A security baseline is the documented, approved, hardened configuration for a system type — the secure starting point all instances should match.
Deviation from baseline = configuration drift = security risk. CIS Benchmarks and DISA STIGs provide pre-built baselines. Automated tools (Ansible, Puppet, Chef) enforce baselines continuously.