策略授权参考
本章节介绍HSS策略授权场景下支持的策略授权项。
支持的授权项
策略包含系统策略和自定义策略,如果系统策略不满足授权要求,管理员可以创建自定义策略,并通过给用户组授予自定义策略来进行精细的访问控制。策略支持的操作与API相对应,授权项列表说明如下:
- 权限:允许或拒绝某项操作。
- 对应API接口:自定义策略实际调用的API接口。
- 授权项:自定义策略中支持的Action,在自定义策略中的Action中写入授权项,可以实现授权项对应的权限功能。
- 依赖的授权项:部分Action存在对其他Action的依赖,需要将依赖的Action同时写入授权项,才能实现对应的权限功能。
- IAM项目(Project)/企业项目(Enterprise Project):自定义策略的授权范围,包括IAM项目与企业项目。授权范围如果同时支持IAM项目和企业项目,表示此授权项对应的自定义策略,可以在IAM和企业管理两个服务中给用户组授权并生效。如果仅支持IAM项目,不支持企业项目,表示仅能在IAM中给用户组授权并生效,如果在企业管理中授权,则该自定义策略不生效。管理员可以在授权项列表中查看授权项是否支持IAM项目或企业项目,“√”表示支持,“×”表示暂不支持。关于IAM项目与企业项目的区别,详情请参见:IAM与企业管理的区别。
HSS的支持自定义策略授权项如下所示:
授权列表,包含HSS对应的授权项,如查询主机安全防护列表、云服务器开启或关闭防护、手动检测等。
授权列表
|
权限 |
对应API接口 |
授权项(Action) |
依赖的授权项 |
IAM项目(Project) |
企业项目(Enterprise Project) |
|---|---|---|---|---|---|
|
创建服务器组 |
POST /v5/{project_id}/host-management/groups |
hss:hostGroup:set |
无 |
√ |
√ |
|
解除已拦截IP |
PUT /v5/{project_id}/event/blocked-ip |
hss:accountCrack:unblock |
无 |
√ |
√ |
|
查询HSS存储库绑定的备份策略信息 |
GET /v5/{project_id}/backup/policy |
hss:antiransomware:list |
无 |
√ |
√ |
|
查询容器节点列表 |
GET /v5/{project_id}/container/nodes |
hss:containers:list |
无 |
√ |
√ |
|
查询服务器组列表 |
GET /v5/{project_id}/host-management/groups |
hss:hostGroup:get |
无 |
√ |
√ |
|
查询策略组列表 |
GET /v5/{project_id}/policy/groups |
hss:policy:get |
无 |
√ |
√ |
|
查询防护策略列表 |
GET /v5/{project_id}/ransomware/protection/policy |
hss:antiransomware:list |
无 |
√ |
√ |
|
查询主机静态网页防篡改防护动态 |
GET /v5/{project_id}/webtamper/static/protect-history |
hss:wtpReports:list |
无 |
√ |
√ |
|
查询主机动态网页防篡改防护动态 |
GET /v5/{project_id}/webtamper/rasp/protect-history |
hss:wtpReports:list |
无 |
√ |
√ |
|
查询防护列表 |
GET /v5/{project_id}/webtamper/hosts |
hss:wtpHosts:list |
vpc:ports:list |
√ |
√ |
|
开启关闭网页防篡改防护 |
POST /v5/{project_id}/webtamper/static/status |
hss:wtpProtect:switch |
无 |
√ |
√ |
|
开启/关闭动态网页防篡改防护 |
POST /v5/{project_id}/webtamper/rasp/status |
hss:wtpProtect:switch |
无 |
√ |
√ |
|
开启勒索病毒防护 |
POST /v5/{project_id}/ransomware/protection/open |
hss:antiransomware:set |
无 |
√ |
√ |
|
关闭勒索病毒防护 |
POST /v5/{project_id}/ransomware/protection/close |
hss:antiransomware:set |
无 |
√ |
√ |
|
修改存储库绑定的备份策略 |
PUT /v5/{project_id}/backup/policy |
hss:antiransomware:set |
无 |
√ |
√ |
|
修改防护策略 |
PUT /v5/{project_id}/ransomware/protection/policy |
hss:antiransomware:set |
无 |
√ |
√ |
|
统计资产信息,账号、端口、进程等 |
GET /v5/{project_id}/asset/statistics |
hss:assets:list |
无 |
√ |
√ |
|
获取软件信息的历史变动记录 |
GET /v5/{project_id}/asset/app/change-history |
hss:softwares:list |
无 |
√ |
√ |
|
查询软件的服务器列表 |
GET /v5/{project_id}/asset/apps |
hss:softwares:list |
无 |
√ |
√ |
|
查询软件列表 |
GET /v5/{project_id}/asset/app/statistics |
hss:softwares:list |
无 |
√ |
√ |
|
获取自启动项的历史变动记录 |
GET /v5/{project_id}/asset/auto-launch/change-history |
hss:assets:list |
无 |
√ |
√ |
|
查询自启动项的服务列表 |
GET /v5/{project_id}/asset/auto-launchs |
hss:launch:list |
无 |
√ |
√ |
|
查询自启动项信息 |
GET /v5/{project_id}/asset/auto-launch/statistics |
hss:launch:list |
无 |
√ |
√ |
|
查询指定中间件的服务器列表 |
GET /v5/{project_id}/asset/midwares/detail |
hss:assets:list |
无 |
√ |
√ |
|
查询单服务器的开放端口列表 |
GET /v5/{project_id}/asset/ports |
hss:ports:list |
无 |
√ |
√ |
|
查询开放端口统计信息 |
GET /v5/{project_id}/asset/port/statistics |
hss:ports:list |
无 |
√ |
√ |
|
查询进程列表 |
GET /v5/{project_id}/asset/process/statistics |
hss:processes:list |
无 |
√ |
√ |
|
获取账户变动历史信息 |
GET /v5/{project_id}/asset/user/change-history |
hss:accounts:list |
无 |
√ |
√ |
|
查询账号的服务器列表 |
GET /v5/{project_id}/asset/users |
hss:accounts:list |
无 |
√ |
√ |
|
查询账号信息列表 |
GET /v5/{project_id}/asset/user/statistics |
hss:accounts:list |
无 |
√ |
√ |
|
对未通过的配置检查项进行忽略/取消忽略/修复/验证操作 |
POST /v5/{project_id}/baseline/check-rule/action |
hss:configDetects:operate |
无 |
√ |
√ |
|
查询配置检查项检测报告 |
GET /v5/{project_id}/baseline/check-rule/detail |
hss:configDetects:list |
无 |
√ |
√ |
|
查询指定安全配置项的检查结果 |
GET /v5/{project_id}/baseline/risk-config/{check_name}/detail |
hss:configDetects:list |
无 |
√ |
√ |
|
查询口令复杂度策略检测报告 |
GET /v5/{project_id}/baseline/password-complexity |
hss:complexityPolicy:list |
无 |
√ |
√ |
|
查询指定安全配置项的检查项列表 |
GET /v5/{project_id}/baseline/risk-config/{check_name}/check-rules |
hss:configDetects:list |
无 |
√ |
√ |
|
查询指定安全配置项的受影响服务器列表 |
GET /v5/{project_id}/baseline/risk-config/{check_name}/hosts |
hss:riskConfigHost:list |
无 |
√ |
√ |
|
查询租户的服务器安全配置检测结果列表 |
GET /v5/{project_id}/baseline/risk-configs |
hss:configDetects:list |
无 |
√ |
√ |
|
查询弱口令检测结果列表 |
GET /v5/{project_id}/baseline/weak-password-users |
hss:weakPwds:list |
无 |
√ |
√ |
|
处理告警事件 |
POST /v5/{project_id}/event/operate |
hss:event:set |
无 |
√ |
√ |
|
恢复已隔离文件 |
PUT /v5/{project_id}/event/isolated-file |
hss:event:set |
无 |
√ |
√ |
|
查询告警白名单列表 |
GET /v5/{project_id}/event/white-list/alarm |
hss:event:get |
无 |
√ |
√ |
|
查询已拦截IP列表 |
GET /v5/{project_id}/event/blocked-ip |
hss:accountCrack:list |
无 |
√ |
√ |
|
查询已隔离文件列表 |
GET /v5/{project_id}/event/isolated-file |
hss:event:get |
无 |
√ |
√ |
|
查入侵事件列表 |
GET /v5/{project_id}/event/events |
hss:event:get |
无 |
√ |
√ |
|
编辑服务器组 |
PUT /v5/{project_id}/host-management/groups |
hss:hostGroup:set |
无 |
√ |
√ |
|
删除服务器组 |
DELETE /v5/{project_id}/host-management/groups |
hss:hostGroup:set |
无 |
√ |
√ |
|
查询云服务器列表 |
GET /v5/{project_id}/host-management/hosts |
hss:hosts:list |
vpc:ports:list;eip:publicIps:list |
√ |
√ |
|
切换防护状态 |
POST /v5/{project_id}/host-management/protection |
hss:hosts:switchVersion |
无 |
√ |
√ |
|
部署策略 |
POST /v5/{project_id}/policy/deploy |
hss:policy:set |
无 |
√ |
√ |
|
批量创建标签 |
POST /v5/{project_id}/{resource_type}/{resource_id}/tags/create |
hss:quotas:set |
无 |
√ |
√ |
|
删除资源标签 |
DELETE /v5/{project_id}/{resource_type}/{resource_id}/tags/{key} |
hss:quotas:set |
无 |
√ |
√ |
|
查询配额信息 |
GET /v5/{project_id}/billing/quotas |
hss:quotas:get |
无 |
√ |
√ |
|
查询配额详情 |
GET /v5/{project_id}/billing/quotas-detail |
hss:quotas:get |
无 |
√ |
√ |
|
修改漏洞的状态 |
PUT /v5/{project_id}/vulnerability/status |
hss:vuls:set |
无 |
√ |
√ |
|
查询单个漏洞影响的云服务器信息 |
GET /v5/{project_id}/vulnerability/hosts |
hss:vuls:list |
无 |
√ |
√ |
|
查询漏洞列表 |
GET /v5/{project_id}/vulnerability/vulnerabilities |
hss:vuls:list |
无 |
√ |
√ |
|
查询勒索防护服务器列表 |
GET /v5/{project_id}/ransomware/server |
hss:antiransomware:list |
无 |
√ |
√ |
|
查询漏洞管理统计数据 |
GET /v5/{project_id}/vulnerability/statistics |
hss:vuls:list |
无 |
√ |
√ |
|
查询镜像安全配置检测结果列表 |
GET /v5/{project_id}/image/baseline/risk-configs |
hss:image:list |
无 |
√ |
√ |
|
查询镜像配置检查项检测报告 |
GET /v5/{project_id}/image/baseline/check-rule/detail |
hss:image:list |
无 |
√ |
√ |
|
查询单台服务器漏洞信息 |
GET /v5/{project_id}/vulnerability/host/{host_id} |
hss:vuls:list |
无 |
√ |
√ |
|
查询swr镜像仓库镜像列表 |
GET /v5/{project_id}/image/swr-repository |
hss:images:list |
无 |
√ |
√ |
|
镜像仓库镜像批量扫描 |
POST /v5/{project_id}/image/batch-scan |
hss:images:set |
无 |
√ |
√ |
|
查询镜像的漏洞信息 |
GET /v5/{project_id}/image/{image_id}/vulnerabilities |
hss:images:list |
无 |
√ |
√ |
|
查询漏洞对应cve信息 |
GET /v5/{project_id}/image/vulnerability/{vul_id}/cve |
hss:images:list |
无 |
√ |
√ |
|
查询镜像指定安全配置项的检查项列表 |
GET /v5/{project_id}/image/baseline/risk-configs/{check_name}/rules |
hss:images:list |
无 |
√ |
√ |
|
从SWR服务同步镜像列表 |
POST /v5/{project_id}/image/synchronize |
hss:images:set |
无 |
√ |
√ |
|
查询漏洞扫描策略 |
GET /v5/{project_id}/vulnerability/scan-policy |
hss:vuls:list |
无 |
√ |
√ |
|
修改漏洞扫描策略 |
PUT /v5/{project_id}/vulnerability/scan-policy |
hss:vuls:set |
无 |
√ |
√ |
|
资产指纹-进程-服务器列表 |
GET /v5/{project_id}/asset/processes/detail |
hss:processes:list |
无 |
√ |
√ |
|
资产指纹-端口-服务器列表 |
GET /v5/{project_id}/asset/ports/detail |
hss:ports:list |
无 |
√ |
√ |
|
创建漏洞扫描任务 |
POST /v5/{project_id}/vulnerability/scan-task |
hss:hosts:manualDetect |
无 |
√ |
√ |
|
查询漏洞扫描任务列表 |
GET /v5/{project_id}/vulnerability/scan-tasks |
hss:vuls:list |
无 |
√ |
√ |
|
查询漏洞扫描任务对应的主机列表 |
GET /v5/{project_id}/vulnerability/scan-task/{task_id}/hosts |
hss:vuls:list |
无 |
√ |
√ |
