Baseline Check Overview

What Is a Baseline Check?

Baselines specify the recommended security configurations for OSs, databases, middleware, and applications. They include the configurations of permissions, services, network, password security, and DJCP MLPS compliance.

HSS can check password complexity policies, common weak passwords, and other settings to detect insecure passwords and the configuration risks in systems and critical software. It also provides suggestions to help users correctly handle unsafe settings on servers.

Baseline Check Content

Check Item	Description	Supported HSS Edition
Baseline check	Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS. The configuration check standards include cloud security practices, DJCP MLPS compliance, and the general security standard. Cloud security practices: Based on Huawei Cloud's years of experience in cloud security practices, the service checks the security of systems and software in terms of account management, authentication and authorization, password policies, log management, service management, network configuration, and patch update. DJCP MLPS compliance: Check the security of systems and databases based on the DJCP Multi-Level Protection Scheme (MLPS) standard and the evaluation standards of authoritative organizations. General security standard: Based on China and international general security standards, check the security of the system and software from the perspectives of account management, password policy, authorization management, service management, configuration management, network management, and permission management. The following systems, databases, and applications can be checked: For Linux, Cloud security practices: Apache 2, Docker, MongoDB, Redis, MySQL 5, Nginx, Tomcat, SSH, vsftp, CentOS 7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master, HCE 1.1, HCE 2.0. DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu12, Ubuntu14, Ubuntu16, Ubuntu18, SUSE 12, SUSE 15, HCE1.1, EulerOS, and Alma. General security standard: HCE 1.1 NOTE: The MySQL baseline detection of Linux OS is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5. Rule: Do not set old_passwords to 1. Rule: Set secure_auth to 1 or ON. Rule: Do not set skip_secure_auth. Rule: Set log_warnings to 2. Rule: Configure the MySQL binlog clearing policy. Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER. Rule: Use the MySQL audit plug-in. For Windows, Cloud security practices: MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SQL Server. General security standard: Windows Server 2022 R2.	Enterprise, premium, WTP, and container editions
Password complexity policies	A password complexity policy specifies the rules that must be followed by user passwords to improve password security and prevent brute-force attacks. This feature checks the password complexity policies in Linux and provides suggestions to help users improve password security. Check items include: Password length: Check whether the password length required in the password complexity policy meets the security standard. Uppercase letters: Check whether the number of uppercase letters required in the password complexity policy meets the security standard. Lowercase letters: Check whether the number of lowercase letters required in the password complexity policy meets the security standard. Numeric characters: Check whether the number of numeric characters required in the password complexity policy meets the security standard. Special letters: Check whether the number of special characters required in the password complexity policy meets the security standard.	All
Common weak passwords	A weak password can be easily cracked. Weak passwords defined in the common weak password library. You can check for the weak passwords used by accounts and remind users to change them. Common weak password detection has the following restrictions: Supported cryptographic algorithms: SHA-256, SHA-512, and Yescrypt Supported account types: Linux: MySQL, FTP, Redis, and system accounts Windows: system accounts	All

Check Item

Description

Supported HSS Edition

Baseline check

Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS.

The configuration check standards include cloud security practices, DJCP MLPS compliance, and the general security standard.

Cloud security practices: Based on Huawei Cloud's years of experience in cloud security practices, the service checks the security of systems and software in terms of account management, authentication and authorization, password policies, log management, service management, network configuration, and patch update.
DJCP MLPS compliance: Check the security of systems and databases based on the DJCP Multi-Level Protection Scheme (MLPS) standard and the evaluation standards of authoritative organizations.
General security standard: Based on China and international general security standards, check the security of the system and software from the perspectives of account management, password policy, authorization management, service management, configuration management, network management, and permission management.

The following systems, databases, and applications can be checked:

For Linux,
- Cloud security practices: Apache 2, Docker, MongoDB, Redis, MySQL 5, Nginx, Tomcat, SSH, vsftp, CentOS 7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master, HCE 1.1, HCE 2.0.
- DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu12, Ubuntu14, Ubuntu16, Ubuntu18, SUSE 12, SUSE 15, HCE1.1, EulerOS, and Alma.
- General security standard: HCE 1.1
NOTE:
The MySQL baseline detection of Linux OS is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5.
- Rule: Do not set old_passwords to 1.
- Rule: Set secure_auth to 1 or ON.
- Rule: Do not set skip_secure_auth.
- Rule: Set log_warnings to 2.
- Rule: Configure the MySQL binlog clearing policy.
- Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER.
- Rule: Use the MySQL audit plug-in.
For Windows,
- Cloud security practices: MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SQL Server.
- General security standard: Windows Server 2022 R2.

Enterprise, premium, WTP, and container editions

Password complexity policies

A password complexity policy specifies the rules that must be followed by user passwords to improve password security and prevent brute-force attacks.

This feature checks the password complexity policies in Linux and provides suggestions to help users improve password security.

Check items include:

Password length: Check whether the password length required in the password complexity policy meets the security standard.
Uppercase letters: Check whether the number of uppercase letters required in the password complexity policy meets the security standard.
Lowercase letters: Check whether the number of lowercase letters required in the password complexity policy meets the security standard.
Numeric characters: Check whether the number of numeric characters required in the password complexity policy meets the security standard.
Special letters: Check whether the number of special characters required in the password complexity policy meets the security standard.

All

Common weak passwords

A weak password can be easily cracked.

Weak passwords defined in the common weak password library. You can check for the weak passwords used by accounts and remind users to change them.

Common weak password detection has the following restrictions:

Supported cryptographic algorithms: SHA-256, SHA-512, and Yescrypt
Supported account types:
- Linux: MySQL, FTP, Redis, and system accounts
- Windows: system accounts

All

Scenarios

Baseline compliance
Baseline checks are performed based on DJCP MLPS L2, DJCP MLPS L3, and international compliance security standards, helping companies build information systems that comply with related laws and regulations as well as industry standards.

Security audit
Periodically perform baseline checks on servers and containers to detect and rectify non-compliant system configurations in a timely manner, ensuring system security and reducing intrusion risks.

Usage Process

**Table 1** Usage process
No.	Operation	Description
1	Performing a Baseline Check	The baseline inspection supports automatic and manual baseline checks. Automatic baseline check: HSS automatically performs a baseline check on all servers at 01:00 every day. The server configurations, password complexity policies, and common weak passwords are checked. The premium, WTP, and container editions allow you to customize the automatic configuration check period. For details, see Configuration Check. For HSS professional, enterprise, premium, WTP, and container editions, you can customize weak passwords, enable or disable the password complexity check policy (for Linux only), and configure the automatic scan period. For details, see Weak Password Detection. Manual baseline inspection: To view the real-time baseline risks of a specified server, you can manually perform a baseline inspection.
2	Viewing and processing baseline inspection results	After the baseline inspection is complete, you need to view and handle baseline configuration risks.