Updated on 2025-08-11 GMT+08:00

Overview

SecMaster can scan cloud services for risks in key configuration items, report scan results by category, generate alerts for incidents, and provide hardening suggestions and guidelines.

SecMaster can check your cloud services for unsafe configurations based on preconfigured compliance packs, including Cloud Security Compliance Check 1.0, DJCP 2.0 Level 3 Requirements, Network Security, General Data Protection Regulation, OS Configuration Baseline, Huawei Cloud Security Configuration, Common Weak Password Detection, Password Complexity Policy Detection, PCI DSS, and NIST SP 800-53. In addition, you can add custom check items and compliance packs to meet your own needs.

Table 1 SecMaster built-in compliance packs

| Compliance Pack | Description | Applicable Region | Category | Domain |
|---|---|---|---|---|
| Cloud Security Compliance Check 1.0 | This compliance pack automates the assessment of your data security posture across four key areas: identity and access management, infrastructure security, data protection, and backup integrity. It helps you efficiently identify data security issues. | Global | Industry standards | Network security |
| DJCP 2.0 Level 3 Requirements | This compliance pack provides check items and guidelines to help you evaluate your data security management. It also suggests improvements based on the level 3 requirements of China's national standard GB/T 22239-2019, Information security technology - Baseline for classified protection of cybersecurity. | China | National standards | Network security |
| Network Security | This compliance pack offers automated security checks aligned with international best practices. It enables cloud customers to identify threats and risks across key assets, including cloud servers, web applications, object storage, and data security centers, enhancing overall network security capabilities. | Global | Industry standards | Network security |
| Huawei Cloud Security Configuration | This compliance pack automates security configuration checks for IAM, monitoring, compute (container and cloud server), network, storage, and data services against cloud security benchmarks, helping you establish and maintain a secure cloud foundation. | Global | Industry standards | Network security |
| GDPR | The General Data Protection Regulation (GDPR) is a comprehensive data privacy law established by the European Union to safeguard individuals' personal data and ensure its secure processing. It mandates that all organizations processing EU citizens' personal data must ensure transparent, lawful, and secure data processing practices. | European Union | Regional laws | Data protection |
| OS Configuration Baseline | This compliance pack checks password complexity policies, common weak passwords, and configurations. It can detect insecure password configurations and risky configurations in key software on servers, and provide rectification suggestions for detected risks, helping you correctly handle risky configurations on servers. | Global | Industry standards | Operating systems (OSs) |
| Common Weak Password Detection | This check compares passwords used by accounts with common weak passwords defined in a library and reminds users to change detected weak passwords. | Global | Industry standards | Operating systems (OSs) |
| Password Complexity Policy Detection | A password complexity policy specifies the rules that user passwords must comply with to improve password security and defend against brute-force attacks. This feature checks the password complexity policies in Linux and provides suggestions to help improve password security. | Global | Industry standards | Operating systems (OSs) |
| PCI-DSS | The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard jointly formulated by five major payment card brands (Visa, Mastercard, American Express, Discover, and JCB) to protect payment card data and prevent data leaks and frauds. | Global | Industry standards | Data security |
| NIST SP 800-53 | NIST SP 800-53 provides a comprehensive security control framework for organizations to identify, assess, and manage information security risks. | Global | Industry standards | Data security |
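
To make the Password Complexity Policy Detection row concrete, the following added example (not SecMaster or HSS code) shows what a Linux password complexity check can look like: it parses pam_pwquality settings in the `pwquality.conf` format and reports deviations from a baseline. The baseline thresholds, function names, and sample configurations are assumptions made for illustration.

```python
# Added example: audit pam_pwquality settings against a hypothetical baseline.
# BASELINE values are assumptions for illustration, not the HSS rule set.
BASELINE = {"minlen": 8, "minclass": 3}
CREDIT_KEYS = ("dcredit", "ucredit", "lcredit", "ocredit")

def parse_pwquality(text):
    """Parse 'key = value' lines, dropping comments and non-integer options."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        try:
            settings[key] = int(value)
        except ValueError:
            continue  # e.g. dictpath; not relevant to this check
    return settings

def enforced_classes(settings):
    """A negative credit makes that character class mandatory; minclass also counts."""
    forced = sum(1 for key in CREDIT_KEYS if settings.get(key, 0) < 0)
    return max(forced, settings.get("minclass", 0))

def audit(text):
    """Return (setting, message) findings; an empty list means the baseline is met."""
    s = parse_pwquality(text)
    findings = []
    if "minlen" not in s:
        findings.append(("minlen", "not set explicitly"))
    elif s["minlen"] < BASELINE["minlen"]:
        findings.append(("minlen", f"{s['minlen']} is below {BASELINE['minlen']}"))
    classes = enforced_classes(s)
    if classes < BASELINE["minclass"]:
        findings.append(("minclass", f"only {classes} character classes enforced"))
    for key in CREDIT_KEYS:
        if s.get(key, 0) > 0:
            # Positive credits let characters of that class count extra toward minlen.
            findings.append((key, "positive credit lets shorter passwords pass minlen"))
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = "# constructed\nminlen = 6\ndcredit = 1\n"
HARDENED_CONF = "minlen = 12  # constructed\ndcredit = -1\nucredit = -1\nlcredit = -1\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The positive-credit finding covers a case that a length-only check misses: a policy can state an acceptable `minlen` while still accepting shorter passwords.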

Limitations and Constraints

  • Only the SecMaster professional edition supports the OS Configuration Baseline, Common Weak Password Detection, and Password Complexity Policy Detection compliance packs. Before using these packs, you need to enable HSS baseline log access and the Automatically converts alarms option for HSS baseline logs in SecMaster. The procedure is as follows:
    1. In the navigation pane on the left in the target workspace, choose Log Audit > Cloud Service Access.
    2. Locate the HSS baseline row in Host Security Service, click the button in the Automatically converts alarms column, and then click Save. In the displayed dialog box, click OK. For more details, see Enabling Log Access.
  • Baseline inspection for the OS Configuration Baseline, Common Weak Password Detection, and Password Complexity Policy Detection compliance packs is performed in HSS instead of SecMaster. However, you can view check results in SecMaster. If you need to perform HSS baseline inspection, go to the HSS console and complete the inspection. For details, see Performing Baseline Inspection on HSS.

Baseline Check Methods

  • Automated baseline checks

    By default, SecMaster checks assets associated with the Cloud Security Compliance Check 1.0 compliance pack in the current region of your account every three days from 00:00 to 06:00.

    The default check plan only allows you to enable or disable automatic baseline checks.

  • Scheduled custom baseline checks

    You can customize the automatic check period, time, and scope. You can also customize the check items that can be automated in Cloud Security Compliance Check 1.0, Network Security, and Huawei Cloud Security Configuration. For details about how to perform a baseline inspection, see Performing a Scheduled Baseline Check.

  • Immediate baseline checks

    You can start all security standards or a specific check plan to detect violations in real time.

    You can set the auto check items in the compliance packs. For check items that support only manual check, the system generates check items whose check results are To be checked. You need to perform a manual check offline and then report the check results to the SecMaster console.

    For details about immediate baseline checks, see Starting an Immediate Baseline Check.

    • You can start all compliance packs in use to detect violations against automatic check items.
    • You can start a check plan to detect violations against check items in the compliance pack configured in the check plan.
    • You can select one or more check items and start them at once.
  • Manual baseline checks

    There are some manual check items included in baseline inspection. After you finish a manual check, report the check results to SecMaster. The pass rate is calculated based on results from both manual and automatic checks. For automatic check items, you can manually start specific checks.

    All check items in DJCP 2.0 Level 3 Requirements, General Data Protection Regulation, PCI-DSS, and NIST SP 800-53 are manual. Some check items in Cloud Security Compliance Check 1.0, Huawei Cloud Security Configuration, and Network Security are manual.

    For details about manual checks, see Performing a Manual Baseline Check.

Usage Process

The process of using baseline inspection is as follows.

Table 2 Process

| No. | Operation | Description |
|---|---|---|
| 0 | (Optional) Enabling SecMaster access to HSS baseline logs in Host Security Service | This operation is required only when SecMaster professional edition is in use and the OS Configuration Baseline, Common Weak Password Detection, and Password Complexity Policy Detection compliance packs are enabled. For details about how to enable compliance packs, see Editing, Enabling, Disabling, or Deleting a Compliance Pack. In the navigation pane of the target workspace, choose Log Audit > Cloud Service Access. On the displayed page, click next to HSS baseline and the button in the Automatically converts alarms column, and click Save. In the dialog box displayed, click OK. For details, see Enabling Log Access. |
| 1 | Conducting a Scheduled Baseline Inspection | SecMaster uses the default check plan to check all assets. Default plan: SecMaster checks your assets under your account in the current region every three days from 00:00 to 06:00 based on Cloud Security Compliance Check 1.0. Custom plans: SecMaster performs baseline inspections based on the compliance packs and time you specify in the custom check plans. |
| 2 | Starting an Immediate Baseline Check | The baseline inspection supports periodic and immediate checks. Periodic check: The system automatically executes the default check plan or the check plans you configure. Immediate check: You can add or modify a custom check plan and start the check plan immediately. In this way, you can check whether the servers have certain unsafe configurations in real time. |
| 3 | Viewing Baseline Inspection Results | You can view the baseline inspection results after each manual check or automated check. You can quickly see which assets are affected and view details about the baseline inspection items. |
| 4 | Handling Baseline Inspection Results | You can handle risky items based on the rectification suggestions. |