Policy Management Overview
What Is a Policy Group?
HSS comes in multiple editions, including basic, professional, enterprise, premium, WTP, and container editions. Except for the basic edition, they each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to servers to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection.
You can create custom policy groups for HSS premium and container editions. If you have multiple servers protected by the premium or container edition but have different protection requirements for them, you can create custom policy groups for different servers and deploy different policy groups. For details, see Creating a Custom Policy Group.
What Policies Are Does a Policy Group Contain?
Policy groups vary by edition, as shown in Table 1. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. For details, see Configuring Policies.
Function Type |
Policy |
Action |
Supported OS |
Default Status |
Professional Edition |
Enterprise Edition |
Premium Edition |
WTP Edition |
Container Edition |
---|---|---|---|---|---|---|---|---|---|
Assets |
Asset discovery |
Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets. |
Linux and Windows |
Enabled |
× |
× |
√ |
√ |
√ |
Baseline Inspection |
Weak password detection |
Change weak passwords to stronger ones based on HSS scan results and suggestions. |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
√ |
Container information collection |
Collect information about all containers on a server, including ports and directories, and report alarms for risky information. |
Linux |
Enabled |
× |
× |
× |
× |
√ |
|
Configuration check |
Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS. |
Linux and Windows |
Enabled |
× |
× |
√ |
√ |
√ |
|
Intrusions |
AV detection |
Check server assets and report, isolate, and kill the detected viruses. The generated alarms are displayed under .After AV detection is enabled, the resource usage is as follows: The CPU usage does not exceed 40% of a single vCPU. The actual CPU usage depends on the server status. For details, see How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans? |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
× |
Cluster intrusion detection |
Detect container high-privilege changes, creation in key information, and virus intrusion. |
Linux |
Disabled |
× |
× |
× |
× |
√ |
|
Container escape |
Check for and generate alarms on container escapes. If you do not want to detect container escape for certain containers, you can set the image, process, and pod name whitelist. |
Linux |
Disabled |
× |
× |
× |
× |
√ |
|
Container anti-escape |
Container escape prevention can monitor abnormal runtime behaviors of five types (including processes, files, network activities, process capabilities, and system calls) on containers and their hosts; and report alarms and block abnormal behaviors to enhance container security. To use abnormal runtime behavior detection, configure a container escape prevention policy, select a protected object (a server or container), and enable the policy. |
Linux |
Disabled |
× |
× |
× |
× |
√ |
|
Container information module |
You can configure a trusted container whitelist based on the container name, organization name to which the image belongs, and namespace. The container whitelist does not detect or generate alarms. |
Linux |
Enabled |
× |
× |
× |
× |
√ |
|
Web shell detection |
Scan web directories on servers for web shells. |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Container file monitoring |
Detect file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files. |
Linux |
Enabled |
× |
× |
× |
× |
√ |
|
Container process whitelist |
Check for process startups that violate security policies. |
Linux |
Disabled |
× |
× |
× |
× |
√ |
|
Suspicious image behaviors |
Configure the blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms. |
Linux |
Disabled |
× |
× |
× |
× |
√ |
|
HIPS detection |
Check registries, files, and processes, and report alarms for operations such as abnormal changes. |
Linux and Windows |
Enabled |
× |
√ |
√ |
√ |
√ |
|
File protection |
Check the files in the Linux OS, applications, and other components to detect tampering. |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Login security check |
HSS can detect brute-force attacks on the following service accounts:
If the number of brute-force attacks (consecutive incorrect password attempts) reaches 5 or within 30 seconds or reaches 15 within 1 hour, HSS will block the login source IP address. By the IP address is blocked for 12 hours to prevent server intrusions caused by brute-force attacks. You can check whether a login IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust. |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Malicious file detection |
|
Linux |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
External connection detection |
Detect a process proactively connects to an external network. |
Linux (kernel 5.10 or later) |
Enabled |
√ |
√ |
√ |
× |
√ |
|
Port scan detection |
Detect scanning or sniffing on specified ports and report alarms. |
Linux |
Disabled |
× |
× |
√ |
√ |
√ |
|
Abnormal process behaviors |
All the running processes on all your servers are monitored for you. You can create a process whitelist to ignore alarms on trusted processes, and can receive alarms on unauthorized process behavior and intrusions. |
Linux |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Root privilege escalation |
Detect the root privilege escalation for files in the current system. |
Linux |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Real-time process |
Monitor the executed commands in real time and generate alarms if high-risk commands are detected. |
Linux and Windows |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Rootkit detection |
Detect server assets and report alarms for suspicious kernel modules, files, and folders. |
Linux |
Enabled |
√ |
√ |
√ |
√ |
√ |
|
Fileless attack detection |
Scan for process injection, dynamic library injection, and memory file process behavior in user assets. |
Linux |
Disabled |
√ |
√ |
√ |
√ |
√ |
|
Self-protection |
Windows self-protection |
Prevent malicious programs from uninstalling the agent, tampering with HSS files, or stopping HSS processes.
|
Windows |
Disabled |
× |
× |
√ |
√ |
× |
Linux self-protection |
Prevent malicious programs from stopping the HSS process and uninstalling the agent.
|
Linux |
Disabled |
× |
× |
√ |
√ |
√ |
Policy Group Protection Modes
The Policy groups can detect threats in sensitive or balanced mode to meet the requirements of different scenarios. The two modes apply to the following scenarios:
- Sensitive mode: applicable to high security scenarios, such as network protection drills and key event security assurance. It achieves a high threat detection rate.
- Balanced mode: applicable to routine protection scenarios. The threat detection rate and accuracy are relatively balanced.
Policies affected by the protection mode: malicious file detection, web shell detection, HIPS detection, antivirus, and abnormal process behavior policies. For details about the differences between these policies in the two protection modes, see Table 2.
Policy Name |
Balanced |
Sensitive |
---|---|---|
Malicious File Detection |
|
|
Web Shell Detection |
The suspicious files that match YARA rules are not checked. |
All files |
HIPS detection |
Moderately sensitive |
Highly sensitive. Compared with the balanced mode, it is more suitable for special detection rules in network protection drills and key event assurance. |
AV Detection |
If Protected File Type is set to All for anti-virus detection, only the files with the following file name extensions are checked:
|
If Protected File Type is set to All for anti-virus detection, all types of files are checked. |
Abnormal Process Behaviors |
An alarm is generated only if multiple abnormal process behaviors are detected at the same time. |
An alarm is generated immediately if an abnormal process behavior is detected. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot