Updated on 2025-12-12 GMT+08:00

Enabling Container WTP

Scenarios

You can enable container WTP to protect website applications. Container WTP protects static web pages. The protection object is an image: if you enable the HSS container edition on a container node, all containerized website applications associated with the target image on that node are protected.

Prerequisites

Enabling Container WTP

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose > Web Tamper Protection.
  4. Choose Container WTP and click Add Asset.
  5. Select the images you want to protect. For more information, see Table 1.

    Figure 1 Select Image
    Table 1 Parameters for selecting an image

    Web Application Name
      Description: Enter the name of the website application you want to protect. The name must be unique.
      Example value: www.test.com

    Protection Scope
      Description: Protection scope of the website application. You can select:
      • Kubernetes cluster: The website application is deployed in a cluster.
      • Independent node: The website application is deployed on an independent node.
      Example value: Kubernetes cluster

    Tags (Optional)
      Description: This parameter is available only when Protection Scope is set to Kubernetes cluster.
      You can configure resource tags for your cluster. HSS automatically obtains the tags you configure for your cluster.
      If the container WTP type is set to Block, HSS identifies Deployments by the cluster resource tags of the website application. For Deployments that use the rolling upgrade policy, the containers that run protected images are configured as read-only.
      A maximum of 10 tags can be added. If multiple tags are added, only Deployments that carry all of the tags are matched.
      Example value: Website

    Selected Images
      Description: Container WTP protects the containerized website applications associated with the protected images.
      • If Protection Scope is set to Kubernetes cluster, each image in each cluster consumes one container WTP quota. The quota protects the containers created from that image on all nodes in the cluster where HSS container protection is enabled. If an image is used in multiple clusters, one quota is required per cluster.
      • If Protection Scope is set to Independent node, each image on each node consumes one container WTP quota. The quota protects the containers created from that image on that node. If an image is used on multiple nodes, one quota is required per node.
      Select the images you want to protect:
      • Select Existing Image: You can select repository images or local images obtained by HSS. If the image you want to protect is from a third-party repository, ensure that the repository has been connected to HSS. For details, see Connecting to a Third-party Image Repository.
      • Add Image: In the Add Image dialog box, enter the name and version of the image used by the website application you want to protect. Enter the information exactly, or HSS will not be able to find or protect your containers. If no image tag is specified, all running containers that use any tag of the image are protected.
      If Protection Scope is set to Kubernetes cluster and Type is set to Block, enabling protection automatically restarts the containers of the Deployments that are identified by tag and use a rolling upgrade policy, and configures their file systems as read-only. Select all images used by the website application at one time to avoid repeated restarts.
      Example value: -

  6. After the images to be protected are selected, click Next.
  7. Configure a protection policy. For details about related parameters, see Table 2.

    Figure 2 Configuring a protection policy
    Table 2 Parameters for configuring a protection policy

    Protected Directory
      Description: Container WTP protects the specified directories, automatically backs up the files in them, and monitors changes to the protected directories and files. In block mode, HSS attempts to block suspicious file modifications; if it detects that a file has been tampered with, it immediately restores the file from its backup.
      Add the path of the containerized website application you want to protect. A protected directory must meet the following requirements:
      • It cannot start with a space, end with a slash (/), or contain semicolons (;). Up to 256 characters are allowed.
      • You can add up to 50 protected directories for each image.
      • A protected directory cannot be nested more than 100 folder levels deep.
      • The protected directories cannot contain more than 900,000 folders in total.
      Do not add network directories as protected directories, for the following reasons:
      • Inefficient detection: a network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan.
      • Network bandwidth consumption: accessing a network directory consumes network bandwidth. A large-scale scan may saturate the bandwidth and affect your workloads, for example by slowing access and increasing network latency.
      Example value: /etc/lesuo

    Excluded Subdirectory (Optional)
      Description: If a protected directory contains subdirectories that do not need protection, you can exclude them. An excluded subdirectory must meet the following requirements:
      • Enter a subdirectory name or a path relative to the protected directory. A bare name excludes every subdirectory with that name, at any level; a relative path excludes only that subdirectory.
      • A subdirectory name or path cannot start or end with a slash (/) and can contain up to 256 characters.
      • Up to 10 subdirectories can be added. Separate multiple entries with semicolons (;).
      Example value: data/cache or cache

    Excluded File Path (Optional)
      Description: If a protected directory contains files that do not need protection, exclude them. An excluded file path must meet the following requirements:
      • Enter a file name or a path relative to the protected directory. A bare name excludes every file with that name, at any level; a relative path excludes only that file.
      • A file name or path cannot start or end with a slash (/) and can contain up to 256 characters.
      • Up to 50 files can be added. Separate multiple entries with semicolons (;).
      Example value: data/ma.txt or ma.txt

    Local Backup Path
      Description: Files in the protected directories are backed up to the local backup path. After container WTP is enabled, the files in each protected directory are automatically backed up there. In block mode, once HSS detects that a file in a protected directory has been tampered with, it immediately restores the file from the local backup.
      A local backup path must meet the following requirements:
      • It must be a complete, writable path on the container host.
      • It cannot contain semicolons (;), start with a space, or end with a slash (/). Up to 256 characters are allowed.
      • Key system directories are a main attack target and cannot be used as backup paths. These include, but are not limited to, /etc/, /bin/, /usr/bin/, /var/spool/, /usr/sbin/, /sbin/, /usr/lib/, /lib/, /lib64/, /usr/lib64/, and their subdirectories.
      Local backup rules:
      • Excluded subdirectories and excluded file types are not backed up.
      • The backup generally completes within 10 minutes. The actual duration depends on the size of the files in the protected directories.
      Example value: /backup

    Excluded File Type (Optional)
      Description: If a protected directory contains files of certain types that do not need protection, for example logs, exclude those file types. Any file type can be excluded.
      Example value: log

    Type
      Description: The action taken when file tampering is detected.
      • Alarm: If HSS detects file tampering in a protected directory, it does not block the change but only sends you an alarm notification so that you can check it and decide how to handle it. Select this if your web page content is updated at unpredictable times.
      • Block: If HSS detects that a file in a protected directory has been tampered with, it blocks the tampering operation to prevent unauthorized changes and protect the integrity of the web page files. Select this if your web page content is not updated frequently.
      Example value: Block

    Monitor Processes (Optional)
      Description: Recommended for container nodes whose Linux kernel is 5.10 or later. (Containers share the kernel of the node they run on, so the kernel version is a property of the node, not of the image.) Click to enable it. HSS then provides the following functions:
      • Record processes suspected of tampering. When a tampering event is detected, HSS obtains the process path and command line and reports an alarm. The alarm is displayed in the protection event list so that you can locate the suspicious process.
      • Configure privileged processes. A privileged process is a process authorized to modify a protected directory. After container WTP is enabled, files in protected directories cannot be modified; you can add privileged processes and use them to modify those files or update the website. Ensure that the specified privileged processes are secure and reliable, and keep the list minimal: anything that runs from a listed path (and, with Trust Subprocess, anything it spawns) is allowed to write to protected directories, so the binaries at those paths must themselves be protected from replacement.
        To use privileged processes, also configure the following parameters:
        • Process File Path: Enter one or more complete file paths of privileged processes, one per line. Up to 10 privileged processes are allowed.
        • Trust Subprocess: If enabled, HSS trusts all added privileged processes and their subprocesses up to five levels deep, and allows them to modify protected directories.
      Example value: /Path/Software.type

  8. Confirm parameter settings and click Next.
  9. Configure when you want to enable Container WTP.

    • Now

      If you select Now for Enable Protection, you need to configure the quota you need, read the Host Security Service Disclaimer, and select the check box before "I have read and agree to the Host Security Service Disclaimer." You can configure quotas in either of the following ways:

      • Select a quota randomly: The system automatically allocates available quotas with the longest expiration time to all assets. This option is selected by default.
      • Quota ID: You need to select the quota IDs in the drop-down list based on the number of selected assets. For example, if two assets are selected, you need to select two target quota IDs as well.

      If Protection Scope is set to Kubernetes cluster and Type is set to Block, enabling protection automatically restarts the containers of the Deployments that are identified by tag and use a rolling upgrade policy, and configures their file systems as read-only. In that case, enable protection during off-peak hours or during a cluster upgrade. In other scenarios, you can enable protection immediately.

    • Later

      If you select Later, HSS saves the protection settings of the website application but does not enable protection. You can click Enable Protection on the Container WTP tab page later, during off-peak hours or during a cluster upgrade.

  10. Click OK. The container WTP configuration is complete.

    You can check the image protection status on the protected asset page. If the image status is Protected, the protection is enabled successfully. For details about protection statuses, see Table 3.

    Table 3 Container WTP status description

    Unprotected
      You completed the WTP configuration but selected Later for Enable Protection when adding the asset. Locate the row containing the target image and click Enable Protection in the Operation column.

    Protected
      The target image is under protection.

    Partially protected
      Some directories are protected, but others failed to be protected. Click the number in the Protected Containers column of the target image to open the protected container page, then click View Details in the row of the container that failed to be protected.

    Protection failed
      All protected directories failed to be protected. Click the number in the Protected Containers column of the target image to open the protected container page, then click View Details in the row of the container that failed to be protected.

    Redundant Protection
      The image is not associated with any container. Possible causes:
      • The node associated with this image is not protected by the container edition, so the protection policy cannot be applied.
      • The image is not associated with any container instance in a protected cluster or on a protected independent node. Container protection is enabled but cannot take effect.
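    The tag matching described in Table 1 (only Deployments carrying all of the tags match, and in Block mode those with a rolling upgrade policy are restarted and made read-only) and the Add Image rule that an image entered without a tag covers every tag of that image can be checked against your own manifests before you click Enable Protection. The following is an added example, not HSS code and not part of this page. It assumes that the cluster resource tags HSS matches are the Deployments' metadata labels and that image references use the usual registry/repository:tag form; the Deployment manifests are constructed sample data.

```python
"""Preview which Deployments container WTP in Block mode would restart.

Added example, not HSS code. Assumptions: the "cluster resource tags" HSS
matches are the Deployment's metadata.labels, and image references use the
registry/repository:tag form. The manifests below are constructed samples
that carry only the fields the check needs.
"""
from typing import Dict, List, Optional, Tuple


def _deploy(name, labels, strategy, images):
    """Build a minimal Deployment-shaped dict (constructed sample data)."""
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"strategy": {"type": strategy},
                     "template": {"spec": {"containers": [
                         {"name": n, "image": img} for n, img in images]}}}}


DEPLOYMENTS: List[dict] = [
    _deploy("web-frontend", {"app": "website", "tier": "frontend"}, "RollingUpdate",
            [("nginx", "registry.example.com/web/nginx:1.25")]),
    _deploy("web-api", {"app": "website", "tier": "api"}, "RollingUpdate",
            [("api", "registry.example.com/web/api:2.3"),
             ("sidecar", "registry.example.com/web/nginx:1.24")]),
    _deploy("web-legacy", {"app": "website", "tier": "frontend"}, "Recreate",
            [("nginx", "registry.example.com/web/nginx:1.20")]),
    _deploy("batch-job", {"app": "reports"}, "RollingUpdate",
            [("job", "registry.example.com/web/nginx:1.25")]),
]


def split_image(ref: str) -> Tuple[str, Optional[str]]:
    """Split 'repo[:tag]' into (repo, tag or None). A ':' that belongs to a
    registry port (followed by a '/') is kept as part of the repository."""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, None
    return name, tag


def image_matches(container_image: str, protected: str) -> bool:
    """Table 1 rule: a protected image entered without a tag covers every tag."""
    repo, tag = split_image(container_image)
    prepo, ptag = split_image(protected)
    return repo == prepo and (ptag is None or ptag == tag)


def has_all_tags(deploy: dict, tags: Dict[str, str]) -> bool:
    """Table 1 rule: with several tags, only Deployments carrying all of them match."""
    labels = deploy["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in tags.items())


def restart_preview(deploys: List[dict], tags: Dict[str, str],
                    protected_images: List[str]) -> Dict[str, List[str]]:
    """Return {deployment: [containers]} that Block mode would restart and make
    read-only: all tags present, RollingUpdate strategy (the Kubernetes default
    when omitted), and at least one container running a protected image."""
    out: Dict[str, List[str]] = {}
    for d in deploys:
        if not has_all_tags(d, tags):
            continue
        if d["spec"].get("strategy", {}).get("type", "RollingUpdate") != "RollingUpdate":
            continue
        hit = [c["name"] for c in d["spec"]["template"]["spec"]["containers"]
               if any(image_matches(c["image"], p) for p in protected_images)]
        if hit:
            out[d["metadata"]["name"]] = hit
    return out


if __name__ == "__main__":
    # Both web-frontend and web-legacy carry the tags, but only the
    # RollingUpdate one is restarted; batch-job runs the image without the tags.
    print(restart_preview(DEPLOYMENTS, {"app": "website", "tier": "frontend"},
                          ["registry.example.com/web/nginx"]))
```

    To run it against a real cluster, load the `items` list from `kubectl get deploy -A -o json` in place of DEPLOYMENTS; the Deployments it reports are the ones to expect a restart from, which is why the page advises selecting every image of the application at once and enabling protection off-peak.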
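    Before entering the Table 2 values in the console, a policy can be checked against the rules above, and the exclusions can be tested to confirm which files stay covered (a bare excluded name matches at every level, a relative path matches only its own subtree or file). The following is an added example, not HSS code and not part of this page. The sample policy and probe paths are constructed; matching an excluded file type against the file extension and reading "complete path" as an absolute path are assumptions; the key-system-directory list is the one given in Table 2.

```python
"""Sanity-check a container WTP policy against the Table 2 rules and show
which files it would actually cover.

Added example, not HSS code. Assumptions: an excluded file type is matched
against the file extension, and a "complete path" is an absolute path.
The sample policy and probe paths are constructed.
"""
import posixpath
from typing import List

KEY_SYSTEM_DIRS = ("/etc", "/bin", "/usr/bin", "/var/spool", "/usr/sbin",
                   "/sbin", "/usr/lib", "/lib", "/lib64", "/usr/lib64")

# Constructed sample policy, mirroring the example values in Table 2.
SAMPLE_POLICY = {
    "protected_dirs": ["/var/www/html"],
    "excluded_subdirs": ["data/cache", "tmp"],        # relative path, bare name
    "excluded_files": ["data/ma.txt", "robots.txt"],  # relative path, bare name
    "excluded_types": ["log"],
    "backup_path": "/backup",
    "type": "Block",
    "privileged_processes": ["/usr/local/bin/deploy.sh"],
}


def _check_path_syntax(p: str, what: str, errors: List[str]) -> None:
    """Rule shared by protected directories and the backup path."""
    if p.startswith(" "):
        errors.append(f"{what} {p!r} starts with a space")
    if p.endswith("/"):
        errors.append(f"{what} {p!r} ends with a slash")
    if ";" in p:
        errors.append(f"{what} {p!r} contains a semicolon")
    if len(p) > 256:
        errors.append(f"{what} {p!r} exceeds 256 characters")


def validate_policy(policy: dict) -> List[str]:
    """Return the list of rule violations; an empty list means the policy passes."""
    errors: List[str] = []
    dirs = policy.get("protected_dirs", [])
    if len(dirs) > 50:
        errors.append("more than 50 protected directories")
    for d in dirs:
        _check_path_syntax(d, "protected directory", errors)
    for key, limit in (("excluded_subdirs", 10), ("excluded_files", 50)):
        items = policy.get(key, [])
        if len(items) > limit:
            errors.append(f"more than {limit} entries in {key}")
        for it in items:
            if it.startswith("/") or it.endswith("/"):
                errors.append(f"{key} entry {it!r} must not start or end with a slash")
            if len(it) > 256:
                errors.append(f"{key} entry {it!r} exceeds 256 characters")
    backup = policy.get("backup_path", "")
    _check_path_syntax(backup, "backup path", errors)
    if not backup.startswith("/"):
        errors.append("backup path must be a complete (absolute) host path")
    norm = posixpath.normpath(backup)   # normalise so /etc/x/../y is still caught
    if any(norm == k or norm.startswith(k + "/") for k in KEY_SYSTEM_DIRS):
        errors.append(f"backup path {backup!r} is under a key system directory")
    if policy.get("type") not in ("Alarm", "Block"):
        errors.append("type must be Alarm or Block")
    if len(policy.get("privileged_processes", [])) > 10:
        errors.append("more than 10 privileged processes")
    return errors


def is_protected(path: str, policy: dict) -> bool:
    """Decide whether one absolute container path falls under the policy."""
    for d in policy.get("protected_dirs", []):
        if not (path == d or path.startswith(d + "/")):
            continue
        rel = path[len(d) + 1:]                  # path relative to the protected dir
        rel_dir, name = posixpath.split(rel)
        for sub in policy.get("excluded_subdirs", []):
            if "/" in sub:                       # relative path: only that subtree
                if rel_dir == sub or rel_dir.startswith(sub + "/"):
                    return False
            elif sub in rel_dir.split("/"):      # bare name: any level
                return False
        for f in policy.get("excluded_files", []):
            if (rel == f) if "/" in f else (name == f):
                return False
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in policy.get("excluded_types", []):
            return False
        return True
    return False                                 # not under any protected directory


if __name__ == "__main__":
    print("violations:", validate_policy(SAMPLE_POLICY))
    for p in ("/var/www/html/index.html", "/var/www/html/data/cache/a.js",
              "/var/www/html/sub/ma.txt", "/var/www/html/access.log"):
        print(p, "->", "protected" if is_protected(p, SAMPLE_POLICY) else "excluded")
```

    The useful check is the second one: run the files your deploy pipeline writes through is_protected and confirm that everything an attacker would target (index pages, scripts, templates) comes back protected, while only genuinely volatile paths such as caches and logs are excluded.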