Performing a Scheduled Baseline Check
Scenarios
SecMaster can check whether your assets have risks based on baseline check plans. By default, every three days SecMaster automatically performs a baseline check on related assets in the current region under your account between 00:00 and 06:00, in accordance with the compliance pack Cloud Security Compliance Check 1.0. This function is enabled by default, so no manual action is required.
You can customize the automatic inspection period, time, and scope to create custom check plans.
This document describes how to create a custom baseline check plan.
Prerequisites
During a baseline check, some check items in the Huawei Cloud Security Configuration 3.0 compliance pack and all check items in the ISO/IEC 27002:2022 compliance pack rely on automatic alert conversion of SecMaster compliance baseline logs and Config audit baseline logs.
- Enabling the Config resource recorder: If the baseline check scope includes all check items in the ISO/IEC 27002:2022 compliance pack and some check items in the Huawei Cloud Security Configuration 3.0 compliance pack, you must enable the Config resource recorder on the Config console.
  - If the baseline check scope specifies certain accounts and only the current account is included, enable the Config resource recorder by referring to Configuring the Resource Recorder.
  - If the baseline check scope matches any of the following scenarios, enable the Config resource recorder by referring to Batch Configuring the Resource Recorder.
    - Scenario 1: The check scope includes all accounts.
    - Scenario 2: The check scope specifies certain accounts, and those accounts include one or more accounts other than the current account.
    - Scenario 3: The check scope specifies certain accounts, and those accounts include both the current account and other accounts.
- Cloud service access: If the baseline check includes all check items in the ISO/IEC 27002:2022 compliance pack and some check items in the Huawei Cloud Security Configuration 3.0 compliance pack, you need to integrate the following logs in SecMaster and enable automatic alert conversion:
  - Enable automatic alert conversion for compliance baseline logs in SecMaster. For details, see Enabling Log Access.
  - Enable automatic alert conversion for audit baseline logs in Config. For details, see Enabling Log Access.
Notes and Constraints
- A compliance pack can be added to only one check plan.
- SecMaster cannot execute check plans that include manual check items, so do not add compliance packs that contain manual check items to a check plan. The DJCP 2.0 Level 3 Requirements, General Data Protection Regulation, PCI DSS, and NIST SP 800-53 compliance packs contain manual check items.
- The baseline inspection for the OS Configuration Baseline, Common Weak Password Detection, and Password Complexity Policy Detection compliance packs is performed in HSS instead of SecMaster. However, you can view the check results in SecMaster. If you need to perform an HSS baseline inspection, go to the HSS console and complete the inspection there. For details, see Performing Baseline Inspection on HSS.
- Automatic check items in the Cloud Security Compliance Check 1.0, Network Security, and Huawei Cloud Security Configuration 3.0 compliance packs are supported.
- The default check plan can be enabled or disabled only. No changes on its compliance packs or execution time can be made.
Procedure
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
  Figure 1 Workspace management page
- In the navigation pane on the left, choose . On the displayed page, click the Security Standards tab. Then, click the Check Plan tab.
  Figure 2 Accessing the Check Plan tab
- On the Check Plan tab, click Create Plan. The pane for creating a plan is displayed on the right.
- Configure the check plan. The parameters are described in Table 1.
  Table 1 Parameters for creating a check plan
  Basic Information
  - Name: Custom check plan name. It must meet the following requirements:
    - The plan name can contain only letters, digits, underscores (_), and hyphens (-).
    - Length: 1 to 255 characters.
  - Schedule: Select the check period and the check triggering time from the drop-down lists.
    - Schedule: every day, every 3 days, every 7 days, every 15 days, or every 30 days
    - Check start time: 00:00-06:00, 06:00-12:00, 12:00-18:00, or 18:00-24:00
  - Log Source Account: Select the log source account. Only the operations account of the primary workspace can set the account range for baseline inspection.
    - All accounts: If you select All accounts, the check plan is applied to the operations account and all service accounts managed by the operations account.
    - Specify account: If you select Specify account and select some accounts, the check plan is applied to the selected service accounts managed by the operations account.
    The operations account and service account are defined as follows:
    - Operations account: An operations account, or parent account, is an account that can manage member accounts. An operations account can manage multiple service accounts.
    - Service account: A service account is a member account, or child account, managed by an operations account. A service account (child account) can be managed by only one operations account.
  - Select Compliance Pack: Select the compliance pack you plan to use.
- Click OK.
After the check plan is created, SecMaster performs cloud service baseline scanning at the specified time. You can then view the scan results.
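The constraints in Notes and Constraints, the Config resource recorder scenarios in Prerequisites, and the parameter rules in Table 1 are easy to get wrong when several plans are maintained by hand. The following Python script is an added example (not part of this documentation and not SecMaster's own API or data format) that lints a set of plan definitions before they are created in the console. The CheckPlan model, the function names, and the sample plans and account IDs are assumptions made for this example; the pack names and allowed values are the ones stated on this page.

```python
import re
from dataclasses import dataclass

# Constraints transcribed from the check-plan documentation. The CheckPlan
# model and the function names are assumptions for this example only; they
# are not SecMaster's API or data format.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,255}")
ALLOWED_PERIOD_DAYS = {1, 3, 7, 15, 30}
ALLOWED_START_WINDOWS = {"00:00-06:00", "06:00-12:00", "12:00-18:00", "18:00-24:00"}

# Packs that contain manual check items; SecMaster cannot execute plans that include them.
MANUAL_ITEM_PACKS = {
    "DJCP 2.0 Level 3 Requirements",
    "General Data Protection Regulation",
    "PCI DSS",
    "NIST SP 800-53",
}
# Packs with check items that depend on the Config resource recorder and alert
# conversion (all items of ISO/IEC 27002:2022, some items of Huawei Cloud Security
# Configuration 3.0). The check below is conservative: any use of these packs
# is treated as requiring the recorder.
CONFIG_DEPENDENT_PACKS = {
    "ISO/IEC 27002:2022",
    "Huawei Cloud Security Configuration 3.0",
}


@dataclass(frozen=True)
class CheckPlan:
    name: str
    period_days: int
    start_window: str
    all_accounts: bool      # True: "All accounts"; False: "Specify account"
    accounts: tuple = ()    # selected service accounts when all_accounts is False
    packs: tuple = ()       # compliance packs attached to this plan


def validate_plan(plan):
    """Return a list of constraint violations for one plan (empty list if valid)."""
    errors = []
    if not NAME_PATTERN.fullmatch(plan.name):
        errors.append("name must be 1-255 characters of letters, digits, '_' or '-'")
    if plan.period_days not in ALLOWED_PERIOD_DAYS:
        errors.append("period must be one of 1, 3, 7, 15 or 30 days")
    if plan.start_window not in ALLOWED_START_WINDOWS:
        errors.append("start window must be one of the four 6-hour windows")
    if not plan.all_accounts and not plan.accounts:
        errors.append("'Specify account' requires at least one account")
    if not plan.packs:
        errors.append("at least one compliance pack must be selected")
    for pack in plan.packs:
        if pack in MANUAL_ITEM_PACKS:
            errors.append(f"pack '{pack}' contains manual check items and cannot be scheduled")
    return errors


def validate_plans(plans):
    """Validate each plan and enforce that a compliance pack appears in at most one plan.

    Returns {plan name: [errors]} containing only the plans that have errors.
    """
    report = {}
    owners = {}  # pack -> name of the first plan that claimed it
    for plan in plans:
        errors = validate_plan(plan)
        for pack in plan.packs:
            if pack in owners and owners[pack] != plan.name:
                errors.append(f"pack '{pack}' is already used by plan '{owners[pack]}'")
            owners.setdefault(pack, plan.name)
        if errors:
            report[plan.name] = errors
    return report


def config_recorder_guide(plan, current_account):
    """Return which resource-recorder setup applies before the plan can run, or None.

    'single' -> configure the recorder for the current account only;
    'batch'  -> batch-configure it (all accounts, or any account other than the current one).
    """
    if not any(pack in CONFIG_DEPENDENT_PACKS for pack in plan.packs):
        return None
    if plan.all_accounts:
        return "batch"                          # Scenario 1: all accounts
    others = set(plan.accounts) - {current_account}
    return "batch" if others else "single"      # Scenarios 2 and 3 vs. current account only


if __name__ == "__main__":
    # Constructed sample plans; account IDs are placeholders.
    plans = [
        CheckPlan("weekly-iso", 7, "00:00-06:00", False, ("acct-a",), ("ISO/IEC 27002:2022",)),
        CheckPlan("daily-iso", 1, "06:00-12:00", True, (), ("ISO/IEC 27002:2022",)),
        CheckPlan("bad name!", 2, "01:00-07:00", False, (), ("PCI DSS",)),
    ]
    for name, errors in validate_plans(plans).items():
        print(name, "->", "; ".join(errors))
    for plan in plans:
        print(plan.name, "recorder setup:", config_recorder_guide(plan, "acct-a"))
```

Run the script as-is to see the lint report for the constructed sample; in practice, feed it the plan definitions you intend to enter in the console and create only those that come back clean.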
Related Operations
You can view, edit, enable, disable, or delete a custom check plan. For details, see Managing Check Plans.