Updated on 2024-06-28 GMT+08:00

Purchasing and Enabling Container Security Protection

Scenario

A container cluster consists of a set of nodes. The HSS container edition uses nodes as protection units and provides functions such as container firewall, container cluster protection, and container image security scanning, helping enterprises solve container environment problems that traditional security software cannot address. For details about the security protection functions, see Specifications of Different Editions.

This document uses a EulerOS 2.9 container node server as an example to describe how to purchase and enable container security protection.

Step 1: Purchase HSS Quota

  1. Log in to the management console.
  2. Click in the upper left corner and select the region and project.
  3. Click in the upper left corner and choose Security & Compliance > Host Security Service. The HSS console is displayed.
  4. In the upper right corner of the Dashboard page, click Buy HSS.
  5. Set the parameters for buying HSS as prompted.

    • Billing Mode: Select a billing mode as required. In this example, select Yearly/Monthly.
    • Region: Select the region where the server is located. In this example, select CN-Hong Kong.
    • Edition: Select Container.
    • Quantity: Set this parameter based on the number of container nodes. In this example, set the quantity to 1.
    • Specify other parameters as needed.

  6. In the lower right corner of the page, click Next.
  7. After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
  8. Click Pay Now and complete the payment.
  9. Click Back to Host Security Service Console.

Step 2: Install an Agent

  1. Log in to the HSS console. In the navigation pane on the left, choose Installation & Configuration > Server Install & Config.
  2. On the agent management tab, click the value in the Servers Without Agents area to filter the servers that do not have the agent installed.
  3. In the Operation column of a server, click Install Agent.

    Figure 1 Installing an agent

  4. In the dialog box, click Copy to copy the command for installing the agent.
  5. Remotely log in to the server where the agent is to be installed.
  6. Run the copied installation command as user root to install the agent on the server.

    If the command output shown in Figure 2 is displayed, the agent is successfully installed.

    Figure 2 Installation completed

  7. Run the following command to check the runtime status of the agent:

    service hostguard status

    If the command output shown in Figure 3 is displayed, the agent is running properly.

    Figure 3 Agent running properly

Step 3: Enable Protection

  1. In the navigation pane on the left, choose Asset Management > Containers & Quota.
  2. In the Operation column of a server, click Enable Protection.
  3. In the dialog box that is displayed, select the mode.

    Set this parameter based on the edition of the purchased quota in Step 1: Purchase HSS Quota.

    • Billing Mode: Select Yearly/Monthly.
    • Edition: Select Container.

  4. Confirm the information, read the Container Security Service Disclaimer, and select I have read and agree to the Container Security Service Disclaimer.
  5. Click OK.
  6. If the Protection Status of the target server is Protected, the protection is enabled successfully.

    Figure 4 Viewing the protection status

Follow-Up Procedure

Enable server protection for container nodes.

The HSS container edition provides some proactive functions for servers. These functions are not enabled or not completely enabled when container security protection is enabled. You can determine whether to use these functions based on your requirements. Table 1 describes the functions.

Table 1 Container node protection functions

| Function | Description |
|---|---|
| Container image security scanning | The container image security scanning function scans for vulnerabilities and malicious files in images. You are advised to scan images periodically so that you can handle image security risks in a timely manner. |
| Ransomware Prevention | Ransomware is one of the biggest cybersecurity threats today. Ransomware can intrude into a server, encrypt data, and ask for ransom, causing service interruption, data leakage, or data loss. Attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses. Ransomware prevention is automatically enabled with the container edition. Bait files are deployed on servers, and suspicious encryption processes are automatically isolated. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data. |
| Application Protection | To protect your applications with RASP, you simply need to add probes to them, without having to modify application files. |
| Application Process Control | HSS can learn the characteristics of application processes on servers and manage their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes. |
| Virus scanning and removal | This function uses the virus detection engine to scan for virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scans and full-disk scans on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system. |
| Container Cluster Protection | HSS can check for non-compliant baseline issues, vulnerabilities, and malicious files when a container image is started, and report alarms on or block container startups that are unauthorized or may incur high risks. You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security. |
| Container Firewall | A container firewall controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks. |