Help Center/ Host Security Service/ FAQs/ Detection & Response/ Why Doesn't HSS Generate Alarms for Some Web Shell Files?
Updated on 2024-09-25 GMT+08:00

Why Doesn't HSS Generate Alarms for Some Web Shell Files?

Symptom

HSS does not report alarms for some web shell files.

Possible Causes

The default handle usage of the HSS is 30% of the maximum handles on the server. If the number of user files exceeds the upper limit of the handles scanned by HSS, HSS will be unable to check all the web shell files. As a result, no alarm is reported for unchecked files.

Solution

  1. Log in to the server.
  2. Create the check_inotify.sh file. Copy and save the following content to the file:

    #!/bin/bash
    
    # Enable the floating-point number comparison mode of Bash.
    shopt -s globstar nullglob
    
    # Obtain the value of sysctl fs.inotify.max_user_watches.
    max_user_watches=$(sysctl -n fs.inotify.max_user_watches)
    
    # Calculate the value multiplied by 30%.
    threshold=$(echo "$max_user_watches * 0.3" | awk '{print int($1)}')
    
    # Calculate the number of files in the /opt/app directory.
    app_files_count=$(find /opt/app -type f | wc -l)
    
    # Compare and output the result.
    if [[ "$app_files_count" -gt "$threshold" ]]; then
      echo "Current value of fs.inotify.max_user_watches: $max_user_watches"
    echo "Number of files in the /opt/app directory: $app_files_count"
      echo "Handle usage problem exists."
    else
      echo "Current value of fs.inotify.max_user_watches: $max_user_watches"
    echo "Number of files in the /opt/app directory: $app_files_count"
      echo "There are no handle usage problems."
    fi

  3. Run the following command to execute the check_inotify.sh file:

    chmod +x check_inotify.sh./check_inotify.sh

    If the command output shows Handle usage problem exists, in the upper right corner of the Huawei Cloud console, choose Service Tickets > Create Service Ticket and submit a service ticket to contact technical support.