Modifying a Policy
You can modify policies in a policy group.
Modifications on a policy take effect only in the group it belongs to.
Accessing the Policies Page
- In the upper left corner of the page, select a region, click , and choose .
- In the navigation pane, choose Security Operations > Policies.
Assets
- In the policy group list, click the name of the group that contains the required policy.
- Click Assets.
- In the Policy Settings area, modify the settings as required, as shown in Figure 1. For more information, see Table 1.
Table 1 Assets parameters
Parameter
Description
Scan Time
Time point when scans are performed. It can be accurate to the minute.
Scan Days
Days in a week when assets are scanned. You can select one or more days.
Software Scanned
- Software name. A name can contain a maximum of 5000 characters without any space. Use commas (,) to separate software names.
- If this parameter is not specified, information about all installed software will be retrieved as its value.
Locations Scanned
Software search path. This parameter is not required for a Windows server.
Main Applications/Components
- Software Name
- Software Main Program
- Execute Command
- Operation: You can click Add or Remove to modify operations.
Obtain UDP Port
Obtains UDP port information and checks the web directories.
- : enable
- : disable
Port Information Check Interval (s)
Interval between two consecutive port checks. The value range is 30s to 86,400s.
- Click OK.
System Configuration Detection
- In the policy group list, click the name of the group that contains the required policy.
Weak Password Scan
Weak passwords are not classed as a particular type of vulnerability, but they pose no less of a security risk than any vulnerability. If a password is cracked, the data and programs it protects become insecure.
HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.
- In the policy group list, click the name of the group that contains the required policy.
- In the policy group list, click Weak Password Scan.
- In the Policy Settings area, modify the settings as required, as shown in Figure 3. For more information, see Table 3.
Table 3 Weak password scan parameters
Parameter
Description
Use Basic Weak Password Dictionary
Whether to enable the weak password dictionary.
- : enable
- : disable
URL of Weak Password Dictionary
URL of the website that the weak password dictionary gets updates from
Weak Password Dictionary SHA256
SHA256 of the weak password dictionary
Scan Days
Days in a week when weak passwords are scanned. You can select one or more days.
User-defined Weak Passwords
You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password.
MySQL Weak Password Detection
Scans MySQL login passwords for weak passwords.
- Click OK.
High-risk Command Detection
- In the policy group list, click the name of the group that contains the required policy.
- Click High-risk Command Scan.
- In the Policy Settings area, modify the settings as required, as shown in Figure 4. For more information, see Table 4.
Table 4 High-risk command scan parameters
Parameter
Description
Report or Log Process Terminations
Reports or records process termination.
- : enable
- : disable
Deduplicate and Report via the Message Channel
De-duplicates messages reported through the message channel.
- : enable
- : disable
Process Reporting Interval (Min)
This parameter takes effect only if Deduplicate and Report via the Message Channel has been enabled.
This parameter specifies the interval for reporting process statistics. Set it to a valid number.
Max. CPU Usage of Independent Process (%)
This parameter takes effect only if Deduplicate and Report via the Message Channel has been enabled.
This parameter specifies the maximum CPU usage of an independent process. The value range is 5 to 99.
Max. Memory Usage of Independent Process (MB)
This parameter takes effect only if Re-reporting via the Message Channel has been enabled.
This parameter specifies the maximum memory usage of an independent process. The value range is 50 to 1024.
Data Receiving IP & Port of Independent Process
This parameter takes effect only if Re-reporting via the Message Channel has been enabled.
This parameter specifies the data receiving IP address and port of an independent process.
Max. Independent Process Data Sending Rate (kbit/s)
This parameter takes effect only if Re-reporting via the Message Channel has been enabled.
This parameter specifies the maximum data sending rate of an independent process. The value range is 1 to 100.
Log Compaction
Compacts logs.
- : enable
- : disable
Collecting Process Network Info
Collects network connection information of processes.
- : enable
- : disable
Record Logs
Records logs.
- : enable
- : disable
Log File Path
Log file path
Maximum Log Size (MB)
Maximum size of a log file. The value range is 10 to 1024.
- If the size of a .log file exceeds the allowed maximum size, the system automatically renames the file as .log.0, creates a new .log file, and writes logs to the .log file.
- A maximum of two log files can exist. If the .log file exceeds the allowed maximum size, the system deletes the .log.0 file, renames the .log file as .log.0, creates a new .log file, and writes logs to the .log file.
High-Risk Commands
High-risk commands you want HSS to detect. Each command occupies a line.
Whitelist (Do Not Record Logs)
- Process Path or Process Name: full path of a process or full name of a program
- Regular Expression in CLI: regular expression of a command
- Operation: You can click Add or Delete to modify the list of processes and programs.
- Click OK.
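A dry run for whitelist entries before they are added to the Whitelist (Do Not Record Logs) list, as an added example that is not HSS code. It assumes an entry suppresses logging when the process path or name matches and the regular expression matches anywhere in the command line; the page does not state the matching rule, and every command and path below is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample values; none of them come from the HSS documentation.
HIGH_RISK_COMMANDS = ["nc", "strace", "tcpdump"]

EVENTS = [  # (process path, command line) pairs as an agent might observe them
    ("/usr/sbin/tcpdump", "tcpdump -i eth0 -c 100 port 443"),
    ("/usr/sbin/tcpdump", "tcpdump -i eth0 -w /tmp/cap.pcap port 443"),
    ("/usr/bin/strace", "strace -p 1234"),
    ("/usr/bin/ls", "ls -la"),
]

@dataclass
class WhitelistEntry:
    process: str    # "Process Path or Process Name" column
    cli_regex: str  # "Regular Expression in CLI" column

# Loose: bare program name plus an unanchored pattern.
LOOSE = WhitelistEntry("tcpdump", "port 443")
# Tight: full path plus a pattern anchored at both ends.
TIGHT = WhitelistEntry("/usr/sbin/tcpdump", r"^tcpdump -i eth0 -c \d+ port 443$")

def is_high_risk(cmdline, commands):
    """True if the executable's base name is on the high-risk command list."""
    argv0 = cmdline.split()[0]
    return argv0.rsplit("/", 1)[-1] in commands

def is_whitelisted(path, cmdline, entries):
    """Assumed rule: process matches by full path or name AND regex is found."""
    name = path.rsplit("/", 1)[-1]
    return any(
        e.process in (path, name) and re.search(e.cli_regex, cmdline)
        for e in entries
    )

def audit(events, commands, entries):
    """Return the command lines that would still be recorded."""
    return [
        cmd for path, cmd in events
        if is_high_risk(cmd, commands) and not is_whitelisted(path, cmd, entries)
    ]

if __name__ == "__main__":
    for label, entry in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit(EVENTS, HIGH_RISK_COMMANDS, [entry]))
```

With the loose entry, the capture-to-file invocation drops out of the log along with the routine job; the tight entry keeps it recorded.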
Privilege Escalation Scan
- In the policy group list, click the name of the group that contains the required policy.
Abnormal or Reverse Shell Scan
- In the policy group list, click the name of the group that contains the required policy.
- Click Abnormal/Reverse Shell Scan.
- In the Policy Settings area, modify the settings as required, as shown in Figure 6. For more information, see Table 6.
Table 6 Abnormal or reverse shell scan parameters
Parameter
Description
Whitelist Paths in Reverse Shell Check
Process file path to be ignored in reverse shell detection
Reverse Shell Scanning Period (s):
Reverse shell scanning period. The value range is 30 to 86,400.
Abnormal Shell Detection
Detects abnormal shells. You are advised to enable it.
- : enable
- : disable
Max. Files Opened by a Process
Maximum number of files that can be opened by a process. The value range is 10 to 300,000.
- Click OK.
File Integrity Monitoring
- In the policy group list, click the name of the group that contains the required policy.
- Click File Integrity Monitoring.
- In the Policy Settings area, modify the settings as required, as shown in Figure 7. For more information, see Table 7.
Table 7 File integrity monitoring parameters
Parameter
Description
Full Scan Interval (s)
Interval between two consecutive full scans on specified files. The value range is 3600 to 100,000.
For example, setting it to 3600 means the full scan is performed every hour.
File Status Check Interval (s)
Interval for checking file status. The value range is 10 to 600.
File Scan Interval (ms)
Interval between the checks of two files. The value range is 0 to 1000.
For example, if this parameter is set to 50, the system checks /usr/bin/ls 50 milliseconds after it checks /bin/ls.
File Paths
Path of the files to be checked
NOTE:
- Exercise caution when modifying this setting. The default values are all critical files, and you are advised not to delete any of them.
- HSS does not monitor changes to files that are not specified here.
- Click OK.
Web Shell Scan
Web shell scan takes effect only after a web path is set.
- In the policy group list, click the name of the group that contains the required policy.
- Click Web Shell Scan.
- In the Policy Settings area, modify the settings as required, as shown in Figure 8. For more information, see Table 8.
To prevent the software in web paths from affecting the HSS agent, do not set web paths under /usr/local.
Table 8 Web shell scan parameters
Parameter
Description
Asset Discovery Linkage
Automatically scans the web paths you specified.
- : enable
- : disable
Monitored Web Directories
Web paths to be scanned. A file path must:
- Start with a slash (/) and not end with a slash (/).
- End with a port number.
- Occupy a separate line and contain no spaces.
Monitored Files Types
Extensions of files to be checked. Valid values include jsp, jspx, jspf, php, php5, php4.
Monitor File Modification
Monitors modifications on files.
- Click OK.