Cloud Workload Protection Platform Interpretation Of Host Security Classified Protection Assessment-Practical Tutorial-Help & Documentation-Tencent Cloud

Interpretation Of Classified Protection Standard
Tencent Cloud Workload Protection (CWPP) product complies with the main standards of the level protection 2.0 system. According to the "Basic Requirements for Cybersecurity Level Protection" (GB/T 22239-2019), Tencent CWPP (limited to the Professional and Ultimate editions with purchased log analysis) meets the security requirements of level three and below:
No
Classified Protection Standard Section
Classified Protection Standard Serial Number
Classified Protection Standard Content
Corresponding Feature Description
1
Security area boundary—Boundary Protection
8.1.3.1 c)
It should be able to check and limit unauthorized connections from internal users to the public network.
CWPP supports detecting and intercepting unauthorized malicious outbound connections from Cloud Virtual Machines to external malicious domain names and IP addresses.
2
Security boundary - Intrusion prevention
8.1.3.3 a)
It should detect, prevent, or limit network attacks initiated from outside at key network nodes.
CWPP supports detecting and blocking brute force attacks, detecting common network attacks, and one-click vulnerability defense for some vulnerabilities.
3
Security boundary - Intrusion prevention
8.1.3.3 b)
Network attacks initiated from inside should be detected, prevented, or limited at key network nodes.
CWPP can detect outbound connections and attack behaviors at the system layer and application layer of CVM, and send alarms for abnormal process and command behaviors.
4
Security boundary - Intrusion prevention
8.1.3.3 c)
Technical measures should be taken to analyze network behaviors, achieving analysis of network attacks, especially new types of network attacks.
CWPP supports analysis based on security data from hosts, networks, and cloud platforms, enabling detection and alarms for new attacks such as mining, ransomware, Trojans, and worms.
5
Security boundary - Intrusion prevention
8.1.3.3 d)
When an attack is detected, record the source IP, attack type, attack purpose, and attack time. An alarm should be provided in the event of a serious intrusion event.
When CWPP detects a brute force attack, it records the source IP, source location, attacked server IP/name, port, protocol, username, time, cracking status, blocking status, and sends an alarm.
6
Security boundary - Security audit
8.1.3.5 b)
Audit records should include the date and time of the event, user, event type, whether the event was successful, and other audit-related information.
CWPP supports server login audit, recording information including source IP, source location, server IP/name, login username, login time, status, and risk level.
7
Secure computing environment - Identity authentication
8.1.4.1 a)
Users logging in should be identified and authenticated. Identifiers should be unique, and authentication information should meet complexity requirements and be periodically replaced.
CWPP baseline check capability supports regular security checks on cloud service customer login configurations and password complexity, provides warnings for risk items, and offers security advice.
8
Secure computing environment - Identity authentication
8.1.4.1 b)
The login failure processing feature should be enabled, and measures such as ending session, limiting the number of unauthorized login attempts, and automatically exiting when the login connection times out should be configured and enabled.
CWPP supports host login failure defense configuration, allowing flexible configuration of rules to lock users after multiple login failures within a certain time period.
9
Secure computing environment - Identity authentication
8.1.4.1 c)
Necessary measures should be taken to prevent authentication info from being eavesdropped during network transmission when performing remote management.
CWPP supports checks for improper remote management configurations, such as a baseline check prohibiting the use of telnet.
10
Secure computing environment - Access control
8.1.4.2 b)
The default account should be renamed or deleted, and the default password of the default account should be modified.
CWPP supports account permission configuration checks. Asset management supports displaying all login accounts, supports default weak password security checks, and provides alarms and remediation suggestions when risks are detected.
11
Secure computing environment - Access control
8.1.4.2 c)
Redundant or expired accounts should be deleted or disabled in a timely manner to avoid the existence of shared accounts.
CWPP supports security configuration checks for CVM accounts. Asset management supports displaying all login accounts, provides alarms for abnormal account login IPs, and supports alerts to avoid the existence of shared accounts.
12
Secure computing environment - Security audit
8.1.4.3 a)
Security audit should be enabled, covering each user, auditing important user behaviors and significant security events.
CWPP supports recording cloud server account login operations, as well as auditing high-risk commands and high-risk operations.
13
Secure computing environment - Security audit
8.1.4.3 b)
Audit records should include the date and time of the event, user, event type, whether the event was successful, and other audit-related information.
CWPP log records include host IP, host instance ID, account, source IP, destination IP, process ID, port, event type, occurrence time, action policy, etc.
14
Secure computing environment - Security audit
8.1.4.3 c)
Audit records should be protected, regularly backed up, and prevented from unexpected deletion, modification, or overwrite.
The host security product supports a log audit storage feature, which can store log data for at least 6 months. Different tenants use completely independent log spaces, and log data has a multi-replica backup mechanism.
15
Secure computing environment - Intrusion prevention
8.1.4.4 b)
Unnecessary system services, Default Sharing, and high-risk ports should be closed.
CWPP asset management supports unified control of services, processes, and open ports running on cloud servers.
16
Secure computing environment - Intrusion prevention
8.1.4.4 c)
Management terminals accessed via the network should be restricted by setting terminal access methods or network address ranges.
CWPP supports adding allowlists for host login IP addresses. Logins from non-allowlisted users will be blocked. Combined with security groups, it enables cloud network management and restriction.
17
Secure computing environment - Intrusion prevention
8.1.4.4 e)
It should be able to detect potential known vulnerabilities and fix them promptly after thorough testing and evaluation.
CWPP supports detecting Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities, and emergency vulnerabilities, assessing risk levels, and providing remediation suggestions.
18
Secure computing environment - Intrusion prevention
8.1.4.4 f)
It should be able to detect intrusions on critical nodes and provide alarms when serious intrusion events occur.
CWPP supports detecting intrusions on critical nodes, including malicious files, abnormal logins, password cracking, malicious requests, high-risk commands, rebound shell, local privilege escalation, file tampering, and other threats, providing alarms and some proactive blocking capabilities.
19
Secure computing environment - Malicious code prevention
8.1.4.5
Technical measures to prevent malicious code attacks or proactive immune verify trustworthiness mechanisms should be used to promptly identify and effectively block intrusions and viruses.
CWPP supports malicious file scanning and killing, real-time monitoring of Trojans, viruses, and automatic isolation.
20
Security Management Center - Security Management
8.1.5.3 a)
Security administrators should undergo identity authentication, be allowed to perform security management operations only through specific commands or operation interfaces, and these operations should be audited.
CWPP supports security management operations on cloud resources through the console, and can audit login behaviors and high-risk commands.
21
Security Management Center - Security Management
8.1.5.3 b)
Security policies in the system should be configured by security administrators, including setting security parameters, uniformly marking Subjects and objects, authorizing Subjects, and configuring trusted verification policies.
CWPP supports configuring security policies in the host system through the console.
22
Security Management Center - Centralized Control
8.1.5.3 e)
Centralized management should be conducted for security policies, malicious code, patch upgrades, and other security-related matters.
CWPP supports centralized management of vulnerabilities, malicious code detection, and isolation for host security.
Cybersecurity Classified Protection Compliance Service Baseline Policy
Tencent Cloud CWPP by default provides the Cybersecurity Classified Protection Compliance Baseline Policy, supporting periodic detection and one-click detection of baseline detection items. It helps understand the baseline pass rate and risk situation, provides risk levels and remediation suggestions for baselines and detection items, aiding in quick rectification to meet compliance requirements. The following are the supported detection items for Cybersecurity Classified Protection Compliance:
Baseline Categorization
Baseline Name
Number Of Included Check Items
Classified Protection Level 2
Level-2 Cybersecurity Classified Protection - CentOS 6 Security Baseline Check
16
﻿
Level-2 Cybersecurity Classified Protection - CentOS 7 Security Baseline Check
18
﻿
Level-2 Cybersecurity Classified Protection - CentOS 8 Security Baseline Check
16
﻿
Level-2 Cybersecurity Classified Protection - Ubuntu 14 Security Baseline Check
19
﻿
Level-2 Cybersecurity Classified Protection - Ubuntu 16 Security Baseline Check
19
﻿
Level-2 Cybersecurity Classified Protection - Ubuntu 18 Security Baseline Check
21
﻿
Level-2 Cybersecurity Classified Protection - Ubuntu 20 Security Baseline Check
29
Classified Protection Level 3
Level-3 Cybersecurity Classified Protection - CentOS 6 Security Baseline Check
27
﻿
Level-3 Cybersecurity Classified Protection - CentOS 7 Security Baseline Check
31
﻿
Level-3 Cybersecurity Classified Protection - CentOS 8 Security Baseline Check
36
﻿
Level-3 Cybersecurity Classified Protection - Ubuntu 14 Security Baseline Check
35
﻿
Level-3 Cybersecurity Classified Protection - Ubuntu 16 Security Baseline Check
33
﻿
Level-3 Cybersecurity Classified Protection - Ubuntu 18 Security Baseline Check
40
﻿
Level-3 Cybersecurity Classified Protection - Ubuntu 20 Security Baseline Check
48
﻿
Level-3 Cybersecurity Classified Protection - Windows 2008 Security Baseline Check
19
﻿
Level-3 Cybersecurity Classified Protection - Windows 2012 Security Baseline Check
19
﻿
Level-3 Cybersecurity Classified Protection - Windows 2016 Security Baseline Check
19
﻿

No	Classified Protection Standard Section	Classified Protection Standard Serial Number	Classified Protection Standard Content	Corresponding Feature Description
1	Security area boundary—Boundary Protection	8.1.3.1 c)	It should be able to check and limit unauthorized connections from internal users to the public network.	CWPP supports detecting and intercepting unauthorized malicious outbound connections from Cloud Virtual Machines to external malicious domain names and IP addresses.
2	Security boundary - Intrusion prevention	8.1.3.3 a)	It should detect, prevent, or limit network attacks initiated from outside at key network nodes.	CWPP supports detecting and blocking brute force attacks, detecting common network attacks, and one-click vulnerability defense for some vulnerabilities.
3	Security boundary - Intrusion prevention	8.1.3.3 b)	Network attacks initiated from inside should be detected, prevented, or limited at key network nodes.	CWPP can detect outbound connections and attack behaviors at the system layer and application layer of CVM, and send alarms for abnormal process and command behaviors.
4	Security boundary - Intrusion prevention	8.1.3.3 c)	Technical measures should be taken to analyze network behaviors, achieving analysis of network attacks, especially new types of network attacks.	CWPP supports analysis based on security data from hosts, networks, and cloud platforms, enabling detection and alarms for new attacks such as mining, ransomware, Trojans, and worms.
5	Security boundary - Intrusion prevention	8.1.3.3 d)	When an attack is detected, record the source IP, attack type, attack purpose, and attack time. An alarm should be provided in the event of a serious intrusion event.	When CWPP detects a brute force attack, it records the source IP, source location, attacked server IP/name, port, protocol, username, time, cracking status, blocking status, and sends an alarm.
6	Security boundary - Security audit	8.1.3.5 b)	Audit records should include the date and time of the event, user, event type, whether the event was successful, and other audit-related information.	CWPP supports server login audit, recording information including source IP, source location, server IP/name, login username, login time, status, and risk level.
7	Secure computing environment - Identity authentication	8.1.4.1 a)	Users logging in should be identified and authenticated. Identifiers should be unique, and authentication information should meet complexity requirements and be periodically replaced.	CWPP baseline check capability supports regular security checks on cloud service customer login configurations and password complexity, provides warnings for risk items, and offers security advice.
8	Secure computing environment - Identity authentication	8.1.4.1 b)	The login failure processing feature should be enabled, and measures such as ending session, limiting the number of unauthorized login attempts, and automatically exiting when the login connection times out should be configured and enabled.	CWPP supports host login failure defense configuration, allowing flexible configuration of rules to lock users after multiple login failures within a certain time period.
9	Secure computing environment - Identity authentication	8.1.4.1 c)	Necessary measures should be taken to prevent authentication info from being eavesdropped during network transmission when performing remote management.	CWPP supports checks for improper remote management configurations, such as a baseline check prohibiting the use of telnet.
10	Secure computing environment - Access control	8.1.4.2 b)	The default account should be renamed or deleted, and the default password of the default account should be modified.	CWPP supports account permission configuration checks. Asset management supports displaying all login accounts, supports default weak password security checks, and provides alarms and remediation suggestions when risks are detected.
11	Secure computing environment - Access control	8.1.4.2 c)	Redundant or expired accounts should be deleted or disabled in a timely manner to avoid the existence of shared accounts.	CWPP supports security configuration checks for CVM accounts. Asset management supports displaying all login accounts, provides alarms for abnormal account login IPs, and supports alerts to avoid the existence of shared accounts.
12	Secure computing environment - Security audit	8.1.4.3 a)	Security audit should be enabled, covering each user, auditing important user behaviors and significant security events.	CWPP supports recording cloud server account login operations, as well as auditing high-risk commands and high-risk operations.
13	Secure computing environment - Security audit	8.1.4.3 b)	Audit records should include the date and time of the event, user, event type, whether the event was successful, and other audit-related information.	CWPP log records include host IP, host instance ID, account, source IP, destination IP, process ID, port, event type, occurrence time, action policy, etc.
14	Secure computing environment - Security audit	8.1.4.3 c)	Audit records should be protected, regularly backed up, and prevented from unexpected deletion, modification, or overwrite.	The host security product supports a log audit storage feature, which can store log data for at least 6 months. Different tenants use completely independent log spaces, and log data has a multi-replica backup mechanism.
15	Secure computing environment - Intrusion prevention	8.1.4.4 b)	Unnecessary system services, Default Sharing, and high-risk ports should be closed.	CWPP asset management supports unified control of services, processes, and open ports running on cloud servers.
16	Secure computing environment - Intrusion prevention	8.1.4.4 c)	Management terminals accessed via the network should be restricted by setting terminal access methods or network address ranges.	CWPP supports adding allowlists for host login IP addresses. Logins from non-allowlisted users will be blocked. Combined with security groups, it enables cloud network management and restriction.
17	Secure computing environment - Intrusion prevention	8.1.4.4 e)	It should be able to detect potential known vulnerabilities and fix them promptly after thorough testing and evaluation.	CWPP supports detecting Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities, and emergency vulnerabilities, assessing risk levels, and providing remediation suggestions.
18	Secure computing environment - Intrusion prevention	8.1.4.4 f)	It should be able to detect intrusions on critical nodes and provide alarms when serious intrusion events occur.	CWPP supports detecting intrusions on critical nodes, including malicious files, abnormal logins, password cracking, malicious requests, high-risk commands, rebound shell, local privilege escalation, file tampering, and other threats, providing alarms and some proactive blocking capabilities.
19	Secure computing environment - Malicious code prevention	8.1.4.5	Technical measures to prevent malicious code attacks or proactive immune verify trustworthiness mechanisms should be used to promptly identify and effectively block intrusions and viruses.	CWPP supports malicious file scanning and killing, real-time monitoring of Trojans, viruses, and automatic isolation.
20	Security Management Center - Security Management	8.1.5.3 a)	Security administrators should undergo identity authentication, be allowed to perform security management operations only through specific commands or operation interfaces, and these operations should be audited.	CWPP supports security management operations on cloud resources through the console, and can audit login behaviors and high-risk commands.
21	Security Management Center - Security Management	8.1.5.3 b)	Security policies in the system should be configured by security administrators, including setting security parameters, uniformly marking Subjects and objects, authorizing Subjects, and configuring trusted verification policies.	CWPP supports configuring security policies in the host system through the console.
22	Security Management Center - Centralized Control	8.1.5.3 e)	Centralized management should be conducted for security policies, malicious code, patch upgrades, and other security-related matters.	CWPP supports centralized management of vulnerabilities, malicious code detection, and isolation for host security.

Baseline Categorization	Baseline Name	Number Of Included Check Items
Classified Protection Level 2	Level-2 Cybersecurity Classified Protection - CentOS 6 Security Baseline Check	16
		Level-2 Cybersecurity Classified Protection - CentOS 7 Security Baseline Check	18
		Level-2 Cybersecurity Classified Protection - CentOS 8 Security Baseline Check	16
		Level-2 Cybersecurity Classified Protection - Ubuntu 14 Security Baseline Check	19
		Level-2 Cybersecurity Classified Protection - Ubuntu 16 Security Baseline Check	19
		Level-2 Cybersecurity Classified Protection - Ubuntu 18 Security Baseline Check	21
		Level-2 Cybersecurity Classified Protection - Ubuntu 20 Security Baseline Check	29
Classified Protection Level 3	Level-3 Cybersecurity Classified Protection - CentOS 6 Security Baseline Check	27
		Level-3 Cybersecurity Classified Protection - CentOS 7 Security Baseline Check	31
		Level-3 Cybersecurity Classified Protection - CentOS 8 Security Baseline Check	36
		Level-3 Cybersecurity Classified Protection - Ubuntu 14 Security Baseline Check	35
		Level-3 Cybersecurity Classified Protection - Ubuntu 16 Security Baseline Check	33
		Level-3 Cybersecurity Classified Protection - Ubuntu 18 Security Baseline Check	40
		Level-3 Cybersecurity Classified Protection - Ubuntu 20 Security Baseline Check	48
		Level-3 Cybersecurity Classified Protection - Windows 2008 Security Baseline Check	19
		Level-3 Cybersecurity Classified Protection - Windows 2012 Security Baseline Check	19
		Level-3 Cybersecurity Classified Protection - Windows 2016 Security Baseline Check	19

Interpretation Of Host Security Classified Protection Assessment

On this page:

Interpretation Of Classified Protection Standard

Cybersecurity Classified Protection Compliance Service Baseline Policy