Updated on 2026-06-24 GMT+08:00

Baseline Inspection

SecMaster baseline inspection lets you configure check plans that evaluate whether your cloud service configurations contain security risks. SecMaster currently provides the following compliance packs: Cloud Security Compliance Check 1.0, DJCP 2.0 Level 3 Requirements, Network Security, and Huawei Cloud Security Configuration.

The Cloud Security Compliance Check 1.0 and Network Security compliance packs are recommended.

SecMaster displays cloud service configuration check results by category, generates alerts for unsafe settings, and provides hardening suggestions and guidance.

Once all checks are completed, you can go to the check result details page, identify failed check items, and fix risks based on hardening suggestions provided by SecMaster. For systems participating in cybersecurity drills, you can use asset filters to identify all relevant assets and clear all associated risks. In addition, you can configure a check plan to scan and update results at a scheduled time every day.

Notes and Constraints

  • A compliance pack can be added to only one check plan.
  • SecMaster cannot execute check plans that include manual check items. So do not add compliance packs that include manual check items to a check plan. There are manual check items in DJCP 2.0 Level 3 Requirements, General Data Protection Regulation, PCI DSS, and NIST SP 800-53 compliance packs.
  • Baseline inspection for the OS Configuration Baseline, Common Weak Password Detection, and Password Complexity Policy Detection compliance packs is performed in HSS rather than in SecMaster, although the check results can be viewed in SecMaster. To run an HSS baseline inspection, go to the HSS console and complete it there. For details, see Performing Baseline Inspection on HSS.
  • Automatic check items are supported in the Cloud Security Compliance Check 1.0, Network Security, and Huawei Cloud Security Configuration 3.0 compliance packs.
  • The default check plan can be enabled or disabled only. No changes on its compliance packs or execution time can be made.

Configuring a Baseline Inspection Plan

A check plan is a scheduled scan task that defines security standards to be applied and the time at which the task starts. SecMaster will automatically perform periodic checks on your assets based on the check plan you configure. This ensures that you can receive the results in a timely manner.

You are advised to configure a daily check plan based on the Network Security compliance pack.

  1. Log in to the SecMaster console.
  2. Go to the target workspace.
  3. In the navigation pane on the left, choose Risk Prevention > Baseline Inspection. On the displayed page, click the Security Standards tab. Then, click the Check Plan tab.

    Figure 1 Accessing the Check Plan tab

  4. On the Check Plan tab, click Create Plan. The pane for creating a plan is displayed on the right.
  5. On the page for creating a check plan, configure the check plan.

    Table 1 Parameters for creating a check plan

    Parameter                 Description
    Basic Information
      Name                    Custom plan name.
      Schedule                How often and when the check is performed. You are advised to set the check time to 00:00–06:00 every day.
    Select Compliance Pack    Select Network Security.

  6. Click OK.

Starting an Immediate Full Baseline Check

  1. Log in to the SecMaster console.
  2. Go to the target workspace.
  3. In the navigation pane on the left, choose Risk Prevention > Baseline Inspection.

    Figure 2 Accessing the check result page

  4. On the check result page, click Check Now.
  5. Set the account range for the baseline inspection. This option is available only to the operations account of the primary workspace.

    1. In the displayed dialog box, select Scan Scope. The scan scope is the set of accounts the baseline inspection covers.
      • All accounts: the baseline inspection is performed for the operations account and all service accounts managed by it.
      • Specify account: the baseline inspection is performed only for the selected service accounts managed by the operations account.
    2. Click OK.
    3. Refresh the page and check the details next to Last checked to ensure that the latest check result is displayed.

    Concepts

    • Operations account: An operations account, or parent account, is an account that can manage member accounts. An operations account can manage multiple service accounts.
    • Service account: A service account is a member account, or child account, managed by an operations account. A service account (child account) can be managed by only one operations account.
    • Primary workspace: The first workspace created by SecMaster is the primary workspace by default. The workspace is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the workspace details page displayed, toggle on Primary workspace.

    If the workspace is not the primary workspace or the account is not an operations account, you cannot set the account range for baseline inspection. To start a check, you only need to click Check Now on the Check Result page and click OK in the displayed dialog box. Refresh the page and check the details next to Latest Checked to ensure that the latest check result is displayed.

Clearing Risks Detected by Baseline Checks

Baseline checks include manual and automatic check items. For automated check items, remediate any failed items using the provided hardening suggestions after the baseline scan completes. For manual check items, you need to check each item individually, remediate any failures, and submit the final results to SecMaster.

  • Automatic check items
    • Clearing risks and hardening security using a compliance pack
      1. On the check result page, view the risk status of subcheck items. If the check failed, click the name of the target subcheck item to go to its details page.
      2. Filter the check items marked as Failed and rectify the risks based on provided suggestions.
        If a reference link is provided in Suggestion, you can click the link to go to the corresponding page to handle the risk.
        Figure 3 Suggestions for failed checks
      3. After the remediation, click Check Now in the Operation column to verify.

    The following table lists the suggestions for clearing and hardening some key risk items.

    Table 2 Hardening suggestions

    Check Item
      Hardening Suggestion

    Security group inbound rules
      Inbound rules of security groups must meet the principle of least privilege.
      Unless required by your services, an inbound rule with any of the following configurations fails to meet the least-privilege requirement:
        • The source IP address is set to 0.0.0.0/0 (high risk).
        • The source is a public IP address with a mask shorter than /32, that is, more than a single host (medium risk).
        • The source is an internal IP address range with a subnet mask shorter than /24 (low risk).

    Agency permissions for project-level services
      Delete the Security Administrator and Tenant Administrator permissions from the IAM agency settings to improve account security.
      This is a high-risk operation. Exercise caution when performing this operation.

    Agency permissions for global services
      Delete the Security Administrator and Tenant Administrator permissions from the IAM agency settings to improve account security.
      This is a high-risk operation. Exercise caution when performing this operation.

    Administrator account AK/SK
      An access key (Access Key ID/Secret Access Key) is a long-term identity credential of an account.
      Anyone holding this key pair can manage IAM users or perform other critical operations. Disable the AK/SK of the administrator account, because if the key is lost or disclosed the security repercussions would be severe.

    Host weak password
      HSS provides baseline checks that proactively check the password complexity policies on servers and provide suggestions to help enhance password security.
      If hardening is required, change the password based on the provided suggestions so that it cannot be easily guessed.
      This is a high-risk operation. Exercise caution when performing this operation.

    Agency account
      By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources, without sharing your security credentials (password and access keys) with the delegated party. The delegated party logs in with its own credentials, switches to your account, and manages your resources.
      Agencies created for individual accounts are not recommended, because such agencies may be untrusted in the cloud service environment. You are advised to delete agencies created for individual accounts.
      This is a high-risk operation. Exercise caution when performing this operation.

    High-risk open ports
      HSS detects open ports on your servers so you can quickly see which assets are unsafe.
      If dangerous or unnecessary ports are found open, check whether they are required by your services and disable them if they are not. For dangerous ports, also check the program files behind them, and delete or isolate their source files if necessary.
      This is a high-risk operation. Exercise caution when performing this operation.

    Sudo vulnerabilities on servers
      HSS can check and handle vulnerabilities in your Linux operating systems and in software (such as SSH, OpenSSL, Apache, and MySQL) that you obtained from official sources and did not compile yourself.
      Fix sudo vulnerabilities on the HSS vulnerability management page.

    OBS bucket server-side encryption
      With Object Storage Service (OBS) server-side encryption, objects are encrypted by OBS when they are written to the bucket and decrypted by OBS when you download them, so data at rest in the bucket is not stored in plaintext.
      Enable server-side encryption in OBS.

    Enabling of CTS
      Cloud Trace Service (CTS) records operations on the resources under your account. These records let you analyze how secure your system is, track resource changes, perform compliance audits, and locate faults.
      Enable CTS and configure a tracker.

  • Manual check items
    1. On the baseline check result page, select the Network Security compliance pack and filter the standards that require manual checks.
    2. Click the name of the target subcheck item to go to its details page.
    3. View the check description and process and check whether the requirements are met.

      If a service resource is listed under the check item, follow the designated check process, remediate risks based on provided suggestions, and report the check result to SecMaster. If your environment meets the check item rules, report the result to SecMaster.

    4. After the check is complete, return to the check standard page and click Manual Check in the Operation column of the target check item.
    5. In the displayed dialog box, select the check result and click OK.
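The "Security group inbound rules" row of Table 2 describes the thresholds SecMaster applies but not how a rule export is evaluated against them. The following is an added example, not SecMaster's or HSS's own code: it classifies each inbound source CIDR as high, medium, low, or ok using exactly those thresholds, skips egress rules, and lets you record the rules your services genuinely require (the "unless required by your services" caveat) so they are not reported. The rule field names (direction, protocol, port_range, source), the sample rule list, and the treatment of RFC 1918 ranges as "internal" and of ::/0 as equivalent to 0.0.0.0/0 are assumptions of this example.

```python
"""Added example: evaluate security group inbound rules against the
least-privilege thresholds in Table 2.  Not SecMaster code."""
import ipaddress
from typing import Iterable

# Assumption: "internal IP addresses" are the RFC 1918 ranges a VPC uses.
# IPv6 sources are treated as public unless they are ::/0.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

SEVERITY_ORDER = {"ok": 0, "low": 1, "medium": 2, "high": 3}


def _is_internal(net) -> bool:
    """True if net lies entirely inside one of the internal ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def classify_source(source: str) -> str:
    """Severity of one inbound source CIDR, per the page's thresholds.

    0.0.0.0/0 (and ::/0, by assumption)                   -> "high"
    public address with a mask shorter than /32 (or /128) -> "medium"
    internal address with a mask shorter than /24         -> "low"
    anything else                                         -> "ok"
    """
    net = ipaddress.ip_network(source, strict=False)  # tolerate host bits set
    if net.prefixlen == 0:
        return "high"
    if _is_internal(net):
        return "low" if net.prefixlen < 24 else "ok"
    # Public source: only a single host address passes.
    return "medium" if net.prefixlen < net.max_prefixlen else "ok"


def audit_rules(rules: Iterable[dict], exceptions: frozenset = frozenset()) -> list:
    """Return the inbound rules that fail the check, each tagged with a severity.

    `exceptions` holds (source, port_range) pairs that your services require;
    the page exempts such rules from the least-privilege requirement, so they
    are left out of the findings.  Egress rules are out of scope and skipped.
    """
    findings = []
    for rule in rules:
        if rule.get("direction", "ingress") != "ingress":
            continue
        if (rule["source"], rule["port_range"]) in exceptions:
            continue
        severity = classify_source(rule["source"])
        if severity != "ok":
            findings.append({**rule, "severity": severity})
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity among the findings, or "ok" when there are none."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.get, default="ok")


# Constructed sample export; not data from any real account.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port_range": "22",      "source": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "443",     "source": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "3389",    "source": "8.8.8.0/24"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "8080",    "source": "10.0.0.0/8"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "5432",    "source": "10.10.1.0/24"},
    {"direction": "ingress", "protocol": "tcp", "port_range": "22",      "source": "198.51.100.7/32"},
    {"direction": "egress",  "protocol": "tcp", "port_range": "1-65535", "source": "0.0.0.0/0"},
]

# A public HTTPS listener is the kind of rule that is "required by your services".
KNOWN_EXCEPTIONS = frozenset({("0.0.0.0/0", "443")})

if __name__ == "__main__":
    found = audit_rules(SAMPLE_RULES, KNOWN_EXCEPTIONS)
    for f in found:
        print(f"{f['severity']:<6} {f['protocol']}/{f['port_range']:<7} from {f['source']}")
    print("worst:", worst_severity(found))
```

Run against the sample, the audit reports SSH from 0.0.0.0/0 as high, RDP from a public /24 as medium and port 8080 from 10.0.0.0/8 as low; the /24 internal source, the single public host and the excepted HTTPS rule are not reported, and the egress rule is ignored. Feed it the inbound rules exported for the security groups that a failed check points at, and add documented business exceptions to KNOWN_EXCEPTIONS rather than loosening the thresholds.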