Help Center/ Host Security Service/ User Guide/ Risk Management/ Baseline Inspection/ Performing Baseline Inspection
Updated on 2025-01-21 GMT+08:00
View PDF
Share

Performing Baseline Inspection

The baseline check supports automatic and manual baseline checks.

  • Automatic baseline check: checks server configurations and common weak passwords.
  • Manual baseline check: To view the real-time baseline risks of a specified server or detect the password complexity policy, you can manually perform a baseline check.

Automated Baseline Checks

HSS automatically performs a check for all server configurations and common weak passwords at 01:00 every day.

Premium edition, web tamper protection edition, and container edition allow you to customize the automatic detection period for configurations. For details, see Configuration Check.

Premium edition, web tamper protection edition, and container edition allow you to customize the automatic detection period for weak passwords. For details, see Weak Password Scan.

Manually Performing a Baseline Check

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane on the left, choose Risk Management > Baseline Checks.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    Figure 1 Baseline check overview

  4. (Optional) Create a manual baseline check policy.

    Before manually checking the baseline policy, you need to create a manual baseline check policy for the target server. If you have created a policy for the target server, skip this step.
    1. Click Policies in the upper right corner of the page.
    2. Click Create Policy and configure the policy information by referring to Table 1.
      To check baseline details, click Rule Details on the right of a baseline name. You can select check items as required.
      Figure 2 Creating a policy
      Table 1 Baseline policy parameters

      Parameter

      Description

      Example Value

      Policy

      Policy name

      default_linux_security_check_policy

      OS

      OS that will be checked.

      • Linux
      • Windows

      Linux

      Baseline

      Baseline used for a check. Check items are as follows:

      • For Linux,
        • Cloud security practices: Apache2, Docker, MongoDB, Redis, MySQL5, Nginx, Tomcat, SSH, vsftp, CentOS7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master, HCE1.1, HCE2.0, and ZooKeeper 3.7.
        • DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18, Alma, SUSE 12, SUSE 15, and HCE 1.1
        • General security standards: MySQL8-universal, HCE1.1-universal, Rocky8-universal, Rocky9-universal, AlmaLinux8-universal, OracleLinux6-universal, OracleLinux7-universal, Ubuntu22-universal, CentOS9-universal, SUSE15-universal, AliLinux2-universal, and AliLinux3-universal.
        NOTE:

        The MySQL baseline detection of Linux OS is based on the MySQL 5 security configuration specifications. If MySQL 8 is installed on your server, the following check items are not displayed in the detection results, because they are discarded in that version. The detection results are displayed only on the server whose MySQL version is 5.

        • Rule: Do not set old_passwords to 1.
        • Rule: Set secure_auth to 1 or ON.
        • Rule: Do not set skip_secure_auth.
        • Rule: Set log_warnings to 2.
        • Rule: Configure the MySQL binlog clearing policy.
        • Rule: The sql_mode parameter contains NO_AUTO_CREATE_USER.
        • Rule: Use the MySQL audit plug-in.
      • For Windows,
        • Cloud security practices: MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SQL Server.
        • General security standard: Windows_2022-universal.

      Cloud security practices: Select all.

      DJCP MLPS: Select all.
    3. Confirm the information, click Next, and select the server to be associated with the application based on the server name, server ID, EIP, or private IP address.

    4. Confirm the information and click OK. The baseline policy will be displayed in the policy list.

  5. In the upper left corner of the Baseline Inspection page, select the target baseline inspection policy.

    Figure 3 Selecting the target baseline policy

  6. Click Scan in the upper right corner of the page.
  7. If the time displayed in the Last scanned area under the Baseline Check Policy is the actual check time, the check is complete.

    • After a manual check is performed, the button will display Scanning and be disabled. If the check time exceeds 30 minutes, the button will be automatically enabled again. If the time displayed in the Last scanned area becomes the current check time, it indicates the check has completed.
    • After the check is complete, you can view the check results and handling suggestions by referring to Viewing and Processing Baseline Check Results.

Parent Topic: Baseline Inspection