Updated on 2024-04-15 GMT+08:00

Image Baseline Check

HSS scans your private image repository for unsafe configurations and provides suggestions for modifying them, helping you fight intrusions and meet compliance requirements.

Check Frequency

A comprehensive check is automatically performed by HSS in the early morning every day.

Prerequisites

Container protection has been enabled.

Constraints

Only configuration risks in Linux images can be detected.

Check Items

  • Accounts with duplicate names or UIDs
  • Non-root accounts whose UIDs are 0
  • Password check in code
  • Accounts with duplicate password hash values
  • Weak password hash algorithms
  • Ensuring that the account password is not empty
  • Duplicate group names or GIDs
  • Non-privileged account incorrectly included in the privilege group
  • Old "+" entries in the /etc/passwd file
  • Old "+" entries in the /etc/shadow file
  • Old "+" entries in the /etc/group file
  • Ensuring all groups in the /etc/passwd file are in the /etc/group file
  • Unconfigured password validity period
  • Ensuring that the password change dates of all users are past dates
  • Host trust relationship
  • Preset root-level trust relationship establishment
  • User root not in the group with GID 0
  • Members in the shadow group
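
Several of the check items above map directly to fields in /etc/passwd, /etc/shadow and /etc/group. The following added example (not HSS code; this page does not document how HSS implements its checks) evaluates a subset of them against the three files as they would be read from an unpacked image. The file contents are constructed, and the finding labels and the treatment of MD5-crypt and traditional DES hashes as weak are assumptions.

```python
import time
from collections import Counter

# Constructed sample files (not from any real image); hash values are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
app:x:1000:1000::/home/app:/bin/sh
svc:x:1001:2000::/home/svc:/bin/sh
+::::::
"""
SHADOW = """root:$6$saltsalt$AAAA:19000:0:99999:7:::
toor:$1$salt$BBBB:19000:0:99999:7:::
app::19000:0:99999:7:::
svc:$6$saltsalt$AAAA:99999:0:99999:7:::
"""
GROUP = "root:x:0:\napp:x:1000:\n"

def _rows(text):
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]

def baseline_check(passwd, shadow, group, today=None):
    """Return sorted (check, subject) findings for a subset of the listed check items."""
    today = int(time.time() // 86400) if today is None else today  # days since epoch
    out = set()
    for fname, text in (("passwd", passwd), ("shadow", shadow), ("group", group)):
        out |= {("legacy-plus-entry", fname) for r in _rows(text) if r[0].startswith("+")}
    pw = [r for r in _rows(passwd) if len(r) >= 7 and not r[0].startswith("+")]
    sh = [r for r in _rows(shadow) if len(r) >= 3 and not r[0].startswith("+")]
    gr = [r for r in _rows(group) if len(r) >= 3 and not r[0].startswith("+")]
    for label, vals in (("duplicate-name", [r[0] for r in pw]), ("duplicate-uid", [r[2] for r in pw])):
        out |= {(label, v) for v, n in Counter(vals).items() if n > 1}
    out |= {("non-root-uid-0", r[0]) for r in pw if r[2] == "0" and r[0] != "root"}
    gids = {r[2] for r in gr}
    out |= {("gid-not-in-group-file", r[0]) for r in pw if r[3] not in gids}
    hashes = Counter(r[1] for r in sh if r[1] and r[1][0] not in "!*")  # skip locked
    for name, h, lastchg in (r[:3] for r in sh):
        if h == "":
            out.add(("empty-password", name))
        elif h[0] not in "!*":
            # Assumption: MD5-crypt ($1$) and traditional DES (no $ prefix) count as weak.
            if h.startswith("$1$") or not h.startswith("$"):
                out.add(("weak-hash-algorithm", name))
            if hashes[h] > 1:
                out.add(("duplicate-password-hash", name))
        if lastchg.isdigit() and int(lastchg) > today:
            out.add(("password-change-date-in-future", name))
    return sorted(out)
```

Calling `baseline_check(PASSWD, SHADOW, GROUP)` on the sample data reports nine findings, including the UID 0 account `toor`, the empty password on `app`, and the "+" entry in the passwd file.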

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, click , select a region, and choose Security > Host Security Service.
  3. In the navigation tree on the left, choose Prediction > Container Images.
  4. Click the Unsafe Settings tab to view the unsafe settings in the image.
  5. Click next to a check item to view its details and suggestions, and modify your unsafe settings accordingly.