Baseline Check Overview

What Is a Baseline Check?

Baselines specify the recommended security configurations for OSs, databases, middleware, and applications. They include the configurations of permissions, services, network, password security, and DJCP MLPS compliance.

HSS can check password complexity policies, common weak passwords, and other settings to detect insecure passwords and the configuration risks in systems and critical software. It also provides suggestions to help users correctly handle unsafe settings on servers.

Baseline Check Content

Check Item	Description	Supported HSS Edition
Baseline check	Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS. The configuration check standards include cloud security practices, DJCP MLPS compliance, and the general security standard. Cloud security practices: Based on Huawei Cloud's years of experience in cloud security practices, the service checks the security of systems and software in terms of account management, authentication and authorization, password policies, log management, service management, network configuration, and patch update. DJCP MLPS compliance: Check the security of systems and databases based on the DJCP Multi-Level Protection Scheme (MLPS) standard and the evaluation standards of authoritative organizations. General security standard: Based on China and international general security standards, check the security of the system and software from the perspectives of account management, password policy, authorization management, service management, configuration management, network management, and permission management. The following systems, databases, and applications can be checked: For Linux, Cloud security practices: Apache HTTP Server 2.4, Apache 2, ClickHouse 21.8, CentOS 7, Docker, Docker 18, EulerOS, Gauss, HCE 1.1, HCE 2.0, Kafka, MongoDB, MySQL 5.7, MySQL 5, Nginx, Nginx 1.17, openGauss, Redis, Redis 5.0, Redis 6.2, SSH, Tomcat, Tomcat 8, Tomcat 9, Zookeeper 3.6, Zookeeper 3.7, Kubernetes-Master, and Kubernetes-Node. DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu12, Ubuntu14, Ubuntu16, Ubuntu18, SUSE 12, SUSE 15, HCE1.1, EulerOS, and Alma. General security standards: MySQL8-universal, HCE1.1-universal, Rocky8-universal, Rocky9-universal, AlmaLinux8-universal, OracleLinux6-universal, OracleLinux7-universal, Ubuntu22-universal, Ubuntu24-universal, Ubuntu20-universal, CentOS7-universal, CentOS8-universal, CentOS9-universal, SUSE15-universal, AliLinux2-universal, and AliLinux3-universal. NOTE: The MySQL baseline detection of Linux OS is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5. Rule: Do not set old_passwords to 1. Rule: Set secure_auth to 1 or ON. Rule: Do not set skip_secure_auth. Rule: Set log_warnings to 2. Rule: Configure the MySQL binlog clearing policy. Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER. Rule: Use the MySQL audit plug-in. For Windows, Cloud security practices: Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 R2, Windows Server 2019 R2, Tomcat, Redis, Nginx, MySQL 5, MongoDB, and Apache 2 General security standard: Windows Server 2022 R2.	Enterprise, premium, WTP, and container editions
Password complexity policies	A password complexity policy specifies the rules that must be followed by user passwords to improve password security and prevent brute-force attacks. This feature checks the password complexity policies in Linux and provides suggestions to help users improve password security. Check items include: Password length: Check whether the password length required in the password complexity policy meets the security standard. Uppercase letters: Check whether the number of uppercase letters required in the password complexity policy meets the security standard. Lowercase letters: Check whether the number of lowercase letters required in the password complexity policy meets the security standard. Numeric characters: Check whether the number of numeric characters required in the password complexity policy meets the security standard. Special letters: Check whether the number of special characters required in the password complexity policy meets the security standard. For details about the password complexity policy check, see Defining a Rule to Check Password Complexity Policies.	All
Common weak passwords	A weak password can be easily cracked. Weak passwords defined in the common weak password library. You can check for the weak passwords used by accounts and remind users to change them. Common weak password detection has the following restrictions: Supported cryptographic algorithms: SHA-256, SHA-512, and Yescrypt Supported account types: Linux: MySQL, Tomcat, Redis, and system accounts Windows: system accounts For details about custom weak passwords, see Defining Weak Passwords.	All

Check Item

Description

Supported HSS Edition

Baseline check

Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS.

The configuration check standards include cloud security practices, DJCP MLPS compliance, and the general security standard.

Cloud security practices: Based on Huawei Cloud's years of experience in cloud security practices, the service checks the security of systems and software in terms of account management, authentication and authorization, password policies, log management, service management, network configuration, and patch update.
DJCP MLPS compliance: Check the security of systems and databases based on the DJCP Multi-Level Protection Scheme (MLPS) standard and the evaluation standards of authoritative organizations.
General security standard: Based on China and international general security standards, check the security of the system and software from the perspectives of account management, password policy, authorization management, service management, configuration management, network management, and permission management.

The following systems, databases, and applications can be checked:

For Linux,
- Cloud security practices: Apache HTTP Server 2.4, Apache 2, ClickHouse 21.8, CentOS 7, Docker, Docker 18, EulerOS, Gauss, HCE 1.1, HCE 2.0, Kafka, MongoDB, MySQL 5.7, MySQL 5, Nginx, Nginx 1.17, openGauss, Redis, Redis 5.0, Redis 6.2, SSH, Tomcat, Tomcat 8, Tomcat 9, Zookeeper 3.6, Zookeeper 3.7, Kubernetes-Master, and Kubernetes-Node.
- DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu12, Ubuntu14, Ubuntu16, Ubuntu18, SUSE 12, SUSE 15, HCE1.1, EulerOS, and Alma.
- General security standards: MySQL8-universal, HCE1.1-universal, Rocky8-universal, Rocky9-universal, AlmaLinux8-universal, OracleLinux6-universal, OracleLinux7-universal, Ubuntu22-universal, Ubuntu24-universal, Ubuntu20-universal, CentOS7-universal, CentOS8-universal, CentOS9-universal, SUSE15-universal, AliLinux2-universal, and AliLinux3-universal.
NOTE:
The MySQL baseline detection of Linux OS is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5.
- Rule: Do not set old_passwords to 1.
- Rule: Set secure_auth to 1 or ON.
- Rule: Do not set skip_secure_auth.
- Rule: Set log_warnings to 2.
- Rule: Configure the MySQL binlog clearing policy.
- Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER.
- Rule: Use the MySQL audit plug-in.
For Windows,
- Cloud security practices: Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 R2, Windows Server 2019 R2, Tomcat, Redis, Nginx, MySQL 5, MongoDB, and Apache 2
- General security standard: Windows Server 2022 R2.

Enterprise, premium, WTP, and container editions

Password complexity policies

A password complexity policy specifies the rules that must be followed by user passwords to improve password security and prevent brute-force attacks.

This feature checks the password complexity policies in Linux and provides suggestions to help users improve password security.

Check items include:

Password length: Check whether the password length required in the password complexity policy meets the security standard.
Uppercase letters: Check whether the number of uppercase letters required in the password complexity policy meets the security standard.
Lowercase letters: Check whether the number of lowercase letters required in the password complexity policy meets the security standard.
Numeric characters: Check whether the number of numeric characters required in the password complexity policy meets the security standard.
Special letters: Check whether the number of special characters required in the password complexity policy meets the security standard.

For details about the password complexity policy check, see Defining a Rule to Check Password Complexity Policies.

All

Common weak passwords

A weak password can be easily cracked.

Weak passwords defined in the common weak password library. You can check for the weak passwords used by accounts and remind users to change them.

Common weak password detection has the following restrictions:

Supported cryptographic algorithms: SHA-256, SHA-512, and Yescrypt
Supported account types:
- Linux: MySQL, Tomcat, Redis, and system accounts
- Windows: system accounts

For details about custom weak passwords, see Defining Weak Passwords.

All

Scenarios

Baseline compliance
Baseline checks are performed based on DJCP MLPS L2, DJCP MLPS L3, and international compliance security standards, helping companies build information systems that comply with related laws and regulations as well as industry standards.

Security audit
Periodically perform baseline checks on servers and containers to detect and rectify non-compliant system configurations in a timely manner, ensuring system security and reducing intrusion risks.

Usage Process

**Table 1** Usage process
No.	Operation	Description
1	Configuring a Baseline Check Policy	After HSS is enabled for a server, HSS automatically performs a baseline check on the server every day from 04:00 to 05:00 based on the default policy. If the default configuration does not meet your requirements, you can modify it or create a custom check policy.
2	Performing a Baseline Check	You can perform a check immediately or schedule it for later. Scheduled check: Baseline checks are automatically performed based on the default policy or your schedule. One-time manual check: You can manually start a baseline check to learn the server security status in real time.
3	Viewing and Handling Baseline Check Results	After the baseline check is complete, view and handle the baseline configuration risks in a timely manner.