3 Compliance Baseline for SUSE 10	Checks whether the configurations of SLES 10 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for SUSE 12	Checks whether the configurations of SLES 12 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for SUSE 11	Checks whether the configurations of SLES 11 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Ubuntu 14	Checks whether the configurations of Ubuntu 14 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Ubuntu 16/18/20	Checks whether the configurations of Ubuntu 16, Ubuntu 18, or Ubuntu 20 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Ubuntu 22	Checks whether the configurations of Ubuntu 22 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Websphere Application Server	Checks whether the configurations of WebSphere Application Server are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	7
	MLPS Level 3 Compliance Baseline for TongWeb	Checks whether the configurations of TongWeb are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	4
	MLPS Level 3 Compliance Baseline for WebLogic	Checks whether the configurations of WebLogic are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	5
	MLPS Level 2 Compliance Baseline for Alibaba Cloud Linux 2	Checks whether the configurations of Alibaba Cloud Linux 2 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	15
	MLPS Level 2 Compliance Baseline for CentOS Linux 6	Checks whether the configurations of CentOS Linux 6 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	15
	MLPS Level 2 Compliance Baseline for CentOS Linux 7	Checks whether the configurations of CentOS Linux 7 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	15
	MLPS Level 2 Compliance Baseline for Debian Linux 8	Checks whether the configurations of Debian Linux 8 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	12
	MLPS Level 2 Compliance Baseline for Red Hat Linux 7	Checks whether the configurations of RHEL 7 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	15
	MLPS Level 2 Compliance Baseline for Ubuntu 16/18	Checks whether the configurations of Ubuntu 16 or Ubuntu 18 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 2) are used.	19
	MLPS Level 3 Compliance Baseline for Debian Linux 8/9/10/11/12	Checks whether the configurations of Debian Linux 8, Debian Linux 9, Debian Linux 10, Debian Linux 11, or Debian Linux 12 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Kylin	Checks whether the configurations of Kylin are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for UOS	Checks whether the configurations of UOS are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
	MLPS Level 3 Compliance Baseline for Anolis 8	Checks whether the configurations of Anolis 8 are compliant with MLPS standards. The check items included in the baseline are benchmarked against the testing standards and requirements on secure computing environments proposed by authoritative assessment organizations. During benchmarking, the MLPS 2.0 standards (level 3) are used.	19
Weak password	Zabbix login weak password baseline	Checks weak passwords that are used to log on to Zabbix.	1
	ElasticSearch login weak password baseline	Checks weak passwords that are used to log on to Elasticsearch servers.	1
	Activemq login weak password baseline	Checks weak passwords that are used to log on to ActiveMQ.	1
	RabbitMQ login weak password baseline	Checks weak passwords that are used to log on to RabbitMQ.	1
	OpenVPN weak password detection in Linux system	Checks common weak passwords of OpenVPN accounts in Linux operating systems.	1
	Jboss 6/7 login weak password baseline	Checks weak passwords that are used to log on to JBoss 6 and JBoss 7.	1
	Jenkins login weak password baseline	Checks weak passwords that are used to log on to Jenkins. This baseline check provides more samples to detect common weak passwords and delivers better check performance than its early version.	1
	Proftpd login weak password baseline	Checks weak passwords that are used to log on to a new version of ProFTPD. This baseline check contains diversified samples of common weak passwords for better check performance.	1
	Weblogic 12c login weak password detection	Checks weak password for users of WebLogic Server 12c.	1
	Openldap login weak password baseline	Checks weak passwords that are used to log on to OpenLDAP.	1
	VncServer weak password check	Checks common weak passwords that are used to log on to the VNC service.	1
	pptpd login weak password baseline	Checks weak passwords that are used to log on to PPTP servers.	1
	Oracle login weak password detection	Checks weak passwords for users of Oracle databases.	1
	svn login weak password baseline	Checks weak passwords that are used to log on to SVN servers.	1
	rsync login weak password baseline	Checks weak passwords that are used to log on to rsync servers.	1
	MongoDB Weak Password baseline	Checks weak passwords for the MongoDB service. MongoDB 3.x and 4.x support this baseline check.	1
	PostgreSQL DB login weak password baseline	Checks weak passwords that are used to log on to PostgreSQL databases.	1
	Apache Tomcat Console weak password baseline	Checks weak passwords that are used to log on to the Apache Tomcat console. Apache Tomcat 7, 8, and 9 support this baseline check.	1
	Ftp login weak password baseline	Checks weak passwords that are used to log on to FTP servers and anonymous logons to FTP servers.	1
	Redis DB login weak password baseline	Checks weak passwords that are used to log on to Redis databases.	1
	Linux system login weak password baseline	Checks weak passwords that are used to log on to a new version of Linux systems. This baseline check contains diversified samples of common weak passwords for better check performance.	1
	Mysql database login weak password check (version 8.x is not supported)	Checks weak passwords that are used to log on to a new version of MySQL databases. This baseline check contains diversified samples of common weak passwords for better check performance.	1
	MongoDB Weak Password baseline(support version 2. X)	Checks weak passwords for users of the MongoDB service.	1
Container security	Unauthorized access - Risk of unauthorized access to the Redis container service	Checks whether the Redis service can be accessed without permissions. The system attempts to connect to the Redis service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the MongoDB container service	Checks whether the MongoDB service can be accessed without permissions. The system attempts to connect to the MongoDB service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the Jboss container service	Checks whether the JBoss service can be accessed without permissions. The system attempts to connect to the JBoss service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the ActiveMQ container service	Checks whether the ActiveMQ service can be accessed without permissions. The system attempts to connect to the ActiveMQ service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the Rsync container service	Checks whether the rsync service can be accessed without permissions. The system attempts to connect to the rsync service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the Memcached container service	Checks whether the Memcached service can be accessed without permissions. The system attempts to connect to the Memcached service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the RabbitMQ container service	Checks whether the RabbitMQ service can be accessed without permissions. The system attempts to connect to the RabbitMQ service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the ES container service	Checks whether the Elasticsearch service can be accessed without permissions. The system attempts to connect to the Elasticsearch service or reads the configuration file of the service during container runtime to perform the check.	1
	Unauthorized access - Risk of unauthorized access to the Jenkins container service	Checks whether the Jenkins service can be accessed without permissions. The system attempts to connect to the Jenkins service or reads the configuration file of the service during container runtime to perform the check.	1
	Kubernetes(ACK) Master Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baselines are suitable for enterprise users who have professional security requirements. The baselines include a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results.	52
	Kubernetes(ACK) Node Internationally Agreed Best Practices for Security		9
	Weak Password-Proftpd container runtime weak password risk	Checks whether weak passwords are used during ProFTPD container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the ProFTPD service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during ProFTPD container runtime.	1
	Weak Password-Redis container runtime weak password risk	Checks whether weak passwords are used during Redis container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the Redis service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during Redis container runtime.	1
	Weak Password-MongoDB container runtime weak password risk	Checks whether weak passwords are used during MongoDB container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the MongoDB service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during MongoDB container runtime.	1
	Weak Password-Jboss container runtime weak password risk	Checks whether weak passwords are used during JBoss container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the JBoss service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during JBoss container runtime.	1
	Weak Password-ActiveMQ container runtime weak password risk	Checks whether weak passwords are used during ActiveMQ container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the ActiveMQ service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during ActiveMQ container runtime.	1
	Weak Password-Rsync container runtime weak password risk	Checks whether weak passwords are used during rsync container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the rsync service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during rsync container runtime.	1
	Weak Password-SVN container runtime weak password risk	Checks whether weak passwords are used during SVN container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the SVN service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during SVN container runtime.	1
	Weak Password-ES container runtime weak password risk	Checks whether weak passwords are used during Elasticsearch container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the Elasticsearch service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during Elasticsearch container runtime.	1
	Weak Password-Mysql container runtime weak password risk	Checks whether weak passwords are used during MySQL container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the MySQL service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during MySQL container runtime.	1
	Weak Password-Tomcat container runtime weak password risk	Checks whether weak passwords are used during Tomcat container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the Tomcat service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during Tomcat container runtime.	1
	Weak Password-Jenkins container runtime weak password risk	Checks whether weak passwords are used during Jenkins container runtime. The system reads files such as password configuration files to obtain authentication information and attempts to connect to the Jenkins service from an on-premises machine. If the service is connected, the system compares the used password against the weak password dictionary to check whether a weak password is used during Jenkins container runtime.	1
	Kubernetes(K8s) Pod Internationally Agreed Best Practices for Security (supports K8S Containerd pods)	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Kubernetes pods.	12
	Kubernetes(ACK) Pods Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Container Service for Kubernetes (ACK) pods.	7
	Kubernetes(ECI) Pod Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Elastic Container Instance pods.	2
	Kubernetes(K8S) Master Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Kubernetes master nodes.	55
	Kubernetes(K8S) Policy Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Kubernetes nodes.	34
	Kubernetes(K8S) Worker Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baseline is suitable for enterprise users who have professional security requirements. The baseline includes a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results. This baseline check is suitable for Kubernetes worker nodes.	16
	Dockerd Container Internationally Agreed Best Practices for Security	Checks system configurations based on the check items in internationally agreed best practices for security. The baselines are suitable for enterprise users who have professional security requirements. The baselines include a variety of check items that you can use based on your business scenarios and requirements. You can reinforce the security of your system based on the check results.	91
	Dockerd Host Internationally Agreed Best Practices for Security		25
	Containerd Container Internationally Agreed Best Practices for Security		25
	Containerd Host Internationally Agreed Best Practices for Security		22
Best security practices	Alibaba Cloud Standard - Alibaba Cloud Linux 2/3 Benchmark	Checks whether the configurations of Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3 are compliant with the Alibaba Cloud standards of best security practices.	16
	Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check	Checks whether the configurations of CentOS Linux 6 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check	Checks whether the configurations of CentOS Linux 7 or CentOS Linux 8 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Debian Linux 8/9/10/11/12 Security Baseline	Checks whether the configurations of Debian Linux 8, Debian Linux 9, Debian Linux 10, Debian Linux 11, or Debian Linux 12 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check	Checks whether the configurations of RHEL 6 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check	Checks whether the configurations of RHEL 7 or RHEL 8 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Ubuntu Security Baseline	Checks whether the configurations of Ubuntu are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Memcached Security Baseline Check	Checks whether the configurations of Memcached are compliant with the Alibaba Cloud standards of best security practices.	5
	Alibaba Cloud Standard - MongoDB Security Baseline Check (Version 3.x)	Checks whether the configurations of MongoDB are compliant with the Alibaba Cloud standards of best security practices.	9
	Alibaba Cloud Standard - Mysql Security Baseline Check	Checks whether the configurations of MySQL are compliant with the Alibaba Cloud standards of best security practices. MySQL 5.1 to MySQL 5.7 support this baseline check.	12
	Alibaba Cloud Standard - Oracle Security Baseline Check	Checks whether the configurations of Oracle Database 11g are compliant with the Alibaba Cloud standards of best security practices.	14
	Alibaba Cloud Standard-PostgreSql Security Initialization Check	Checks whether the configurations of PostgreSQL are compliant with the Alibaba Cloud standards of best security practices.	11
	Alibaba Cloud Standard - Redis Security Baseline Check	Checks whether the configurations of Redis are compliant with the Alibaba Cloud standards of best security practices.	7
	Alibaba Cloud Standard - Anolis 7/8 Security Baseline Check	Checks whether the configurations of Anolis 7 or Anolis 8 are compliant with the Alibaba Cloud standards of best security practices.	16
	Alibaba Cloud Standard - Apache Security Baseline Check	Checks whether the middleware configurations of Apache are compliant with internationally agreed best practices for security and the Alibaba Cloud standards.	19
	Alibaba cloud standard - CouchDB security baseline check	Checks whether the configurations of Apache CouchDB are compliant with Alibaba Cloud standards.	5
	Alibaba Cloud Standard - ElasticSearch Security Baseline Check	Checks whether the configurations of Elasticsearch are compliant with the Alibaba Cloud standards of best security practices.	3
	Alibaba Cloud Standard - Hadoop Security Baseline Check	Checks whether the configurations of Apache Hadoop are compliant with the Alibaba Cloud standards of best security practices.	3
	Alibaba Cloud Standard - Influxdb Security Baseline Check	Checks whether the configurations of InfluxDB are compliant with the Alibaba Cloud standards of best security practices.	5
	Alibaba Cloud Standard -Jboss 6/7 Security Baseline	Checks whether the configurations of JBoss 6 or JBoss 7 are compliant with the Alibaba Cloud standards of best security practices.	11
	Alibaba Cloud Standard - Kibana Security Baseline Check	Checks whether the configurations of Kibana are compliant with the Alibaba Cloud standards of best security practices.	4
	Alibaba Cloud Standard - Kylin Security Baseline Check	Checks whether the configurations of Kylin are compliant with Alibaba Cloud standards.	15
	Alibaba Cloud Standard -Activemq Security Baseline	Checks whether the configurations of ActiveMQ are compliant with the Alibaba Cloud standards of best security practices.	7
	Alibaba Cloud Standard - Jenkins Security Baseline Check	Checks whether the configurations of Jenkins are compliant with the Alibaba Cloud standards of best security practices.	6
	Alibaba Cloud Standard - RabbitMQ Security Baseline	Checks whether the configurations of RabbitMQ are compliant with the Alibaba Cloud standards of best security practices.	4
	Alibaba Cloud Standard - Nginx Security Baseline Check	Checks whether the configurations of NGINX are compliant with the Alibaba Cloud standards of best security practices.	13
	Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check	Checks whether the configurations of SLES 15 are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard - Uos Security Baseline Check	Checks whether the configurations of UOS are compliant with the Alibaba Cloud standards of best security practices.	15
	Alibaba Cloud Standard -Zabbix Security Baseline	Checks whether the configurations of Zabbix are compliant with the Alibaba Cloud standards of best security practices.	6
	Alibaba Cloud Standard-Apache Tomcat Security Baseline	Checks whether the middleware configurations of Apache Tomcat are compliant with internationally agreed best practices for security and the Alibaba Cloud standards.	13
	Ping An Puhui standard - CentOS Linux 7 security baseline inspection	Checks whether the configurations of CentOS Linux 7 are compliant with the Ping An Puhui standards.	31
	Alibaba Cloud Standard-Kubernetes-Node Security Baseline Check	Checks whether the configurations of Kubernetes nodes are compliant with the Alibaba Cloud standards of best security practices.	7
	Alibaba Cloud Standard-Kubernetes-Master Security Baseline Check	Checks whether the configurations of Kubernetes master nodes are compliant with the Alibaba Cloud standards of best security practices.	18
	Alibaba Cloud Standard-Docker Host Security Baseline Check	Checks whether the configurations of Docker hosts are compliant with the Alibaba Cloud standards of best security practices.	10
	Alibaba Cloud standard-Docker container security baseline check (supports K8S Docker pods)	Checks whether the configurations of Docker containers are compliant with the Alibaba Cloud standards of best security practices.	8
	Ping An Puhui risk monitoring	Checks risks based on the Ping An Puhui standards.	7
	Alibaba Cloud Standard - SVN Security Baseline Check	Checks whether the configurations of SVN are compliant with the Alibaba Cloud standards of best security practices.	2
	Alibaba Cloud Standard - Alma Linux 8 Security Baseline Check	Checks whether the configurations of Alma Linux 8 are compliant with the Alibaba Cloud standards of best security practices.	16
	Alibaba Cloud Standard - Rocky Linux 8 Security Baseline Check	Checks whether the configurations of Rocky Linux 8 are compliant with the Alibaba Cloud standards of best security practices.	16
	Alibaba Cloud Standard-TencentOS Security Baseline Check	Checks whether the configurations of TencentOS are compliant with the Alibaba Cloud standards of best security practices.	16
Custom policy	CentOS Linux 7/8 custom baseline	The custom template that contains all baseline check items related to CentOS Linux 7 or CentOS Linux 8. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements.	53
	CentOS Linux 6 custom baseline	The custom template that contains all baseline check items related to CentOS Linux 6. You can select baseline check items and configure parameters for baseline check items by using the template. This helps best suit your business requirements.	47
	Ubuntu custom security baseline check	Checks whether the configurations of Ubuntu 14, Ubuntu 16, Ubuntu 18, and Ubuntu 20 are compliant with the Alibaba Cloud standards of best security practices.	62
	Redhat7/8 Custom Security Baseline Check	Checks the configurations of RHEL 7 or RHEL 8 based on custom parameters.	53

FAQ

Which edition of Security Center do I need if I want to use the baseline check feature?
The baseline check feature is a basic service of Security Center. Before you can use this feature, you must purchase a specific edition of Security Center. To use this feature, you must purchase Security Center Advanced or a higher edition. Security Center Advanced supports only the baselines of the weak password type. If you need to use the baselines of other types, such as MLPS compliance, container security, and internationally agreed best practices for security, you must purchase Security Center Enterprise or Ultimate. For more information, see Purchase Security Center.
What do I do if Security Center fails to verify a fixed baseline risk?
Security Center may fail to verify a fixed baseline risk because the Security Center agent is offline.
If the Security Center agent on your server is displayed as offline, Security Center fails to perform baseline checks. We recommend that you troubleshoot this issue to ensure that the Security Center agent on your server is online. For more information, see Troubleshoot why the Security Center agent is offline.
What are the differences between baselines and vulnerabilities?
Baselines are the minimum security requirements for system configurations and management. Baselines include service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center checks various security configurations of operating systems and services, such as the configurations for weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. The feature also provides suggestions on how to reinforce security based on detected baseline risks. For more information, see Baselines.
Vulnerabilities refer to flaws in operating system implementation or security policies. The flaws include defects that exist in the design of operating system software or applications, and errors that occur during the development of the software or applications. Attackers can exploit vulnerabilities to access and steal data on your servers or undermine the security of your servers. To protect your assets, we recommend that you fix detected vulnerabilities at the earliest opportunity. For more information, see Overview.
Baseline check is a basic feature of Security Center. Only users of the Advanced, Enterprise, and Ultimate editions can use this feature. Users of the Basic and Anti-virus editions must upgrade Security Center to the Advanced or Enterprise edition to use this feature. For more information about upgrades, see Upgrade and downgrade Security Center.

Parameter	Description
Domain	The domain name of your asset.
Company name	The name of your enterprise.
Keyword	The passwords that you want to add to the dictionary.

Limits

Feature description

Terms

baseline

weak password

Policies

Benefits

Step 1: Enable the baseline check feature

Step 2: (Optional) Manage a baseline check policy

Manage a scan policy

Create a standard baseline check policy

Create a custom baseline check policy

Update a baseline check policy

Configure a baseline check level

Add custom weak password rules

Add custom weak password rules by uploading a file

Overwrite or add custom weak password rules by using the custom dictionary

Configure a baseline whitelist

Step 3: Run baseline checks based on a baseline check policy

Step 4: View the baseline check results and suggestions

Step 5: Handle baseline risks

Fix

Add to Whitelist

Verify

Rollback

Remove from Whitelist

Baselines

Baseline categories

Baseline checks

Windows baselines

Linux baselines

FAQ

Which edition of Security Center do I need if I want to use the baseline check feature?

What do I do if Security Center fails to verify a fixed baseline risk?

What are the differences between baselines and vulnerabilities?