Configuring Policies

Updated on 2025-01-21 GMT+08:00

Scenario

After HSS is enabled, you can configure HSS policies based on your service requirements.

Constraints

  • The professional, enterprise, premium, WTP, or container edition is enabled.
  • For the default policy groups, you are advised to retain their default configurations.
  • Modifications on a policy take effect only in the group it belongs to.

Accessing the Policies Page

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > HSS.
  3. In the navigation tree on the left, choose Security Operation > Policies. Table 1 describes the fields on the displayed page.

    NOTE:

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    Figure 1 Policy management
    Table 1 Policy group parameters

    Parameter

    Description

    Policy Group

    Name of a policy group. The preset policy group names are as follows:

    • tenant_linux_advanced_default_policy_group: preset Linux policy of the professional edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_windows_advanced_default_policy_group: preset Windows policy of the professional edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_linux_container_default_policy_group: preset Linux policy of the container edition. You can copy this policy group and create a new one based on it.
    • tenant_linux_enterprise_default_policy_group: preset Linux policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_windows_enterprise_default_policy_group: preset Windows policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_linux_premium_default_policy_group: preset Linux policy of the premium edition. You can create a policy group by copying this default group and modifying the copy.
    • tenant_windows_premium_default_policy_group: preset Windows policy of the premium edition. You can create a policy group by copying this default group and modifying the copy.
    • wtp_ServerName: WTP edition policy group, generated by default when WTP is enabled for a server.

    Description

    Detailed description of a policy group.

    Supported Version

    HSS edition supported by a policy group.

    Supported OS

    OS supported by a policy group.

    Associated Servers

    To view details about the servers associated with a policy group, click the number in the Servers column of the group.

  4. Click the name of a policy group to access the policy detail list.

    Figure 2 Policies

  5. In the row of the policy, click Enable or Disable in the Operation column.

    After a policy is disabled, HSS does not check for security issues based on the policy.

  6. Click the name of a policy to modify it. The following sections describe the policies.

Asset Discovery

  1. Click Asset Discovery.
  2. On the displayed page, modify the settings as required. For more information, see Table 2.

    Table 2 Parameter description

    Parameter

    Description

    Scan Time

    Fixed time for automatic asset scans. The scan time can be customized for middleware, web frameworks, kernel modules, web applications, websites, web services, and databases.

    Offset time is an automatic adjustment applied before or after the specified scan time.

    • Accounts: Linux accounts are automatically checked every hour, and Windows accounts are checked in real time.
    • Open ports are automatically checked every 30 seconds.
    • Processes are automatically checked every hour.
    • Installed software is automatically checked once a day.
    • Auto-started items are automatically checked every hour.
    • Middleware/Web framework: You can select the scan date and time together.
    • Kernel modules: You can set the scan date and time as required.
    • Web applications/Websites/Web services/Databases: You can select the scan date and time together.

    Scanned Web Directories

    Specifies a web directory to be scanned.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Weak Password Scan

Weak passwords are not classified as a vulnerability type, but they pose no less risk than any vulnerability. Data and programs become insecure once their passwords are cracked.

HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.

  1. Click Weak Password Detection.
  2. In the Policy Settings area, modify the settings as required. For more information, see Table 3.

    Figure 3 Modifying the weak password detection policy
    Table 3 Parameter description

    Parameter

    Description

    Scan Time

    Time point when detections are performed. It can be accurate to the minute.

    Random Deviation Time (Seconds)

    Random deviation applied to Scan Time for the weak password scan. The value range is 0 to 7200s.

    Scan Days

    Days in a week when weak passwords are scanned. You can select one or more days.

    User-defined Weak Passwords

    You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password.

    Enter only one weak password per line. Up to 300 weak passwords can be added.

    Password Complexity Policy Check

    A password complexity policy refers to the password rules and standards set on a server. If you enable Password Complexity Policy Check, HSS will check the password complexity policy when you manually perform a baseline check.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
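The three scheduling fields (Scan Time, Random Deviation Time and Scan Days) recur unchanged in the configuration check and web shell detection policies below, so it is worth being precise about how they combine. The following Python example is added here and is not code from the HSS documentation or product; it validates the fields using the limits the tables state (minute-accurate time, deviation between 0 and 7200 s, at least one weekday) and works out when the next scan actually runs. The one assumption is that the deviation delays the scan rather than moving it earlier, which the page does not specify.

```python
import random
from datetime import datetime, time, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MAX_DEVIATION_SECONDS = 7200   # upper bound of Random Deviation Time (Seconds) on the page


def parse_policy(scan_time: str, deviation_seconds: int, scan_days):
    """Validate the three scheduling fields as the console describes them and
    return (time-of-day, deviation, set of weekday indexes)."""
    hours, minutes = scan_time.split(":")
    at = time(int(hours), int(minutes))               # Scan Time is accurate to the minute
    if not 0 <= deviation_seconds <= MAX_DEVIATION_SECONDS:
        raise ValueError(f"deviation must be between 0 and {MAX_DEVIATION_SECONDS} s")
    if not scan_days:
        raise ValueError("select at least one scan day")
    days = {WEEKDAYS.index(d) for d in scan_days}     # ValueError for an unknown day name
    return at, deviation_seconds, days


def next_scan_slot(now: datetime, scan_time: str, scan_days) -> datetime:
    """Nominal start of the next scan strictly after `now`, before any deviation."""
    at, _, days = parse_policy(scan_time, 0, scan_days)
    for day_offset in range(8):                       # every selected weekday recurs within 7 days
        candidate = datetime.combine(now.date() + timedelta(days=day_offset), at)
        if candidate.weekday() in days and candidate > now:
            return candidate
    raise RuntimeError("no scan slot found")          # unreachable with at least one day selected


def apply_deviation(slot: datetime, deviation_seconds: int, rng=random) -> datetime:
    """Add the random deviation. Assumption (not stated on the page): the deviation
    delays the scan by 0..deviation_seconds rather than moving it earlier."""
    if not 0 <= deviation_seconds <= MAX_DEVIATION_SECONDS:
        raise ValueError(f"deviation must be between 0 and {MAX_DEVIATION_SECONDS} s")
    return slot + timedelta(seconds=rng.randint(0, deviation_seconds))


def scheduled_run_iso(now_iso: str, scan_time: str, deviation_seconds: int, scan_days, seed=None) -> str:
    """String-in, string-out wrapper: the actual run time of the next scan."""
    slot = next_scan_slot(datetime.fromisoformat(now_iso), scan_time, scan_days)
    return apply_deviation(slot, deviation_seconds, random.Random(seed)).isoformat()


if __name__ == "__main__":
    # Constructed example policy: scan at 02:30 on Monday and Thursday with up to 2 h of deviation.
    print(scheduled_run_iso("2025-01-21T10:00:00", "02:30", 7200, ["Monday", "Thursday"], seed=1))
```

The practical consequence for operators: with the maximum deviation a scan whose Scan Time is 02:30 may start as late as 04:30, so alarm correlation windows and maintenance freezes should account for the full deviation range rather than the nominal time.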

Configuration Check

  1. Click Configuration Check.
  2. On the Configuration Check page, modify the policy. For more information, see Table 4.

    Figure 4 Modifying the configuration check policy
    Table 4 Parameter description

    Parameter

    Description

    Scan Time

    Time point when detections are performed. It can be accurate to the minute.

    Random Deviation Time (Seconds)

    Random deviation time of the system detection. The value ranges from 0 to 7,200s.

    Scan Days

    Day in a week when a detection is performed. You can select any days from Monday to Sunday.

    System Default Baseline Library

    Detection baselines are preset in the system; you only need to select the baselines you want to scan. All parameters keep their default values and cannot be modified.

  3. Select the baseline to be detected or customize a baseline.

    NOTE:

    To check whether your system meets compliance requirements, select DJCP MLPS in the Type area.

  4. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Web Shell Detection

If User-defined Scan Paths is not specified, the website paths in your assets are scanned by default. If User-defined Scan Paths is specified, website paths and the specified paths are scanned.

  1. Click Web Shell Detection.
  2. On the Web Shell Detection page, modify the settings as required. For more information, see Table 5.

    Figure 5 Modifying the web shell detection policy
    Table 5 Parameter description

    Parameter

    Description

    Scan Time

    Time point when detections are performed. It can be accurate to the minute.

    Random Deviation Time (Seconds)

    Random deviation time. The value ranges from 0 to 7,200s.

    Scan Days

    Days in a week when web shells are scanned. You can select one or more days.

    User-defined Scan Paths

    Web paths to be scanned. Each file path must:

    • Start with a slash (/) and not end with a slash (/).
    • Occupy a separate line and contain no spaces.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

File Protection

  1. Click File Protection.
  2. On the File Protection page, modify the policy. For more information, see Table 6.

    The following figure uses the Linux policy as an example.
    Figure 6 Modifying the file protection policy
    Table 6 Parameter description

    File Privilege Escalation (Supported OS: Linux)

    • Detects privilege escalation.
      • Toggle on: enabled
      • Toggle off: disabled
    • Ignored File Path: Files to be ignored. Start each path with a slash (/) and do not end it with a slash (/). Each path occupies a line. No spaces are allowed in path names.

    File Integrity (Supported OS: Linux)

    • Checks the integrity of key files.
      • Toggle on: enabled
      • Toggle off: disabled
    • File Paths: Configure the file paths.

    Important File Directory Change (Supported OS: Linux)

    • Detects directory changes of key files.
      • Toggle on: enabled
      • Toggle off: disabled
    • Session IP Whitelist: If the file process belongs to a session from one of the listed IP addresses, no audit applies.
    • Unmonitored File Types: File types that do not need to be monitored.
    • Unmonitored File Paths: File paths that do not need to be monitored.
    • Monitoring Login Keys: Monitors login keys.
      • Toggle on: enabled
      • Toggle off: disabled

    Directory Monitoring Mode for Linux (Supported OS: Linux)

    • Directory monitoring mode. Its value can be Conservative or Sensitive. Compared with Sensitive mode, Conservative mode has two more attributes (Monitor Subdirectory and Monitor Property Change) selected by default.
    • Some file or directory monitoring paths are preset in the system. You can modify the file change types to be detected and add the file or directory paths to be monitored.
      • File or Directory Path: path of the file or directory to be monitored. Up to 50 paths can be added. Ensure the specified paths are valid.
      • Alias: alias of a file or directory path. You can enter a name that is easy to distinguish.
      • Monitor Subdirectory: If this option is selected, all files in the corresponding subdirectories are monitored. If it is not selected, subdirectories are not monitored.
      • Monitor Creation, Monitor Deletion, Monitor Movement, and Monitor Modification: Select them as needed.

    Directory Monitoring Mode for Windows (Supported OS: Windows)

    Some file or directory monitoring paths are preset in the system. You can modify the file change types to be detected and add the file or directory paths to be monitored.

    • File or Directory Path: path of the file or directory to be monitored. Up to 50 paths can be added. Ensure the specified paths are valid.
    • Alias: a user-defined name used to distinguish files or directories. Its value has no effect on monitoring.
    • Monitor Subdirectory: If this option is selected, all files in the subdirectories are monitored. If it is not selected, subdirectories are not monitored.
    • File Name Extension: type of the file to be monitored. A maximum of 50 extensions can be added.
    • Ignored Path: Valid only if Monitor Subdirectory is selected. It specifies the subdirectories that do not need to be monitored. Up to 20 paths can be added. Ensure the specified paths are valid.
    • Monitor Creation, Monitor Deletion, Monitor Movement, and Monitor Modification: Select them as needed.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

HIPS Detection

  1. Click HIPS Detection.
  2. Modify the policy content. For more information, see Table 7.

    Figure 7 Modifying the HIPS detection policy
    Table 7 HIPS detection policy parameters

    Parameter

    Description

    Auto Blocking

    If this function is enabled, abnormal changes to registries, files, and processes are automatically blocked to prevent reverse shells and high-risk commands.
    • Toggle on: enabled
    • Toggle off: disabled

    Trusted Processes

    Paths of trusted processes. You can click Add to add a path and click Delete to delete it.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Login Security Check

  1. Click Login Security Check.
  2. On the displayed Login Security Check page, modify the policy content. Table 8 describes the parameters.

    Figure 8 Modifying the security check policy
    Table 8 Parameter description

    Parameter

    Description

    Lock Time (min)

    Number of minutes for which an attacking IP address is locked. The value range is 1 to 43200. Login from the address is not allowed during the lockout.

    Check Whether the Audit Login Is Successful

    • After this function is enabled, HSS reports successful logins.
      • Toggle on: enabled
      • Toggle off: disabled

    Block Non-whitelisted Attack IP Address

    After this function is enabled, HSS blocks logins from brute-force attack IP addresses that are not whitelisted.

    Report Alarm on Brute-force Attack from Whitelisted IP Address

    • After this function is enabled, HSS generates alarms for brute-force attacks from whitelisted IP addresses.
      • Toggle on: enabled
      • Toggle off: disabled

    Whitelist

    After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Malicious File Detection

  1. Click Malicious File Detection.
  2. On the displayed page, modify the policy. For more information, see Table 9.

    Figure 9 Modifying the malicious file detection policy
    Table 9 Parameter description

    Parameter

    Description

    Whitelist Paths in Reverse Shell Check

    Process file paths to be ignored in reverse shell detection.

    Each path must start with a slash (/), must not end with a slash (/), must occupy a separate line, and cannot contain spaces.

    Ignored Reverse Shell Local Port

    Local ports that do not need to be scanned for reverse shells.

    Ignored Reverse Shell Remote Address

    Remote addresses that do not need to be scanned for reverse shells.

    Detect Reverse Shells

    • Detects reverse shells. You are advised to enable it.
      • Toggle on: enabled
      • Toggle off: disabled

    Abnormal Shell Detection

    • Detects abnormal shells. You are advised to enable it.
      • Toggle on: enabled
      • Toggle off: disabled

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Abnormal Process Behaviors

The abnormal process behavior policy supports two detection modes:

  • Sensitive: In-depth full scans are performed on all processes, which may cause false positives. Suitable for network protection drills and key event assurance.
  • Balanced: All processes are scanned. The scan result accuracy and the abnormal process detection rate are balanced. Suitable for routine protection.

This policy does not need to be configured separately. It changes with the protection mode of the policy group. To enable the sensitive mode, change the protection mode of the policy group to Sensitive by referring to Configuring the Policy Group Protection Mode.

Root Privilege Escalation Detection

  1. Click Root privilege escalation.
  2. In the displayed area, modify the settings as required. For more information, see Table 10.

    Figure 10 Modifying the root privilege escalation policy
    Table 10 Parameter description

    Parameter

    Description

    Ignored Process File Path

    Process file paths to be ignored in root privilege escalation detection.

    Each path must start with a slash (/), must not end with a slash (/), must occupy a separate line, and cannot contain spaces.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
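The same path-list format is used by four policies on this page: User-defined Scan Paths (web shell detection), Ignored File Path (file protection), Whitelist Paths in Reverse Shell Check (malicious file detection) and Ignored Process File Path (root privilege escalation). The following Python example, added here and not taken from the HSS documentation or product, applies the stated rules (each line starts with a slash, does not end with one, and contains no spaces) to the contents of such a text box before it is pasted into the console, so that a malformed line does not silently leave a path unscanned or unignored. The only assumption beyond the page is that blank lines are skipped rather than rejected.

```python
from typing import List, Optional, Tuple


def check_path(path: str) -> Optional[str]:
    """Return None if `path` satisfies the page's rules, otherwise the rule it breaks."""
    if not path.startswith("/"):
        return "must start with a slash (/)"
    if path.endswith("/"):
        return "must not end with a slash (/)"
    if any(ch.isspace() for ch in path):
        return "must not contain spaces"
    return None


def parse_path_list(textbox: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Split the text box into one path per line and validate each line.
    Returns (accepted paths, [(line number, offending line, reason), ...]).
    Assumption: blank lines are ignored rather than rejected."""
    accepted, rejected = [], []
    for lineno, line in enumerate(textbox.splitlines(), start=1):
        if line == "":
            continue
        reason = check_path(line)
        if reason is None:
            accepted.append(line)
        else:
            rejected.append((lineno, line, reason))
    return accepted, rejected


# Constructed sample content for a path text box (not from the page).
SAMPLE_TEXTBOX = "\n".join([
    "/var/www/html",
    "/srv/app/uploads/",      # trailing slash
    "opt/web",                # no leading slash
    "/data/my site",          # contains a space
    "",                       # blank line, ignored
    "/usr/share/nginx/html",
])

if __name__ == "__main__":
    ok, bad = parse_path_list(SAMPLE_TEXTBOX)
    print("accepted:", ok)
    for lineno, line, reason in bad:
        print(f"line {lineno}: {line!r} {reason}")
```

Note that the rules are applied literally: a bare `/` fails the "must not end with a slash" rule, so the root directory cannot be entered as a single path in these text boxes.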

Real-time Process

  1. Click Real-time Process.
  2. On the displayed page, modify the settings as required. For more information, see Table 11.

    Figure 11 Modifying the real-time process policy
    Table 11 Parameters for real-time process policy settings

    Parameter

    Description

    High-Risk Commands

    Keywords used to identify high-risk commands during detection. A keyword can contain only letters, numbers, hyphens (-), spaces, and the special characters /*\=>.:'"+-.

    NOTE:

    Currently, built-in shell commands cannot be detected.

    Whitelist (Do Not Record Logs)

    Paths or programs that are allowed or ignored during detection. You can also enter a regular expression for the command to be whitelisted; the command regular expression is optional.

    Example:

    • Full path or program name of a process: /usr/bin/sleep
    • Command regular expression: ^[A-Za-z0-9[:space:]\\*\\.\\\":_'\\(>=-]+$

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
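To see how the High-Risk Commands keywords and the Whitelist (Do Not Record Logs) entries interact, the following Python example, added here and not part of the HSS documentation or product, models the evaluation of a recorded process event against such a policy: the keyword character set from Table 11 is enforced, a whitelist entry matches by program path with an optional command regular expression, and whitelisted events produce no log while keyword hits produce an alert. The sample keywords and events are constructed; the whitelist entry reuses the page's own example values. Because Python's re module does not support the POSIX [:space:] class inside a bracket expression, the example substitutes \s when porting the page's sample regex; how the console itself interprets the pattern is not stated on the page.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Characters the page allows in a high-risk command keyword: letters, numbers,
# hyphens, spaces and the special characters /*\=>.:'"+-
KEYWORD_CHARSET = re.compile(r"""^[A-Za-z0-9 /*\\=>.:'"+-]+$""")


def keyword_is_valid(keyword: str) -> bool:
    """True if the console would accept `keyword` (non-empty, allowed characters only)."""
    return KEYWORD_CHARSET.match(keyword) is not None


def posix_to_python(pattern: str) -> str:
    # The page's sample whitelist regex uses the POSIX [:space:] class. Python's re
    # module has no bracket-expression classes, so this port substitutes \s; how the
    # console itself interprets the pattern is not stated on the page (assumption).
    return pattern.replace("[:space:]", r"\s")


@dataclass
class WhitelistEntry:
    program: str                         # full path or bare program name, e.g. /usr/bin/sleep
    command_regex: Optional[str] = None  # optional: only command lines matching it are whitelisted

    def covers(self, program: str, command: str) -> bool:
        # A full path must match exactly; a bare name matches the executable's basename.
        if program != self.program and os.path.basename(program) != self.program:
            return False
        if self.command_regex is None:
            return True
        return re.fullmatch(posix_to_python(self.command_regex), command) is not None


def evaluate(program: str, command: str, keywords: Iterable[str],
             whitelist: Iterable[WhitelistEntry]) -> str:
    """'whitelisted' (no log recorded), 'alert' (a keyword occurs in the command line) or 'clean'."""
    if any(entry.covers(program, command) for entry in whitelist):
        return "whitelisted"
    if any(kw in command for kw in keywords):
        return "alert"
    return "clean"


# Constructed sample policy (not from the page) using the page's own whitelist example values.
HIGH_RISK_KEYWORDS = ["rm -rf", "chmod 777", "useradd"]
WHITELIST = [WhitelistEntry("/usr/bin/sleep", r"^[A-Za-z0-9[:space:]\\*\\.\\\":_'\\(>=-]+$")]

# Constructed sample process events: (executable path, command line as recorded).
SAMPLE_EVENTS = [
    ("/usr/bin/sleep", "sleep 30"),                      # whitelisted program and command
    ("/tmp/sleep", "sleep 30"),                          # same name, different path: not whitelisted
    ("/usr/bin/rm", "rm -rf /tmp/build"),                # keyword hit
    ("/usr/bin/sleep", "sleep 30 ; rm -rf /tmp/build"),  # regex rejects ';' and '/', keyword hit
]


def evaluate_samples() -> List[str]:
    assert all(keyword_is_valid(k) for k in HIGH_RISK_KEYWORDS)
    return [evaluate(p, c, HIGH_RISK_KEYWORDS, WHITELIST) for p, c in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (program, command), verdict in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(f"{verdict:<12} {program}: {command}")
```

The last two events show why the optional command regular expression matters: whitelisting /usr/bin/sleep by path alone would suppress logs for every command line that program runs, whereas the regular expression keeps the exemption narrow, and a binary with the same name in a different directory is never covered.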

Rootkit Detection

  1. Click Rootkit Detection.
  2. On the rootkit detection page, modify the policy content.

    Figure 12 Modifying the rootkit detection policy
    Table 12 Parameter description

    Kernel Module Whitelist

    Add the kernel modules that can be ignored during the detection. Up to 10 kernel modules can be added. Each module occupies a line.

    Example value:

    xt_conntrack
    virtio_scsi
    tun

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

AV Detection

  1. Click AV Detection.
  2. On the AV Detection slide pane that is displayed, modify the settings as required. For details, see Table 13.

    Table 13 AV detection policy parameters

    Real-Time Protection

    After this function is enabled, AV detection is performed in real time when the current policy is executed. You are advised to enable this function.

    • Toggle on: enabled
    • Toggle off: disabled

    Example value: enabled

    Protected File Type

    Type of the files to be checked in real time.

    • All: Select all file types.
    • Executable: Executable file types such as EXE, DLL, and SYS.
    • Compressed: Compressed file types such as ZIP, RAR, and JAR.
    • Text: Text file types such as PHP, JSP, HTML, and Bash.
    • OLE: Composite file types such as Microsoft Office files (PPT and DOC) and saved email files (MSG).
    • Other: File types except the preceding types.

    Example value: All

    Action

    How detected virus files are handled.

    • Automated handling: Isolate high-risk virus files by default. Report other virus files but do not isolate them.
    • Manual handling: Report all detected virus files but do not isolate them. You need to handle them manually.

    Example value: Automated handling

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Container Information Collection

  1. Click Container Information Collection.
  2. On the Container Information Collection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 14.

    NOTE:

    The whitelist has a higher priority than blacklist. If a directory is specified in both the whitelist and blacklist, it is regarded as a whitelisted item.

    Table 14 Container information collection policy parameters

    Mount Path Whitelist

    Enter the directories that can be mounted.

    Note: If a directory ends with an asterisk (*), the entry covers all sub-directories under that directory, excluding the directory itself. For example, if /var/test/* is specified in the whitelist, all sub-directories in /var/test/ are whitelisted, but the test directory itself is not.

    Example value: /test/docker or /root/*

    Mount Path Blacklist

    Enter the directories that cannot be mounted. For example, you are advised not to mount user and bin, which hold key host information files; otherwise, important information may be exposed.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
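The two precedence rules in this policy (an entry ending in /* covers sub-directories but not the directory itself, and a whitelist match wins over a blacklist match) are easy to get wrong when reviewing a policy by eye. The following Python example, added here and not taken from the HSS documentation or product, classifies container mount paths against constructed whitelist and blacklist entries built from the page's examples. One assumption beyond the page: a plain entry such as /test/docker matches only that directory, not paths beneath it, since the page reserves sub-directory matching for the /* form.

```python
def _normalize(path: str) -> str:
    """Collapse a trailing slash so '/var/test/' and '/var/test' compare equal."""
    return path if path == "/" else path.rstrip("/")


def entry_matches(entry: str, path: str) -> bool:
    """Match one whitelist/blacklist entry against a container mount path.
    '/dir/*' matches every directory below /dir but not /dir itself (page semantics);
    a plain '/dir' matches only that directory (assumption: no implicit sub-directory match)."""
    path = _normalize(path)
    if entry.endswith("/*"):
        base = _normalize(entry[:-2] or "/")
        prefix = "/" if base == "/" else base + "/"
        return path != base and path.startswith(prefix)
    return path == _normalize(entry)


def classify_mount(path: str, whitelist, blacklist) -> str:
    """Return 'whitelisted', 'blacklisted' or 'unlisted'.
    The whitelist has priority over the blacklist, as the page's NOTE states."""
    if any(entry_matches(e, path) for e in whitelist):
        return "whitelisted"
    if any(entry_matches(e, path) for e in blacklist):
        return "blacklisted"
    return "unlisted"


# Constructed sample policy using the page's example entries plus a deliberate overlap
# (/var/test/* in both lists) to show that the whitelist wins.
WHITELIST = ["/test/docker", "/root/*", "/var/test/*"]
BLACKLIST = ["/usr", "/bin", "/var/test", "/var/test/*"]

# Constructed sample mount paths observed on containers.
SAMPLE_MOUNTS = ["/var/test/a", "/var/test", "/test/docker", "/usr", "/usr/lib", "/root/.ssh", "/home/app"]


def classify_samples():
    return {mount: classify_mount(mount, WHITELIST, BLACKLIST) for mount in SAMPLE_MOUNTS}


if __name__ == "__main__":
    for mount, verdict in classify_samples().items():
        print(f"{verdict:<12} {mount}")
```

The /usr/lib result is the caveat to watch: a blacklist entry of /usr written without the asterisk does not cover its sub-directories, so a mount of /usr/lib falls through as unlisted. Blacklist both /dir and /dir/* when the intent is to block the whole tree.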

Cluster Intrusion Detection

  1. Click Cluster Intrusion Detection.
  2. On the Cluster Intrusion Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 15.

    Table 15 Cluster intrusion detection policy parameters

    Basic Detection Cases

    Select basic check items as required.

    Example value: Select all

    Whitelist

    You can customize the types and values to be ignored during detection, and add or delete types and values as required.

    The following types are supported:

    • IP address filter
    • Pod name filter
    • Image name filter
    • User filter
    • Pod tag filter
    • Namespace filter

    NOTE:

    Each type can be used only once.

    Example value:

    Type: IP address filtering

    Value: 192.168.x.x

    NOTE:

    After this policy is configured, you need to enable the log audit function and deploy the HSS agent on the management node (node where the APIServer is located) of the cluster to make the policy take effect.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Container Escape Detection

  1. Click Container Escape. The container escape policy details page is displayed.
  2. On the container escape page that is displayed, edit the policy content. For details about the parameters, see Table 16.

    If no image, process, or POD needs to be added to the whitelist, leave the whitelist blank.
    Table 16 Container escape detection policy parameters

    Parameter

    Description

    Image Whitelist

    Enter the names of the images for which container escape detection is not performed. An image name can contain only letters, numbers, underscores (_), and hyphens (-), and each name must be on a separate line. Up to 100 image names are allowed.

    Process Whitelist

    Enter the full paths of the processes for which container escape detection is not performed. A process path can contain only letters, numbers, underscores (_), and hyphens (-), and each path must be on a separate line. Up to 100 process paths are allowed.

    Pod Whitelist

    Enter the names of the pods for which container escape detection is not performed. A pod name can contain only letters, numbers, underscores (_), and hyphens (-), and each name must be on a separate line. Up to 100 pod names are allowed.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Container Escape Prevention

NOTE:

This function is in the OBT phase. To use it, submit a service ticket.

  1. Click Container Escape Prevention. The policy details page is displayed.
  2. Edit the policy. For details about the parameters, see Table 17.

    Figure 13 Container escape prevention policy
    Table 17 Container escape prevention policy parameters

    Parameter

    Description

    Example Value

    Action

    • Alarm: If an abnormal runtime behavior is detected, only an alarm is reported.
    • Block: If an abnormal runtime behavior is detected, an alarm is reported and the container instance is blocked.
    • Allow: If an abnormal runtime behavior is detected, the container instance is still allowed to run.

    Block

    Protection Scope

    Select the protection scope of abnormal runtime behavior detection. Specify server and image names to detect abnormal behaviors of the containers that use the specified images on specified servers.

    The configuration methods are as follows:

    • Server Name: Select a server from the drop-down list and click Add. Alternatively, enter a server name in the text box and press Enter. Each name can contain up to 128 characters. Up to 100 server names can be configured.
    • Image Name: Select an image name from the drop-down list and click Add. Alternatively, enter an image name in the text box and press Enter. Each name can contain up to 128 characters. Up to 100 image names can be configured.
    • Server name: test01
    • Image name: moby/buildkitbuildx-stable-1

    Policy Settings

    The container anti-escape policy contains preset rules detecting abnormal behaviors in processes, files, and system calls. A detection rule specifically a scenario where abnormal behaviors are checked for. It does not define runtime abnormal behaviors. You can enable or disable the detection rule as required. (The rules are disabled by default.) The rule names and IDs are as follows:

    • Escape by Writing in High-risk Directory on Host (ae246a6fb5290701): Check whether a sensitive host directory is mounted to a container, and a process in the container is used to write data to the directory.
    • Container Escape Tool Execution (ce246a6fb5290702): Check for the execution of container escape tools such as CDK.
    • User Configuration File Change on Host (de246a6fb5290703): Check for modifications on the system and application configuration files on a host.
    • High-risk System Call (ee246a6fb5290704): Check for high-risk system calls, such as chown, used by processes.

    In addition to the preceding detection rules, the HSS can detect abnormal network activities and process capabilities.

    If an abnormal behavior event triggers a detection rule whose Action is Alarm or Block, the ID of the triggered rule is displayed in the alarm summary reported by HSS.

    The Action of a detection rule is Alarm by default, but this setting has a lower priority than the Action of the policy. If the policy action is Block, the actual rule action will also be Block.

    Enable all

  3. Confirm the information and click OK.
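The first rule above (writes into a sensitive host directory that is mounted into a container) can be reasoned about with a small model. The following is an added example, not HSS code: it resolves a container-side write path through a table of bind mounts, collapses `..` traversal, and raises an alarm only when the write reaches a sensitive host directory through a writable mount. The sensitive-directory list, the mount table, and the events are constructed assumptions for the demo; the page does not publish HSS's own list.

```python
# Added example, not HSS code: emulates the "Escape by Writing in High-risk
# Directory on Host" check on constructed data. The sensitive-directory list,
# mount table and events are assumptions made for the demo.
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Host directories a container should never write through a bind mount
# (assumed list; the page does not publish HSS's own list).
SENSITIVE_HOST_DIRS = ("/etc", "/root", "/boot", "/proc", "/sys",
                       "/lib/modules", "/var/run/docker.sock")


@dataclass(frozen=True)
class Mount:
    host_path: str        # bind-mount source on the host
    container_path: str   # mount point inside the container
    read_only: bool


@dataclass(frozen=True)
class WriteEvent:
    container_id: str
    pid: int
    path: str             # path inside the container that was written


def _is_within(path: str, parent: str) -> bool:
    """True if path equals parent or lies below it (both normalised)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return parent == "/" or path == parent or path.startswith(parent + "/")


def resolve_mount(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Pick the bind mount a container path resolves through: the longest
    matching mount point wins, as in real path resolution."""
    best = None
    for m in mounts:
        if _is_within(path, m.container_path) and (
                best is None or len(m.container_path) > len(best.container_path)):
            best = m
    return best


def check_write(event: WriteEvent, mounts: List[Mount]) -> Optional[str]:
    """Return an alarm reason when the write lands in a sensitive host
    directory through a writable bind mount; None for writes that stay in the
    container's own writable layer or hit a read-only mount."""
    path = posixpath.normpath(event.path)      # collapses "../" traversal
    m = resolve_mount(path, mounts)
    if m is None or m.read_only:
        return None
    rel = posixpath.relpath(path, posixpath.normpath(m.container_path))
    host_target = posixpath.normpath(posixpath.join(m.host_path, rel))
    if posixpath.normpath(m.host_path) == "/":
        # The whole host filesystem is mounted writable: any write is high risk.
        return f"host root mounted at {m.container_path}; wrote {host_target}"
    for sensitive in SENSITIVE_HOST_DIRS:
        if _is_within(host_target, sensitive):
            return f"wrote {host_target} under sensitive {sensitive} via {m.container_path}"
    return None


def scan(events: List[WriteEvent], mounts: List[Mount]) -> List[Tuple[WriteEvent, str]]:
    """Run check_write over a batch of events and keep only the alarms."""
    out = []
    for ev in events:
        reason = check_write(ev, mounts)
        if reason:
            out.append((ev, reason))
    return out


# Constructed sample data for one container.
SAMPLE_MOUNTS = [
    Mount("/", "/host", read_only=False),             # host root, writable
    Mount("/var/log/app", "/logs", read_only=False),  # harmless app log dir
    Mount("/etc", "/hostetc", read_only=True),        # sensitive but read-only
]
SAMPLE_EVENTS = [
    WriteEvent("c1", 4242, "/host/etc/crontab"),      # alarm: host root mount
    WriteEvent("c1", 4242, "/logs/../host/etc/hosts"),  # alarm: traversal into host root
    WriteEvent("c1", 4242, "/logs/app.log"),          # fine: ordinary log dir
    WriteEvent("c1", 4242, "/hostetc/passwd"),        # fine: read-only mount
    WriteEvent("c1", 4242, "/tmp/scratch"),           # fine: container's own layer
]

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_EVENTS, SAMPLE_MOUNTS):
        print(f"ALARM pid={ev.pid} container={ev.container_id}: {reason}")
```

The read-only mount case is the one to notice: a sensitive directory mounted read-only produces no alarm here, which matches the rule's wording (a process must be able to write), but it still deserves a look in a mount-configuration review.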

Container Information Module

  1. Click Container Information Collection.
  2. Modify the policy content as prompted. For details about the parameters related to the policy, see Table 18.

    Table 18 Container information module policy parameters

    Parameter

    Description

    Custom Container Whitelist

    Enter the container name that can be ignored during the detection.

    • Containers created with Docker can be whitelisted by their simple names; HSS automatically performs fuzzy match on them. Other containers are matched exactly by their names.
    • Each container name needs to be on a separate line. Up to 100 whitelist items are allowed.

    Custom Image Organization Whitelist

    Enter the organization name that can be ignored during the detection.

    Each organization name needs to be on a separate line. Up to 100 whitelist items are allowed.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Container File Monitoring

NOTICE:

If a monitored file path is under the mount path rather than the writable layer of the container on the server, changes on the file cannot trigger container file modification alarms. To protect such files, configure a file protection policy.

  1. Click Container File Monitoring.
  2. On the Container File Monitoring slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 19.

    Table 19 Container file monitoring policy parameters

    Parameter

    Description

    Example Value

    Fuzzy Match

    Indicates whether to enable fuzzy match for the target file. You are advised to select this option.

    Selected

    Image Name

    Name of the target image to be checked

    test_bj4

    Image ID

    ID of the target image to be checked

    -

    File

    Name of the file in the target image to be checked

    /tmp/testw.txt

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Container Process Whitelist

  1. Click Container Process Whitelist.
  2. On the Container Process Whitelist slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 20.

    Table 20 Container process whitelist policy parameters

    Parameter

    Description

    Example Value

    Fuzzy Match

    Indicates whether to enable fuzzy match for the target file. You are advised to select this option.

    Selected

    Image Name

    Name of the target image to be checked

    test_bj4

    Image ID

    ID of the target image to be checked

    -

    Process

    Full path of the file in the target image to be checked

    /tmp/testw

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Suspicious Image Behaviors

  1. Click Suspicious Image Behaviors.
  2. On the Suspicious Image Behaviors slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 21.

    Table 21 Suspicious image behaviors policy parameters

    Parameter

    Description

    Example Value

    Rule Name

    Name of a rule

    -

    Description

    Brief description of a rule

    -

    Template

    • Configure templates based on different rules. The supported rules are as follows:
      • Image whitelist
      • Image blacklist
      • Image tag whitelist
      • Image tag blacklist
      • Create container whitelist
      • Create container blacklist
      • Container mount proc whitelist
      • Container seccomp unconfined
      • Container privilege whitelist
      • Container capability whitelist
    • The parameters are described as follows:
      • Exact match: Enter the names of the images you want to check. Use semicolons (;) to separate multiple names. A maximum of 20 names can be entered.
      • RegEx match: Use regular expressions to match images. Use semicolons (;) to separate multiple expressions. A maximum of 20 expressions can be entered.
      • Prefix match: Enter the prefixes of the images you want to check. Multiple prefixes are separated by semicolons (;). A maximum of 20 prefixes can be entered.
      • Tag Name: Enter the tag and value of the images you want to check. A maximum of 20 tags can be added.
      • Permission Type: Specify permissions to be checked or ignored. For details about permissions, see Table 22.

    -

    Table 22 Abnormal image permissions

    Permissions Name

    Description

    AUDIT_WRITE

    Write records to kernel auditing log.

    CHOWN

    Make arbitrary changes to file UIDs and GIDs.

    DAC_OVERRIDE

    Bypass file read, write, and execute permission checks.

    FOWNER

    Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.

    FSETID

    Do not clear set-user-ID and set-group-ID permission bits when a file is modified.

    KILL

    Bypass permission checks for sending signals

    MKNOD

    Create special files using mknod.

    NET_BIND_SERVICE

    Bind a socket to internet domain privileged ports (port numbers less than 1024).

    NET_RAW

    Use RAW and PACKET sockets.

    SETFCAP

    Set file capabilities.

    SETGID

    Make arbitrary manipulations of process GIDs and supplementary GID list.

    SETPCAP

    Modify process capabilities.

    SETUID

    Make arbitrary manipulations of process UIDs.

    SYS_CHROOT

    Use chroot to change the root directory.

    AUDIT_CONTROL

    Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.

    AUDIT_READ

    Allow reading audit logs via multicast netlink socket.

    BLOCK_SUSPEND

    Allow suspension prevention.

    BPF

    Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieving JITed code of BPF programs, and more.

    CHECKPOINT_RESTORE

    Allow operations related to checkpoints and restoration.

    DAC_READ_SEARCH

    Bypass file read permission checks and directory read and execute permission checks.

    IPC_LOCK

    Lock memory (such as mlock, mlockall, mmap, and shmctl).

    IPC_OWNER

    Bypass permission checks for operations on System V IPC objects.

    LEASE

    Establish leases on arbitrary files

    LINUX_IMMUTABLE

    Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.

    MAC_ADMIN

    Allow MAC configuration or state changes.

    MAC_OVERRIDE

    Override Mandatory Access Control (MAC).

    NET_ADMIN

    Perform various network-related operations.

    NET_BROADCAST

    Make socket broadcasts, and listen to multicasts.

    PERFMON

    Allow privileged system performance and observability operations using perf_events, i915_perf and other kernel subsystems.

    SYS_ADMIN

    Perform a range of system administration operations.

    SYS_BOOT

    Use reboot and kexec_load. Reboot and load a new kernel for later execution.

    SYS_MODULE

    Load and unload kernel modules.

    SYS_NICE

    Raise process nice value (nice, set priority) and change the nice value for arbitrary processes.

    SYS_PACCT

    Enable or disable process accounting.

    SYS_PTRACE

    Trace arbitrary processes using ptrace.

    SYS_RAWIO

    Perform I/O port operations (iopl and ioperm).

    SYS_RESOURCE

    Override resource limits.

    SYS_TIME

    Set the system clock (settimeofday, stime, and adjtimex) and real-time (hardware) clock.

    SYS_TTY_CONFIG

    Use vhangup. Employ various privileged ioctl operations on virtual terminals.

    SYSLOG

    Perform privileged syslog operations.

    WAKE_ALARM

    Trigger something that will wake up the system.

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
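To make the templates in Table 21 and the permission list in Table 22 concrete, here is an added example (not HSS code) that evaluates container records against the same kinds of rules: an image blacklist applied with exact, regex or prefix matching over a semicolon-separated field capped at 20 entries, a capability whitelist compared against a kernel-style CapEff hex value, and the privileged and seccomp-unconfined checks. The capability bit numbers are those of linux/capability.h; the whitelist used is the set Docker grants by default, which is also the first fourteen rows of Table 22. Regex entries are applied with unanchored search, an assumed semantics; the sample containers and the blacklist are constructed.

```python
# Added example, not HSS code: evaluates container records against the rule
# templates of Table 21. Capability bit numbers follow linux/capability.h;
# sample containers, blacklist and whitelist semantics are assumptions.
import re
from typing import Dict, List, Set

MAX_ENTRIES = 20  # per-field limit stated in Table 21

# Capability names (without the CAP_ prefix) and their bit positions.
CAP_BITS: Dict[str, int] = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
    "PERFMON": 38, "BPF": 39, "CHECKPOINT_RESTORE": 40,
}

# Capabilities Docker grants by default (the first 14 rows of Table 22).
DOCKER_DEFAULT_CAPS: Set[str] = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def parse_list(field: str) -> List[str]:
    """Split a semicolon-separated template field, enforcing the 20-entry cap."""
    entries = [e.strip() for e in field.split(";") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries; at most {MAX_ENTRIES} allowed")
    return entries


def image_matches(image: str, mode: str, field: str) -> bool:
    """Apply one template field to an image reference. Regex entries use
    re.search (assumed semantics), so anchor them explicitly to avoid over-matching."""
    for entry in parse_list(field):
        if mode == "exact" and image == entry:
            return True
        if mode == "prefix" and image.startswith(entry):
            return True
        if mode == "regex" and re.search(entry, image):
            return True
    return False


def decode_caps(cap_hex: str) -> Set[str]:
    """Turn a CapEff/CapBnd value as printed in /proc/<pid>/status into names."""
    mask = int(cap_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def abnormal_caps(cap_hex: str, whitelist: Set[str]) -> List[str]:
    """Capabilities present in the set but absent from the whitelist."""
    return sorted(decode_caps(cap_hex) - whitelist)


def evaluate(container: Dict, image_blacklist_regex: str,
             cap_whitelist: Set[str]) -> List[str]:
    """Return human-readable findings for one container record."""
    findings = []
    if image_matches(container["image"], "regex", image_blacklist_regex):
        findings.append(f"image {container['image']} is blacklisted")
    extra = abnormal_caps(container["cap_eff"], cap_whitelist)
    if extra:
        findings.append("capabilities outside whitelist: " + ", ".join(extra))
    if container.get("privileged"):
        findings.append("container runs privileged")
    if container.get("seccomp") == "unconfined":
        findings.append("seccomp profile is unconfined")
    return findings


# Constructed sample records; cap_eff is the kernel's hex representation.
SAMPLE_CONTAINERS = [
    {"image": "docker.io/library/nginx:1.25", "cap_eff": "00000000a80425fb",
     "privileged": False, "seccomp": "runtime/default"},
    {"image": "docker.io/library/ubuntu:latest", "cap_eff": "00000000a82c25fb",
     "privileged": False, "seccomp": "unconfined"},
]
# Constructed blacklist: mutable "latest" tags and an untrusted namespace.
BLACKLIST_REGEX = r":latest$;^docker\.io/untrusted/"

if __name__ == "__main__":
    for c in SAMPLE_CONTAINERS:
        for finding in evaluate(c, BLACKLIST_REGEX, DOCKER_DEFAULT_CAPS):
            print(f"{c['image']}: {finding}")
```

The second record carries the Docker defaults plus SYS_PTRACE and SYS_ADMIN, so the capability whitelist flags exactly those two; comparing decoded CapEff sets against a whitelist is the same idea the "Container capability whitelist" template applies.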

Port Scan Detection

  1. Click Port Scan Detection.
  2. On the Port Scan Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 23.

    Table 23 Port scan detection policy parameters

    Parameter

    Description

    Example Value

    Source IP Address Whitelist

    Enter the IP address whitelist. Separate multiple IP addresses with semicolons (;).

    test_bj4

    Ports to Scan

    Details about the port number and protocol type to be detected

    -

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

External Connection Detection

  1. Click External Connection Detection. The details page is displayed.
  2. On the page that is displayed, modify the policy details. Table 24 describes the parameters.

    Table 24 Parameters of an external connection detection policy

    Parameter

    Description

    Example Value

    Process Whitelist

    Traffic is filtered based on process names or process file paths, and the traffic directions in the whitelist.

    • Process name or file path: /usr/local/test
    • Traffic direction: bidirectional

    Traffic Whitelist

    Traffic is filtered based on source or destination IP addresses, ports, or a combination of them.

    -

    Collection Protocol

    The protocol to be detected. The value can be TCP or UDP.

    Select all

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.

Fileless Attack Detection

  1. Click Fileless attack detection.
  2. On the policy details page, view or modify the policy. The following table describes the parameters.

    Table 25 Parameters of a fileless attack detection policy

    Parameter

    Description

    Example Value

    Process injection

    • Process Injection: enables or disables process injection detection.
      • : enabled
      • : disabled
    • Trustlist Matching Specifications: How to match the user-defined path trustlist. Click to select a match mode. The options are as follows:
      • Full match, case sensitive
      • Full match, case-insensitive
      • Fuzzy matching
    • Path trustlist: Enter the paths that do not need to be checked for process injection. Enter one path on each line.
    • Fuzzy matching
    • /usr/sbin/hald

    LD hijacking

    • LD hijacking: enables or disables LD hijacking detection.
      • : enabled
      • : disabled
    • Full process detection: enables or disables LD hijacking threat detection for all processes.
      • : enabled
      • : disabled
    • Trustlist Matching Specifications: How to match the user-defined path trustlist. Click to select a match mode. The options are as follows:
      • Full match, case sensitive
      • Full match, case-insensitive
      • Fuzzy matching
    • Path trustlist: Enter the paths that do not need to be checked for LD hijacking. Enter one path on each line.
    • Fuzzy matching
    • /usr/sbin/hald

    Memory-based process

    • Memory-based process: enables or disables memory process detection.
      • : enabled
      • : disabled
    • Full process detection: enables or disables memory-based process threat detection for all processes.
      • : enabled
      • : disabled
    • Trustlist Matching Specifications: How to match the user-defined path trustlist. Click to select a match mode. The options are as follows:
      • Full match, case sensitive
      • Full match, case-insensitive
      • Fuzzy matching
    • Path trustlist: Enter the paths that do not need to be checked for memory-based processes. Enter one path on each line.
    • Fuzzy matching
    • /usr/sbin/hald

  3. Confirm the information and click OK.

    If All projects are selected for an enterprise project and the policy of the default policy group is modified, you can click Save and Apply to Other Projects to apply the modification to other policies of the same version.
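The three trustlist match modes in Table 25 differ mainly in how much they silence. The following added example (not HSS code) applies full case-sensitive, full case-insensitive and fuzzy matching to a one-path-per-line trustlist and then audits how many observed process paths each entry suppresses, which is the check worth running before loosening a trustlist. Fuzzy matching is treated as substring matching, an assumption; the trustlist and the process paths are constructed.

```python
# Added example, not HSS code: applies the three trustlist match modes of
# Table 25 to process paths and audits how many observed processes each
# entry silences. "Fuzzy matching" is assumed to mean substring matching;
# the trustlist and the observed paths are constructed.
from typing import Dict, List

FULL_CS, FULL_CI, FUZZY = "full_case_sensitive", "full_case_insensitive", "fuzzy"


def parse_trustlist(text: str) -> List[str]:
    """One path per line, as the policy field is entered; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def entry_matches(path: str, entry: str, mode: str) -> bool:
    """Decide whether one trustlist entry covers a process path."""
    if mode == FULL_CS:
        return path == entry
    if mode == FULL_CI:
        return path.lower() == entry.lower()
    if mode == FUZZY:
        return entry in path          # assumed substring semantics
    raise ValueError(f"unknown match mode {mode}")


def is_trusted(path: str, trustlist: List[str], mode: str) -> bool:
    """True if detection would skip this process path."""
    return any(entry_matches(path, e, mode) for e in trustlist)


def audit_trustlist(trustlist: List[str], mode: str,
                    observed: List[str]) -> Dict[str, int]:
    """Count how many observed process paths each entry suppresses. A large
    count on a short fuzzy entry means the trustlist is broader than intended."""
    return {e: sum(1 for p in observed if entry_matches(p, e, mode))
            for e in trustlist}


# Constructed trustlist: the page's example path plus a deliberately short entry.
TRUSTLIST_TEXT = """
/usr/sbin/hald
/usr/sbin
"""

# Constructed process paths, including one under /tmp whose trailing
# components mimic a system path and so satisfy a loose fuzzy entry.
OBSERVED = [
    "/usr/sbin/hald",
    "/usr/sbin/sshd",
    "/usr/sbin/cron",
    "/USR/SBIN/HALD",
    "/tmp/.x/usr/sbin/hald",
]

if __name__ == "__main__":
    entries = parse_trustlist(TRUSTLIST_TEXT)
    for mode in (FULL_CS, FULL_CI, FUZZY):
        print(mode, audit_trustlist(entries, mode, OBSERVED))
```

In fuzzy mode the short `/usr/sbin` entry covers four of the five paths, and even the full `/usr/sbin/hald` entry covers the path under `/tmp`; full matching limits each entry to the one binary it names, at the cost of having to list every path explicitly.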

Self-protection

The self-protection policy protects HSS software, processes, and files from being damaged by malicious programs. You cannot customize the policy content.
