Viewing a Policy Group

You can group policies and servers to batch apply policies to servers and containers, easily adapting to business scenarios.

Constraints

The enterprise, premium, WTP, or container edition is enabled.

Before You Start

When you enable the enterprise edition, the tenant-side policy group of this edition (including weak password and website shell detection policies) takes effect for all your servers.
When you enable the premium edition separately, or enabled the premium edition included with the WTP edition, the tenant-side policy group of this edition takes effect.
To create your own policy group, you can copy the tenant-side policy group and add or remove policies in the copy.

Policy List

Policy Name	Action	Supported OS	Enterprise Edition	Premium Edition	WTP Edition	CGS Edition
Asset Discovery	Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets.	Linux and Windows	×	√	√	√
AV Detection	Check server assets and report, isolate, and kill the detected viruses. The generated alarms are displayed under Detection > Alarms > Server Alarms > Event Types > Malware. After AV detection is enabled, the resource usage is as follows: The CPU usage does not exceed 40% of a single vCPU. The actual CPU usage depends on the server status.	Windows	√	√	√	×
Configuration Check	Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS.	Linux and Windows	×	√	√	√
Container Information Collection	Collect information about all containers on a server, including ports and directories, and report alarms for risky information.	Linux	×	×	×	√
Weak Password Detection	Change weak passwords to stronger ones based on HSS scan results and suggestions.	Linux	√	√	√	√
Cluster Intrusion Detection	Detect container high-privilege changes, creation in key information, and virus intrusion.	Linux	×	×	×	√
Container escape	Check for and generate alarms on container escapes.	Linux	×	×	×	√
Web Shell Detection	Scan web directories on servers for web shells.	Linux and Windows	√	√	√	√
Container File Monitoring	Detect file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files.	Linux	×	×	×	√
Container Process Whitelist	Check for process startups that violate security policies.	Linux	×	×	×	√
Suspicious Image Behaviors	Configure the blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms.	Linux	×	×	×	√
HIPS Detection	Check registries, files, and processes, and report alarms for operations such as abnormal changes.	Windows	√	√	√	√
File Protection	Check the files in the Linux OS, applications, and other components to detect tampering.	Linux	√	√	√	√
Login Security Check	Detect brute-force attacks on SSH, FTP, and MySQL accounts. If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address will be blocked. By default, suspicious SSH attackers are blocked for 12 hours. Other types of suspicious attackers are blocked for 24 hours. You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.	Linux and Windows	√	√	√	√
Malicious File Detection	Reverse shell: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.	Linux	√	√	√	√
Port Scan Detection	Detect scanning or sniffing on specified ports and report alarms.	Linux	×	√	√	√
Abnormal process behaviors	All the running processes on all your servers are monitored for you. You can create a process whitelist to ignore alarms on trusted processes, and can receive alarms on unauthorized process behavior and intrusions.	Linux	×	√	√	√
Root privilege escalation	Detect the root privilege escalation for files in the current system.	Linux	√	√	√	√
Real-time Process	Monitor the executed commands in real time and generates alarms if high-risk commands are detected.	Linux and Windows	√	√	√	√
Rootkit Detection	Detect server assets and report alarms for suspicious kernel modules, files, and folders.	Linux	√	√	√	√
Self-protection	Protect HSS files, processes, and software from malicious programs, which may uninstall HSS agents, tamper with HSS files, or stop HSS processes. Self-protection depends on antivirus detection, HIPS detection, and ransomware protection. It takes effect only when more than one of the three functions are enabled. Enabling the self-protection policy has the following impacts: The HSS agent cannot be uninstalled on the control panel of a server, but can be uninstalled on the HSS console. HSS process cannot be terminated. In the agent installation path C:\Program Files\HostGuard, you can only access the log and data directories (and the upgrade directory, if your agent has been upgraded).	Windows	×	√	√	×

Checking the Policy Group List

Log in to the management console.
In the upper left corner of the page, click , select a region, and choose Security > Host Security Service.

In the navigation tree on the left, choose Security Operations > Policies to check the displayed policy groups. For more information, see Table 1.

tenant_linux_container_default_policy_group is the default Linux policy group of the container edition. This policy group can only be viewed, and cannot be copied or deleted.
tenant_linux_enterprise_default_policy_group is the default Linux policy group of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
tenant_windows_enterprise_default_policy_group is the default Windows policy group of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
tenant_linux_premium_default_policy_group is the default Linux policy group of the premium edition. You can create a policy group by copying this default group and modify the copy.
tenant_windows_premium_default_policy_group is the default Windows policy group of the premium edition. You can create a policy group by copying this default group and modify the copy.
wtp_ServerName is a WTP edition policy group. It is generated by default when WTP is enabled for a server.
To refresh the list, click in the upper right corner.
To view details about the servers associated with a policy group, click the number in the Servers column of the group.

**Table 1** Policy group parameters
Parameter	Description
Policy Group	Name of a policy group
ID	Unique ID of a policy group
Description	Description of a policy group
Supported Version	HSS version supported by the policy group.
OS	OS supported by the policy.
Servers	Number of servers associated with the policy

Click the name of a policy group to check policy details, including the names, statuses, function categories, OS type of the policies.
- All policies in the group tenant_enterprise_policy_group are enabled by default.
- You can click Enable or Disable in the Operation column of a policy to control what to check.
To view the detailed information about a policy, click the name of the policy.

For details about how to modify a policy, see Modifying a Policy.