# alinux-security

Part of **ALINUX**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Configure system security policies and compliance baselines](../../intent/alinux-configure-compliance/SKILL.md). If you're unsure which path to take, check the routing skill first.

# Alibaba Cloud Linux Security and Compliance Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|------|-----------|---------|------|
| Implement Security Best Practices | Console > Security > Best Practices | - Alibaba Cloud account created<br>- RAM user management permissions<br>- VPC and security groups configured | Apply identity, network, data, and audit best practices to harden your cloud environment. |
| Configure System Security Policy | Console > ECS > Instances > Security Groups | - ECS instance created<br>- RAM role or primary account permissions<br>- SSH client installed | Configure firewall rules via security groups to restrict network access to essential ports only. |
| Configure Baseline Check Policy | Risk Management > Baseline Check | - Cloud Security Center purchased<br>- Baseline check feature enabled | Set up automated compliance scans for Alibaba Cloud Linux 3 based on MLPS Level 3 standards. |
| Configure Access Control | Console > Cloud Products > Access Control > Configure Rules | - Relevant cloud product activated<br>- Administrator or security configuration permissions | Use built-in features like IP blacklists, anti-leeching, and tagging for fine-grained resource access control. |
| Subscribe to CVE Announcements | Website > Alibaba Cloud Linux > Security Advisories | - Chrome or Edge browser with extension support<br>- Internet access to Alibaba Cloud mirrors | Subscribe to Alibaba Cloud Linux 2 CVE updates via RSS feed using browser plugins. |

## Step-by-Step Instructions

### Implement Security Best Practices

**Navigation**: Console > Security > Best Practices

**Prerequisites**:
- Alibaba Cloud account created
- RAM user management permissions
- VPC and security groups configured

1. Log in to the Alibaba Cloud console  
   - Element: **** (button) — top-right corner  
   - Notes: Use the Alibaba Cloud account (root) credentials only for this initial setup; day-to-day operations should be performed as the RAM users created in the following steps.

2. Navigate to the RAM console for user and permission management  
   - Element: **RAM** (link) — left navigation panel  
   - Notes: Requires the Alibaba Cloud account or a RAM user that has been granted RAM management permissions.

3. Create a new RAM user and assign appropriate permission policies  
   - Element: **** (button) — user management page  
   - Notes: Follow the principle of least privilege: grant only the actions and resources the user actually needs, and prefer a policy scoped to a single service over administrator access.

4. Configure an instance RAM role to replace AccessKey usage  
   - Element: **** (tab) — instance details page  
   - Notes: Applications on the instance obtain short-lived STS credentials from the instance metadata service, so no long-lived AccessKey has to be stored on disk or in code, which removes the main credential-leakage risk.

5. Set inbound security group rules to allow only necessary ports  
   - Element: **** (tab) — network and security panel  
   - Notes: Avoid using 0.0.0.0/0 as the source; restrict each rule to trusted IP ranges (for example, a bastion host or your office egress address).

6. Enable ActionTrail to log all API calls and console operations  
   - Element: **** (link) — Security Center  
   - Notes: Essential for security auditing and incident investigation; deliver the trail to OSS or Log Service so that records are retained for the full period your audit requirements demand.
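Step 3 tells you to apply least privilege when attaching policies to a RAM user. The following checker, which is an added example and not code from the Alibaba Cloud documentation or console, shows what "least privilege" means concretely for a RAM policy document: it flags Allow statements whose Action or Resource is a wildcard. It assumes only the RAM policy JSON format (`"Version": "1"` plus a `Statement` list); the two sample policies and the `example-bucket` name are constructed for illustration.

```python
"""Least-privilege lint for Alibaba Cloud RAM policy documents.

Added example, not code from the Alibaba Cloud documentation. It assumes the
RAM policy document format ({"Version": "1", "Statement": [...]}) and flags
Allow statements whose Action or Resource is a wildcard, which is what step 3
above warns against. Both sample policies are constructed for illustration.
"""
import json
from typing import List

# Constructed sample: the shape of a full-access policy. A RAM user holding
# this can do anything the Alibaba Cloud account itself can do.
OVERBROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: read-only access to one (hypothetical) OSS bucket.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-bucket",
                     "acs:oss:*:*:example-bucket/*"],
    }],
})


def _as_list(value) -> List[str]:
    """RAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(document: str) -> List[str]:
    """Return one finding per wildcard grant in the policy's Allow statements.

    Deny statements are skipped: they can only narrow access. The '*' inside
    an ARN such as acs:oss:*:*:example-bucket is a region/account wildcard and
    is not flagged, because the bucket name still scopes the grant.
    """
    policy = json.loads(document)
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' grants every API of every service")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: Action '{action}' grants every API of that service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {idx}: Resource '*' applies to every resource in the account")
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or ["no wildcard grants"])
```

Run it over the policy JSON you are about to attach in the RAM console; a clean result does not prove the policy is minimal, but any finding is a grant you should be able to justify before clicking through.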

### Configure System Security Policy

**Navigation**: Console > ECS > Instances > Security Groups

**Prerequisites**:
- ECS instance created
- RAM role or primary account permissions
- SSH client installed

1. Go to the ECS console and select your target instance  
   - Element: **** (link) — left navigation panel  

2. Click the **Security Groups** tab on the instance details page  
   - Element: **** (tab) — top tab bar  

3. Click **Add Security Group Rule**  
   - Element: **** (button) — above the security group list  
   - Notes: Open only the ports a workload actually needs, such as 22 (SSH) or 80 (HTTP), and pair each with a narrow source; it is the combination of an open port and a 0.0.0.0/0 source that exposes the instance.

4. In the rule configuration form, set the protocol to TCP, the port range to 22, and the source to a trusted IP range  
   - Element: **** (dropdown) — rule configuration form  
   - Notes: Select "Custom IP" to enter a specific source address or CIDR block (for example, a single bastion host as a /32).

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Protocol | dropdown | Yes | TCP, UDP, ICMP | Specifies the allowed network protocol |
| Port Range | text_input | Yes | — | Port number(s) to allow (e.g., 22 for SSH) |
| Source | text_input | Yes | — | IP address or CIDR block allowed to connect; the default 0.0.0.0/0 admits the whole Internet and is not recommended |
| Action | radio | Yes | Allow, Deny | Determines whether traffic matching this rule is permitted |
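The console form above is one rule at a time; in practice you also want to find the rules that already violate the "no 0.0.0.0/0 on admin ports" guidance. The script below is an added example, not Alibaba Cloud tooling. It assumes rule dictionaries shaped like the `Permission` entries returned by the ECS `DescribeSecurityGroupAttribute` API (`IpProtocol`, `PortRange` as `from/to`, `SourceCidrIp`, `Policy`, `Direction`, `Priority`) and the parameter names of `AuthorizeSecurityGroup`; the rule list, the admin-port set and the `203.0.113.10/32` bastion address are constructed.

```python
"""Audit ECS security group ingress rules for admin ports open to the Internet.

Added example, not Alibaba Cloud's own tooling. The rule dictionaries follow
the Permission entries returned by the ECS DescribeSecurityGroupAttribute API
(IpProtocol, PortRange as "from/to", SourceCidrIp, Policy Accept/Drop,
Direction, Priority); the list below is constructed, not real account data.
The console labels the Policy values Allow/Deny; the API uses Accept/Drop.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample rules. The first one is the "anyone may SSH" rule the
# instructions above tell you to avoid.
SAMPLE_RULES: List[Dict] = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Priority": 100},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
]

# Ports that should never be reachable from 0.0.0.0/0 (assumption: tune for
# your environment). 80/443 are absent on purpose: public web listeners are
# expected to be world-reachable.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """'22/22' -> (22, 22). The API encodes 'all ports' as '-1/-1'."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (0, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def is_world_reachable(cidr: str) -> bool:
    """True only for the unrestricted source 0.0.0.0/0 (or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules: List[Dict]) -> List[str]:
    """One finding per Accept rule that exposes an admin port to the Internet.

    Conservative by design: a higher-priority Drop rule could shadow one of
    these Accepts, but an Accept-from-anywhere rule on an admin port is worth
    a finding either way, because it becomes live the moment that Drop is
    removed.
    """
    findings: List[str] = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        if not is_world_reachable(rule["SourceCidrIp"]):
            continue
        proto = rule["IpProtocol"].upper()
        if proto not in ("TCP", "ALL"):
            continue  # the admin services above all listen on TCP
        lo, hi = parse_port_range(rule["PortRange"])
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{proto} {rule['PortRange']} from {rule['SourceCidrIp']} "
                            f"exposes port(s) {exposed}")
    return findings


def hardening_params(rule: Dict, trusted_cidr: str) -> Dict[str, str]:
    """Parameters for an ECS AuthorizeSecurityGroup call that re-creates the
    rule with a trusted source. The caller adds RegionId and SecurityGroupId,
    then removes the original 0.0.0.0/0 rule with RevokeSecurityGroup."""
    ipaddress.ip_network(trusted_cidr, strict=False)  # fail early on typos
    return {
        "IpProtocol": rule["IpProtocol"],
        "PortRange": rule["PortRange"],
        "SourceCidrIp": trusted_cidr,
        "Policy": "Accept",
        "Priority": str(rule.get("Priority", 1)),
    }


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print("FINDING:", finding)
    print(hardening_params(SAMPLE_RULES[0], "203.0.113.10/32"))
```

Feed it the `Permissions.Permission` list from a real `DescribeSecurityGroupAttribute` response and it reports exactly the rules the table above warns about; the 443 rule is deliberately left alone, because a public web port from 0.0.0.0/0 is expected, whereas 22 from 0.0.0.0/0 is not.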

### Configure Baseline Check Policy

**Navigation**: Risk Management > Baseline Check

**Prerequisites**:
- Cloud Security Center purchased
- Baseline check feature enabled

1. In the left navigation pane, select **Risk Management > Baseline Check**  
   - Element: **** (menu) — left navigation panel  

2. Click **Policy Management** in the upper-right corner of the Baseline Check page  
   - Element: **** (button) — top-right  

3. In the Policy Management panel, click the **Add Standard Policy** tab  
   - Element: **** (button) — policy management panel  

4. Complete the policy configuration and click **Confirm**  
   - Element: **** (button) — baseline check policy panel  
   - Notes: Configure the policy name, detection cycle, start time, baseline name, and target servers.

5. At the bottom of the Policy Management panel, select both the **High** and **Medium** severity levels  
   - Element: **** (checkbox) — bottom of policy panel  
   - Notes: Ensure both the high and medium risk levels are checked; only the selected levels are included in the scan.

6. In the Baseline Check Policy dropdown, select your newly created policy  
   - Element: **Alibaba Cloud Linux 3** (dropdown) — baseline check policy area  

7. Click **Run Now** to start an immediate scan  
   - Element: **** (button) — baseline check policy area  
   - Notes: You can monitor progress or view details by clicking the progress indicator.

8. After completion, click the baseline name in the results list  
   - Element: **-Alibaba Cloud Linux 3** (link) — baseline check results list  

9. View the detailed results in the compliance panel  
   - Element: **-Alibaba Cloud Linux 3** (tab) — baseline check panel  

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Policy Name | text_input | Yes | — | Name to identify the policy (e.g., Alibaba Cloud Linux 3) |
| Detection Cycle | dropdown | Yes | 1, 3, 7, 30 (days) | How often the baseline check runs |
| Start Time | dropdown | Yes | 00:00~06:00, 06:00~12:00, 12:00~18:00, 18:00~24:00 | Time window in which a scheduled check begins |
| Baseline Name | menucascade | Yes | > -Alibaba Cloud Linux 3 | Compliance standard to apply (the MLPS Level 3 baseline for Alibaba Cloud Linux 3) |
| Target Servers | dropdown | Yes | — | Asset group to which the policy applies |

### Configure Access Control

**Navigation**: Console > Cloud Products > Access Control > Configure Rules

**Prerequisites**:
- Relevant cloud product activated
- Administrator or security configuration permissions

1. Enter the cloud product console  
   - Element: **** (link) — top navigation bar  

2. Select your target cloud product and go to **Access Control** settings  
   - Element: **** (menu) — left navigation panel  

3. Enable the **Source IP Blacklist** feature as needed  
   - Element: **IP** (tab) — access control settings page  
   - Notes: Supports multiple IPs or CIDR blocks. A blacklist only stops addresses you already know to be hostile; where the set of legitimate clients is known, an allowlist is the stronger control.

4. Configure anti-leeching rules by specifying allowed referrer domains  
   - Element: **** (tab) — access control settings page  
   - Notes: Wildcards like *.example.com are supported. The Referer header is set by the client, so anti-leeching deters casual hotlinking but is not an authentication mechanism; also decide explicitly whether requests that carry no Referer should be allowed.

5. Add tags to resources for classification and management  
   - Element: **** (tab) — access control settings page  
   - Notes: You can create new tags or use existing ones. For services that support tag-based authorization, tags can also be referenced in RAM policy conditions to scope a user's permissions to tagged resources.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Source IP Blacklist | text_input | No | — | Source IP addresses or CIDR blocks to block |
| Referrer Whitelist | text_input | No | — | Referrer domains allowed to access resources; supports wildcards such as *.example.com |
| Tag | text_input | Yes | — | Name of the tag used for resource categorization |
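Steps 3 and 4 above configure an IP blacklist and a referrer whitelist in the console without showing how such rules are evaluated, which is where the edge cases live (a bare IP versus a CIDR block, `*.example.com` versus `example.com` itself, a lookalike host such as `example.com.attacker.test`, and requests with no Referer at all). The code below is an added reference evaluation, not the implementation used by any Alibaba Cloud product; the rule sets and requests are constructed, and `example.com`, `attacker.test` and `203.0.113.0/24` are documentation values.

```python
"""Reference evaluation of the two access-control rules described above.

Added example, not the implementation of any Alibaba Cloud product. It shows
how a source-IP blacklist (single addresses or CIDR blocks) and a Referer
whitelist with *.example.com wildcards are typically evaluated, and the edge
cases worth testing when you configure them. Rule sets and requests below are
constructed; example.com and 203.0.113.0/24 are documentation values.
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlparse

IP_BLACKLIST = ["203.0.113.0/24", "198.51.100.7"]    # constructed
REFERER_WHITELIST = ["*.example.com", "example.com"]  # constructed


def ip_blocked(client_ip: str, blacklist: Iterable[str]) -> bool:
    """True if client_ip falls inside any blacklisted address or CIDR block.

    A bare address such as 198.51.100.7 is treated as a /32 (or /128).
    """
    addr = ipaddress.ip_address(client_ip)
    for entry in blacklist:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def _host_matches(host: str, pattern: str) -> bool:
    """Match one host against one whitelist entry.

    '*.example.com' matches any subdomain of example.com but neither
    example.com itself nor 'example.com.attacker.test'; a plain entry must
    match exactly. Comparison is case-insensitive and ignores a trailing dot.
    """
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def referer_allowed(referer: Optional[str], whitelist: Iterable[str],
                    allow_empty: bool = False) -> bool:
    """Anti-leeching decision for one request.

    Only the host of the Referer URL is compared, so a path such as
    https://attacker.test/example.com/ cannot spoof a match. Browsers omit
    the header on direct visits and under strict referrer policies, so the
    empty case must be decided explicitly. The header is client-controlled:
    this stops casual hotlinking, not a client that deliberately sends a
    whitelisted value.
    """
    if not referer:
        return allow_empty
    host = urlparse(referer).hostname
    return host is not None and any(_host_matches(host, p) for p in whitelist)


def access_decision(client_ip: str, referer: Optional[str]) -> str:
    """Combine both checks; the cheap IP check runs first."""
    if ip_blocked(client_ip, IP_BLACKLIST):
        return "deny: source IP blacklisted"
    if not referer_allowed(referer, REFERER_WHITELIST):
        return "deny: referer not whitelisted"
    return "allow"


if __name__ == "__main__":
    for ip, ref in [("203.0.113.45", "https://cdn.example.com/a"),
                    ("192.0.2.9", "https://example.com.attacker.test/"),
                    ("192.0.2.9", "https://www.example.com/page")]:
        print(ip, ref, "->", access_decision(ip, ref))
```

The cases in `__main__` are the ones to try against the real product after you save its rules: a blacklisted address must be refused regardless of Referer, a lookalike host must not pass the wildcard, and a legitimate subdomain must pass. Whatever the product does with an empty Referer, make sure that behaviour is a decision you made rather than a default you inherited.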

### Subscribe to CVE Announcements

**Navigation**: Website > Alibaba Cloud Linux > Security Advisories

**Prerequisites**:
- Google Chrome or Microsoft Edge browser with extension support
- Internet access to Alibaba Cloud Linux mirrors

1. Open the Chrome Web Store  
   - Element: **Chrome Web Store** (link) — upper-left corner  

2. Enter "rss feed reader" in the search box  
   - Element: **search box** (text_input) — upper-left of Chrome Web Store  

3. Click the highly rated **RSS Feed Reader** plugin in the results  
   - Element: **RSS Feed Reader** (link) — search results  
   - Notes: Two may appear; choose the one with the higher rating. Before installing, review the publisher and the permissions the extension requests: an extension that can read page content on all sites runs inside the same browser session you use for the cloud console, so install only from a publisher you trust, or keep console work in a separate browser profile.

4. Click **Add to Chrome**, then **Add extension**  
   - Element: **Add to Chrome** (button) — plugin details page  
   - Notes: Button changes to “Remove from Chrome” after installation.

5. Visit the Alibaba Cloud Linux 2 CVE updates page  
   - Element: **Alibaba Cloud Linux 2 CVE updates** (link) — page content  

6. Click the **RSS icon** in the upper-right corner  
   - Element: **RSS icon** (icon) — upper-right corner  

7. Click **Subscribe** in the dialog  
   - Element: **Subscribe** (button) — dialog box  
   - Notes: Button changes to “Following” after success.

8. Click the **RSS Feed Reader plug-in icon** in Chrome’s toolbar  
   - Element: **RSS Feed Reader plug-in icon** (button) — upper-right corner  

9. Click **Alibaba Cloud Linux 2.1903 Security Advisories** to view updates  
   - Element: **Alibaba Cloud Linux 2.1903 Security Advisories** (link) — RSS dropdown  
   - Notes: Shows ID, affected packages, severity, and publication date.

10. For Edge users: Open **Edge Add-ons** page  
    - Element: **Edge Add-ons** (link) — upper-left  

11. Search for "RSS Feed Reader" in Edge Add-ons  
    - Element: **search box** (text_input) — upper-left  

12. Click **Get** for **Feeder - RSS Feed Reader**  
    - Element: **Get** (button) — search results  

13. Click **Add extension** in confirmation dialog  
    - Element: **Add extension** (button) — dialog box  

14. Visit the Alibaba Cloud Linux 2 CVE page in Edge  
    - Element: **Alibaba Cloud Linux 2 CVE updates** (link) — page content  

15. Click the **RSS icon** in upper-right  
    - Element: **RSS icon** (icon) — upper-right  

16. Click **Follow** at the top of the page  
    - Element: **Follow** (button) — top of page  
    - Notes: Changes to “Manage settings” after following.

17. Pin the Feeder plugin to the toolbar  
    - Element: **show icon (eye-shaped)** (button) — right side of Extensions panel  
    - Notes: Enables quick access via toolbar icon.

18. Click the **RSS Feed Reader plug-in icon** in Edge  
    - Element: **RSS Feed Reader plug-in icon** (button) — upper-right  

19. Click **Alibaba Cloud Linux 2.1903 Security Advisories** to view advisories  
    - Element: **Alibaba Cloud Linux 2.1903 Security Advisories** (link) — RSS dropdown  
    - Notes: Sorted by time; includes filters and sort options.

## FAQ

Q: Where can I configure security group rules for my ECS instance?  
A: Go to the ECS console, select your instance, and click the **** (Security Groups) tab. Then click **** to add new rules.

Q: Can I modify a baseline check policy after it's created?  
A: Yes. Return to **Risk Management > Baseline Check**, open ****, and edit the existing policy.

Q: Do I need to pay to use the baseline check feature?  
A: Baseline check is a feature of Cloud Security Center, which must be purchased first (see the prerequisites above). Refer to the Cloud Security Center pricing documentation for the edition that includes baseline checks and for the current billing model.

Q: What permissions are required to manage RAM users?  
A: Only the Alibaba Cloud primary account or users granted full RAM management permissions can create and manage RAM users.

Q: Why don’t I see the RSS icon on the CVE page?  
A: The RSS icon appears only if your browser supports feeds or has an RSS reader extension installed. Install an RSS Feed Reader plugin first.

## Pricing & Billing

### Billing Model
Baseline check is a Cloud Security Center feature and is billed under that service's pricing; consult the Cloud Security Center pricing documentation for the current model. Security groups, RAM, and the product-level access controls described above are provided as part of the core cloud services at no additional charge.

### Price Reference
- Baseline Check: Billed through Cloud Security Center; see its pricing documentation
- Other functions: No additional charge

### Free Tier
- Baseline check requires a paid Cloud Security Center edition; check the pricing documentation for any free quota that applies
- Core security features (security groups, RAM, IP blacklists, tagging) are provided at no extra cost

### Billing Notes
- Delivering ActionTrail trails to OSS or Log Service incurs storage (and, for Log Service, indexing) charges in those services; control cost with a retention or lifecycle policy that still satisfies your audit requirements rather than by deleting audit logs ad hoc
- Manual "Run Now" baseline scans are subject to the same Cloud Security Center billing as scheduled scans
- Advanced protections (e.g., WAF, Anti-DDoS) require separate service activation and billing