Updated on 2025-10-10 GMT+08:00

Baseline Check Overview

What Is a Baseline Check?

Baselines specify the recommended security configurations for OSs, databases, middleware, and applications. They include the configurations of permissions, services, network, password security, and DJCP MLPS compliance.

HSS can check password complexity policies, common weak passwords, and other settings to detect insecure passwords and the configuration risks in systems and critical software. It also provides suggestions to help users correctly handle unsafe settings on servers.

Baseline Check Content

Check item: Baseline check

Description: Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS.

The following systems, databases, and applications can be checked:

  • For Linux:
    • Cloud security practices: Apache 2, Docker, MongoDB, Redis, MySQL 5, Nginx, Tomcat, SSH, vsftp, CentOS 7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master, HCE 1.1, HCE 2.0.
    • DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18, SUSE 12, SUSE 15, HCE 1.1, and Alma.
    • General security standard: HCE 1.1
    NOTE:

    The MySQL baseline detection on Linux is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5.

    • Rule: Do not set old_passwords to 1.
    • Rule: Set secure_auth to 1 or ON.
    • Rule: Do not set skip_secure_auth.
    • Rule: Set log_warnings to 2.
    • Rule: Configure the MySQL binlog clearing policy.
    • Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER.
    • Rule: Use the MySQL audit plug-in.
  • For Windows:
    • Cloud security practices: MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SQL Server.

Supported HSS edition: Enterprise, premium, WTP, and container editions

Check item: Password complexity policies

Description: Check whether the password complexity policy for Linux system accounts is adequate, and modify it based on the suggestions provided by HSS to improve password security.

Supported HSS edition: All

Check item: Common weak passwords

Description: Check for weak passwords defined in the common weak password library. You can check for the weak passwords used by accounts and remind users to change them.

Linux supports weak password detection for MySQL, FTP, Redis, and system accounts. Windows supports weak password detection for system accounts.

Supported HSS edition: All
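
The MySQL 5 rules in the note above mostly correspond to settings in the server's option file. As an added illustration (not HSS's own check logic or code from the HSS documentation), this Python example evaluates five of them against option-file text. The function names, the treatment of unset or bare options and the sample file are assumptions made here; the binlog clearing and audit plug-in rules are left out because the page does not name the settings they inspect.

```python
# Added example (not HSS code): evaluate five of the MySQL 5 rules above
# against option-file text. Pass/fail semantics are this example's assumptions.

SAMPLE = """\
[client]
port = 3306

[mysqld]
old-passwords = 1        # legacy hashing
secure_auth = ON
log_warnings = 2
sql_mode = "STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER"
skip-secure-auth
"""  # constructed sample, not taken from a real server


def parse_mysqld(text):
    """Return [mysqld] options; '-' and '_' in option names are equivalent."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";!":  # comments; !include is not followed
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, sep, value = line.partition("=")
            key = key.strip().lower().replace("-", "_")
            # A bare option (no "=") is stored as None and treated as enabled.
            opts[key] = value.strip().strip("'\"") if sep else None
    return opts


def check_mysql5(text):
    """Return {rule: passed}; unset secure_auth or log_warnings counts as a fail."""
    o = parse_mysqld(text)
    sa = o.get("secure_auth", "")
    modes = {m.strip().upper() for m in (o.get("sql_mode") or "").split(",")}
    return {
        "old_passwords is not 1": o.get("old_passwords", "0") not in (None, "1"),
        "secure_auth is 1 or ON": sa is None or sa.lower() in ("1", "on"),
        "skip_secure_auth is not set": "skip_secure_auth" not in o,
        "log_warnings is 2": o.get("log_warnings") == "2",
        "sql_mode contains NO_AUTO_CREATE_USER": "NO_AUTO_CREATE_USER" in modes,
    }


if __name__ == "__main__":
    for rule, ok in check_mysql5(SAMPLE).items():
        print("PASS" if ok else "FAIL", rule)
```

The constructed sample fails two rules: `old-passwords = 1` and the bare `skip-secure-auth` line, which the parser matches despite the dash spelling.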

Usage Process

Table 1 Usage process

No. 1

Operation: Performing a Baseline Check

Description: Baseline checks can be performed automatically or manually.

  • Automatic baseline check: HSS automatically performs a baseline check on all servers at 01:00 every day. The server configurations, password complexity policies, and common weak passwords are checked.

    The premium, WTP, and container editions allow you to customize the automatic configuration check period. For details, see Configuration Check.

    For HSS enterprise, premium, WTP, and container editions, you can customize weak passwords and configure the automatic scan period. For details, see Weak Password Detection.

  • Manual baseline check: To view the real-time baseline risks of a specified server, you can manually perform a baseline check.

No. 2

Operation: Viewing and processing baseline inspection results

Description: After the baseline check is complete, view and handle the baseline configuration risks.