Modifying WTP Configuration

Scenarios

You can modify configuration after WTP is enabled.

You can perform the following operations:

Manage protected directories: Add, modify, or delete protected directories.
Configure scheduled protection: Configure when to enable and disable static WTP. While WTP is disabled, you can update and release web pages. This feature is optional.
Enable and disable dynamic WTP: Enable dynamic WTP to protect Tomcat web pages on Linux servers. It can detect and block the tampering with dynamic data, such as database data, in real time. Currently, dynamic WTP can protect Tomcat applications using JDK 8, JDK 11, and JDK 17.
Configure privileged processes: After static WTP is enabled, the files and folders in protected directories are set to read-only and cannot be modified. You can configure privileged processes to modify them. This feature is compatible with Linux and Windows. For Linux, only the distributions using kernel versions 5.10 or later are supported.

Modifying WTP Settings

Log in to the management console.
Click in the upper left corner of the page, select a region, and choose Security & Compliance > Host Security Service to go to the HSS management console.
In the navigation pane, choose Server Protection > Web Tamper Protection.

Figure 1 Web tamper protection
In the Operation column of a server, click Edit.

On the Edit page, modify the WTP configuration.

Manage protected directories

You can add, modify, and delete protected directories.

Modify a protected directory
On the Edit page, you can modify excluded file types and protection modes. To modify the directory, excluded subdirectories, excluded file paths, and local backup paths of a protected directory, click Edit in its Operation column. For details, see Table 1.
Delete a protected directory
If a directory no longer needs protection, click Delete in its Operation column.
Add a protected directory
Click Add Protected Directory. In the dialog box that is displayed, enter directory information and click OK. For details, see Table 1.

**Table 1** Protected directory parameters
Parameter	Description	Example Value
Protected Directory	WTP supports static and dynamic web page protection. Static WTP protects specified directories by locking files in the web file directory in the drive to prevent attackers from modifying the files. Therefore, when configuring a protection policy, you need to specify the directories to be protected. After a directory is protected, the files and folders in the directory will become read-only. The requirements for adding a protected directory are as follows: For Linux, It cannot start with a space, end with a slash (/), or contain semi-colons (;). Up to 256 characters are allowed. A server can have up to 50 protected directories. The folder levels of a protected directory cannot exceed 100. The total folders in protected directories cannot exceed 900,000. For Windows, Up to 256 characters are allowed. The directory name cannot start with a space or end with a backslash (\). It cannot contain the following characters: ;/?"<>\| A server can have up to 50 protected directories. Do not add network directories as protected directories.* The reasons are as follows: Inefficient detection A network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan. Network bandwidth consumption Accessing a network directory consumes network bandwidth. A large-scale scan may fully occupy the network bandwidth and affect your workloads. For example, the access speed may slow down and the network latency may increase.	Linux: /etc/lesuo Windows: d:\web
Excluded Subdirectory (Optional)	If a protected directory contains subdirectories that do not need to be protected, you can exclude the subdirectories. The requirements for adding a subdirectory are as follows: Enter a subdirectory name or the relative subdirectory path under a protected directory. If you enter a subdirectory name, all subdirectories that match the name will be excluded, regardless of their levels. A subdirectory name or path cannot start or end with a slash (/) and can contain up to 256 characters. Up to 10 subdirectories can be added. Use semicolons (;) to separate multiple subdirectories.	Linux: data/cache or cache Windows: web\test or test
Excluded File Path (Optional)	This item is available only for Linux servers. If a protected directory contains files that do not need to be protected, exclude the files. The requirements for adding excluded file paths are as follows: Enter a file name or the relative file path under a protected directory. If you enter a file name, all files that match the name will be excluded, regardless of their levels. A file name or path cannot start or end with a slash (/), and can contain up to 256 characters. Up to 50 files can be added. Use semicolons (;) to separate multiple files.	data/ma.txt or ma.txt
Local Backup Path	This item is available only for Linux servers. Set a local backup path for a protected directory. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path. Once the system detects that a file in the protected directory is tampered with, it immediately uses the local backup to restore the tampered file. The requirements for adding local backup paths are as follows: A local backup path cannot contain semicolons (;), start with a space, or end with a slash (/). Up to 256 characters are allowed. Key system directories are a main attack target and cannot be used as backup paths, including but not limited to /etc/, /bin/, /var/spool/, /usr/bin/, /usr/sbin/, /sbin/, /usr/lib/, /lib/, /lib64/, /usr/lib64/, and their subdirectories. Local backup rule description: The local backup path must be valid and cannot overlap with the protected directory path. Excluded subdirectories and types of files are not backed up. Generally, the backup completes within 10 minutes. The actual duration depends on the size of files in the protected directory.	/backup
Excluded File Type	If a protected directory contains files of certain types that do not need to be protected, exclude these file types, for example, logs. You can exclude any type of files. To record the running status of servers in real time, exclude the log files in the protected directory. You can set high permission requirements for log read and write, so that attackers cannot view or tamper with log files.	log
Type	Action taken when file tampering is detected. Alarm: Only alarms are reported. Block: An alarm is reported, and the file is restored to the status before being tampered with.	Block

Configure scheduled protection

Configure when to enable and disable static WTP. While WTP is disabled, you can update and release web pages. Exercise caution when you configure this parameter, because files will not be protected in those periods.

: Scheduled protection is enabled.

: Scheduled protection is enabled. You need to configure Unprotected Time Range and Unprotected Days of a Week. For details, see Table 2.

**Table 2** Scheduled protection parameters
Parameter	Description	Example Value
Unprotected Time Range	A time range when WTP is disabled within a day, for example, 10:05 to 15:35. Requirements: A time range must be at least 5 minutes. Time ranges (except for those starting at 00:00 or ending at 23:59) cannot overlap and must have at least a 5-minute interval. All time ranges are subject to the system time of the server.	10:05-15:35
Unprotected Days of a Week	Static WTP is automatically disabled on specified days of a week, for example, Wednesday and Thursday.	Wednesday

Enable and disable dynamic WTP
Enable dynamic WTP to protect Tomcat web pages on Linux servers. It can detect and block the tampering with dynamic data, such as database data, in real time.
- : Dynamic WTP is disabled.
- : Dynamic WTP is enabled. You need to configure the Tomcat bin directory, for example, /usr/workspace/apache-tomcat-8.5.15/bin. The setenv.sh script will be put in the bin directory to configure the startup parameters of the anti-tamper program.

Configure privileged processes

A privileged process is a process authorized to modify a protected directory.

: Privileged processes are disabled.

: Privileged processes are enabled. You need to configure Process File Path and Trust Subprocess. For details, see Table 3.

**Table 3** Privileged process parameters
Parameter	Description	Example Value
Process File Path	Set one or multiple complete file paths of privileged processes. Example: Linux: /Path/Software.type Windows: C:\Path\Software.type Put each privileged process file path on a separate line. Up to 10 privileged processes are allowed.	/Path/Software.type
Trust Subprocess	If Trust Subprocess is enabled, HSS will trust all the subprocesses up to five levels deep in the subdirectories of specified directories, and allow the subprocesses to modify protected directories. Subprocesses can modify protected directories.	Enabled

Confirm the settings. On the Edit page, click OK.

After dynamic WTP is enabled for a server, restart Tomcat to apply this setting.
Verify the change.
- Protected Directory
  In the Protected Directories column of a server, click the number view details.
  
  If the information about the protected directory is correct and the Protection Status is Protected, the directory is successfully added or modified.
  
  If the deleted protected directory is not displayed in the list, its deletion is successful.
- Scheduled protection
  Modify the web page in the specified unprotected period. If it can be modified, the scheduled protection is configured successfully.
- Dynamic WTP
  If the dynamic WTP status is , it is enabled.
- Privileged process
  If the web page can be modified through a privileged process, the process is successfully configured.