Security Baseline Check
The security baseline check automatically detects risk points in the system, middleware, database, and account configurations on your servers and provides repair suggestions for the identified issues.
Detection Principle
The detection works as follows: the client Agent installed on the server inspects the relevant application configurations, environment settings and specific parameters on the host itself, using the configuration rule files it has loaded, so risk detection runs locally. Each detection item applies its own rules to look for risk characteristics. When a rule is triggered, the risk point is flagged and repair suggestions are provided.
Detection Cycle
- The plugin scans immediately each time it starts or restarts; by default it then rescans every 12 hours.
- After you have remediated a risk, the system rescans that risk within 12 hours. If the risk is confirmed fixed, the alert is automatically removed.
Detection Items
Category | Detection Item | Description | Corresponding Version |
---|---|---|---|
System | Weak Account Password | Checks if the login account password for the Linux system is a weak password | V3.0 |
System | Non-root Privileged Account | Checks if there are non-root accounts with root privileges in the Linux system | V3.0 |
Application | Insecure SSH Protocol Version | Checks if an insecure SSH protocol version is used | V3.0 |
Application | Allows SSH Empty Password Login | Checks if SSH allows login with an empty password | V3.0 |
Application | Nginx Running with High Privileges | Checks if Nginx is running with root privileges | V3.0 |
Application | Apache Running with High Privileges | Checks if Apache HTTPD is running with root privileges | V3.0 |
Application | PHP Version Information Disclosure | Checks if PHP configuration discloses version information | V3.0 |
Application | Dangerous PHP Executable Functions | Checks if dangerous executable functions are disabled in PHP configuration | V3.0 |
Application | Java Environment Vulnerabilities | Checks for risks in Java environment variables and configurations (e.g., the Apache Log4j vulnerability) | V3.0 |
Database | MySQL Running with High Privileges | Checks if MySQL is running with root privileges | V3.0 |
Database | Mongodb Validation Disabled | Checks if password validation is enabled in Mongodb configuration | V3.0 |
Middleware | Redis Password Validation Disabled | Checks if password validation is enabled for Redis service | V3.0 |
Database | Mongodb Validation Not Enabled | Checks if Mongodb validation is disabled, which may allow risky default settings | V3.0 |
Database | Mongodb Listening Address Risk | Avoid setting Mongodb to listen on all addresses unnecessarily to prevent exposure to the public network | V3.0 |
Application | Tomcat Account Not Disabled | Modify Tomcat configuration to remove or disable accounts for backend login if unnecessary | V3.0 |
Application | Tomcat Running with High Privileges | Modify Tomcat process permissions to avoid running the service with high privileges | V3.0 |
Application | Tomcat Sample Packages Not Deleted | Delete sample packages under Tomcat Web directory to avoid leaking sensitive information | V3.0 |
Application | Tomcat Directory Listing Allowed | Disable directory listing in Tomcat to avoid information leakage | V3.0 |
Application | Tomcat Auto Deployment Not Disabled | Avoid enabling auto deployment unless necessary, to reduce the risk of compromise | V3.0 |
Application | Tomcat JMX Remote Not Disabled | Avoid enabling JMX remote deployment unless necessary, to reduce the risk of compromise | V3.0 |
Application | Caddy Running with High Privileges | Modify Caddy process permissions to avoid running the service with high privileges | V3.0 |
Application | Hadoop Access Validation Not Enabled | Checks if access validation is disabled in Hadoop configuration | V3.0 |
Application | Apache Rewrite Configuration Enabled | Checks if the rewrite configuration is enabled in Apache, which could lead to risky default settings | V3.0 |
Application | Hadoop ResourceManager Public Exposure | Avoid exposing the Hadoop backend service interface on a public network unless necessary | V3.0 |
Application | Nginx Directory Traversal Due to Misconfiguration | Checks if Nginx misconfiguration could lead to directory traversal | V3.0 |
Application | Nginx CRLF Injection Due to Misconfiguration | Checks if Nginx misconfiguration could lead to CRLF injection | V3.0 |
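The following is an added example, not the product's own Agent or rule files, showing how a rule-driven baseline check of the kind described under "Detection Principle" can be implemented for a handful of the items in the table above (SSH protocol version, SSH empty-password login, PHP version disclosure, dangerous PHP functions, Redis password validation, MongoDB authorization and listening address). Rules are plain data (a configuration file, a check, and a repair suggestion), detection runs locally against the configuration text, and a small reconcile step models the detection cycle: an alert whose risk is no longer detected on rescan is closed automatically. The configuration snippets, rule wording and function names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Rule:
    category: str
    item: str                      # detection item name, as in the baseline table
    config: str                    # key of the configuration text the rule inspects
    is_risky: Callable[[str], bool]
    suggestion: str                # repair suggestion reported with the finding


def directive(text: str, key: str):
    """Last uncommented `Key value` line in an sshd_config / redis.conf style file."""
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(rf"^{re.escape(key)}\s+(.+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    return value


def ini_value(text: str, key: str):
    """Last uncommented `key = value` line in a php.ini style file."""
    value = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(rf"^{re.escape(key)}\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    return value


# Functions that should be listed in php.ini disable_functions (constructed set).
DANGEROUS_PHP = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

RULES: List[Rule] = [
    Rule("Application", "Insecure SSH Protocol Version", "sshd_config",
         lambda t: "1" in (directive(t, "Protocol") or "2").split(","),
         "Set 'Protocol 2' (or remove the legacy directive) and restart sshd."),
    Rule("Application", "Allows SSH Empty Password Login", "sshd_config",
         lambda t: (directive(t, "PermitEmptyPasswords") or "no").lower() == "yes",
         "Set 'PermitEmptyPasswords no' in sshd_config and restart sshd."),
    Rule("Application", "PHP Version Information Disclosure", "php.ini",
         lambda t: (ini_value(t, "expose_php") or "On").lower() in ("on", "1"),
         "Set 'expose_php = Off' in php.ini."),
    Rule("Application", "Dangerous PHP Executable Functions", "php.ini",
         lambda t: not DANGEROUS_PHP <= {f.strip() for f in (ini_value(t, "disable_functions") or "").split(",")},
         "Add exec,system,passthru,shell_exec,popen,proc_open to disable_functions."),
    Rule("Middleware", "Redis Password Validation Disabled", "redis.conf",
         lambda t: not directive(t, "requirepass"),
         "Set 'requirepass <strong password>' in redis.conf and restart Redis."),
    Rule("Database", "Mongodb Validation Disabled", "mongod.conf",
         lambda t: not re.search(r"^\s*authorization:\s*enabled\b", t, re.M),
         "Set security.authorization: enabled in mongod.conf and create admin users."),
    Rule("Database", "Mongodb Listening Address Risk", "mongod.conf",
         lambda t: bool(re.search(r"^\s*bindIp:\s*0\.0\.0\.0\b", t, re.M)),
         "Bind MongoDB to 127.0.0.1 or an internal address instead of 0.0.0.0."),
]


def scan(configs: Dict[str, str]) -> List[dict]:
    """Apply every rule whose configuration file is present; return the triggered risk points."""
    findings = []
    for rule in RULES:
        text = configs.get(rule.config)
        if text is not None and rule.is_risky(text):
            findings.append({"category": rule.category, "item": rule.item,
                             "config": rule.config, "suggestion": rule.suggestion})
    return findings


def reconcile(open_alerts: Set[str], findings: List[dict]) -> Dict[str, List[str]]:
    """Detection-cycle bookkeeping: alerts whose risk is no longer detected are closed."""
    current = {f["item"] for f in findings}
    return {"new": sorted(current - open_alerts),
            "still_open": sorted(current & open_alerts),
            "closed": sorted(open_alerts - current)}


# Constructed, deliberately weak sample configuration files.
SAMPLE_CONFIGS = {
    "sshd_config": "Protocol 2\n# PermitEmptyPasswords no\nPermitEmptyPasswords yes\n",
    "php.ini": "expose_php = On\ndisable_functions = exec,system\n",
    "redis.conf": "bind 127.0.0.1\nport 6379\n# requirepass foobared\n",
    "mongod.conf": "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongodb\n",
}
HARDENED_SSHD = "Protocol 2\nPermitEmptyPasswords no\n"  # the "after repair" file

if __name__ == "__main__":
    first = scan(SAMPLE_CONFIGS)
    for f in first:
        print(f"[{f['category']}] {f['item']} ({f['config']}): {f['suggestion']}")
    # Simulated rescan after the SSH risk has been repaired: that alert is closed.
    print(reconcile({f["item"] for f in first}, scan(dict(SAMPLE_CONFIGS, sshd_config=HARDENED_SSHD))))
```

Keeping rules as data rather than code is what lets a real Agent ship new detection items as rule-file updates; the reconcile step is what makes "the alert is automatically removed once the risk is fixed" possible without manual acknowledgement.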