Baseline check


The baseline check feature scans server OS, database, software, and container configurations for security risks. Use the results to harden your systems, reduce intrusion risk, and meet compliance requirements.

Editions and billing

The baseline check feature is available for paid editions of Security Center.

| Edition | Description | Billing |
| --- | --- | --- |
| Anti-virus edition and value-added service | To use all baseline check items, you must purchase and enable the paid cloud security posture management (CSPM) service. Using check items consumes the CSPM quota. | If you purchase the paid cloud security posture management service, see Paid usage of CSPM for billing details. |
| Advanced edition and Enterprise edition | The Advanced edition only supports weak password baselines. The Enterprise edition does not support container security baselines. To use all baseline check items, you must upgrade to the Ultimate edition. | No additional fees apply. |
| Ultimate edition | Supports all baseline check items. | No additional fees apply. |

Benefits

  • MLPS compliance

    Checks configurations against MLPS Level 2/3 standards and international security best practices to help meet regulatory requirements.

  • Comprehensive detection coverage

    Detects weak passwords, unauthorized access, vulnerabilities, and configuration risks. Covers more than 30 operating system versions and over 20 types of databases and middleware.

  • Flexible policy configuration

    Customize security policies, check intervals, and scopes to meet the unique security requirements of your workloads.

  • Detailed remediation solutions

    Each check item includes a remediation solution. One-click remediation lets you harden baselines and meet MLPS requirements.

Workflow

  1. All baseline check items are available with the Enterprise or Ultimate edition, or the paid CSPM feature. See Use all baseline check items.

  2. After you install the Security Center agent on a server that requires baseline checks, the Security Center console automatically synchronizes the server's asset information every minute. To check non-Alibaba Cloud servers, first add them to Security Center.

  3. The default policy covers a limited set of baseline types. To add more check items, set check policies.

  4. You can run a policy manually or let Security Center scan automatically on schedule. See Run a check policy.

  5. Scan results list risky check items, affected assets, and remediation suggestions. See View check results and fixing suggestions.

  6. Fix risky configurations based on the suggestions and verify that each check item passes. See Fix and verify.

How it works

Baseline check policies let you batch-scan servers for risks in system configurations, account permissions, databases, weak passwords, and MLPS compliance. Each risk includes remediation suggestions and may support one-click fix. For the full list, see Baseline check items.

Key concepts

| Term | Description |
| --- | --- |
| baseline | A baseline defines security configuration standards for operating systems, databases, and middleware based on best practices and compliance requirements. Checks cover weak passwords, account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention. |
| weak password | A weak password is easy to guess or crack through brute-force attacks. It is typically shorter than eight characters, contains fewer than three character types, or is found in publicly available hacker dictionaries or malware. Weak passwords allow attackers to access your system and read or modify data. |

Baseline policies

A policy is a collection of baseline check rules and the basic unit for running checks. Security Center provides three policy types: default, standard, and custom.

| Policy type | Supported types | Use case |
| --- | --- | --- |
| Default policy | Includes multiple baseline check items and supports the following baseline types. Windows baselines: unauthorized access, best security practices, weak password, etc. Linux baselines: unauthorized access, container security, best security practices, weak password, etc. | The default policy runs automatically after you purchase the Advanced, Enterprise, or Ultimate edition. You can only edit the start time and target servers. It checks all assets every other day between 00:00 and 06:00, or during a time range that you specify. |
| Standard policy | Includes multiple baseline check items and supports the following baseline types. Windows baselines: unauthorized access, MLPS compliance, best security practices, basic protection practices, internationally agreed security best practices, weak password, etc. Linux baselines: unauthorized access, MLPS compliance, best security practices, container security, internationally agreed security best practices, weak password, etc. | Compared with the default policy, the standard policy adds MLPS compliance and international best practices check types, includes more check items, and allows full policy configuration. |
| Custom policy | Includes multiple baseline check items and supports the following custom OS baseline types. Windows baselines: Windows custom baseline. Linux baselines: CentOS Linux 7/8 custom baseline, CentOS Linux 6 custom baseline, Ubuntu custom security baseline check, and Redhat 7/8 custom security baseline check. | Checks asset configurations based on custom operating system baselines. You can configure check items and modify the parameters of some baselines to meet your business requirements. |

Supported servers

Security Center checks servers with an active agent. The default policy checks all eligible servers. When you set up a default, standard, or custom policy, use server groups to select targets. To add servers, see Install the agent or Manage servers.

Risk assessment

Security Center classifies risks based on their severity and category.

| Risk level | Baseline category | Description | Remediation |
| --- | --- | --- | --- |
| High | weak password; Unauthorized | These risks are classified as High because they pose a direct intrusion threat. | Remediate these risks immediately to prevent system intrusions or data leaks. |
| High | best security practices; container security | Although this type does not pose a direct intrusion risk, it is classified as High because it relates to critical configuration standards. | Fix these important hardening items promptly. Adhering to best practices reduces the risk of attacks that exploit configuration weaknesses and unauthorized changes. |
| High | Custom baseline | This type relates to your organization's specific security events and critical configurations, and is therefore classified as High. | Fix these user-defined hardening items. Adhering to custom baselines reduces the risk of configuration weaknesses and unauthorized changes. |
| Medium | MLPS compliance; internationally agreed security best practices | These risks relate to compliance requirements, not direct intrusion threats or critical configurations, and are therefore classified as Medium. | Remediate these risks based on your organization's compliance requirements. |

Remediation

Security Center provides hardening suggestions for identified risks to enhance security, reduce intrusion risk, and meet compliance requirements.

  • Manual remediation: You must log on to the affected server, modify the relevant configurations, and then verify the result in Security Center.

  • One-click fix: Some baseline check items support one-click fixes. For those items, the Fix button appears in the risk details panel. Click it to resolve the baseline risk directly from the console. See Fix risk items.

Baseline checks

Baseline categories

Category

Description

Scope

Guidance

Weak password

Detects weak passwords using a non-brute-force method that avoids account lockouts and service disruption.

Note

Weak password detection compares the hash value read from the system against a dictionary of weak password hashes. If you prefer not to have hash values read, you can remove the weak password baseline from your baseline check policy.

  • Operating system

    Linux, Windows

  • Database

    MySQL, Redis, SQL Server, MongoDB, PostgreSQL, Oracle

  • Application

    Tomcat, FTP, Rsync, Subversion (SVN), ActiveMQ, RabbitMQ, OpenVPN, Jboss 6/7, Jenkins, OpenLDAP, VNC Server, pptpd

Requires immediate remediation. This helps prevent system intrusions or data breaches that can result from these vulnerabilities.

Unauthorized access

Checks services for unauthorized access risks to prevent system intrusions and data breaches.

Memcached, Elasticsearch, Docker, CouchDB, ZooKeeper, Jenkins, Hadoop, Tomcat, Redis, Jboss, ActiveMQ, RabbitMQ, OpenLDAP, rsync, MongoDB, PostgreSQL

Best security practice

Alibaba Cloud standard

Checks for security configuration risks based on the Alibaba Cloud standard for best security practice. These checks cover account permission, identity authentication, password policy, access control, security audit, and intrusion prevention.

  • Operating system

    • CentOS 6, 7, 8

    • Red Hat Enterprise Linux (RHEL) 6, 7, 8

    • Ubuntu 14, 16, 18, 20

    • Debian 8, 9, 10, 11, 12

    • Alibaba Cloud Linux 2, 3

    • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

    • Rocky Linux 8

    • AlmaLinux 8

    • SUSE Linux Enterprise Server (SLES) 15

    • Anolis 8

    • Kylin

    • UOS

    • TencentOS

  • Database

    MySQL, Redis, MongoDB, SQL Server, Oracle Database 11g, CouchDB, InfluxDB, PostgreSQL

  • Application

    Tomcat, Internet Information Services (IIS), Nginx, Apache, Windows SMB, RabbitMQ, ActiveMQ, Elasticsearch, Jenkins, Hadoop, Jboss 6/7

Remediation is recommended for these important security hardening items. Following best security practice helps reduce the risk of attacks that exploit configuration weaknesses or unauthorized changes.

Container security

Alibaba Cloud standard

Checks Kubernetes master and worker nodes for configuration risks based on the Alibaba Cloud standard for container security.

  • Docker

  • Kubernetes cluster

MLPS compliance

MLPS Level 2 and Level 3 compliance

Performs checks based on MLPS security baselines for servers. These baselines align with the computing environment standards from authoritative evaluation organizations.

  • Operating system

    • CentOS 6, 7, 8

    • Red Hat Enterprise Linux (RHEL) 6, 7, 8

    • Ubuntu 14, 16, 18, 20

    • SUSE Linux Enterprise Server (SLES) 10, 11, 12, 15

    • Debian 8, 9, 10, 11, 12

    • Alibaba Cloud Linux 2, 3

    • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

    • Anolis 8

    • Kylin

    • UOS

  • Database

    Redis, MongoDB, PostgreSQL, Oracle, MySQL, SQL Server, Informix

  • Application

    WebSphere Application Server, Jboss 6/7, Nginx, WebLogic, BIND, IIS

Remediate based on your business's compliance requirements.

International security best practice

Performs operating system security baseline checks based on international security best practice.

  • CentOS 6, 7, 8

  • Ubuntu 14, 16, 18, 20

  • Debian 8, 9, 10

  • Alibaba Cloud Linux 2

  • Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

Remediate based on your business's compliance requirements.

Custom baseline

You can define custom security hardening rules by editing check items in a baseline check policy. Custom baselines are supported for various operating systems.

CentOS 7, CentOS 6, Windows Server 2022, 2012 R2, 2016, 2019, 2008 R2

Remediation is recommended for these user-defined security hardening items. Following your custom standards helps reduce the risk of configuration weaknesses and unauthorized changes.
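
The hash-comparison approach described in the weak password note above, sketched for MySQL accounts as an added example (it is not Security Center's own code). It assumes the mysql_native_password storage format; the account rows and the word list are constructed samples, and the status labels are hypothetical names.

```python
import hashlib
import re

# Constructed sample dictionary; a real audit would load a maintained word list.
WEAK_DICTIONARY = ["123456", "password", "root", "admin123", "P@ssw0rd"]

# mysql_native_password values look like '*' followed by 40 uppercase hex digits.
NATIVE_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_hash(password: str) -> str:
    """Return '*' + HEX(SHA1(SHA1(password))), the mysql_native_password format."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def build_hash_index(words):
    """Precompute the dictionary hashes once so each account is one set lookup."""
    return {mysql_native_hash(word) for word in words}


def audit_accounts(rows, index):
    """Classify (user, host, plugin, auth_string) rows read from the system.

    Nothing here attempts a login, so the check cannot trigger account
    lockouts or load the service: it only compares stored hashes.
    """
    findings = []
    for user, host, plugin, auth in rows:
        account = f"{user}@{host}"
        stored = auth.upper()
        if auth == "":
            # An empty authentication string means the account has no password.
            status = "EMPTY_PASSWORD"
        elif plugin != "mysql_native_password" or not NATIVE_HASH_RE.match(stored):
            # Other hash formats cannot be compared with this index; report
            # them explicitly instead of silently treating them as passing.
            status = "UNSUPPORTED_FORMAT"
        elif stored in index:
            status = "WEAK_PASSWORD"
        else:
            status = "OK"
        findings.append((account, status))
    return findings


# Constructed rows standing in for the result of reading the account table.
SAMPLE_ROWS = [
    ("root", "localhost", "mysql_native_password", mysql_native_hash("123456")),
    ("app", "10.0.0.%", "mysql_native_password", mysql_native_hash("kV9#tq2Lw!x8Rz")),
    ("report", "%", "caching_sha2_password", "$A$005$constructed-not-a-real-hash"),
    ("legacy", "%", "mysql_native_password", ""),
]

if __name__ == "__main__":
    for account, status in audit_accounts(SAMPLE_ROWS, build_hash_index(WEAK_DICTIONARY)):
        print(f"{account:20} {status}")
```

Accounts reported as UNSUPPORTED_FORMAT are not proven safe; they need a check that understands their hash format.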

Baseline checks

The following table lists the default baseline checks available in Security Center.

Windows baselines

| Baseline category | Baseline name | Description | Check items |
| --- | --- | --- | --- |
| Basic security practices | SQL Server Permission Risk Check | Checks for permission risks in SQL Server. | 1 |
| Basic security practices | IIS Permission Risk Check | Checks for permission risks in IIS. | 1 |
| International security best practices | Windows Server 2008 R2 International Security Best Practices | This baseline provides comprehensive configuration checks based on international security best practices. It enables enterprise users with high security requirements to harden systems according to specific business and security needs. | 274 |
| International security best practices | Windows Server 2012 R2 International Security Best Practices | This baseline provides comprehensive configuration checks based on international security best practices. It enables enterprise users with high security requirements to harden systems according to specific business and security needs. | 275 |
| International security best practices | Windows Server 2016/2019 International Security Best Practices | This baseline provides comprehensive configuration checks based on international security best practices. It enables enterprise users with high security requirements to harden systems according to specific business and security needs. | 275 |
| International security best practices | Windows Server 2022 International Security Best Practices | This baseline provides comprehensive configuration checks based on international security best practices. It enables enterprise users with high security requirements to harden systems according to specific business and security needs. | 262 |
| Unauthorized access | Unauthorized Access - Redis High-Risk Vulnerability (Windows) | Detects high-risk unauthorized access vulnerabilities in Redis. | 1 |
| Unauthorized access | Unauthorized Access - LDAP High-Risk Vulnerability (Windows) | Detects high-risk unauthorized access vulnerabilities in LDAP. | 1 |
| MLPS compliance | MLPS Level 3 Compliance Baseline for Windows 2008 R2 | Verifies that your Windows Server 2008 R2 configurations comply with China's MLPS 2.0 Level 3 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 19 |
| MLPS compliance | MLPS Level 3 Compliance Baseline for Windows 2012 R2 | Verifies that your Windows Server 2012 R2 configurations comply with China's MLPS 2.0 Level 3 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 19 |
| MLPS compliance | MLPS Level 3 Compliance Baseline for Windows Server 2016/2019 | Verifies that your Windows Server 2016/2019 configurations comply with China's MLPS 2.0 Level 3 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 19 |
| MLPS compliance | MLPS Level 3 Compliance Baseline for SQL Server | Verifies that your SQL Server configurations comply with China's MLPS 2.0 Level 3 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 4 |
| MLPS compliance | MLPS Level 3 Compliance Baseline for IIS | Verifies that your IIS configurations comply with China's MLPS 2.0 Level 3 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 5 |
| MLPS compliance | MLPS Level 2 Compliance Baseline for Windows 2008 R2 | Verifies that your Windows Server 2008 R2 configurations comply with China's MLPS 2.0 Level 2 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 12 |
| MLPS compliance | MLPS Level 2 Compliance Baseline for Windows 2012 R2 | Verifies that your Windows Server 2012 R2 configurations comply with China's MLPS 2.0 Level 2 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 12 |
| MLPS compliance | MLPS Level 2 Compliance Baseline for Windows Server 2016/2019 | Verifies that your Windows Server 2016/2019 configurations comply with China's MLPS 2.0 Level 2 standard. These checks are based on security requirements for computing environments from authoritative assessment organizations. | 12 |
| Weak password | Weak password - Windows system login | Detects weak login passwords on Windows Server systems. This updated baseline uses an expanded dictionary of common weak passwords and provides improved detection performance. | 1 |
| Weak password | Weak password - MySQL database login (Windows) | Detects weak login passwords for MySQL databases on Windows. | 1 |
| Weak password | Weak password - SQL Server database login | Detects weak login passwords for Microsoft SQL Server databases. | 1 |
| Weak password | Weak password - Redis database login (Windows) | Detects weak login passwords for Redis databases. | 1 |
| Best security practices | Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline | Verifies that your Windows Server 2008 R2 configurations align with Alibaba Cloud best security practices. | 12 |
| Best security practices | Alibaba Cloud Standard - Windows 2012 R2 Security Baseline | Verifies that your Windows Server 2012 R2 configurations align with Alibaba Cloud best security practices. | 12 |
| Best security practices | Alibaba Cloud Standard - Windows 2016/2019 Security Baseline | Verifies that your Windows Server 2016 and Windows Server 2019 configurations align with Alibaba Cloud best security practices. | 12 |
| Best security practices | Alibaba Cloud Standard - Windows 2022 Security Baseline | Verifies that your Windows Server 2022 configurations align with Alibaba Cloud best security practices. | 12 |
| Best security practices | Alibaba Cloud Standard - Redis Security Baseline (Windows) | Verifies that your Redis configurations on Windows align with Alibaba Cloud best security practices. | 6 |
| Best security practices | Alibaba Cloud Standard - SQL Server Security Baseline | Verifies that your SQL Server 2012 configurations align with Alibaba Cloud best security practices. | 17 |
| Best security practices | Alibaba Cloud Standard - IIS 8 Security Baseline | Verifies that your Internet Information Services (IIS) 8 configurations align with Alibaba Cloud best security practices. | 8 |
| Best security practices | Alibaba Cloud Standard - Apache Tomcat Security Baseline (Windows) | Checks middleware configurations against international security best practices and Alibaba Cloud standards. | 8 |
| Best security practices | Alibaba Cloud Standard - Windows SMB Security Baseline | Verifies that your Windows Server Message Block (SMB) configurations align with Alibaba Cloud best security practices. | 2 |
| Custom policy | Windows custom baseline | This template helps you create a custom Windows baseline. Select check items and configure parameters to meet your specific security requirements. | 63 |

Linux baselines

Category

Baseline

Description

Checks

Internationally Agreed Best Practices for Security

Alibaba Cloud Linux 2/3 Internationally Agreed Best Practices for Security

This baseline offers comprehensive configuration checks based on international best security practices. It is designed for enterprise users and enables targeted security hardening tailored to specific business scenarios.

176

Rocky 8 Internationally Agreed Best Practices for Security

161

CentOS Linux 6 LTS Internationally Agreed Best Practices for Security

194

CentOS Linux 7 LTS Internationally Agreed Best Practices for Security

195

CentOS Linux 8 LTS Internationally Agreed Best Practices for Security

162

Debian Linux 8 Internationally Agreed Best Practices for Security

155

Ubuntu 14 LTS Internationally Agreed Best Practices for Security

175

Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security

174

Ubuntu 22 LTS Internationally Agreed Best Practices for Security

148

Unauthorized access

InfluxDB unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in InfluxDB.

1

Redis unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in Redis.

1

JBoss unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in JBoss.

1

ActiveMQ unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in ActiveMQ.

1

RabbitMQ unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in RabbitMQ.

1

OpenLDAP unauthorized access vulnerability baseline (Linux)

Detects unauthorized access vulnerabilities in OpenLDAP.

1

rsync unauthorized access high-risk vulnerability

Detects unauthorized access vulnerabilities in rsync.

1

MongoDB unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in MongoDB.

1

PostgreSQL unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in PostgreSQL.

1

Jenkins unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in Jenkins.

1

Hadoop unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in Hadoop.

1

CouchDB unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in CouchDB.

1

ZooKeeper unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in ZooKeeper.

1

Memcached unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in Memcached.

1

Elasticsearch unauthorized access high-risk vulnerability

Detects high-risk unauthorized access vulnerabilities in Elasticsearch.

1

MLPS Compliance

MLPS Level 3 Compliance Baseline for SUSE 15

Validates that SUSE 15 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

18

MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 3

Validates that Alibaba Cloud Linux 3 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Alibaba Cloud Linux 2

Validates that Alibaba Cloud Linux 2 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Bind

Validates that Bind configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

4

MLPS Level 3 Compliance Baseline for CentOS Linux 6

Validates that CentOS Linux 6 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for CentOS Linux 7

Validates that CentOS Linux 7 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for CentOS Linux 8

Validates that CentOS Linux 8 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Informix

Validates that Informix configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

6

MLPS Level 3 Compliance Baseline for JBoss 6/7

Validates that JBoss 6/7 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

5

MLPS Level 3 Compliance Baseline for MongoDB

Validates that MongoDB configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

6

MLPS Level 3 Compliance Baseline for MySQL

Validates that MySQL configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

5

MLPS Level 3 Compliance Baseline for Nginx

Validates that Nginx configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

3

MLPS Level 3 Compliance Baseline for Oracle

Validates that Oracle configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

12

MLPS Level 3 Compliance Baseline for PostgreSQL

Validates that PostgreSQL configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

4

MLPS Level 3 Compliance Baseline for Red Hat Enterprise Linux (RHEL) 6

Validates that Red Hat Enterprise Linux (RHEL) 6 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Red Hat Enterprise Linux (RHEL) 7

Validates that Red Hat Enterprise Linux (RHEL) 7 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Redis

Validates that Redis configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

4

MLPS Level 3 Compliance Baseline for SUSE 10

Validates that SUSE 10 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for SUSE 12

Validates that SUSE 12 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for SUSE 11

Validates that SUSE 11 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Ubuntu 14

Validates that Ubuntu 14 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Ubuntu 16/18/20

Validates that Ubuntu 16/18/20 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Ubuntu 22

Validates that Ubuntu 22 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for WebSphere Application Server

Validates that WebSphere Application Server configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

7

MLPS Level 3 Compliance Baseline for TongWeb

Validates that TongWeb configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

4

MLPS Level 3 Compliance Baseline for WebLogic

Validates that WebLogic configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

5

MLPS Level 2 Compliance Baseline for Alibaba Cloud Linux 2

Validates that Alibaba Cloud Linux 2 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

15

MLPS Level 2 Compliance Baseline for CentOS Linux 6

Validates that CentOS Linux 6 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

15

MLPS Level 2 Compliance Baseline for CentOS Linux 7

Validates that CentOS Linux 7 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

15

MLPS Level 2 Compliance Baseline for Debian Linux 8

Validates that Debian Linux 8 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

12

MLPS Level 2 Compliance Baseline for Red Hat Enterprise Linux (RHEL) 7

Validates that Red Hat Enterprise Linux (RHEL) 7 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

15

MLPS Level 2 Compliance Baseline for Ubuntu 16/18

Validates that Ubuntu 16/18 configurations meet China's MLPS 2.0 Level 2 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Debian Linux 8/9/10/11/12

Validates that Debian Linux 8/9/10/11/12 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Kylin

Validates that Kylin configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for UOS

Validates that UOS configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

MLPS Level 3 Compliance Baseline for Anolis 8

Validates that Anolis 8 configurations meet China's MLPS 2.0 Level 3 requirements, benchmarked against standards from authoritative assessment organizations.

19

Weak password

Zabbix login weak password baseline

Detects weak login passwords in Zabbix.

1

Elasticsearch login weak password baseline

Detects weak login passwords on Elasticsearch servers.

1

ActiveMQ login weak password baseline

Detects weak login passwords in ActiveMQ.

1

RabbitMQ login weak password baseline

Detects weak login passwords in RabbitMQ.

1

OpenVPN weak password detection on Linux systems

Detects common weak passwords for OpenVPN accounts on Linux systems.

1

JBoss 6/7 login weak password baseline

Detects weak login passwords in JBoss 6/7.

1

Jenkins login weak password baseline

Detects weak login passwords for Jenkins accounts. This updated baseline offers enhanced detection with an expanded weak password dictionary.

1

ProFTPD login weak password baseline

Detects weak login passwords for ProFTPD accounts. This updated baseline offers enhanced detection with an expanded weak password dictionary.

1

WebLogic 12c login weak password detection

Detects weak passwords for WebLogic 12c users.

1

OpenLDAP login weak password baseline

Detects weak login passwords for OpenLDAP accounts.

1

VNC server weak password check

Detects common weak passwords for VNC server login accounts.

1

PPTPD login weak password baseline

Detects weak login passwords on PPTP servers.

1

Oracle login weak password detection

Detects weak passwords for Oracle database users.

1

SVN login weak password baseline

Detects weak login passwords on SVN servers.

1

rsync login weak password baseline

Detects weak login passwords on rsync servers.

1

MongoDB weak password baseline

Detects weak passwords for the MongoDB service. This baseline supports MongoDB 3.x and 4.x.

1

PostgreSQL DB login weak password baseline

Detects weak login passwords for PostgreSQL database accounts.

1

Apache Tomcat Console weak password baseline

Detects weak login passwords for the Apache Tomcat console. This baseline supports Tomcat 7, 8, and 9.

1

FTP login weak password baseline

Checks for weak passwords and anonymous logins for the FTP service.

1

Redis DB login weak password baseline

Detects weak login passwords for Redis databases.

1

Linux system login weak password baseline

Detects weak login passwords for Linux system accounts. This updated baseline offers enhanced detection with an expanded weak password dictionary.

1

MySQL DB login weak password check (version 8.x is not supported)

Detects weak login passwords for MySQL database accounts. This updated baseline offers enhanced detection with an expanded weak password dictionary.

1

MongoDB weak password baseline (supports version 2.x)

Detects weak passwords for the MongoDB service. This baseline supports MongoDB 2.x.

1

Container security

Unauthorized access: Risk of unauthorized access to the Redis container service

Detects unauthorized access to the Redis service at container runtime by attempting to connect or read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the MongoDB container service

Detects unauthorized access to the MongoDB service at container runtime by attempting to connect or read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the JBoss container service

Detects unauthorized access to the JBoss service at container runtime by attempting to connect or read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the ActiveMQ container service

Detects unauthorized access to the ActiveMQ service at container runtime by attempting to connect or read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the rsync container service

Detects unauthorized access to the rsync service at container runtime by attempting to connect or read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the Memcached container service

Detects unauthorized access to the Memcached service at container runtime by attempting to connect to the service or to read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the RabbitMQ container service

Detects unauthorized access to the RabbitMQ service at container runtime by attempting to connect to the service or to read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the Elasticsearch container service

Detects unauthorized access to the Elasticsearch service at container runtime by attempting to connect to the service or to read its configuration file.

1

Unauthorized access: Risk of unauthorized access to the Jenkins container service

Detects unauthorized access to the Jenkins service at container runtime by attempting to connect to the service or to read its configuration file.

1

Container Service for Kubernetes (ACK) Master Internationally Agreed Best Practices for Security

This baseline offers comprehensive configuration checks based on international best security practices. It is designed for enterprise users and enables targeted security hardening tailored to specific business scenarios.

52

Container Service for Kubernetes (ACK) Worker Node Internationally Agreed Best Practices for Security

9

Weak password: ProFTPD container runtime weak password risk

Detects weak passwords in ProFTPD at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: Redis container runtime weak password risk

Detects weak passwords in Redis at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: MongoDB container runtime weak password risk

Detects weak passwords in MongoDB at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: JBoss container runtime weak password risk

Detects weak passwords in JBoss at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: ActiveMQ container runtime weak password risk

Detects weak passwords in ActiveMQ at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: rsync container runtime weak password risk

Detects weak passwords in rsync at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: SVN container runtime weak password risk

Detects weak passwords in SVN at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: Elasticsearch container runtime weak password risk

Detects weak passwords in Elasticsearch at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: MySQL container runtime weak password risk

Detects weak passwords in the MySQL service at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: Tomcat container runtime weak password risk

Detects weak passwords in Tomcat at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Weak password: Jenkins container runtime weak password risk

Detects weak passwords in Jenkins at container runtime. It gets authentication details from configuration files and attempts a local connection using a weak password dictionary.

1

Alibaba Cloud Standard - Docker container security baseline check (supports K8s Docker pods)

Validates that your Docker container configurations align with Alibaba Cloud best security practices.

8

Alibaba Cloud Standard - Kubernetes Worker Node Security Baseline Check

Validates that your Kubernetes configurations align with Alibaba Cloud best security practices.

7

Alibaba Cloud Standard - Kubernetes Master Security Baseline Check

Validates that your Kubernetes configurations align with Alibaba Cloud best security practices.

18

Alibaba Cloud Standard - Docker Host Security Baseline Check

Validates that your Docker host configurations align with Alibaba Cloud best security practices.

10

Docker unauthorized access high-risk vulnerability

A baseline for detecting high-risk vulnerabilities related to unauthorized access in Docker.

1

Kubernetes API server unauthorized access high-risk vulnerability

A baseline for detecting high-risk vulnerabilities related to unauthorized access in the Kubernetes API server.

1

Kubernetes (K8s) Pod Internationally Agreed Best Practices for Security (supports K8s Containerd pods)

This baseline provides security hardening guidance for Kubernetes (K8s) pods based on international best security practices. It offers extensive check items for enterprise users to apply according to their business scenarios.

12

Container Service for Kubernetes (ACK) Pods Internationally Agreed Best Practices for Security

This baseline provides security hardening guidance for Container Service for Kubernetes (ACK) pods based on international best security practices. It offers extensive check items for enterprise users to apply according to their business scenarios.

7

Elastic Container Instance (ECI) Pod Internationally Agreed Best Practices for Security

This baseline provides security hardening guidance for Elastic Container Instance (ECI) pods based on international best security practices. It offers extensive check items for enterprise users to apply according to their business scenarios.

2

Kubernetes (K8s) Master Internationally Agreed Best Practices for Security

This baseline provides security hardening guidance for Kubernetes (K8s) master nodes based on international best security practices. It is designed for enterprise users with high security standards, offering a rich set of check rules to apply based on specific business scenarios and security needs.

55

Kubernetes (K8s) Policy Internationally Agreed Best Practices for Security

This baseline provides security hardening guidance for Kubernetes (K8s) policies based on international best security practices. It is designed for enterprise users with high security standards, offering a rich set of check rules to apply based on specific business scenarios and security needs.

34

Kubernetes (K8s) Worker Internationally Agreed Best Practices for Security

This baseline provides security hardening guidance for Kubernetes (K8s) worker nodes based on international best security practices. It is designed for enterprise users with high security standards, offering a rich set of check rules to apply based on specific business scenarios and security needs.

16

Dockerd Container Internationally Agreed Best Practices for Security

This baseline offers comprehensive configuration checks based on international best security practices. It is designed for enterprise users and enables targeted security hardening tailored to specific business scenarios.

91

Dockerd Host Internationally Agreed Best Practices for Security

25

Containerd Container Internationally Agreed Best Practices for Security

25

Containerd Host Internationally Agreed Best Practices for Security

22

Best Security Practices

Alibaba Cloud Standard - Alibaba Cloud Linux 2/3 Benchmark

Checks if your Alibaba Cloud Linux 2/3 configurations align with Alibaba Cloud best security practices.

16

Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check

Checks if your CentOS Linux 6 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check

Checks if your CentOS Linux 7/8 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Debian Linux 8/9/10/11/12 Security Baseline

Checks if your Debian Linux 8/9/10/11/12 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Red Hat Enterprise Linux (RHEL) 6 Security Baseline Check

Checks if your Red Hat Enterprise Linux (RHEL) 6 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Red Hat Enterprise Linux (RHEL) 7/8 Security Baseline Check

Checks if your Red Hat Enterprise Linux (RHEL) 7/8 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Ubuntu Security Baseline

Checks if your Ubuntu configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Memcached Security Baseline Check

Checks if your Memcached configurations align with Alibaba Cloud best security practices.

5

Alibaba Cloud Standard - MongoDB Security Baseline Check (Version 3.x)

Checks if your MongoDB configurations align with Alibaba Cloud best security practices.

9

Alibaba Cloud Standard - MySQL Security Baseline Check

Checks if your MySQL configurations align with Alibaba Cloud best security practices. This baseline supports MySQL 5.1 to 5.7.

12

Alibaba Cloud Standard - Oracle Security Baseline Check

Checks if your Oracle 11g configurations align with Alibaba Cloud best security practices.

14

Alibaba Cloud Standard - PostgreSQL Security Initialization Check

Checks if your PostgreSQL configurations align with Alibaba Cloud best security practices.

11

Alibaba Cloud Standard - Redis Security Baseline Check

Checks if your Redis configurations align with Alibaba Cloud best security practices.

7

Alibaba Cloud Standard - Anolis 7/8 Security Baseline Check

Checks if your Anolis 7/8 configurations align with Alibaba Cloud best security practices.

16

Alibaba Cloud Standard - Apache Security Baseline Check

Checks middleware configurations against international security best practices and Alibaba Cloud standards.

19

Alibaba Cloud Standard - CouchDB Security Baseline Check

Checks if your CouchDB configurations align with Alibaba Cloud security standards.

5

Alibaba Cloud Standard - Elasticsearch Security Baseline Check

Checks if your Elasticsearch configurations align with Alibaba Cloud best security practices.

3

Alibaba Cloud Standard - Hadoop Security Baseline Check

Checks if your Hadoop configurations align with Alibaba Cloud best security practices.

3

Alibaba Cloud Standard - InfluxDB Security Baseline Check

Checks if your InfluxDB configurations align with Alibaba Cloud best security practices.

5

Alibaba Cloud Standard - JBoss 6/7 Security Baseline

Checks if your JBoss 6/7 configurations align with Alibaba Cloud best security practices.

11

Alibaba Cloud Standard - Kibana Security Baseline Check

Checks if your Kibana configurations align with Alibaba Cloud best security practices.

4

Alibaba Cloud Standard - Kylin Security Baseline Check

Checks if your Kylin configurations align with Alibaba Cloud security standards.

15

Alibaba Cloud Standard - ActiveMQ Security Baseline

Checks if your ActiveMQ configurations align with Alibaba Cloud best security practices.

7

Alibaba Cloud Standard - Jenkins Security Baseline Check

Checks if your Jenkins configurations align with Alibaba Cloud best security practices.

6

Alibaba Cloud Standard - RabbitMQ Security Baseline

Checks if your RabbitMQ configurations align with Alibaba Cloud best security practices.

4

Alibaba Cloud Standard - Nginx Security Baseline Check

Checks if your Nginx configurations align with Alibaba Cloud best security practices.

13

Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check

Checks if your SUSE Linux 15 configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - UOS Security Baseline Check

Checks if your UOS configurations align with Alibaba Cloud best security practices.

15

Alibaba Cloud Standard - Zabbix Security Baseline

Checks if your Zabbix configurations align with Alibaba Cloud best security practices.

6

Alibaba Cloud Standard - Apache Tomcat Security Baseline

Checks middleware configurations against international security best practices and Alibaba Cloud standards.

13

Ping An Puhui Standard - CentOS Linux 7 Security Baseline Check

Checks if your CentOS Linux 7 configurations align with Ping An Puhui standards.

31

Ping An Puhui Risk Monitoring

Monitors risks based on Ping An Puhui standards.

7

Alibaba Cloud Standard - SVN Security Baseline Check

Checks if your SVN configurations align with Alibaba Cloud best security practices.

2

Alibaba Cloud Standard - AlmaLinux 8 Security Baseline Check

Checks if your AlmaLinux 8 configurations align with Alibaba Cloud best security practices.

16

Alibaba Cloud Standard - Rocky Linux 8 Security Baseline Check

Checks if your Rocky Linux 8 configurations align with Alibaba Cloud best security practices.

16

Alibaba Cloud Standard - TencentOS Security Baseline Check

Checks if your TencentOS configurations align with Alibaba Cloud best security practices.

16

Custom policy

CentOS Linux 7/8 custom baseline

Provides a template for creating custom CentOS Linux 7/8 baselines. You can select and configure check items to meet your security requirements.

53

CentOS Linux 6 custom baseline

Provides a template for creating a custom CentOS Linux 6 baseline. You can select and configure check items to meet your security requirements.

47

Ubuntu custom security baseline check

A custom baseline for Ubuntu 14/16/18/20 based on Alibaba Cloud best security practices.

62

Red Hat Enterprise Linux (RHEL) 7/8 Custom Security Baseline Check

A custom baseline check for Red Hat Enterprise Linux (RHEL) 7/8.

53

FAQ