Enabling Container Protection
Scenarios
The HSS container edition protects containers throughout their lifecycles. This section describes how to enable protection for container nodes.
Prerequisites
- HSS can be billed in yearly/monthly or pay-per-use mode. To use yearly/monthly billing, ensure you have purchased sufficient protection quotas. For details, see Purchasing HSS. If you use the pay-per-use billing mode, you do not need to purchase quotas in advance.
- Ensure that the agent has been installed on the container node and is online. For details about how to install the agent on a single node, see Installing the Agent on Huawei Cloud Servers and Installing the Agent on Third-party Servers. For details about how to install the agent on a cluster, see Installing the Agent on Containers.
Constraints
HSS can only protect Docker, Containerd, CRI-O, Podman, and iSulad containers.
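Because the container edition only recognizes the five runtimes listed above, a node running anything else will not be protected even after you click Enable Protection. The following POSIX shell preflight script is an added example and is not part of the HSS documentation or the HSS agent; the socket paths and binary names it probes are assumptions about typical installations, and the agent service name is deliberately left as an environment variable because this page does not state it.

```shell
#!/bin/sh
# Added preflight check (not HSS code): confirm that a node runs a container
# runtime supported by the HSS container edition before enabling protection.
# Runtime list taken from the Constraints section; probe paths are assumptions.

SUPPORTED="docker containerd crio podman isulad"

# is_supported NAME -> exit 0 if NAME is one of the supported runtimes, else 1.
is_supported() {
  for r in $SUPPORTED; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}

# filter_supported "name1 name2 ..." -> prints, on one line, the names that
# are supported, preserving their order. Unsupported names are dropped.
filter_supported() {
  out=""
  for name in $1; do
    if is_supported "$name"; then
      out="${out:+$out }$name"
    fi
  done
  printf '%s\n' "$out"
}

# detect_runtimes -> prints the runtimes found on this host (assumed probe
# locations: a control socket or a binary on PATH). Output is space separated.
detect_runtimes() {
  found=""
  [ -S /var/run/docker.sock ] || command -v dockerd >/dev/null 2>&1 && found="$found docker"
  [ -S /run/containerd/containerd.sock ] || command -v containerd >/dev/null 2>&1 && found="$found containerd"
  [ -S /var/run/crio/crio.sock ] || command -v crio >/dev/null 2>&1 && found="$found crio"
  command -v podman >/dev/null 2>&1 && found="$found podman"
  [ -S /var/run/isulad.sock ] || command -v isulad >/dev/null 2>&1 && found="$found isulad"
  printf '%s\n' "${found# }"
}

# agent_online -> exit 0 if the agent's systemd unit is active. The unit name
# is NOT given on this page; set AGENT_SERVICE to your real unit name.
agent_online() {
  [ -n "${AGENT_SERVICE:-}" ] || { echo "AGENT_SERVICE not set (placeholder)"; return 1; }
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not available"; return 1; }
  systemctl is-active --quiet "$AGENT_SERVICE"
}

# preflight -> prints a summary and exits non-zero if nothing supported is found.
preflight() {
  runtimes=$(detect_runtimes)
  ok=$(filter_supported "$runtimes")
  echo "detected runtimes : ${runtimes:-none}"
  echo "supported by HSS  : ${ok:-none}"
  if agent_online; then echo "agent             : online"; else echo "agent             : not verified"; fi
  [ -n "$ok" ]
}

# Run the check only when executed directly, so the functions can be sourced.
case "$0" in */preflight.sh|preflight.sh) preflight ;; esac
```

Run it as `sh preflight.sh` on the node; a non-zero exit means no supported runtime was detected and the node will not appear as eligible for the container edition. The `filter_supported` helper is separated from the host probe so the decision logic can be tested without a real runtime present.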
Enabling the Container Edition
- Log in to the HSS console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane, choose Asset Management > Containers & Quota.
- In the row of a server, click Enable Protection in the Operation column. The confirmation dialog box is displayed.
By default, only the Linux servers where the agent is installed (that is, the servers eligible for the container edition) are displayed in the list. To install the agent on a server, perform the operations in Installing the Agent on Servers and Installing the Agent on Containers.
Figure 1 Enabling container protection
- Confirm the node information and select a billing mode.
You can buy quota in yearly/monthly or pay-per-use mode.
  - Yearly/Monthly
    - Billing Mode: Select Yearly/Monthly.
    - Select Quota: Select a quota allocation mode.
      - Random quota: Let the system allocate the quota with the longest remaining validity to the server.
      - Select a quota ID and allocate it to a server.
  - Pay-per-use
    - Billing Mode: Select Pay-per-use.
    - Tags: Select a tag if you want to use it to identify multiple types of cloud resources.
  - A container security quota protects one cluster node.
  - If the version of the agent installed on the Linux server is 3.2.10 or later, or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the container edition. HSS deploys honeypot files on servers and automatically isolates suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack and minimize losses. For details, see Enabling Ransomware Backup.
- Read the Host Security Service Disclaimer and select I have read and agree to the Container Guard Service Disclaimer.
- Click OK. If the Protection Status of the node changes to Protected, protection has been enabled.
- (Optional) Configure alarm notification, protection policies, server login protection, and malicious program isolation and removal.
- Configuring alarm notifications
After HSS is enabled, alarms are displayed on the console by default. To learn the security risks of servers, containers, or web pages in a timely manner, you can enable alarm notification, and HSS will notify you of risks by SMS or email. For details, see Alarm Configuration.
- Configuring protection policies
Each HSS edition provides a group of protection policies preset with default settings. You can enable or disable policies and adjust protection rules as needed. For details, see Policy Management.
- Configuring login protection
To enhance server login security, perform the operations in Enabling 2FA, Configuring Common Login Locations, Configuring Common Login IP Addresses, and Configuring an SSH Login IP Address Whitelist.
- Enabling malicious program isolation and removal
If this function is enabled, HSS will automatically isolate identified malicious programs, such as backdoors, Trojans, and worms, to help you handle security risks. For details, see Isolating and Killing Malicious Programs.
Viewing Scan Details
After server protection is enabled, HSS will immediately perform a comprehensive scan on the server. It may take a long time. After the scan is complete, you can check its details.
- Choose the Servers tab page and locate the server.
- Check the Risk Level column of the server.
Table 1 Risk status

Status | Description
---|---
Pending risk detection | The server is neither protected nor scanned.
Safe | No risks were found in the comprehensive scan on the server; or the protection has just been enabled, and no risks have been found yet.
Risky | The server has security risks.
- Hover the cursor over the risk status to view the risk distribution.
You can click a value to go to the details page.
Advanced protection
HSS provides a series of advanced defense functions. You can enable or use them as required to enhance the security of your servers and containers. For details, see Table 4.
Function | Description
---|---
Container image security | Container image security aims to ensure the security of images throughout their lifecycle, including development, deployment, and running. It scans for system vulnerabilities, application vulnerabilities, malicious files, software information, file information, unsafe baseline settings, weak passwords, sensitive information, software compliance issues, and base image information. It helps you identify and fix risks, and ensures images have passed strict checks before being deployed in the production environment, so that your system and applications can run stably and securely.
Cluster environment security | Cluster environment security scans the resources on the Kubernetes cluster management plane and data plane; identifies infrastructure as code (IaC) risks, vulnerabilities, unsafe settings, configuration compliance, sensitive information, and permissions management issues; and provides solutions, helping you build a comprehensive cluster security system.
RASP | To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.
Ransomware prevention | The function can detect and defend against ransomware. It can automatically back up data either at a scheduled time, or immediately if ransomware is detected. This can help you defend against ransomware and reduce loss. Ransomware prevention is automatically enabled with the container edition. HSS will deploy honeypot files on servers and automatically isolate suspicious encryption processes. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data.
Application process control | Application process control helps to enhance the security of applications and processes running on servers. It can automatically identify and analyze application processes, and classify them into trusted, suspicious, and malicious processes. It allows trusted processes to run, and generates alarms for suspicious and malicious processes. This helps to build a secure environment for application processes, and protects servers from untrusted or malicious application processes.
Antivirus | This function combines cloud-based and local antivirus mechanisms to scan executable files, compressed files, scripts, documents, images, and audiovisual files for viruses. You can perform quick scans, full-disk scans, and custom scans on servers as needed to detect and remove virus files in a timely manner, enhancing the virus defense of the system.
Dynamic port honeypot | The dynamic port honeypot function is a proactive defense measure. It uses a real port as a honeypot port to induce attackers to access the network. In the horizontal penetration scenario, the function can effectively detect attackers' scanning, identify faulty servers, and protect the user's real resources.
Container firewall | The container firewall can isolate pods, workloads, and nodes in a network to prevent lateral movement and minimize permissions, enhancing security and stability.
 | HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started, and report alarms on or block container startup that has not been authorized or may incur high risks.