Updated on 2025-12-12 GMT+08:00

Modifying Container WTP Configuration

Scenario

You can modify configuration after container WTP is enabled. You can perform the following operations:

  • Modify a tag: HSS obtains the Deployment of the website application based on the cluster resource tag. If the upgrade policy is rolling upgrade, the container that matches the protected image in the Deployment is set to read-only. You can modify the range of containers that need to be set to read-only.
  • Manage protected directories: Add, modify, or delete protected directories.
  • Change the protection mode: Container WTP supports the alarm mode and interception mode. You can set the mode based on service requirements.
  • Enable process monitoring or set privileged processes: If you want HSS to record information about processes that may be tampered with, enable process monitoring. To allow a privileged process to modify files in the protected directory, you must first enable process monitoring and then configure the privileged process. Only nodes with the Linux kernel version 5.10 or later support this function.

Modifying Container WTP Configurations

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane, choose Prevention > Web Tamper Protection.
  4. Click the Container WTP tab. In the row containing the target image, click Edit in the Operation column.
  5. On the Edit page, modify the container WTP configuration.

    Figure 1 Edit asset
    • Modify tags: When the container WTP protection mode is Interception, HSS obtains the Deployment of the website application based on the cluster resource tag. When the Deployment upgrade policy is rolling upgrade, the container that matches the protected image in the Deployment is set to read-only. You can modify the range of containers that need to be set to read-only. A maximum of 10 tags can be added. If multiple tags are added, only the Deployments with all tags are matched.
    • Manage protected directories.

      You can add, modify, and delete protected directories.

      • Modify a protected directory

        On the Edit page, you can modify excluded file types. To modify the directory, excluded subdirectories, excluded file paths, and local backup paths of a protected directory, click Edit in its Operation column. For details about related parameters, see Table 1.

        Table 1 Protected directory parameters

        Parameter: Protected Directory

        Description: Container WTP protects specified directories, automatically backs up files in the directories, and monitors changes in protected directories and files. In interception mode, HSS attempts to block suspicious file modifications. If HSS detects that a file has been tampered with, it immediately restores its content using its backup.

        Add the path of the container website application to be protected as a protected directory. The rules are as follows:
        • The path cannot start with a space, end with a slash (/), or contain semicolons (;). Up to 256 characters are allowed.
        • An image can have up to 50 protected directories.
        • The folder levels of a protected directory cannot exceed 100.
        • The total number of folders in protected directories cannot exceed 900,000.

        Do not add network directories as protected directories. The reasons are as follows:

        • Inefficient detection

          A network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan.

        • Network bandwidth consumption

          Accessing a network directory consumes network bandwidth. A large-scale scan may fully occupy the network bandwidth and affect your workloads. For example, the access speed may slow down and the network latency may increase.

        Example Value: /etc/lesuo

        Parameter: Excluded Subdirectory (Optional)

        Description: If a protected directory contains subdirectories that do not need to be protected, you can exclude the subdirectories.

        The requirements for adding a subdirectory are as follows:

        • Enter a subdirectory name or the relative subdirectory path under a protected directory. If you enter a subdirectory name, all subdirectories that match the name will be excluded, regardless of their levels.
        • A subdirectory name or path cannot start or end with a slash (/) and can contain up to 256 characters.
        • Up to 10 subdirectories can be added. Use semicolons (;) to separate multiple subdirectories.

        Example Value: data/cache or cache

        Parameter: Excluded File Path (Optional)

        Description: If a protected directory contains files that do not need to be protected, exclude the files.

        The requirements for adding excluded file paths are as follows:

        • Enter a file name or the relative file path under a protected directory. If you enter a file name, all files that match the name will be excluded, regardless of their levels.
        • A file name or path cannot start or end with a slash (/), and can contain up to 256 characters.
        • Up to 50 files can be added. Use semicolons (;) to separate multiple files.

        Example Value: data/ma.txt or ma.txt

        Parameter: Excluded File Type (Optional)

        Description: If a protected directory contains files of certain types that do not need to be protected, exclude these file types, for example, logs. You can exclude any type of file.

        Example Value: log

      • Remove a protected directory

        If a directory no longer needs protection, click Delete in its Operation column.

      • Add a protected directory

        Click Add Protected Directory. In the dialog box that is displayed, enter directory information and click OK. For details about related parameters, see Table 1.

    • Change the protection mode.

      The protection mode indicates the type of action taken in response to file tampering. You can select a mode from the drop-down list.

      • Alarm: If HSS detects file tampering in a protected directory, it does not block the tampering but only sends an alarm notification to you, letting you check and determine how to handle it. Select it if your web page content needs to be updated at unpredictable times.
      • Block: If HSS detects that a file in the protected directory has been tampered with, it blocks tampering operations to prevent unauthorized changes and protect the integrity of the web page file. Select it if your web page content does not need to be frequently updated.
    • Enable process monitoring or set privileged processes.

      For images running Linux kernel 5.10 or later, you are advised to enable Monitor Processes.

      Click to enable it. HSS will provide the following functions:

      • Record processes suspected of tampering.

        When a tampering event is detected, the service obtains the process path and process command line, and reports an alarm. The alarm will be displayed in the protection event list for you to locate suspicious processes.

      • Configure privileged processes.

        A privileged process is a process authorized to modify a protected directory.

        After container WTP is enabled, the files in the protected directory cannot be modified.

        You can add privileged processes and use them to modify the files in protected directories or update websites. Ensure the specified privileged processes, which are authorized to access protected directories, are secure and reliable.

        To enable the privileged process, you also need to configure the following parameters:

        • Process File Path

          Set one or multiple complete file paths of privileged processes. Put each privileged process file path on a separate line. Up to 10 privileged processes are allowed.

        • Trust Subprocess

          If Trust Subprocess is enabled, HSS also trusts the subprocesses started by the specified privileged processes, up to five levels deep, and allows those subprocesses to modify protected directories.
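The directory and exclusion rules in Table 1 are easy to get wrong when typed into the console (a trailing slash, a semicolon inside a path, an absolute path in an exclusion field). The following is an added example, not HSS code, that checks a configuration offline against the rules the table states and then applies the exclusion semantics (a bare name matches at any level, an entry containing a slash matches only that relative path) to file paths. The limits come from the table; the sample configuration mirrors the table's example values and is constructed here.

```python
"""Offline validator for container WTP protected-directory settings (Table 1
rules) plus a matcher for the exclusion semantics. Added example, not HSS
code; limits are taken from the table, the sample configuration is constructed."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Dict, List

MAX_ENTRY_LEN = 256        # protected directory, excluded subdirectory, excluded file
MAX_DIRS_PER_IMAGE = 50
MAX_FOLDER_LEVELS = 100
MAX_EXCLUDED_SUBDIRS = 10
MAX_EXCLUDED_FILES = 50


@dataclass
class ProtectedDir:
    path: str
    excluded_subdirs: List[str] = field(default_factory=list)  # names or relative paths
    excluded_files: List[str] = field(default_factory=list)    # names or relative paths
    excluded_types: List[str] = field(default_factory=list)    # extensions such as "log"


def parse_excluded(raw: str) -> List[str]:
    """Split a console field whose entries are separated by semicolons (;)."""
    return [e.strip() for e in raw.split(";") if e.strip()]


def check_protected_path(path: str) -> List[str]:
    """Rules for the Protected Directory field."""
    errors = []
    if path.startswith(" "):
        errors.append("must not start with a space")
    if path.endswith("/"):
        errors.append("must not end with a slash (/)")
    if ";" in path:
        errors.append("must not contain semicolons (;)")
    if len(path) > MAX_ENTRY_LEN:
        errors.append(f"exceeds {MAX_ENTRY_LEN} characters")
    levels = [p for p in PurePosixPath(path).parts if p != "/"]
    if len(levels) > MAX_FOLDER_LEVELS:
        errors.append(f"exceeds {MAX_FOLDER_LEVELS} folder levels")
    return errors


def check_relative_entry(entry: str) -> List[str]:
    """Rules shared by excluded subdirectories and excluded file paths."""
    errors = []
    if entry.startswith("/") or entry.endswith("/"):
        errors.append("must not start or end with a slash (/)")
    if len(entry) > MAX_ENTRY_LEN:
        errors.append(f"exceeds {MAX_ENTRY_LEN} characters")
    return errors


def validate(dirs: List[ProtectedDir]) -> Dict[str, List[str]]:
    """Return {directory: [problems]}; an empty dict means the configuration is valid."""
    problems: Dict[str, List[str]] = {}
    if len(dirs) > MAX_DIRS_PER_IMAGE:
        problems["*"] = [f"more than {MAX_DIRS_PER_IMAGE} protected directories for one image"]
    for d in dirs:
        errs = check_protected_path(d.path)
        if len(d.excluded_subdirs) > MAX_EXCLUDED_SUBDIRS:
            errs.append(f"more than {MAX_EXCLUDED_SUBDIRS} excluded subdirectories")
        if len(d.excluded_files) > MAX_EXCLUDED_FILES:
            errs.append(f"more than {MAX_EXCLUDED_FILES} excluded files")
        for e in d.excluded_subdirs + d.excluded_files:
            errs.extend(f"{e}: {m}" for m in check_relative_entry(e))
        if errs:
            problems[d.path] = errs
    return problems


def is_excluded(d: ProtectedDir, rel_file: str) -> bool:
    """Apply the Table 1 semantics to a file path relative to d.path: a bare name
    matches at any level, an entry containing '/' matches only that relative path."""
    p = PurePosixPath(rel_file)
    if p.suffix.lstrip(".") in d.excluded_types:
        return True
    for sub in d.excluded_subdirs:
        if "/" in sub:
            if PurePosixPath(sub) in p.parents:
                return True
        elif sub in p.parts[:-1]:
            return True
    for f in d.excluded_files:
        if "/" in f:
            if p == PurePosixPath(f):
                return True
        elif p.name == f:
            return True
    return False


# Constructed sample mirroring the example values in Table 1.
SAMPLE = ProtectedDir(
    path="/etc/lesuo",
    excluded_subdirs=parse_excluded("data/cache;cache"),
    excluded_files=parse_excluded("data/ma.txt;ma.txt"),
    excluded_types=["log"],
)

if __name__ == "__main__":
    print(validate([SAMPLE]))                             # {} : valid
    print(validate([ProtectedDir("/var/www/html/")]))     # trailing slash rejected
    for f in ("data/cache/a.html", "deep/cache/b.js", "x/ma.txt", "app.log", "index.html"):
        print(f, is_excluded(SAMPLE, f))
```

Run the validator over a configuration before applying it in the console; the matcher is useful for reviewing whether an exclusion such as a bare `cache` is wider than intended, since it excludes every directory of that name at any depth.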

  6. Confirm the settings. On the Edit page, click OK.
  7. Verify the change.

    It takes a few minutes for the configuration to take effect. You are advised to verify the configuration after 3 to 5 minutes.

    • Modify Tag

      If all containers corresponding to the selected tag are set to read-only file systems, the modification is successful.

    • Protected Directory

      In the Protected Containers column of the target image, click the number to view details.

      If the information about the protected directory is correct and the Protection Status is Protected, the directory is successfully added or modified.

      If the deleted protected directory is not displayed in the list, its deletion is successful.

    • Type

      If HSS performs the protection action corresponding to the selected protection mode when you attempt to modify a file in a protected directory, the protection mode is set successfully.

    • Process Monitoring

      If the reported protection event contains the process path and process command line information, the process is monitored successfully.

    • Privileged Process

      If the web page can be modified through a privileged process, the process is successfully configured.
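The privileged-process settings above (Process File Path, Trust Subprocess) and the verification of the last bullet come down to one decision per write attempt: is the writing process, or with Trust Subprocess one of its ancestors up to five levels up, a configured privileged process, and if not, does the mode call for an alarm or a block? The following added example, which is not HSS code, models that decision over a constructed process table so the effect of the five-level limit can be seen; the executable paths and command lines are invented for the illustration.

```python
"""Policy model for container WTP privileged processes: a write to a protected
directory is allowed when the process itself is privileged or, with Trust
Subprocess on, when a privileged process is among its ancestors no more than
five levels up; otherwise the protection mode decides between alarm and block.
Added example, not HSS code; the process table below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

TRUST_DEPTH = 5          # Trust Subprocess covers subprocesses up to five levels deep
MAX_PRIVILEGED = 10      # up to 10 privileged process file paths


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str        # complete file path of the executable
    cmdline: str    # recorded with the path when a tampering event is reported


def parse_privileged_paths(field_text: str) -> List[str]:
    """Process File Path field: one complete file path per line, at most 10."""
    paths = [line.strip() for line in field_text.splitlines() if line.strip()]
    if len(paths) > MAX_PRIVILEGED:
        raise ValueError(f"more than {MAX_PRIVILEGED} privileged processes")
    for p in paths:
        if not p.startswith("/"):
            raise ValueError(f"{p}: a privileged process needs a complete file path")
    return paths


def ancestry(table: Dict[int, Proc], pid: int) -> Iterator[Tuple[int, Proc]]:
    """Yield (level, process) from the process itself (level 0) up the parent
    chain, stopping after TRUST_DEPTH levels or at a parent not in the table."""
    level = 0
    while pid in table and level <= TRUST_DEPTH:
        proc = table[pid]
        yield level, proc
        pid, level = proc.ppid, level + 1


def decide(table: Dict[int, Proc], pid: int, privileged: List[str],
           trust_subprocess: bool, mode: str) -> Tuple[str, str]:
    """Return (action, reason); action is 'allow', 'alarm' or 'block'."""
    max_level = TRUST_DEPTH if trust_subprocess else 0
    for level, proc in ancestry(table, pid):
        if level > max_level:
            break
        if proc.exe in privileged:
            if level == 0:
                return "allow", "privileged process"
            return "allow", f"level-{level} subprocess of privileged {proc.exe}"
    w = table[pid]
    action = "block" if mode == "Block" else "alarm"
    # Process monitoring records the path and command line for the event list.
    return action, f"tampering by {w.exe} (cmdline: {w.cmdline})"


# Constructed process table: a deployment script tree, a web server tree, and a
# chain deeper than five levels under a second copy of the script.
TABLE: Dict[int, Proc] = {
    1:   Proc(1, 0, "/sbin/init", "init"),
    100: Proc(100, 1, "/usr/bin/deploy.sh", "deploy.sh --site lesuo"),
    101: Proc(101, 100, "/bin/bash", "bash publish.sh"),
    102: Proc(102, 101, "/usr/bin/rsync", "rsync -a build/ /etc/lesuo/"),
    200: Proc(200, 1, "/usr/sbin/httpd", "httpd -k start"),
    201: Proc(201, 200, "/bin/sh", "sh -c 'cp /tmp/upload /etc/lesuo/index.html'"),
    300: Proc(300, 1, "/usr/bin/deploy.sh", "deploy.sh --nested"),
}
for i in range(1, 7):   # pids 301..306: 301 is one level below 300, 306 is six levels below
    TABLE[300 + i] = Proc(300 + i, 300 + i - 1, "/bin/bash", f"bash level{i}.sh")

PRIVILEGED = parse_privileged_paths("/usr/bin/deploy.sh\n")

if __name__ == "__main__":
    for pid, trust in ((100, False), (102, True), (102, False), (201, True), (305, True), (306, True)):
        print(pid, "trust" if trust else "no-trust", decide(TABLE, pid, PRIVILEGED, trust, "Block"))
```

The table makes the verification bullet concrete: pid 102 (rsync started two levels under deploy.sh) is allowed only while Trust Subprocess is on, the shell under httpd is alarmed or blocked depending on the mode, and pid 306, six levels under a privileged script, is no longer covered by the five-level limit.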