Policy Management Overview
HSS ships a preconfigured protection policy set for each edition. When you enable protection for a server or container, HSS automatically binds it to the policy set of the HSS edition it is protected by. The Policies table below lists the protection policies of each edition, the OS each policy supports, and the editions in which it is available (√ = available, × = not available).
If the asset management, baseline inspection, intrusion detection, or other policies do not meet your protection requirements, you can modify them. For details, see Configuring Policies.
If servers protected by the premium or container edition have different protection requirements, you can create a custom policy group and deploy different policies to different servers. For details, see Creating a Custom Policy Group.
| Function Type | Policy | Action | Supported OS | Professional Edition | Enterprise Edition | Premium Edition | WTP Edition | Container Edition |
|---|---|---|---|---|---|---|---|---|
| Assets | Asset discovery | Scan and list all software in one place, including software name, path, and major applications, so that abnormal assets can be identified. | Linux and Windows | × | × | √ | √ | √ |
| Baseline Inspection | Weak password detection | Detect weak passwords and change them to stronger ones based on HSS scan results and suggestions. | Linux | √ | √ | √ | √ | √ |
| | Container information collection | Collect information about all containers on a server, including ports and directories, and report alarms for risky information. | Linux | × | × | × | × | √ |
| | Configuration check | Check for unsafe Tomcat, Nginx, and SSH login configurations found by HSS. | Linux and Windows | × | × | √ | √ | √ |
| Intrusions | AV detection | Check server assets and report, isolate, and kill detected viruses. The generated alarms are displayed under . After AV detection is enabled, CPU usage does not exceed 40% of a single vCPU; the actual usage depends on the server status. | Windows | √ | √ | √ | √ | × |
| | Cluster intrusion detection | Detect high-privilege changes in containers, creation of key information, and virus intrusions. | Linux | × | × | × | × | √ |
| | Container escape | Check for container escapes and generate alarms on them. | Linux | × | × | × | × | √ |
| | Container information module | Configure a trusted container whitelist based on the container name, the organization the image belongs to, and the namespace. Whitelisted containers are not scanned and generate no alarms. | Linux | × | × | × | × | √ |
| | Web shell detection | Scan web directories on servers for web shells. | Linux and Windows | √ | √ | √ | √ | √ |
| | Container file monitoring | Detect file access that violates security policies, so that security O&M personnel can check whether an intruder is tampering with sensitive files. | Linux | × | × | × | × | √ |
| | Container process whitelist | Check for process startups that violate security policies. | Linux | × | × | × | × | √ |
| | Suspicious image behaviors | Configure a blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms on them. | Linux | × | × | × | × | √ |
| | HIPS detection | Check registries, files, and processes, and report alarms for operations such as abnormal changes. | Linux and Windows | × | √ | √ | √ | √ |
| | File protection | Check the files of the Linux OS, applications, and other components to detect tampering. | Linux | √ | √ | √ | √ | √ |
| | Login security check | Detect brute-force attacks on SSH, FTP, and MySQL accounts. If the number of consecutive incorrect password attempts from one IP address reaches 5 within 30 seconds, that IP address is blocked. By default, suspicious SSH attackers are blocked for 12 hours and other suspicious attackers for 24 hours. You can judge whether an IP address is trustworthy from its attack type and how many times it has been blocked, and manually unblock the IP addresses you trust. | Linux and Windows | √ | √ | √ | √ | √ |
| | Malicious file detection | | Linux | √ | √ | √ | √ | √ |
| | Port scan detection | Detect scanning or sniffing of specified ports and report alarms. | Linux | × | × | √ | √ | √ |
| | Abnormal process behaviors | Monitor all running processes on all your servers. You can create a process whitelist to suppress alarms on trusted processes, and receive alarms on unauthorized process behavior and intrusions. | Linux | √ | × | √ | √ | √ |
| | Root privilege escalation | Detect root privilege escalation by files in the current system. | Linux | √ | √ | √ | √ | √ |
| | Real-time process | Monitor executed commands in real time and generate alarms when high-risk commands are detected. | Linux and Windows | √ | √ | √ | √ | √ |
| | Rootkit detection | Detect server assets and report alarms for suspicious kernel modules, files, and folders. | Linux | √ | √ | √ | √ | √ |
| Self-protection | Windows self-protection | Prevent malicious programs from uninstalling the agent, tampering with HSS files, or stopping HSS processes. | Windows | × | × | √ | √ | × |
| | Linux self-protection | Prevent malicious programs from stopping HSS processes or uninstalling the HSS agent. | Linux | × | × | √ | √ | × |
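The Login security check row states a concrete rule: five consecutive failed logins from one IP address within 30 seconds trigger a block, which lasts 12 hours for SSH and 24 hours for other services, and an operator can unblock trusted addresses by hand. The following Python script is an added illustration of that rule applied to a log, written for this page; it is not HSS code, and the log line format, the service names, the `detect()` API and the sample log lines are assumptions constructed for the example.

```python
"""Sliding-window brute-force detector for login logs.

Added illustration of the blocking rule in the Login security check row
(5 consecutive failed attempts from one IP within 30 s, then a block of
12 h for SSH and 24 h for other services). It is not HSS code: the log
format, the service names and the API below are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                                   # consecutive failures that trigger a block
WINDOW = timedelta(seconds=30)                  # ...within this sliding window
BLOCK_DURATION = {"ssh": timedelta(hours=12)}   # SSH: 12 h (from the table)
DEFAULT_BLOCK = timedelta(hours=24)             # other services: 24 h

# Constructed sample log (not real traffic). Assumed format:
# "<ISO-8601 timestamp> <service> <FAIL|OK> <client IP>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 ssh FAIL 203.0.113.7
2024-05-01T10:00:05 ssh FAIL 203.0.113.7
2024-05-01T10:00:10 ssh FAIL 203.0.113.7
2024-05-01T10:00:15 ssh FAIL 203.0.113.7
2024-05-01T10:00:20 ssh FAIL 203.0.113.7
2024-05-01T10:00:00 mysql FAIL 198.51.100.4
2024-05-01T10:00:08 mysql FAIL 198.51.100.4
2024-05-01T10:00:16 mysql FAIL 198.51.100.4
2024-05-01T10:00:24 mysql OK 198.51.100.4
2024-05-01T10:00:25 mysql FAIL 198.51.100.4
2024-05-01T10:00:26 mysql FAIL 198.51.100.4
2024-05-01T10:01:00 ftp FAIL 192.0.2.9
2024-05-01T10:01:10 ftp FAIL 192.0.2.9
2024-05-01T10:01:20 ftp FAIL 192.0.2.9
2024-05-01T10:01:30 ftp FAIL 192.0.2.9
2024-05-01T10:01:45 ftp FAIL 192.0.2.9
2024-05-01T10:01:46 ftp FAIL 192.0.2.9
2024-05-01T10:01:47 ftp FAIL 192.0.2.9
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, service, failed, ip)."""
    ts, service, result, ip = line.split()
    return datetime.fromisoformat(ts), service, result == "FAIL", ip


class BruteForceDetector:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent consecutive failures
        self.blocks = {}                     # ip -> (service, blocked_until)
        self.block_count = defaultdict(int)  # how many times each ip has been blocked

    def feed(self, ts, service, failed, ip):
        """Process one event; return (ip, service, blocked_until) when a block is created."""
        if self.is_blocked(ip, ts):
            return None                      # already blocked: nothing more to count
        window = self.failures[ip]
        if not failed:
            window.clear()                   # a successful login ends the "consecutive" run
            return None
        window.append(ts)
        while ts - window[0] > WINDOW:       # drop failures older than the window
            window.popleft()
        if len(window) < THRESHOLD:
            return None
        until = ts + BLOCK_DURATION.get(service, DEFAULT_BLOCK)
        self.blocks[ip] = (service, until)
        self.block_count[ip] += 1
        window.clear()
        return ip, service, until

    def is_blocked(self, ip, now):
        """True if ip is under an active block at time `now` (datetime or ISO string)."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        entry = self.blocks.get(ip)
        return entry is not None and now < entry[1]

    def unblock(self, ip):
        """Manual release of an IP the operator trusts; True if it was blocked."""
        return self.blocks.pop(ip, None) is not None


def detect(log_text):
    """Run the detector over a log text and return (detector, list of block events)."""
    det = BruteForceDetector()
    events = []
    for line in log_text.splitlines():
        if line.strip():
            event = det.feed(*parse_line(line))
            if event:
                events.append(event)
    return det, events


if __name__ == "__main__":
    det, events = detect(SAMPLE_LOG)
    for ip, service, until in events:
        print(f"blocked {ip} ({service}) until {until.isoformat()}")
    for ip, n in det.block_count.items():
        print(f"{ip} has been blocked {n} time(s)")
```

In the sample log only 203.0.113.7 (SSH, five failures in 20 s, blocked for 12 h) and 192.0.2.9 (FTP, blocked for 24 h once the last five failures fall within 30 s) are blocked; 198.51.100.4 is not, because the successful MySQL login breaks its run of consecutive failures. Note that the counter is per source IP rather than per account, which is what makes the rule useful against password spraying from one host and useless against a distributed attack that spreads attempts over many addresses.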