---
Title: Configure compliance
URL Source: https://company-skill.com/p/alinux/alinux-configure-compliance
Language: en
Description: You want to either proactively configure security controls (like Security Groups, RAM permissions, and compliance baselines) or reactively fix specific vulnerabilities (such as CVEs requiring kernel…
---

# Configure compliance

Part of **Alibaba Cloud Linux**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to either proactively configure security controls (like Security Groups, RAM permissions, and compliance baselines) or reactively fix specific vulnerabilities (such as CVEs requiring kernel hotfixes or module disabling) on Alibaba Cloud Linux.

**Typical User Questions**:
- How to apply security best practices on Alibaba Cloud Linux?
- How to patch known vulnerabilities like CVE-2021-33909?

## Decision Tree

Pick the best path for your situation:

- **If** you need to configure the **Alibaba Cloud Linux 3 MLPS compliance check** (Alibaba Cloud Linux 3等保合规检查) or the **MLPS Level 3 Alibaba Cloud Linux 3 compliance baseline check** (等保三级-Alibaba Cloud Linux 3合规基线检查) via GUI → Use the guide path (go to *alinux/alinux-security*)
- **If** you must remediate a specific kernel vulnerability using commands like `yum install -y kernel-hotfix` or `lsmod | grep algif_aead` → Use the troubleshooting path (go to *alinux/alinux-security*)
- **If** your system shows symptoms of CVEs involving the **algif_aead module** or requires **kpatch**-based live patching → Use the troubleshooting path (go to *alinux/alinux-security*)
- **Otherwise (default)** → Start with the guide path (Console / Dashboard) if you're setting up preventive controls like **Security Groups** and **RAM** policies without immediate vulnerability symptoms.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|--------------|
| Console / Dashboard | | medium | No | No | Baseline check is billed per scan execution; other features like security groups, RAM, and access control are free | `alinux/guide/alinux-security` |
| Command line (troubleshooting) | MLPS 2.0 | high | Yes | No | Requires root access and exact kernel version matching for hotfixes like kernel-hotfix-5928799 | `alinux/troubleshooting/alinux-security` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: This path uses the Alibaba Cloud Management Console to configure security policies including **Security Groups**, **RAM** access control, and the **Alibaba Cloud Linux 3 MLPS compliance check** (Alibaba Cloud Linux 3等保合规检查). It enables periodic scanning via the **MLPS Level 3 Alibaba Cloud Linux 3 compliance baseline check** (等保三级-Alibaba Cloud Linux 3合规基线检查) and supports subscribing to CVE announcements through browser extensions.

**Key technical facts**:
- Billing: Baseline check is billed per scan execution; other features like security groups, RAM, and access control are free

**When to Use**:
- User needs to configure MLPS 2.0 Level 3 compliance baseline checks via GUI
- Administrator wants to set up security groups and RAM access control without writing code
- Team requires periodic compliance scanning with configurable detection cycles and time windows
- User prefers browser-based workflow for subscribing to CVE announcements

**When NOT to Use**:
- Immediate kernel vulnerability remediation is required (use troubleshooting path)
- System hardening must be scripted or automated (this path is manual-only)
- User lacks Cloud Security Center Enterprise Edition (baseline checks will fail with 403 error)
- Root-level CLI access is needed for low-level kernel parameter tuning

**Known Limitations**:
- Baseline checks require Cloud Security Center Enterprise Edition and incur per-scan fees
- Security group configuration only allows essential ports (e.g., 22, 80) and requires manual IP restriction
- RAM user creation and permission assignment must follow principle of least privilege manually
- CVE subscription requires third-party RSS reader browser extensions
- No automation support — all steps require manual console navigation and form filling

### Path 2: Command Line (Troubleshooting)
**Best For**: MLPS 2.0

**Brief Description**: This path uses command-line tools to remediate specific kernel vulnerabilities such as those requiring **kernel-hotfix-5928799**, disable dangerous modules like the **algif_aead module** (verified via `lsmod | grep algif_aead`), and harden systems for **MLPS 2.0 Level 3** compliance. It leverages **kpatch** for live patching without reboot.

**Key technical facts**:
- Auth method: Root or sudo privileges required for system hardening and module manipulation

**When to Use**:
- System exhibits symptoms of known CVEs (e.g., kernel panic, privilege escalation)
- Immediate online remediation is needed without rebooting (via kpatch/livepatch)
- User must disable specific kernel modules (e.g., algif_aead, AF_ALG) to mitigate vulnerabilities
- Compliance failure requires verification of kernel parameters (e.g., user namespaces hardening)

**When NOT to Use**:
- User lacks CLI access or root privileges
- Goal is proactive policy setup rather than reactive vulnerability fixing
- Team requires automated, repeatable compliance enforcement (this path is manual CLI)
- No Cloud Security Center Enterprise Edition available for MLPS 2.0 validation

**Known Limitations**:
- Requires root access and deep Linux system administration knowledge
- Hotfix installation is version-specific and requires exact kernel version matching
- Module disabling (e.g., algif_aead) may break dependent workloads if not assessed first
- MLPS 2.0 Level 3 compliance checks fail with 403 error without Enterprise Edition
- No GUI support — all operations must be performed via CLI commands
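
The two limitations above that most often cause trouble (exact kernel matching for hotfixes, and disabling `algif_aead` without checking for users) can be verified read-only before any change is made. The script below is an added example, not part of the original guide or of Alibaba Cloud tooling; the function names, the sample `lsmod` text and the target-kernel argument are assumptions, and the hotfix's target kernel must come from the advisory for that hotfix.

```shell
#!/bin/sh
# Added example: read-only pre-checks before the CLI remediation steps.

# Constructed `lsmod` output for offline runs (not from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  2
af_alg                 28672  1 algif_aead
virtio_net             61440  0'

# module_state MODULE [LSMOD_TEXT] -> absent | idle | in-use:<refcount>
# With no second argument it reads the live `lsmod` output.
module_state() {
    mod=$1
    text=${2-$(lsmod)}
    printf '%s\n' "$text" | awk -v m="$mod" '
        NR > 1 && $1 == m { found = 1
                            print ($3 == 0 ? "idle" : ("in-use:" $3)) }
        END { if (!found) print "absent" }'
}

# kernel_matches RUNNING TARGET -> exit 0 only on an exact string match,
# because the page states hotfixes require exact kernel version matching.
kernel_matches() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# precheck MODULE TARGET_KERNEL [RUNNING_KERNEL] [LSMOD_TEXT]
# Prints one verdict per check; changes nothing on the system.
precheck() {
    running=${3-$(uname -r)}
    if kernel_matches "$running" "$2"; then
        echo "hotfix: kernel $running matches target"
    else
        echo "hotfix: STOP, running $running but hotfix targets ${2:-unknown}"
    fi
    case $(module_state "$1" "${4-$(lsmod)}") in
        absent)   echo "module: $1 not loaded" ;;
        idle)     echo "module: $1 loaded, no current users" ;;
        in-use:*) echo "module: $1 in use, assess workloads before disabling" ;;
    esac
}
```

On a live host, call `precheck algif_aead <target-kernel-from-advisory>` with no further arguments so it reads `uname -r` and `lsmod` directly.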

## FAQ

Q: Which path should I start with?
A: Start with the guide path (Console / Dashboard) if you’re building a new secure environment or lack active vulnerability symptoms. Only choose the troubleshooting path if you’ve confirmed a specific CVE or failed a compliance scan.

Q: What if I need to disable the **algif_aead module** but used the guide path?
A: You’ll hit a dead end — the guide path offers no CLI access or module control. You must switch to the troubleshooting path to run `lsmod | grep algif_aead` and apply mitigations.

Q: What if I don’t have Cloud Security Center Enterprise Edition but try to run the **MLPS Level 3 Alibaba Cloud Linux 3 compliance baseline check**?
A: The baseline check will fail with a 403 error in both paths — Enterprise Edition is mandatory for **MLPS 2.0 Level 3** validation.

Q: Can I automate the **Alibaba Cloud Linux 3 MLPS compliance check** using scripts?
A: No — the guide path is entirely manual console navigation. If you need automation, neither path currently supports it; consider infrastructure-as-code outside these workflows.

Q: What happens if I apply `yum install -y kernel-hotfix` without verifying my kernel version?
A: The hotfix may fail to install or cause instability — the troubleshooting path requires exact version matching (check with `uname -r` first).

Q: Is **RAM** configuration possible in the troubleshooting path?
A: No — **RAM** and **Security Groups** are managed exclusively via the console in the guide path. The troubleshooting path focuses solely on OS/kernel-level fixes.

Q: What if I configure **Security Groups** but selected the troubleshooting path?
A: You’ll be unable to manage Security Groups — they are only configurable via the console in the guide path.

Q: What if I lack Cloud Security Center Enterprise Edition but selected the guide path for the **Alibaba Cloud Linux 3 MLPS compliance check**?
A: The compliance baseline check will fail with a 403 error — Enterprise Edition is required.

## Related queries

configure system security, harden alibaba cloud linux, apply security best practices, set up MLPS 2.0 compliance, configure user namespace security, subscribe to CVE alerts, patch CVE-2021-33909, fix system integrity errors, configure access control for cloud resources, alibaba cloud linux security

