diff --git a/docs/hss/umn/ALL_META.TXT.json b/docs/hss/umn/ALL_META.TXT.json new file mode 100644 index 00000000..987ac078 --- /dev/null +++ b/docs/hss/umn/ALL_META.TXT.json 
@@ -0,0 +1,4457 @@ +[ + { + "dockw":"User Guide" + }, + { + "uri":"hss_01_0042.html", + "node_id":"hss_01_0042.xml", + "product_code":"hss", + "code":"1", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Introduction", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Introduction", + "githuburl":"" + }, + { + "uri":"hss_01_0001.html", + "node_id":"hss_01_0001.xml", + "product_code":"hss", + "code":"2", + "des":"HSS is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It provides host security functions, Container Guard Service (CGS), and Web Tam", + "doc_type":"usermanual", + "kw":"What Is HSS?,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is HSS?", + "githuburl":"" + }, + { + "uri":"hss_01_0002.html", + "node_id":"hss_01_0002.xml", + "product_code":"hss", + "code":"3", + "des":"HSS helps you manage and maintain the security of all your servers and reduce common risks.You can check for and fix a range of security issues on a single console, easil", + "doc_type":"usermanual", + "kw":"Advantages,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Advantages", + "githuburl":"" + }, + { + "uri":"hss_01_0226.html", + "node_id":"hss_01_0226.xml", + "product_code":"hss", + "code":"4", + "des":"Centralized security managementWith HSS, you can manage the security configurations and 
events of all your cloud servers on the console, reducing risks and management cos", + "doc_type":"usermanual", + "kw":"Scenarios,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Scenarios", + "githuburl":"" + }, + { + "uri":"hss_01_0590.html", + "node_id":"hss_01_0590.xml", + "product_code":"hss", + "code":"5", + "des":"HSS comes in the enterprise, premium, Web Tamper Protection (WTP), and container editions, providing asset management, vulnerability management, baseline check, intrusion", + "doc_type":"usermanual", + "kw":"Editions and Features,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Editions and Features", + "githuburl":"" + }, + { + "uri":"hss_01_0130.html", + "node_id":"hss_01_0130.xml", + "product_code":"hss", + "code":"6", + "des":"If you need to assign different permissions to employees in your enterprise to access your HSS resources, IAM is a good choice for fine-grained permissions management. 
IA", + "doc_type":"usermanual", + "kw":"user management,resource management,HSS Permissions Management,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"HSS Permissions Management", + "githuburl":"" + }, + { + "uri":"hss_01_0137.html", + "node_id":"hss_01_0137.xml", + "product_code":"hss", + "code":"7", + "des":"Elastic Cloud Server (ECS)HSS can run on Linux servers (such as CentOS and EulerOS) and Windows servers (such as Windows 2012 and Windows 2016).The agent is probably inco", + "doc_type":"usermanual", + "kw":"Constraints and Limitations,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Constraints and Limitations", + "githuburl":"" + }, + { + "uri":"hss_01_0015.html", + "node_id":"hss_01_0015.xml", + "product_code":"hss", + "code":"8", + "des":"The HSS agent can be installed on ECS.For details about ECS, see the Elastic Cloud Server User Guide.CCE can rapidly build a highly reliable container cluster based on cl", + "doc_type":"usermanual", + "kw":"Related Services,Introduction,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Related Services", + "githuburl":"" + }, + { + "uri":"hss_01_0004.html", + "node_id":"hss_01_0004.xml", + "product_code":"hss", + "code":"9", + "des":"Account cracking refers to the intruder behavior of guessing or cracking the password of an account.A weak password can be easily cracked.A malicious program, such as a w", + "doc_type":"usermanual", + "kw":"Account cracking,weak password,malicious program,Web Tamper Protection (WTP),Basic Concepts,Introduc", + "search_title":"", + "metedata":[ + { + "opensource":"true", + 
"prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Basic Concepts", + "githuburl":"" + }, + { + "uri":"hss_01_0292.html", + "node_id":"hss_01_0292.xml", + "product_code":"hss", + "code":"10", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Enabling HSS", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling HSS", + "githuburl":"" + }, + { + "uri":"hss_01_0233.html", + "node_id":"hss_01_0233.xml", + "product_code":"hss", + "code":"11", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Installing an Agent", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Installing an Agent", + "githuburl":"" + }, + { + "uri":"hss_01_0571.html", + "node_id":"hss_01_0571.xml", + "product_code":"hss", + "code":"12", + "des":"To enable workload protection for cloud servers, install the agent first.This topic describes how to install the agent on a server running Linux.CentOS 6.x is no longer u", + "doc_type":"usermanual", + "kw":"Installing an Agent on Linux,Installing an Agent,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Installing an Agent on Linux", + 
"githuburl":"" + }, + { + "uri":"hss_01_0236.html", + "node_id":"hss_01_0236.xml", + "product_code":"hss", + "code":"13", + "des":"You can enable HSS only after the agent is installed on your servers. This topic describes how to install the agent on a server running a Windows OS. For details about ho", + "doc_type":"usermanual", + "kw":"Installing the Agent for Windows,Installing an Agent,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Installing the Agent for Windows", + "githuburl":"" + }, + { + "uri":"hss_01_0260.html", + "node_id":"hss_01_0260.xml", + "product_code":"hss", + "code":"14", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Enabling Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0230.html", + "node_id":"hss_01_0230.xml", + "product_code":"hss", + "code":"15", + "des":"Before enabling protection on servers, you need to allocate quota to a specified server. 
If the protection is disabled or the server is deleted, the quota can be allocate", + "doc_type":"usermanual", + "kw":"Enabling the Enterprise, or Premium Edition,Enabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling the Enterprise, or Premium Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0214.html", + "node_id":"hss_01_0214.xml", + "product_code":"hss", + "code":"16", + "des":"Before enabling WTP, you need to allocate a quota to a specified server. If the service is disabled or the server is deleted, the quota can be allocated to other servers.", + "doc_type":"usermanual", + "kw":"Enabling Web Tamper Protection,Enabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Web Tamper Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0293.html", + "node_id":"hss_01_0293.xml", + "product_code":"hss", + "code":"17", + "des":"Before enabling protection for a container node, you need to allocate quota to a specified node. If the protection is disabled or the node is deleted, the quota can be al", + "doc_type":"usermanual", + "kw":"Enabling Container Protection,Enabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Container Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0241.html", + "node_id":"hss_01_0241.xml", + "product_code":"hss", + "code":"18", + "des":"After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages. 
Without this functio", + "doc_type":"usermanual", + "kw":"Enabling Alarm Notifications,Enabling HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Alarm Notifications", + "githuburl":"" + }, + { + "uri":"hss_01_0051.html", + "node_id":"hss_01_0051.xml", + "product_code":"hss", + "code":"19", + "des":"After protection is enabled, you can configure the common login locations, common login IP addresses, and the SSH login IP address whitelist. You can also enable automati", + "doc_type":"usermanual", + "kw":"Common Security Configuration,Enabling HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Common Security Configuration", + "githuburl":"" + }, + { + "uri":"hss_01_0410.html", + "node_id":"hss_01_0410.xml", + "product_code":"hss", + "code":"20", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Server Security Dashboard", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Server Security Dashboard", + "githuburl":"" + }, + { + "uri":"hss_01_0546.html", + "node_id":"hss_01_0546.xml", + "product_code":"hss", + "code":"21", + "des":"On the dashboard page of the HSS console, you can learn the security status and risks of all your servers and containers in real time, including the risk index, risk tren", + "doc_type":"usermanual", + "kw":"Risk Statistics,Risk Statistics,Server Security Dashboard,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Risk Statistics", + "githuburl":"" + }, + { + "uri":"hss_01_0558.html", + "node_id":"hss_01_0558.xml", + "product_code":"hss", + "code":"22", + "des":"Servers that are not protected by HSS are scanned for free. A security report on their vulnerabilities, unsafe passwords, and asset risks will be generated.If you need to", + "doc_type":"usermanual", + "kw":"Free Scan on Unprotected Servers,Server Security Dashboard,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Free Scan on Unprotected Servers", + "githuburl":"" + }, + { + "uri":"hss_01_0294.html", + "node_id":"hss_01_0294.xml", + "product_code":"hss", + "code":"23", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Asset Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Asset Management", + "githuburl":"" + }, + { + "uri":"hss_01_0387.html", + "node_id":"hss_01_0387.xml", + "product_code":"hss", + "code":"24", + "des":"You can count all your assets and check their statistics, including the agent status, protection status, quota, account, port, process, software, and auto-started items.S", + "doc_type":"usermanual", + "kw":"Asset Management,Asset Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Asset Management", + "githuburl":"" + }, + { + "uri":"hss_01_0463.html", + "node_id":"hss_01_0463.xml", + "product_code":"hss", + "code":"25", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Server Fingerprints", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Server Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0477.html", + "node_id":"hss_01_0477.xml", + "product_code":"hss", + "code":"26", + "des":"HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. 
You can c", + "doc_type":"usermanual", + "kw":"Collecting Server Asset Fingerprints,Server Fingerprints,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Collecting Server Asset Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0383.html", + "node_id":"hss_01_0383.xml", + "product_code":"hss", + "code":"27", + "des":"HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can c", + "doc_type":"usermanual", + "kw":"Viewing Server Asset Fingerprints,Server Fingerprints,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Server Asset Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0384.html", + "node_id":"hss_01_0384.xml", + "product_code":"hss", + "code":"28", + "des":"HSS proactively records the changes on account information, software information, and auto-started items. You can check the change details according to different dimensio", + "doc_type":"usermanual", + "kw":"Viewing the Operation History of Server Assets,Server Fingerprints,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing the Operation History of Server Assets", + "githuburl":"" + }, + { + "uri":"hss_01_0464.html", + "node_id":"hss_01_0464.xml", + "product_code":"hss", + "code":"29", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Container Fingerprints", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0478.html", + "node_id":"hss_01_0478.xml", + "product_code":"hss", + "code":"30", + "des":"HSS can collect container asset fingerprints, including container accounts, ports, and processes. You can centrally check container asset information and detect risky ass", + "doc_type":"usermanual", + "kw":"Collecting Container Asset Fingerprints,Container Fingerprints,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Collecting Container Asset Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0465.html", + "node_id":"hss_01_0465.xml", + "product_code":"hss", + "code":"31", + "des":"HSS can collect container asset fingerprints, including container accounts, ports, and processes. You can centrally check container asset information and detect risky ass", + "doc_type":"usermanual", + "kw":"Viewing Container Asset Fingerprints,Container Fingerprints,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Container Asset Fingerprints", + "githuburl":"" + }, + { + "uri":"hss_01_0397.html", + "node_id":"hss_01_0397.xml", + "product_code":"hss", + "code":"32", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Server Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Server Management", + "githuburl":"" + }, + { + "uri":"hss_01_0003.html", + "node_id":"hss_01_0003.xml", + "product_code":"hss", + "code":"33", + "des":"The server list on the Servers page displays the protection status of only the servers used in the selected region.If your servers are managed by enterprise projects, you", + "doc_type":"usermanual", + "kw":"Viewing Server Protection Status,Server Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Server Protection Status", + "githuburl":"" + }, + { + "uri":"hss_01_0377.html", + "node_id":"hss_01_0377.xml", + "product_code":"hss", + "code":"34", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Enabling Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0396.html", + "node_id":"hss_01_0396.xml", + "product_code":"hss", + "code":"35", + "des":"The professional, enterprise, and premium editions provides different levels of protection for your servers. 
You can apply for and enable them as needed.HSS performs a fu", + "doc_type":"usermanual", + "kw":"Enterprise/Premium Edition,Enabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enterprise/Premium Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0021.html", + "node_id":"hss_01_0021.xml", + "product_code":"hss", + "code":"36", + "des":"The WTP edition provides web tamper protection capabilities for your servers.The agent has been installed on the servers to be protected, the agent status is Online, and ", + "doc_type":"usermanual", + "kw":"WTP Edition,Enabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"WTP Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0395.html", + "node_id":"hss_01_0395.xml", + "product_code":"hss", + "code":"37", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Disabling Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0399.html", + "node_id":"hss_01_0399.xml", + "product_code":"hss", + "code":"38", + "des":"You can disable protection for a server. 
A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services, but will i", + "doc_type":"usermanual", + "kw":"Disabling the Enterprise/Premium Edition,Disabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling the Enterprise/Premium Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0400.html", + "node_id":"hss_01_0400.xml", + "product_code":"hss", + "code":"39", + "des":"You can disable the WTP edition for a server. A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services, but w", + "doc_type":"usermanual", + "kw":"Disabling WTP,Disabling Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling WTP", + "githuburl":"" + }, + { + "uri":"hss_01_0573.html", + "node_id":"hss_01_0573.xml", + "product_code":"hss", + "code":"40", + "des":"This section describes how to export the server protection list to your local PC.The details of up to 1,000 servers can be exported at a time.", + "doc_type":"usermanual", + "kw":"Exporting the Server List,Server Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Exporting the Server List", + "githuburl":"" + }, + { + "uri":"hss_01_0174.html", + "node_id":"hss_01_0174.xml", + "product_code":"hss", + "code":"41", + "des":"You can switch the quota edition of a server to the enterprise or premium edition as needed.You can switch to the enterprise or premium edition.The server whose protectio", + "doc_type":"usermanual", + "kw":"Switching the HSS Quota Edition,Server Management,User Guide", 
+ "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Switching the HSS Quota Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0024.html", + "node_id":"hss_01_0024.xml", + "product_code":"hss", + "code":"42", + "des":"You can quickly configure and start server scans by using policy groups. Simply create a group, add policies to it, and apply this group to servers. The agents deployed o", + "doc_type":"usermanual", + "kw":"Deploying a Policy,Server Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Deploying a Policy", + "githuburl":"" + }, + { + "uri":"hss_01_0023.html", + "node_id":"hss_01_0023.xml", + "product_code":"hss", + "code":"43", + "des":"To manage servers by group, you can create a server group and add servers to it.You can check the numbers of servers, unsafe servers, and unprotected servers in a group.A", + "doc_type":"usermanual", + "kw":"Managing Server Groups,Server Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Server Groups", + "githuburl":"" + }, + { + "uri":"hss_01_0381.html", + "node_id":"hss_01_0381.xml", + "product_code":"hss", + "code":"44", + "des":"By default, HSS considers all servers as general assets. 
You can configure the asset importance levels of servers and manage servers accordingly.Assets are classified int", + "doc_type":"usermanual", + "kw":"Servers Importance Management,Server Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Servers Importance Management", + "githuburl":"" + }, + { + "uri":"hss_01_0295.html", + "node_id":"hss_01_0295.xml", + "product_code":"hss", + "code":"45", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Container Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Management", + "githuburl":"" + }, + { + "uri":"hss_01_0296.html", + "node_id":"hss_01_0296.xml", + "product_code":"hss", + "code":"46", + "des":"The Container Nodes page displays the protection, node, and Agent status of clusters in Cloud Container Engine (CCE), helping you learn the security status of clusters in", + "doc_type":"usermanual", + "kw":"Viewing the Container Node Protection List,Container Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing the Container Node Protection List", + "githuburl":"" + }, + { + "uri":"hss_01_0398.html", + "node_id":"hss_01_0398.xml", + "product_code":"hss", + "code":"47", + "des":"You can enable the container security edition for your containers.To enable protection for a container node, you need to allocate a quota to the node. 
If the protection i", + "doc_type":"usermanual", + "kw":"Enabling Container Security Protection,Container Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Container Security Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0401.html", + "node_id":"hss_01_0401.xml", + "product_code":"hss", + "code":"48", + "des":"You can disable the container edition for a server. A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services,", + "doc_type":"usermanual", + "kw":"Disabling Protection for Container Edition,Container Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling Protection for Container Edition", + "githuburl":"" + }, + { + "uri":"hss_01_0297.html", + "node_id":"hss_01_0297.xml", + "product_code":"hss", + "code":"49", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Container Images", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Images", + "githuburl":"" + }, + { + "uri":"hss_01_0298.html", + "node_id":"hss_01_0298.xml", + "product_code":"hss", + "code":"50", + "des":"You can manually scan local images for vulnerabilities and software information and provides scan reports. 
This section describes how to perform security scans on local i", + "doc_type":"usermanual", + "kw":"Local Images,Container Images,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Local Images", + "githuburl":"" + }, + { + "uri":"hss_01_0299.html", + "node_id":"hss_01_0299.xml", + "product_code":"hss", + "code":"51", + "des":"Images in the private image repository come from SWR images. You can manually scan for and check reports on vulnerabilities, malicious files, software information, file i", + "doc_type":"usermanual", + "kw":"Managing SWR Private Images,Container Images,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing SWR Private Images", + "githuburl":"" + }, + { + "uri":"hss_01_0088.html", + "node_id":"hss_01_0088.xml", + "product_code":"hss", + "code":"52", + "des":"The images in the shared image repository are from SWR. You can view details about all shared images.Only the HSS container edition supports this function.Security scans ", + "doc_type":"usermanual", + "kw":"Managing SWR Shared Images,Container Images,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing SWR Shared Images", + "githuburl":"" + }, + { + "uri":"hss_01_0025.html", + "node_id":"hss_01_0025.xml", + "product_code":"hss", + "code":"53", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Risk Prevention", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Risk Prevention", + "githuburl":"" + }, + { + "uri":"hss_01_0140.html", + "node_id":"hss_01_0140.xml", + "product_code":"hss", + "code":"54", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Vulnerability Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Vulnerability Management", + "githuburl":"" + }, + { + "uri":"hss_01_0302.html", + "node_id":"hss_01_0302.xml", + "product_code":"hss", + "code":"55", + "des":"Vulnerability management can detect Linux, Windows, Web-CMS, and application vulnerabilities and provide suggestions, helping you learn about server vulnerabilities in re", + "doc_type":"usermanual", + "kw":"Vulnerability Management Overview,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Vulnerability Management Overview", + "githuburl":"" + }, + { + "uri":"hss_01_0412.html", + "node_id":"hss_01_0412.xml", + "product_code":"hss", + "code":"56", + "des":"HSS can scan for Linux, Windows, Web-CMS, and application vulnerabilities. 
Automatic, scheduled (vulnerability policy configuration), and manual scans are supported.Autom", + "doc_type":"usermanual", + "kw":"Vulnerability Scan,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Vulnerability Scan", + "githuburl":"" + }, + { + "uri":"hss_01_0063.html", + "node_id":"hss_01_0063.xml", + "product_code":"hss", + "code":"57", + "des":"You can view vulnerabilities of your assets on the Vulnerabilities page. The Vulnerabilities page contains two tabs: Vulnerabilities view and Server view, helping you ana", + "doc_type":"usermanual", + "kw":"Viewing Vulnerability Details,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Vulnerability Details", + "githuburl":"" + }, + { + "uri":"hss_01_0574.html", + "node_id":"hss_01_0574.xml", + "product_code":"hss", + "code":"58", + "des":"You can refer to this section to export the vulnerability list.HSS enterprise or later edition has been enabled for the server.The Server Status is Running, Agent Status ", + "doc_type":"usermanual", + "kw":"Exporting the vulnerability list,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Exporting the vulnerability list", + "githuburl":"" + }, + { + "uri":"hss_01_0141.html", + "node_id":"hss_01_0141.xml", + "product_code":"hss", + "code":"59", + "des":"If HSS detects a vulnerability on a server, you need to handle the vulnerability in a timely manner based on its severity and your business conditions to prevent the vuln", + "doc_type":"usermanual", + "kw":"Handling Vulnerabilities,Vulnerability 
Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Handling Vulnerabilities", + "githuburl":"" + }, + { + "uri":"hss_01_0509.html", + "node_id":"hss_01_0509.xml", + "product_code":"hss", + "code":"60", + "des":"If you evaluate that some vulnerabilities do not affect your services and do not want to view the vulnerabilities in the vulnerability list, you can whitelist the vulnera", + "doc_type":"usermanual", + "kw":"Managing the Vulnerability Whitelist,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing the Vulnerability Whitelist", + "githuburl":"" + }, + { + "uri":"hss_01_0503.html", + "node_id":"hss_01_0503.xml", + "product_code":"hss", + "code":"61", + "des":"For vulnerabilities that have been handled, you can refer to this section to view the vulnerability handling history (handler and handling time).", + "doc_type":"usermanual", + "kw":"Viewing Vulnerability Handling History,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Vulnerability Handling History", + "githuburl":"" + }, + { + "uri":"hss_01_0145.html", + "node_id":"hss_01_0145.xml", + "product_code":"hss", + "code":"62", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Baseline Inspection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Baseline Inspection", + "githuburl":"" + }, + { + "uri":"hss_01_0303.html", + "node_id":"hss_01_0303.xml", + "product_code":"hss", + "code":"63", + "des":"Baseline Inspection includes password complexity policy detection, common weak password detection, and configuration check. It can detect insecure password configurations", + "doc_type":"usermanual", + "kw":"Baseline Inspection Overview,Baseline Inspection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Baseline Inspection Overview", + "githuburl":"" + }, + { + "uri":"hss_01_0146.html", + "node_id":"hss_01_0146.xml", + "product_code":"hss", + "code":"64", + "des":"The baseline check supports automatic and manual baseline checks.Automatic baseline check: checks server configurations and common weak passwords.Manual baseline check: T", + "doc_type":"usermanual", + "kw":"Performing Baseline Inspection,Baseline Inspection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Performing Baseline Inspection", + "githuburl":"" + }, + { + "uri":"hss_01_0147.html", + "node_id":"hss_01_0147.xml", + "product_code":"hss", + "code":"65", + "des":"This topic provides suggestions on how to fix baseline configuration risks on the server.Only enterprise edition, premium edition, web tamper protection edition, and cont", + "doc_type":"usermanual", + "kw":"Viewing and Processing Baseline Check Results,Baseline 
Inspection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing and Processing Baseline Check Results", + "githuburl":"" + }, + { + "uri":"hss_01_0597.html", + "node_id":"hss_01_0597.xml", + "product_code":"hss", + "code":"66", + "des":"This section describes how to export a baseline check report.Only enterprise edition, premium edition, web tamper protection edition, and container edition are supported.", + "doc_type":"usermanual", + "kw":"Exporting the Baseline Check Report,Baseline Inspection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Exporting the Baseline Check Report", + "githuburl":"" + }, + { + "uri":"hss_01_0393.html", + "node_id":"hss_01_0393.xml", + "product_code":"hss", + "code":"67", + "des":"This section describes how to modify a created manual baseline check policy.If you select Linux for OS, you can select any checks included in Baseline and edit rules. Thi", + "doc_type":"usermanual", + "kw":"Managing Manual Baseline Check Policies,Baseline Inspection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Manual Baseline Check Policies", + "githuburl":"" + }, + { + "uri":"hss_01_0304.html", + "node_id":"hss_01_0304.xml", + "product_code":"hss", + "code":"68", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Container Image Security", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Image Security", + "githuburl":"" + }, + { + "uri":"hss_01_0305.html", + "node_id":"hss_01_0305.xml", + "product_code":"hss", + "code":"69", + "des":"This section describes how to check the vulnerabilities on the private image and determine whether to ignore the vulnerabilities.Container node protection has been enable", + "doc_type":"usermanual", + "kw":"Image Vulnerabilities,Container Image Security,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Image Vulnerabilities", + "githuburl":"" + }, + { + "uri":"hss_01_0306.html", + "node_id":"hss_01_0306.xml", + "product_code":"hss", + "code":"70", + "des":"Malicious files in the private images can be automatically detected, helping you discover and eliminate the security threats in your assets.A comprehensive check is autom", + "doc_type":"usermanual", + "kw":"Viewing Malicious File Detection Results,Container Image Security,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Malicious File Detection Results", + "githuburl":"" + }, + { + "uri":"hss_01_0307.html", + "node_id":"hss_01_0307.xml", + "product_code":"hss", + "code":"71", + "des":"Your private image repository is scanned for unsafe configurations and provides suggestions for modifying the configurations, helping you fight intrusions and meet compli", + "doc_type":"usermanual", + "kw":"Image Baseline Check,Container 
Image Security,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Image Baseline Check", + "githuburl":"" + }, + { + "uri":"hss_01_0142.html", + "node_id":"hss_01_0142.xml", + "product_code":"hss", + "code":"72", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Prevention", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Prevention", + "githuburl":"" + }, + { + "uri":"hss_01_0388.html", + "node_id":"hss_01_0388.xml", + "product_code":"hss", + "code":"73", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Application Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Application Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0390.html", + "node_id":"hss_01_0390.xml", + "product_code":"hss", + "code":"74", + "des":"You have enabled HSS premium, WTP, or container edition.Currently, only Linux servers are supported.So far, only Java applications can be protected.The premium, WTP, and ", + "doc_type":"usermanual", + "kw":"Enabling Application Protection,Application Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Application Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0389.html", + "node_id":"hss_01_0389.xml", + "product_code":"hss", + "code":"75", + "des":"To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.Probes (monitoring and protection code) are adde", + "doc_type":"usermanual", + "kw":"Viewing Application Protection,Application Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Application Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0459.html", + "node_id":"hss_01_0459.xml", + "product_code":"hss", + "code":"76", + "des":"You can add, edit, and delete application protection policies, and select and configure detection rules for the policies.Currently, only Linux servers are supported.So fa", + "doc_type":"usermanual", + "kw":"Managing Application Protection 
Policies,Application Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Application Protection Policies", + "githuburl":"" + }, + { + "uri":"hss_01_0392.html", + "node_id":"hss_01_0392.xml", + "product_code":"hss", + "code":"77", + "des":"This section describes how to disable application protection.If your servers are managed by enterprise projects, you can select an enterprise project to view or operate t", + "doc_type":"usermanual", + "kw":"Disabling Application Protection,Application Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling Application Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0153.html", + "node_id":"hss_01_0153.xml", + "product_code":"hss", + "code":"78", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"WTP", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"WTP", + "githuburl":"" + }, + { + "uri":"hss_01_0216.html", + "node_id":"hss_01_0216.xml", + "product_code":"hss", + "code":"79", + "des":"WTP monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites from Trojans, illegal links, and tamperin", + "doc_type":"usermanual", + "kw":"Adding a Protected Directory,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Adding a Protected Directory", + "githuburl":"" + }, + { + "uri":"hss_01_0106.html", + "node_id":"hss_01_0106.xml", + "product_code":"hss", + "code":"80", + "des":"By default, HSS backs up the files from the protected directories (excluding specified subdirectories and file types) to the local backup directory you specified when add", + "doc_type":"usermanual", + "kw":"Configuring Remote Backup,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Configuring Remote Backup", + "githuburl":"" + }, + { + "uri":"hss_01_0466.html", + "node_id":"hss_01_0466.xml", + "product_code":"hss", + "code":"81", + "des":"If WTP is enabled, the content in the protected directories is read-only. 
To allow certain processes to modify files in the directories, add them to the privileged proces", + "doc_type":"usermanual", + "kw":"Adding a Privileged Process,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Adding a Privileged Process", + "githuburl":"" + }, + { + "uri":"hss_01_0217.html", + "node_id":"hss_01_0217.xml", + "product_code":"hss", + "code":"82", + "des":"You can schedule WTP protection to allow website updates in specific periods.Exercise caution when you set the periods to disable WTP, because files will not be protected", + "doc_type":"usermanual", + "kw":"Enabling/Disabling Scheduled Static WTP,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling/Disabling Scheduled Static WTP", + "githuburl":"" + }, + { + "uri":"hss_01_0218.html", + "node_id":"hss_01_0218.xml", + "product_code":"hss", + "code":"83", + "des":"Dynamic WTP protects your web pages while Tomcat applications are running, and can detect tampering of dynamic data, such as database data. It can be enabled with static ", + "doc_type":"usermanual", + "kw":"Enabling Dynamic WTP,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Dynamic WTP", + "githuburl":"" + }, + { + "uri":"hss_01_0576.html", + "node_id":"hss_01_0576.xml", + "product_code":"hss", + "code":"84", + "des":"Once WTP is enabled, HSS will comprehensively check protected directories you specified. 
You can check records about detected tampering attacks.Only the servers that are ", + "doc_type":"usermanual", + "kw":"Viewing WTP Reports,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing WTP Reports", + "githuburl":"" + }, + { + "uri":"hss_01_0087.html", + "node_id":"hss_01_0087.xml", + "product_code":"hss", + "code":"85", + "des":"Once static WTP is enabled, the HSS service will comprehensively check protected directories you specified. You can check records about detected tampering of host protect", + "doc_type":"usermanual", + "kw":"Viewing WTP Events,WTP,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing WTP Events", + "githuburl":"" + }, + { + "uri":"hss_01_0346.html", + "node_id":"hss_01_0346.xml", + "product_code":"hss", + "code":"86", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Ransomware Prevention", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Ransomware Prevention", + "githuburl":"" + }, + { + "uri":"hss_01_0348.html", + "node_id":"hss_01_0348.xml", + "product_code":"hss", + "code":"87", + "des":"You have enabled HSS premium, WTP, or container edition.Only premium, WTP, and container editions support ransomware protection.If your servers are managed by enterprise ", + "doc_type":"usermanual", + "kw":"Enabling Ransomware Prevention,Ransomware Prevention,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Enabling Ransomware Prevention", + "githuburl":"" + }, + { + "uri":"hss_01_0347.html", + "node_id":"hss_01_0347.xml", + "product_code":"hss", + "code":"88", + "des":"You have enabled HSS premium, WTP, or container edition.After ransomware protection is enabled, you need to handle ransomware alarms and fix the vulnerabilities in your s", + "doc_type":"usermanual", + "kw":"Viewing Ransomware Protection,Ransomware Prevention,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Ransomware Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0349.html", + "node_id":"hss_01_0349.xml", + "product_code":"hss", + "code":"89", + "des":"Currently, you can create a ransomware prevention policy only when enabling ransomware prevention.Only premium, WTP, and container editions support ransomware protection.", + "doc_type":"usermanual", + "kw":"Managing Ransomware Prevention 
Policies,Ransomware Prevention,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Ransomware Prevention Policies", + "githuburl":"" + }, + { + "uri":"hss_01_0350.html", + "node_id":"hss_01_0350.xml", + "product_code":"hss", + "code":"90", + "des":"You can disable ransomware protection as needed. After protection is disabled, your server may be intruded by ransomware. Exercise caution when performing this operation.", + "doc_type":"usermanual", + "kw":"Disabling Ransomware Prevention,Ransomware Prevention,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Disabling Ransomware Prevention", + "githuburl":"" + }, + { + "uri":"hss_01_0360.html", + "node_id":"hss_01_0360.xml", + "product_code":"hss", + "code":"91", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"File Integrity Monitoring", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"File Integrity Monitoring", + "githuburl":"" + }, + { + "uri":"hss_01_0359.html", + "node_id":"hss_01_0359.xml", + "product_code":"hss", + "code":"92", + "des":"Check the files in the Linux OS, applications, and other components to detect tampering.Only premium, WTP, and container editions support file integrity-related operation", + "doc_type":"usermanual", + "kw":"Viewing File Integrity Management,File Integrity Monitoring,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing File Integrity Management", + "githuburl":"" + }, + { + "uri":"hss_01_0361.html", + "node_id":"hss_01_0361.xml", + "product_code":"hss", + "code":"93", + "des":"Only premium, WTP, and container editions support file integrity-related operations.", + "doc_type":"usermanual", + "kw":"Checking Change Details,File Integrity Monitoring,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Checking Change Details", + "githuburl":"" + }, + { + "uri":"hss_01_0362.html", + "node_id":"hss_01_0362.xml", + "product_code":"hss", + "code":"94", + "des":"Only premium, WTP, and container editions support file integrity-related operations.", + "doc_type":"usermanual", + "kw":"Checking Modified Files,File Integrity Monitoring,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + 
"documenttype":"usermanual" + } + ], + "title":"Checking Modified Files", + "githuburl":"" + }, + { + "uri":"hss_01_0030.html", + "node_id":"hss_01_0030.xml", + "product_code":"hss", + "code":"95", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Intrusion Detection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Intrusion Detection", + "githuburl":"" + }, + { + "uri":"hss_01_0277.html", + "node_id":"hss_01_0277.xml", + "product_code":"hss", + "code":"96", + "des":"HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You ", + "doc_type":"usermanual", + "kw":"Server Alarms,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Server Alarms", + "githuburl":"" + }, + { + "uri":"hss_01_0026.html", + "node_id":"hss_01_0026.xml", + "product_code":"hss", + "code":"97", + "des":"The Events page displays the alarm events generated in the last 30 days. 
You can manually handle the alarmed items.The status of a handled event changes from Unhandled to", + "doc_type":"usermanual", + "kw":"Viewing Server Alarms,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Server Alarms", + "githuburl":"" + }, + { + "uri":"hss_01_0413.html", + "node_id":"hss_01_0413.xml", + "product_code":"hss", + "code":"98", + "des":"The Events page displays the alarms generated in the last 30 days.The status of a handled alarm changes from Unhandled to Handled.To skip the checks on high-risk command ", + "doc_type":"usermanual", + "kw":"Handling Server Alarms,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Handling Server Alarms", + "githuburl":"" + }, + { + "uri":"hss_01_0331.html", + "node_id":"hss_01_0331.xml", + "product_code":"hss", + "code":"99", + "des":"HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upp", + "doc_type":"usermanual", + "kw":"Managing Isolated Files,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Isolated Files", + "githuburl":"" + }, + { + "uri":"hss_01_0312.html", + "node_id":"hss_01_0312.xml", + "product_code":"hss", + "code":"100", + "des":"After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. 
The agents support escape detectio", + "doc_type":"usermanual", + "kw":"Container Alarm Events,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Alarm Events", + "githuburl":"" + }, + { + "uri":"hss_01_0313.html", + "node_id":"hss_01_0313.xml", + "product_code":"hss", + "code":"101", + "des":"HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of containers with alarms, handl", + "doc_type":"usermanual", + "kw":"Viewing Container Alarms,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Container Alarms", + "githuburl":"" + }, + { + "uri":"hss_01_0414.html", + "node_id":"hss_01_0414.xml", + "product_code":"hss", + "code":"102", + "des":"HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of containers with alarms, handl", + "doc_type":"usermanual", + "kw":"Handling Container Alarms,Intrusion Detection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Handling Container Alarms", + "githuburl":"" + }, + { + "uri":"hss_01_0367.html", + "node_id":"hss_01_0367.xml", + "product_code":"hss", + "code":"103", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Whitelist Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Whitelist Management", + "githuburl":"" + }, + { + "uri":"hss_01_0029.html", + "node_id":"hss_01_0029.xml", + "product_code":"hss", + "code":"104", + "des":"You can configure the IP addresses of destination servers, login IP addresses, login usernames, and user behaviors in the Login Whitelist.If the destination server IP add", + "doc_type":"usermanual", + "kw":"Managing Login Whitelist,Whitelist Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Login Whitelist", + "githuburl":"" + }, + { + "uri":"hss_01_0028.html", + "node_id":"hss_01_0028.xml", + "product_code":"hss", + "code":"105", + "des":"You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.Whitelisted events will not trigger alarms.On the Alarms page, you ", + "doc_type":"usermanual", + "kw":"Managing the Alarm Whitelist,Whitelist Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing the Alarm Whitelist", + "githuburl":"" + }, + { + "uri":"hss_01_0496.html", + "node_id":"hss_01_0496.xml", + "product_code":"hss", + "code":"106", + "des":"HSS generates risky account alarms when non-root users are added to the root user group. You can add the trusted non-root users to the system user whitelist. 
HSS does not", + "doc_type":"usermanual", + "kw":"Managing the System User Whitelist,Whitelist Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing the System User Whitelist", + "githuburl":"" + }, + { + "uri":"hss_01_0041.html", + "node_id":"hss_01_0041.xml", + "product_code":"hss", + "code":"107", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Security Operations", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Security Operations", + "githuburl":"" + }, + { + "uri":"hss_01_0314.html", + "node_id":"hss_01_0314.xml", + "product_code":"hss", + "code":"108", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Policy Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Policy Management", + "githuburl":"" + }, + { + "uri":"hss_01_0045.html", + "node_id":"hss_01_0045.xml", + "product_code":"hss", + "code":"109", + "des":"If policies such as asset collection, baseline check, and intrusion detection do not meet your server protection requirements, you can manage these policies.Table 1 lists", + "doc_type":"usermanual", + "kw":"Overview,Policy Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Overview", + "githuburl":"" + }, + { + "uri":"hss_01_0368.html", + "node_id":"hss_01_0368.xml", + "product_code":"hss", + "code":"110", + "des":"For premium and container editions, you can copy a policy group and customize it as required to meet server security requirements in different application scenarios.If yo", + "doc_type":"usermanual", + "kw":"Creating a Policy Group,Policy Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Creating a Policy Group", + "githuburl":"" + }, + { + "uri":"hss_01_0044.html", + "node_id":"hss_01_0044.xml", + "product_code":"hss", + "code":"111", + "des":"After HSS is enabled, you can configure HSS policies based on your service requirements.The enterprise, premium, WTP, or container edition is enabled.For the default poli", + "doc_type":"usermanual", + "kw":"Configuring Policies,Policy Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", 
+ "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Configuring Policies", + "githuburl":"" + }, + { + "uri":"hss_01_0596.html", + "node_id":"hss_01_0596.xml", + "product_code":"hss", + "code":"112", + "des":"Preset policy groups cannot be deleted. You can delete custom policy groups of premium edition and container edition.After a policy group is deleted, the Policy Group col", + "doc_type":"usermanual", + "kw":"Deleting a Policy Group,Policy Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Deleting a Policy Group", + "githuburl":"" + }, + { + "uri":"hss_01_0553.html", + "node_id":"hss_01_0553.xml", + "product_code":"hss", + "code":"113", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Security Report", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Security Report", + "githuburl":"" + }, + { + "uri":"hss_01_0554.html", + "node_id":"hss_01_0554.xml", + "product_code":"hss", + "code":"114", + "des":"You can subscribe to daily, weekly, monthly, and custom reports. 
The reports show your server security trends and key security events and risks.If you have enabled the en", + "doc_type":"usermanual", + "kw":"Checking a Security Report,Security Report,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Checking a Security Report", + "githuburl":"" + }, + { + "uri":"hss_01_0555.html", + "node_id":"hss_01_0555.xml", + "product_code":"hss", + "code":"115", + "des":"This section provides guidance for you to quickly subscribe to weekly or monthly security reports using preset templates on the console. For details about how to customiz", + "doc_type":"usermanual", + "kw":"Subscribing to a Security Report,Security Report,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Subscribing to a Security Report", + "githuburl":"" + }, + { + "uri":"hss_01_0556.html", + "node_id":"hss_01_0556.xml", + "product_code":"hss", + "code":"116", + "des":"If the type and content of the existing report template cannot meet your requirements, you can customize a report.The enterprise, premium, WTP, or container edition is en", + "doc_type":"usermanual", + "kw":"Creating a Security Report,Security Report,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Creating a Security Report", + "githuburl":"" + }, + { + "uri":"hss_01_0557.html", + "node_id":"hss_01_0557.xml", + "product_code":"hss", + "code":"117", + "des":"This section describes how to modify, cancel, or disable a subscribed report.The enterprise, premium, WTP, or container edition is enabled.You can use default security re", + "doc_type":"usermanual", + "kw":"Managing Security Reports,Security Report,User Guide", + 
"search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Managing Security Reports", + "githuburl":"" + }, + { + "uri":"hss_01_0373.html", + "node_id":"hss_01_0373.xml", + "product_code":"hss", + "code":"118", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Installation & Configuration", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Installation & Configuration", + "githuburl":"" + }, + { + "uri":"hss_01_0317.html", + "node_id":"hss_01_0317.xml", + "product_code":"hss", + "code":"119", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Agent Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Agent Management", + "githuburl":"" + }, + { + "uri":"hss_01_0374.html", + "node_id":"hss_01_0374.xml", + "product_code":"hss", + "code":"120", + "des":"You can sort servers, check whether the agent is installed on them, and can install or uninstall the agent. 
On the console, you can find the agent installation instructio", + "doc_type":"usermanual", + "kw":"Viewing Agent Status,Agent Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Viewing Agent Status", + "githuburl":"" + }, + { + "uri":"hss_01_0570.html", + "node_id":"hss_01_0570.xml", + "product_code":"hss", + "code":"121", + "des":"Install the agent on a server. Only then can the server be protected by HSS.If your servers are managed by enterprise projects, you can select an enterprise project to vi", + "doc_type":"usermanual", + "kw":"Installing an Agent,Agent Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Installing an Agent", + "githuburl":"" + }, + { + "uri":"hss_01_0462.html", + "node_id":"hss_01_0462.xml", + "product_code":"hss", + "code":"122", + "des":"HSS keeps improving its service capabilities, including but not limited to new features and defect fixes. Please upgrade your agent to the latest version in a timely mann", + "doc_type":"usermanual", + "kw":"Upgrading the Agent,Agent Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Upgrading the Agent", + "githuburl":"" + }, + { + "uri":"hss_01_0376.html", + "node_id":"hss_01_0376.xml", + "product_code":"hss", + "code":"123", + "des":"If you no longer need to use HSS, uninstall the agent by following the instructions provided in this section. 
If the agent is uninstalled, HSS will stop protecting your s", + "doc_type":"usermanual", + "kw":"Uninstalling an Agent,Agent Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Uninstalling an Agent", + "githuburl":"" + }, + { + "uri":"hss_01_0385.html", + "node_id":"hss_01_0385.xml", + "product_code":"hss", + "code":"124", + "des":"You can add common login locations, common IP addresses, and whitelist IP addresses, and enable malicious program isolation and killing to enhance server security.For det", + "doc_type":"usermanual", + "kw":"Security Configurations,Installation & Configuration,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Security Configurations", + "githuburl":"" + }, + { + "uri":"hss_01_0070.html", + "node_id":"hss_01_0070.xml", + "product_code":"hss", + "code":"125", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Audit", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Audit", + "githuburl":"" + }, + { + "uri":"hss_01_0071.html", + "node_id":"hss_01_0071.xml", + "product_code":"hss", + "code":"126", + "des":"Cloud Trace Service (CTS) records all operations on HSS, including requests initiated from the management console or open APIs and responses to the requests, for tenants ", + "doc_type":"usermanual", + "kw":"HSS Operations Supported by CTS,Audit,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"HSS Operations Supported by CTS", + "githuburl":"" + }, + { + "uri":"hss_01_0603.html", + "node_id":"hss_01_0603.xml", + "product_code":"hss", + "code":"127", + "des":"After you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. CTS stores operation records generated in the last seven d", + "doc_type":"usermanual", + "kw":"Querying Real-Time Traces,Audit,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Querying Real-Time Traces", + "githuburl":"" + }, + { + "uri":"hss_01_0131.html", + "node_id":"hss_01_0131.xml", + "product_code":"hss", + "code":"128", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Permissions Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Permissions Management", + "githuburl":"" + }, + { + "uri":"hss_01_0133.html", + "node_id":"hss_01_0133.xml", + "product_code":"hss", + "code":"129", + "des":"This section describes IAM's fine-grained permissions management for your HSS resources. With IAM, you can:Create IAM users for employees based on the organizational stru", + "doc_type":"usermanual", + "kw":"Creating a User and Granting Permissions,Permissions Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Creating a User and Granting Permissions", + "githuburl":"" + }, + { + "uri":"hss_01_0005.html", + "node_id":"hss_01_0005.xml", + "product_code":"hss", + "code":"130", + "des":"Custom policies can be created to supplement the system-defined policies of HSS.You can create custom policies using one of the following methods:Visual editor: Select cl", + "doc_type":"usermanual", + "kw":"HSS Custom Policies,Permissions Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"HSS Custom Policies", + "githuburl":"" + }, + { + "uri":"hss_01_0006.html", + "node_id":"hss_01_0006.xml", + "product_code":"hss", + "code":"131", + "des":"This section describes fine-grained permissions management for your HSS instances. 
If your account does not need individual IAM users, then you may skip over this section", + "doc_type":"usermanual", + "kw":"HSS Actions,Permissions Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"HSS Actions", + "githuburl":"" + }, + { + "uri":"hss_01_0032.html", + "node_id":"hss_01_0032.xml", + "product_code":"hss", + "code":"132", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"FAQs", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"FAQs", + "githuburl":"" + }, + { + "uri":"hss_01_0258.html", + "node_id":"hss_01_0258.xml", + "product_code":"hss", + "code":"133", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"About HSS", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"About HSS", + "githuburl":"" + }, + { + "uri":"hss_01_0033.html", + "node_id":"hss_01_0033.xml", + "product_code":"hss", + "code":"134", + "des":"Host Security Service (HSS) helps you identify and manage the assets on your servers, eliminate risks, and defend against intrusions and web page tampering. 
There are als", + "doc_type":"usermanual", + "kw":"What Is Host Security?,About HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is Host Security?", + "githuburl":"" + }, + { + "uri":"hss_01_0318.html", + "node_id":"hss_01_0318.xml", + "product_code":"hss", + "code":"135", + "des":"Container Security Service (CGS) scans vulnerabilities and configuration information in images, helping enterprises detect container risks that cannot be found using conv", + "doc_type":"usermanual", + "kw":"What Is Container Security?,About HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is Container Security?", + "githuburl":"" + }, + { + "uri":"hss_01_0319.html", + "node_id":"hss_01_0319.xml", + "product_code":"hss", + "code":"136", + "des":"Web Tamper Protection (WTP) monitors website directories in real time, backs up files, and restores tampered files using the backup. WTP protects your websites from Troja", + "doc_type":"usermanual", + "kw":"What Is Web Tamper Protection?,About HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is Web Tamper Protection?", + "githuburl":"" + }, + { + "uri":"hss_01_0320.html", + "node_id":"hss_01_0320.xml", + "product_code":"hss", + "code":"137", + "des":"An image is a special file system. It provides programs, libraries, resources, configuration files and other files required for a running container. 
An image also contain", + "doc_type":"usermanual", + "kw":"What Are the Relationships Between Images, Containers, and Applications?,About HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Are the Relationships Between Images, Containers, and Applications?", + "githuburl":"" + }, + { + "uri":"hss_01_0245.html", + "node_id":"hss_01_0245.xml", + "product_code":"hss", + "code":"138", + "des":"The HSS agent is used to scan all servers and containers, monitor their status in real time, and collect their information and report to the cloud protection center.The a", + "doc_type":"usermanual", + "kw":"What Is the HSS Agent?,About HSS,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is the HSS Agent?", + "githuburl":"" + }, + { + "uri":"hss_01_0321.html", + "node_id":"hss_01_0321.xml", + "product_code":"hss", + "code":"139", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Agent FAQs", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Agent FAQs", + "githuburl":"" + }, + { + "uri":"hss_01_0037.html", + "node_id":"hss_01_0037.xml", + "product_code":"hss", + "code":"140", + "des":"Yes, it may be in conflict with DenyHosts.Symptom: The IP address of the login host is identified as an attack IP address but can not be unblocked.Cause: HSS and DenyHost", + "doc_type":"usermanual", + "kw":"Is the Agent in Conflict with Any Other Security Software?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Is the Agent in Conflict with Any Other Security Software?", + "githuburl":"" + }, + { + "uri":"hss_01_0119.html", + "node_id":"hss_01_0119.xml", + "product_code":"hss", + "code":"141", + "des":"Two uninstallation methods are available: one-click uninstallation and manual local uninstallation.The agent was installed using an incorrect package and you need to unin", + "doc_type":"usermanual", + "kw":"How Do I Uninstall the Agent?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Uninstall the Agent?", + "githuburl":"" + }, + { + "uri":"hss_01_0069.html", + "node_id":"hss_01_0069.xml", + "product_code":"hss", + "code":"142", + "des":"The agent fails to be installed by running commands. 
The server list page on the console still indicates that the agent is not installed.The SELinux firewall has not been", + "doc_type":"usermanual", + "kw":"What Should I Do If Agent Installation Failed?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Should I Do If Agent Installation Failed?", + "githuburl":"" + }, + { + "uri":"hss_01_0036.html", + "node_id":"hss_01_0036.xml", + "product_code":"hss", + "code":"143", + "des":"Your agent is probably abnormal if it is in Not installed or Offline state. Agent statuses and their meaning are as follows:Uninstalled: No agent has been installed on th", + "doc_type":"usermanual", + "kw":"How Do I Fix an Abnormal Agent?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Fix an Abnormal Agent?", + "githuburl":"" + }, + { + "uri":"hss_01_0096.html", + "node_id":"hss_01_0096.xml", + "product_code":"hss", + "code":"144", + "des":"The agent installation paths on servers running the Linux or Windows OS cannot be customized. 
Table 1 describes the default paths.", + "doc_type":"usermanual", + "kw":"What Is the Default Agent Installation Path?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Is the Default Agent Installation Path?", + "githuburl":"" + }, + { + "uri":"hss_01_0116.html", + "node_id":"hss_01_0116.xml", + "product_code":"hss", + "code":"145", + "des":"HSS uses lightweight agents, which occupy only a few resources and do not affect your services.The CPU and memory usage is as follows.A running agent occupies a maximum o", + "doc_type":"usermanual", + "kw":"How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?,Agent FAQs,User ", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?", + "githuburl":"" + }, + { + "uri":"hss_01_0195.html", + "node_id":"hss_01_0195.xml", + "product_code":"hss", + "code":"146", + "des":"Yes.All HSS editions can use the same agent installed on a server.", + "doc_type":"usermanual", + "kw":"Do WTP and HSS Use the Same Agent?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Do WTP and HSS Use the Same Agent?", + "githuburl":"" + }, + { + "uri":"hss_01_0007.html", + "node_id":"hss_01_0007.xml", + "product_code":"hss", + "code":"147", + "des":"Possible agent statuses are:Not installed: The agent has not been installed or successfully started.Online: The agent is running properly.Offline: The communication betwe", + "doc_type":"usermanual", + "kw":"How Do I View Servers Where No Agents Have Been Installed?,Agent FAQs,User Guide", + 
"search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I View Servers Where No Agents Have Been Installed?", + "githuburl":"" + }, + { + "uri":"hss_01_0394.html", + "node_id":"hss_01_0394.xml", + "product_code":"hss", + "code":"148", + "des":"On a server, you only need to install the agent once.After the installation, you are advised to restart the servers before enabling HSS and binding quotas.Now both the HS", + "doc_type":"usermanual", + "kw":"What Can I Do If the Agent Status Is Still \"Not installed\" After Installation?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Can I Do If the Agent Status Is Still \"Not installed\" After Installation?", + "githuburl":"" + }, + { + "uri":"hss_01_0409.html", + "node_id":"hss_01_0409.xml", + "product_code":"hss", + "code":"149", + "des":"Servers are displayed on both the old and new console of HSS, regardless of whether their agents have been upgraded. The server statuses are properly displayed on the con", + "doc_type":"usermanual", + "kw":"What Do I Do If the Upgrade Fails?,Agent FAQs,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If the Upgrade Fails?", + "githuburl":"" + }, + { + "uri":"hss_01_0038.html", + "node_id":"hss_01_0038.xml", + "product_code":"hss", + "code":"150", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Brute-force Attack Defense", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Brute-force Attack Defense", + "githuburl":"" + }, + { + "uri":"hss_01_0008.html", + "node_id":"hss_01_0008.xml", + "product_code":"hss", + "code":"151", + "des":"HSS can detect the following types of brute force attacks:Windows: SqlServer (automatic interception is not supported currently) and RdpLinux: MySQL, vfstp, and SSHIf MyS", + "doc_type":"usermanual", + "kw":"How Does HSS Intercept Brute Force Attacks?,Brute-force Attack Defense,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Does HSS Intercept Brute Force Attacks?", + "githuburl":"" + }, + { + "uri":"hss_01_0183.html", + "node_id":"hss_01_0183.xml", + "product_code":"hss", + "code":"152", + "des":"If a brute-force attack succeeded, take immediate measures to prevent attackers from further actions, such as breaching data, performing DDoS attacks, or implanting ranso", + "doc_type":"usermanual", + "kw":"How Do I Handle a Brute-force Attack Alarm?,Brute-force Attack Defense,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Handle a Brute-force Attack Alarm?", + "githuburl":"" + }, + { + "uri":"hss_01_0256.html", + "node_id":"hss_01_0256.xml", + "product_code":"hss", + "code":"153", + "des":"Intruders who cracked server accounts can exploit permissions to steal or tamper with data on servers, interrupting enterprise services and causing great loss.Configure t", + 
"doc_type":"usermanual", + "kw":"How Do I Defend Against Brute-force Attacks?,Brute-force Attack Defense,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Defend Against Brute-force Attacks?", + "githuburl":"" + }, + { + "uri":"hss_01_0097.html", + "node_id":"hss_01_0097.xml", + "product_code":"hss", + "code":"154", + "des":"The SSHD service in the host system does not depend on libwrap.so.As a free software library, libwrap implements the universal TCP Wrapper function. Any daemon that conta", + "doc_type":"usermanual", + "kw":"What Do I Do If the Account Cracking Prevention Function Does Not Take Effect on Some Accounts for L", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If the Account Cracking Prevention Function Does Not Take Effect on Some Accounts for Linux Servers?", + "githuburl":"" + }, + { + "uri":"hss_01_0287.html", + "node_id":"hss_01_0287.xml", + "product_code":"hss", + "code":"155", + "des":"HSS will block an IP address if it has five or more brute-force attack attempts detected within 30 seconds, or 15 or more brute-force attack attempts detected within 3600", + "doc_type":"usermanual", + "kw":"How Do I Unblock an IP Address?,Brute-force Attack Defense,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Unblock an IP Address?", + "githuburl":"" + }, + { + "uri":"hss_01_0418.html", + "node_id":"hss_01_0418.xml", + "product_code":"hss", + "code":"156", + "des":"An alarm indicates that an attack was detected. It does not mean your cloud servers have been intruded. 
If you receive an alarm, handle it and take countermeasures in a t", + "doc_type":"usermanual", + "kw":"What Do I Do If HSS Frequently Reports Brute-force Alarms?,Brute-force Attack Defense,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If HSS Frequently Reports Brute-force Alarms?", + "githuburl":"" + }, + { + "uri":"hss_01_0512.html", + "node_id":"hss_01_0512.xml", + "product_code":"hss", + "code":"157", + "des":"The remote port of a server has been changed, but the brute-force attack records still displays the old port.The remote port configuration is synchronized to HSS through ", + "doc_type":"usermanual", + "kw":"What Do I Do If My Remote Server Port Is Not Updated in Brute-force Attack Records?,Brute-force Atta", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If My Remote Server Port Is Not Updated in Brute-force Attack Records?", + "githuburl":"" + }, + { + "uri":"hss_01_0196.html", + "node_id":"hss_01_0196.xml", + "product_code":"hss", + "code":"158", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Weak Passwords and Unsafe Accounts", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Weak Passwords and Unsafe Accounts", + "githuburl":"" + }, + { + "uri":"hss_01_0197.html", + "node_id":"hss_01_0197.xml", + "product_code":"hss", + "code":"159", + "des":"Servers using weak passwords are exposed to intrusions. 
If a weak password alarm is reported, you are advised to change the alarmed password immediately.If simple passwor", + "doc_type":"usermanual", + "kw":"How Do I Handle a Weak Password Alarm?,Weak Passwords and Unsafe Accounts,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Handle a Weak Password Alarm?", + "githuburl":"" + }, + { + "uri":"hss_01_0166.html", + "node_id":"hss_01_0166.xml", + "product_code":"hss", + "code":"160", + "des":"Comply with the following rules:Use a password with high complexity.The password must meet the following requirements:Contains at least eight characters.Contain at least ", + "doc_type":"usermanual", + "kw":"How Do I Set a Secure Password?,Weak Passwords and Unsafe Accounts,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Set a Secure Password?", + "githuburl":"" + }, + { + "uri":"hss_01_0274.html", + "node_id":"hss_01_0274.xml", + "product_code":"hss", + "code":"161", + "des":"If you have enhanced passwords before disabling the weak password policy, the weak password alarm will not be reported again.If you do not enhance passwords before disabl", + "doc_type":"usermanual", + "kw":"Why Are the Weak Password Alarms Still Reported After the Weak Password Policy Is Disabled?,Weak Pas", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Are the Weak Password Alarms Still Reported After the Weak Password Policy Is Disabled?", + "githuburl":"" + }, + { + "uri":"hss_01_0164.html", + "node_id":"hss_01_0164.xml", + "product_code":"hss", + "code":"162", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get 
started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Intrusions", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Intrusions", + "githuburl":"" + }, + { + "uri":"hss_01_0206.html", + "node_id":"hss_01_0206.xml", + "product_code":"hss", + "code":"163", + "des":"Take immediate measures to contain the attack, preventing miners from occupying CPU or affecting other applications. If a server is intruded by a mining program, the mini", + "doc_type":"usermanual", + "kw":"What Do I Do If My Servers Are Subjected to a Mining Attack?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If My Servers Are Subjected to a Mining Attack?", + "githuburl":"" + }, + { + "uri":"hss_01_0207.html", + "node_id":"hss_01_0207.xml", + "product_code":"hss", + "code":"164", + "des":"After you add a process to the whitelist, it will no longer trigger certain alarms, but its isolation will not be automatically canceled.Choose Installation & Configurati", + "doc_type":"usermanual", + "kw":"Why a Process Is Still Isolated After It Was Whitelisted?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why a Process Is Still Isolated After It Was Whitelisted?", + "githuburl":"" + }, + { + "uri":"hss_01_0243.html", + "node_id":"hss_01_0243.xml", + "product_code":"hss", + "code":"165", + "des":"You are advised to:Back up data and disable unnecessary ports.Set a stronger server password.Enable HSS. 
Your servers will be protected from mining processes by its intru", + "doc_type":"usermanual", + "kw":"What Do I Do If a Mining Process Is Detected on a Server?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If a Mining Process Is Detected on a Server?", + "githuburl":"" + }, + { + "uri":"hss_01_0193.html", + "node_id":"hss_01_0193.xml", + "product_code":"hss", + "code":"166", + "des":"Intrusions to your servers before HSS is enabled cannot be detected.If you have applied for HSS, remember to enable it to detect intrusions.Web attacks cannot be detected", + "doc_type":"usermanual", + "kw":"Why Some Attacks on Servers Are Not Detected?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Some Attacks on Servers Are Not Detected?", + "githuburl":"" + }, + { + "uri":"hss_01_0013.html", + "node_id":"hss_01_0013.xml", + "product_code":"hss", + "code":"167", + "des":"Whether you can unblock an IP address depends on why it was blocked. 
An IP address will be blocked if it is regarded as the source of a brute-force attack, listed in the ", + "doc_type":"usermanual", + "kw":"Can I Unblock an IP Address Blocked by HSS, and How?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Can I Unblock an IP Address Blocked by HSS, and How?", + "githuburl":"" + }, + { + "uri":"hss_01_0204.html", + "node_id":"hss_01_0204.xml", + "product_code":"hss", + "code":"168", + "des":"If a blocked IP address does not perform brute-force attacks in the next 12 hours, the IP address will be automatically unblocked.", + "doc_type":"usermanual", + "kw":"Why a Blocked IP Address Is Automatically Unblocked?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why a Blocked IP Address Is Automatically Unblocked?", + "githuburl":"" + }, + { + "uri":"hss_01_0427.html", + "node_id":"hss_01_0427.xml", + "product_code":"hss", + "code":"169", + "des":"Detection period: real-time detectionIsolation and killing period:If you have enabled automatic isolation and killing, the system will scan and kill viruses in real time.", + "doc_type":"usermanual", + "kw":"How Often Does HSS Detect, Isolate, and Kill Malicious Programs?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Often Does HSS Detect, Isolate, and Kill Malicious Programs?", + "githuburl":"" + }, + { + "uri":"hss_01_0429.html", + "node_id":"hss_01_0429.xml", + "product_code":"hss", + "code":"170", + "des":"Check whether the blocked IP address is a malicious IP address or a normal one.If it is normal, add it to the whitelist.If it is malicious, no further 
operations are requ", + "doc_type":"usermanual", + "kw":"What Do I Do If an IP Address Is Blocked by HSS?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If an IP Address Is Blocked by HSS?", + "githuburl":"" + }, + { + "uri":"hss_01_0430.html", + "node_id":"hss_01_0430.xml", + "product_code":"hss", + "code":"171", + "des":"Generally, ransomware is spread through Trojan implantation, emails, files, vulnerabilities, bundles, and storage media.To defend against ransomware intrusions, prevent b", + "doc_type":"usermanual", + "kw":"How Do I Defend Against Ransomware Attacks?,Intrusions,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Defend Against Ransomware Attacks?", + "githuburl":"" + }, + { + "uri":"hss_01_0188.html", + "node_id":"hss_01_0188.xml", + "product_code":"hss", + "code":"172", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Abnormal Logins", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Abnormal Logins", + "githuburl":"" + }, + { + "uri":"hss_01_0189.html", + "node_id":"hss_01_0189.xml", + "product_code":"hss", + "code":"173", + "des":"Even whitelisted IP addresses can certain trigger alarms. 
The SSH login IP address whitelist, Login Whitelist, and remote login functions focus on different aspects of se", + "doc_type":"usermanual", + "kw":"Why Do I Still Receive Remote Login Alarms After Configuring the Login IP Whitelist?,Abnormal Logins", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Do I Still Receive Remote Login Alarms After Configuring the Login IP Whitelist?", + "githuburl":"" + }, + { + "uri":"hss_01_0091.html", + "node_id":"hss_01_0091.xml", + "product_code":"hss", + "code":"174", + "des":"The remote login detection function checks for remote logins into your servers in real time. HSS generates an alarm if it detects logins from locations other than the com", + "doc_type":"usermanual", + "kw":"How Do I Check the User IP address of a Remote Login?,Abnormal Logins,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Check the User IP address of a Remote Login?", + "githuburl":"" + }, + { + "uri":"hss_01_0113.html", + "node_id":"hss_01_0113.xml", + "product_code":"hss", + "code":"175", + "des":"If you select Successful Logins in the Real-Time Alarm Notifications area, HSS will send alarms when detecting any successful logins.If all the accounts on your ECSs are ", + "doc_type":"usermanual", + "kw":"What Can I Do If an Alarm Indicating Successful Login Is Reported?,Abnormal Logins,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Can I Do If an Alarm Indicating Successful Login Is Reported?", + "githuburl":"" + }, + { + "uri":"hss_01_0120.html", + "node_id":"hss_01_0120.xml", + "product_code":"hss", + "code":"176", + "des":"No.If you do not want to 
receive remote login alarm notifications, add alarmed locations as common login locations, or deselect the remote login attempt item in alarm not", + "doc_type":"usermanual", + "kw":"Can I Disable Remote Login Detection?,Abnormal Logins,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Can I Disable Remote Login Detection?", + "githuburl":"" + }, + { + "uri":"hss_01_0192.html", + "node_id":"hss_01_0192.xml", + "product_code":"hss", + "code":"177", + "des":"If you have enabled alarm notifications for intrusion detection, you will be notified immediately when an account is cracked or may be cracked.You can also check whether ", + "doc_type":"usermanual", + "kw":"How Do I Know Whether an Intrusion Succeeded?,Abnormal Logins,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Know Whether an Intrusion Succeeded?", + "githuburl":"" + }, + { + "uri":"hss_01_0165.html", + "node_id":"hss_01_0165.xml", + "product_code":"hss", + "code":"178", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Unsafe Settings", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Unsafe Settings", + "githuburl":"" + }, + { + "uri":"hss_01_0043.html", + "node_id":"hss_01_0043.xml", + "product_code":"hss", + "code":"179", + "des":"Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.For Debian or Ubuntu, run the apt-get install libp", + "doc_type":"usermanual", + "kw":"How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?,Unsafe Settings,Us", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?", + "githuburl":"" + }, + { + "uri":"hss_01_0095.html", + "node_id":"hss_01_0095.xml", + "product_code":"hss", + "code":"180", + "des":"A proper password complexity policy would be: eight characters for the length of a password and at least three types of the following characters used: uppercase letters, ", + "doc_type":"usermanual", + "kw":"How Do I Set a Proper Password Complexity Policy in a Windows OS?,Unsafe Settings,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Set a Proper Password Complexity Policy in a Windows OS?", + "githuburl":"" + }, + { + "uri":"hss_01_0198.html", + "node_id":"hss_01_0198.xml", + "product_code":"hss", + "code":"181", + "des":"HSS automatically performs a configuration detection for servers. 
You can repair unsafe configuration items or ignore the configuration items you trust based on the detec", + "doc_type":"usermanual", + "kw":"How Do I Handle Unsafe Configurations?,Unsafe Settings,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Handle Unsafe Configurations?", + "githuburl":"" + }, + { + "uri":"hss_01_0149.html", + "node_id":"hss_01_0149.xml", + "product_code":"hss", + "code":"182", + "des":"You can view the configuration check details online.", + "doc_type":"usermanual", + "kw":"How Do I View Configuration Check Reports?,Unsafe Settings,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I View Configuration Check Reports?", + "githuburl":"" + }, + { + "uri":"hss_01_0246.html", + "node_id":"hss_01_0246.xml", + "product_code":"hss", + "code":"183", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Vulnerability Management", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Vulnerability Management", + "githuburl":"" + }, + { + "uri":"hss_01_0209.html", + "node_id":"hss_01_0209.xml", + "product_code":"hss", + "code":"184", + "des":"Restart the Windows OS after you fix its vulnerabilities.Restart the Linux OS after you fix its kernel vulnerabilities.", + "doc_type":"usermanual", + "kw":"How Do I Fix Vulnerabilities?,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Fix Vulnerabilities?", + "githuburl":"" + }, + { + "uri":"hss_01_0176.html", + "node_id":"hss_01_0176.xml", + "product_code":"hss", + "code":"185", + "des":"Perform the following operations to locate the cause and fix the problems.For more information, see the section \"Handling Vulnerabilities\".No yum sources have been config", + "doc_type":"usermanual", + "kw":"What Do I Do If an Alarm Still Exists After I Fixed a Vulnerability?,Vulnerability Management,User G", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Do I Do If an Alarm Still Exists After I Fixed a Vulnerability?", + "githuburl":"" + }, + { + "uri":"hss_01_0247.html", + "node_id":"hss_01_0247.xml", + "product_code":"hss", + "code":"186", + "des":"The vulnerability list displays vulnerabilities detected in the last seven days. 
After a vulnerability is detected for a server, if you change the server name and do not ", + "doc_type":"usermanual", + "kw":"Why a Server Displayed in Vulnerability Information Does Not Exist?,Vulnerability Management,User Gu", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why a Server Displayed in Vulnerability Information Does Not Exist?", + "githuburl":"" + }, + { + "uri":"hss_01_0114.html", + "node_id":"hss_01_0114.xml", + "product_code":"hss", + "code":"187", + "des":"After you fixed Windows OS vulnerabilities or Linux kernel vulnerabilities, you need to restart servers for the fix to take effect, or HSS will continue to warn you of th", + "doc_type":"usermanual", + "kw":"Do I Need to Restart a Server After Fixing its Vulnerabilities?,Vulnerability Management,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Do I Need to Restart a Server After Fixing its Vulnerabilities?", + "githuburl":"" + }, + { + "uri":"hss_01_0250.html", + "node_id":"hss_01_0250.xml", + "product_code":"hss", + "code":"188", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Web Tamper Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Web Tamper Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0199.html", + "node_id":"hss_01_0199.xml", + "product_code":"hss", + "code":"189", + "des":"WTP protects files in directories. 
If no directories are specified, WTP cannot take effect even if it is enabled.", + "doc_type":"usermanual", + "kw":"Why Do I Need to Add a Protected Directory?,Web Tamper Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Do I Need to Add a Protected Directory?", + "githuburl":"" + }, + { + "uri":"hss_01_0185.html", + "node_id":"hss_01_0185.xml", + "product_code":"hss", + "code":"190", + "des":"If you need to modify files in the protected directory, stop protection for the protected directory first.After the files are modified, resume protection for the director", + "doc_type":"usermanual", + "kw":"How Do I Modify a Protected Directory?,Web Tamper Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Modify a Protected Directory?", + "githuburl":"" + }, + { + "uri":"hss_01_0202.html", + "node_id":"hss_01_0202.xml", + "product_code":"hss", + "code":"191", + "des":"The causes of this problem vary by scenarios.SymptomThe agent status is Offline or Not installed in the server list on the Web Tamper Protection page.The agent status is ", + "doc_type":"usermanual", + "kw":"What Should I Do If WTP Cannot Be Enabled?,Web Tamper Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Should I Do If WTP Cannot Be Enabled?", + "githuburl":"" + }, + { + "uri":"hss_01_0255.html", + "node_id":"hss_01_0255.xml", + "product_code":"hss", + "code":"192", + "des":"Protected directories are read-only. 
To modify files or update the website, perform any of the following operations.Disable WTP while you modify files in protected direct", + "doc_type":"usermanual", + "kw":"How Do I Modify a File After WTP Is Enabled?,Web Tamper Protection,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Modify a File After WTP Is Enabled?", + "githuburl":"" + }, + { + "uri":"hss_01_0014.html", + "node_id":"hss_01_0014.xml", + "product_code":"hss", + "code":"193", + "des":"Dynamic WTP protects your Tomcat applications.For this function to take effect, ensure that:There are Tomcat applications running on your servers.Your servers run the Lin", + "doc_type":"usermanual", + "kw":"What Can I Do If I Enabled Dynamic WTP But Its Status Is Enabled but not in effect?,Web Tamper Prote", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Can I Do If I Enabled Dynamic WTP But Its Status Is Enabled but not in effect?", + "githuburl":"" + }, + { + "uri":"hss_01_0017.html", + "node_id":"hss_01_0017.xml", + "product_code":"hss", + "code":"194", + "des":"The web tamper protection function of HSS monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites fro", + "doc_type":"usermanual", + "kw":"What Are the Differences Between the Web Tamper Protection Functions of HSS and WAF?,Web Tamper Prot", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Are the Differences Between the Web Tamper Protection Functions of HSS and WAF?", + "githuburl":"" + }, + { + "uri":"hss_01_0323.html", + "node_id":"hss_01_0323.xml", + "product_code":"hss", + "code":"195", + 
"des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Container Guard Service", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Container Guard Service", + "githuburl":"" + }, + { + "uri":"hss_01_0325.html", + "node_id":"hss_01_0325.xml", + "product_code":"hss", + "code":"196", + "des":"Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.If your servers are managed by enterprise ", + "doc_type":"usermanual", + "kw":"How Do I Disable Node Protection?,Container Guard Service,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Disable Node Protection?", + "githuburl":"" + }, + { + "uri":"hss_01_0324.html", + "node_id":"hss_01_0324.xml", + "product_code":"hss", + "code":"197", + "des":"When you enable node protection, the system automatically installs the CGS plug-in on the node.An HSS quota protects one cluster node.", + "doc_type":"usermanual", + "kw":"How Do I Enable Node Protection?,Container Guard Service,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Enable Node Protection?", + "githuburl":"" + }, + { + "uri":"hss_01_0404.html", + "node_id":"hss_01_0404.xml", + "product_code":"hss", + "code":"198", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Ransomware Protection", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Ransomware Protection", + "githuburl":"" + }, + { + "uri":"hss_01_0405.html", + "node_id":"hss_01_0405.xml", + "product_code":"hss", + "code":"199", + "des":"The backup mechanism of ransomware protection inherits that of CBR (Cloud Backup and Restoration). Backup files of ransomware protection can be centrally managed and view", + "doc_type":"usermanual", + "kw":"What Are the Differences Between Ransomware Protection Backup and Cloud Backup?,Ransomware Protectio", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Are the Differences Between Ransomware Protection Backup and Cloud Backup?", + "githuburl":"" + }, + { + "uri":"hss_01_0426.html", + "node_id":"hss_01_0426.xml", + "product_code":"hss", + "code":"200", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Security Configurations", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Security Configurations", + "githuburl":"" + }, + { + "uri":"hss_01_0436.html", + "node_id":"hss_01_0436.xml", + "product_code":"hss", + "code":"201", + "des":"You can log in to a server via the console but not via SSH.A server will be blocked if it is regarded as a suspicious server performing brute-force attacks (for example, ", + "doc_type":"usermanual", + "kw":"What Can I Do If I Cannot Remotely Log In to a Server via SSH?,Security Configurations,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"What Can I Do If I Cannot Remotely Log In to a Server via SSH?", + "githuburl":"" + }, + { + "uri":"hss_01_0437.html", + "node_id":"hss_01_0437.xml", + "product_code":"hss", + "code":"202", + "des":"This FAQ shows you how to use 2FA.Logging in to a Linux serverUse PuTTY or Xshell to log in to your server.Select Keyboard Interactive and enter the user identity informa", + "doc_type":"usermanual", + "kw":"2FA,How Do I Use 2FA?,Security Configurations,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Use 2FA?", + "githuburl":"" + }, + { + "uri":"hss_01_0439.html", + "node_id":"hss_01_0439.xml", + "product_code":"hss", + "code":"203", + "des":"The two-factor authentication function does not take effect immediately after being enabled.Wait for 5 minutes and try again.Wait for 5 minutes and try again.To enable tw", + "doc_type":"usermanual", 
+ "kw":"Why Can't I Receive a Verification Code After 2FA Is Enabled?,Security Configurations,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Can't I Receive a Verification Code After 2FA Is Enabled?", + "githuburl":"" + }, + { + "uri":"hss_01_0440.html", + "node_id":"hss_01_0440.xml", + "product_code":"hss", + "code":"204", + "des":"The login failed probably because file configurations or the login mode was incorrect.Check whether the configuration file is correct.Configuration file path: /etc/ssh/ss", + "doc_type":"usermanual", + "kw":"Why Does My Login Fail After I Enable 2FA?,Security Configurations,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Why Does My Login Fail After I Enable 2FA?", + "githuburl":"" + }, + { + "uri":"hss_01_0441.html", + "node_id":"hss_01_0441.xml", + "product_code":"hss", + "code":"205", + "des":"You can set your mobile phone number only if you have selected SMS/Email for Method. 
Set your mobile phone number in the SMN topic you choose.In the SMN Topic drop-down l", + "doc_type":"usermanual", + "kw":"How Do I Add a Mobile Phone Number or Email Address for Receiving 2FA Verification Notifications?,Se", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Add a Mobile Phone Number or Email Address for Receiving 2FA Verification Notifications?", + "githuburl":"" + }, + { + "uri":"hss_01_0472.html", + "node_id":"hss_01_0472.xml", + "product_code":"hss", + "code":"206", + "des":"Security-Enhanced Linux (SELinux) is a kernel module and security subsystem of Linux.SELinux minimizes the resources that can be accessed by service processes in the syst", + "doc_type":"usermanual", + "kw":"How Do I Disable the SELinux Firewall?,Security Configurations,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Disable the SELinux Firewall?", + "githuburl":"" + }, + { + "uri":"hss_01_0101.html", + "node_id":"hss_01_0101.xml", + "product_code":"hss", + "code":"207", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Others", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Others", + "githuburl":"" + }, + { + "uri":"hss_01_0269.html", + "node_id":"hss_01_0269.xml", + "product_code":"hss", + "code":"208", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"How Do I Use the Windows Remote Desktop Connection Tool to Connect to a Server?,Others,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Use the Windows Remote Desktop Connection Tool to Connect to a Server?", + "githuburl":"" + }, + { + "uri":"hss_01_0099.html", + "node_id":"hss_01_0099.xml", + "product_code":"hss", + "code":"209", + "des":"The following table describes log files and their paths.", + "doc_type":"usermanual", + "kw":"How Do I Check HSS Log Files?,Others,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Check HSS Log Files?", + "githuburl":"" + }, + { + "uri":"hss_01_0103.html", + "node_id":"hss_01_0103.xml", + "product_code":"hss", + "code":"210", + "des":"The account hacking prevention function for Linux supports MySQL 5.6 and 5.7. Perform the following steps to enable logging for login failure:show global variables like '", + "doc_type":"usermanual", + "kw":"How Do I Enable Logging for Login Failures?,Others,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Enable Logging for Login Failures?", + "githuburl":"" + }, + { + "uri":"hss_01_0117.html", + "node_id":"hss_01_0117.xml", + "product_code":"hss", + "code":"211", + "des":"If you are sure the changes on your critical files are safe, you do not need to handle the alarm. 
It will be automatically cleared in seven days.", + "doc_type":"usermanual", + "kw":"How Do I Clear an Alarm on Critical File Changes?,Others,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"How Do I Clear an Alarm on Critical File Changes?", + "githuburl":"" + }, + { + "uri":"hss_01_0417.html", + "node_id":"hss_01_0417.xml", + "product_code":"hss", + "code":"212", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Change History,User Guide", + "search_title":"", + "metedata":[ + { + "opensource":"true", + "prodname":"hss", + "IsBot":"Yes", + "IsMulti":"Yes", + "documenttype":"usermanual" + } + ], + "title":"Change History", + "githuburl":"" + } +] \ No newline at end of file diff --git a/docs/hss/umn/CLASS.TXT.json b/docs/hss/umn/CLASS.TXT.json new file mode 100644 index 00000000..687a0020 --- /dev/null +++ b/docs/hss/umn/CLASS.TXT.json 
@@ -0,0 +1,1910 @@ +[ + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Introduction", + "uri":"hss_01_0042.html", + "doc_type":"usermanual", + "p_code":"", + "code":"1" + }, + { + "desc":"HSS is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It provides host security functions, Container Guard Service (CGS), and Web Tam", + "product_code":"hss", + "title":"What Is HSS?", + "uri":"hss_01_0001.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"2" + }, + { + "desc":"HSS helps you manage and maintain the security of all your servers and reduce common risks.You can check for and fix a range of security issues on a single console, easil", + "product_code":"hss", + "title":"Advantages", + "uri":"hss_01_0002.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"3" + }, + { + "desc":"Centralized security managementWith HSS, you can manage the security configurations and events of all your cloud servers on the console, reducing risks and management cos", + "product_code":"hss", + "title":"Scenarios", + "uri":"hss_01_0226.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"4" + }, + { + "desc":"HSS comes in the enterprise, premium, Web Tamper Protection (WTP), and container editions, providing asset management, vulnerability management, baseline check, intrusion", + "product_code":"hss", + "title":"Editions and Features", + "uri":"hss_01_0590.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"5" + }, + { + "desc":"If you need to assign different permissions to employees in your enterprise to access your HSS resources, IAM is a good choice for fine-grained permissions management. 
IA", + "product_code":"hss", + "title":"HSS Permissions Management", + "uri":"hss_01_0130.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"6" + }, + { + "desc":"Elastic Cloud Server (ECS)HSS can run on Linux servers (such as CentOS and EulerOS) and Windows servers (such as Windows 2012 and Windows 2016).The agent is probably inco", + "product_code":"hss", + "title":"Constraints and Limitations", + "uri":"hss_01_0137.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"7" + }, + { + "desc":"The HSS agent can be installed on ECS.For details about ECS, see the Elastic Cloud Server User Guide.CCE can rapidly build a highly reliable container cluster based on cl", + "product_code":"hss", + "title":"Related Services", + "uri":"hss_01_0015.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"8" + }, + { + "desc":"Account cracking refers to the intruder behavior of guessing or cracking the password of an account.A weak password can be easily cracked.A malicious program, such as a w", + "product_code":"hss", + "title":"Basic Concepts", + "uri":"hss_01_0004.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"9" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Enabling HSS", + "uri":"hss_01_0292.html", + "doc_type":"usermanual", + "p_code":"", + "code":"10" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Installing an Agent", + "uri":"hss_01_0233.html", + "doc_type":"usermanual", + "p_code":"10", + "code":"11" + }, + { + "desc":"To enable workload protection for cloud servers, install the agent first.This topic describes how to install the agent on a server running Linux.CentOS 6.x is no longer u", + "product_code":"hss", + "title":"Installing an Agent on Linux", + "uri":"hss_01_0571.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"12" + }, + { + "desc":"You can enable HSS only after the agent is installed on your servers. This topic describes how to install the agent on a server running a Windows OS. For details about ho", + "product_code":"hss", + "title":"Installing the Agent for Windows", + "uri":"hss_01_0236.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"13" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Enabling Protection", + "uri":"hss_01_0260.html", + "doc_type":"usermanual", + "p_code":"10", + "code":"14" + }, + { + "desc":"Before enabling protection on servers, you need to allocate quota to a specified server. If the protection is disabled or the server is deleted, the quota can be allocate", + "product_code":"hss", + "title":"Enabling the Enterprise, or Premium Edition", + "uri":"hss_01_0230.html", + "doc_type":"usermanual", + "p_code":"14", + "code":"15" + }, + { + "desc":"Before enabling WTP, you need to allocate a quota to a specified server. 
If the service is disabled or the server is deleted, the quota can be allocated to other servers.", + "product_code":"hss", + "title":"Enabling Web Tamper Protection", + "uri":"hss_01_0214.html", + "doc_type":"usermanual", + "p_code":"14", + "code":"16" + }, + { + "desc":"Before enabling protection for a container node, you need to allocate quota to a specified node. If the protection is disabled or the node is deleted, the quota can be al", + "product_code":"hss", + "title":"Enabling Container Protection", + "uri":"hss_01_0293.html", + "doc_type":"usermanual", + "p_code":"14", + "code":"17" + }, + { + "desc":"After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages. Without this functio", + "product_code":"hss", + "title":"Enabling Alarm Notifications", + "uri":"hss_01_0241.html", + "doc_type":"usermanual", + "p_code":"10", + "code":"18" + }, + { + "desc":"After protection is enabled, you can configure the common login locations, common login IP addresses, and the SSH login IP address whitelist. You can also enable automati", + "product_code":"hss", + "title":"Common Security Configuration", + "uri":"hss_01_0051.html", + "doc_type":"usermanual", + "p_code":"10", + "code":"19" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Server Security Dashboard", + "uri":"hss_01_0410.html", + "doc_type":"usermanual", + "p_code":"", + "code":"20" + }, + { + "desc":"On the dashboard page of the HSS console, you can learn the security status and risks of all your servers and containers in real time, including the risk index, risk tren", + "product_code":"hss", + "title":"Risk Statistics", + "uri":"hss_01_0546.html", + "doc_type":"usermanual", + "p_code":"20", + "code":"21" + }, + { + "desc":"Servers that are not protected by HSS are scanned for free. A security report on their vulnerabilities, unsafe passwords, and asset risks will be generated.If you need to", + "product_code":"hss", + "title":"Free Scan on Unprotected Servers", + "uri":"hss_01_0558.html", + "doc_type":"usermanual", + "p_code":"20", + "code":"22" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Asset Management", + "uri":"hss_01_0294.html", + "doc_type":"usermanual", + "p_code":"", + "code":"23" + }, + { + "desc":"You can count all your assets and check their statistics, including the agent status, protection status, quota, account, port, process, software, and auto-started items.S", + "product_code":"hss", + "title":"Asset Management", + "uri":"hss_01_0387.html", + "doc_type":"usermanual", + "p_code":"23", + "code":"24" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Server Fingerprints", + "uri":"hss_01_0463.html", + "doc_type":"usermanual", + "p_code":"23", + "code":"25" + }, + { + "desc":"HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can c", + "product_code":"hss", + "title":"Collecting Server Asset Fingerprints", + "uri":"hss_01_0477.html", + "doc_type":"usermanual", + "p_code":"25", + "code":"26" + }, + { + "desc":"HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can c", + "product_code":"hss", + "title":"Viewing Server Asset Fingerprints", + "uri":"hss_01_0383.html", + "doc_type":"usermanual", + "p_code":"25", + "code":"27" + }, + { + "desc":"HSS proactively records the changes on account information, software information, and auto-started items. You can check the change details according to different dimensio", + "product_code":"hss", + "title":"Viewing the Operation History of Server Assets", + "uri":"hss_01_0384.html", + "doc_type":"usermanual", + "p_code":"25", + "code":"28" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Container Fingerprints", + "uri":"hss_01_0464.html", + "doc_type":"usermanual", + "p_code":"23", + "code":"29" + }, + { + "desc":"HSS can collect container asset fingerprints, including container accounts, ports, and processes. 
You can centrally check container asset information and detect risky ass", + "product_code":"hss", + "title":"Collecting Container Asset Fingerprints", + "uri":"hss_01_0478.html", + "doc_type":"usermanual", + "p_code":"29", + "code":"30" + }, + { + "desc":"HSS can collect container asset fingerprints, including container accounts, ports, and processes. You can centrally check container asset information and detect risky ass", + "product_code":"hss", + "title":"Viewing Container Asset Fingerprints", + "uri":"hss_01_0465.html", + "doc_type":"usermanual", + "p_code":"29", + "code":"31" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Server Management", + "uri":"hss_01_0397.html", + "doc_type":"usermanual", + "p_code":"23", + "code":"32" + }, + { + "desc":"The server list on the Servers page displays the protection status of only the servers used in the selected region.If your servers are managed by enterprise projects, you", + "product_code":"hss", + "title":"Viewing Server Protection Status", + "uri":"hss_01_0003.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"33" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Enabling Protection", + "uri":"hss_01_0377.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"34" + }, + { + "desc":"The professional, enterprise, and premium editions provides different levels of protection for your servers. 
You can apply for and enable them as needed.HSS performs a fu", + "product_code":"hss", + "title":"Enterprise/Premium Edition", + "uri":"hss_01_0396.html", + "doc_type":"usermanual", + "p_code":"34", + "code":"35" + }, + { + "desc":"The WTP edition provides web tamper protection capabilities for your servers.The agent has been installed on the servers to be protected, the agent status is Online, and ", + "product_code":"hss", + "title":"WTP Edition", + "uri":"hss_01_0021.html", + "doc_type":"usermanual", + "p_code":"34", + "code":"36" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Disabling Protection", + "uri":"hss_01_0395.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"37" + }, + { + "desc":"You can disable protection for a server. A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services, but will i", + "product_code":"hss", + "title":"Disabling the Enterprise/Premium Edition", + "uri":"hss_01_0399.html", + "doc_type":"usermanual", + "p_code":"37", + "code":"38" + }, + { + "desc":"You can disable the WTP edition for a server. 
A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services, but w", + "product_code":"hss", + "title":"Disabling WTP", + "uri":"hss_01_0400.html", + "doc_type":"usermanual", + "p_code":"37", + "code":"39" + }, + { + "desc":"This section describes how to export the server protection list to your local PC.The details of up to 1,000 servers can be exported at a time.", + "product_code":"hss", + "title":"Exporting the Server List", + "uri":"hss_01_0573.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"40" + }, + { + "desc":"You can switch the quota edition of a server to the enterprise or premium edition as needed.You can switch to the enterprise or premium edition.The server whose protectio", + "product_code":"hss", + "title":"Switching the HSS Quota Edition", + "uri":"hss_01_0174.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"41" + }, + { + "desc":"You can quickly configure and start server scans by using policy groups. Simply create a group, add policies to it, and apply this group to servers. The agents deployed o", + "product_code":"hss", + "title":"Deploying a Policy", + "uri":"hss_01_0024.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"42" + }, + { + "desc":"To manage servers by group, you can create a server group and add servers to it.You can check the numbers of servers, unsafe servers, and unprotected servers in a group.A", + "product_code":"hss", + "title":"Managing Server Groups", + "uri":"hss_01_0023.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"43" + }, + { + "desc":"By default, HSS considers all servers as general assets. 
You can configure the asset importance levels of servers and manage servers accordingly.Assets are classified int", + "product_code":"hss", + "title":"Servers Importance Management", + "uri":"hss_01_0381.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"44" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Container Management", + "uri":"hss_01_0295.html", + "doc_type":"usermanual", + "p_code":"23", + "code":"45" + }, + { + "desc":"The Container Nodes page displays the protection, node, and Agent status of clusters in Cloud Container Engine (CCE), helping you learn the security status of clusters in", + "product_code":"hss", + "title":"Viewing the Container Node Protection List", + "uri":"hss_01_0296.html", + "doc_type":"usermanual", + "p_code":"45", + "code":"46" + }, + { + "desc":"You can enable the container security edition for your containers.To enable protection for a container node, you need to allocate a quota to the node. If the protection i", + "product_code":"hss", + "title":"Enabling Container Security Protection", + "uri":"hss_01_0398.html", + "doc_type":"usermanual", + "p_code":"45", + "code":"47" + }, + { + "desc":"You can disable the container edition for a server. A quota that has been unbound from a server can be bound to another one.Disabling protection does not affect services,", + "product_code":"hss", + "title":"Disabling Protection for Container Edition", + "uri":"hss_01_0401.html", + "doc_type":"usermanual", + "p_code":"45", + "code":"48" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Container Images", + "uri":"hss_01_0297.html", + "doc_type":"usermanual", + "p_code":"45", + "code":"49" + }, + { + "desc":"You can manually scan local images for vulnerabilities and software information and provides scan reports. This section describes how to perform security scans on local i", + "product_code":"hss", + "title":"Local Images", + "uri":"hss_01_0298.html", + "doc_type":"usermanual", + "p_code":"49", + "code":"50" + }, + { + "desc":"Images in the private image repository come from SWR images. You can manually scan for and check reports on vulnerabilities, malicious files, software information, file i", + "product_code":"hss", + "title":"Managing SWR Private Images", + "uri":"hss_01_0299.html", + "doc_type":"usermanual", + "p_code":"49", + "code":"51" + }, + { + "desc":"The images in the shared image repository are from SWR. You can view details about all shared images.Only the HSS container edition supports this function.Security scans ", + "product_code":"hss", + "title":"Managing SWR Shared Images", + "uri":"hss_01_0088.html", + "doc_type":"usermanual", + "p_code":"49", + "code":"52" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Risk Prevention", + "uri":"hss_01_0025.html", + "doc_type":"usermanual", + "p_code":"", + "code":"53" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Vulnerability Management", + "uri":"hss_01_0140.html", + "doc_type":"usermanual", + "p_code":"53", + "code":"54" + }, + { + "desc":"Vulnerability management can detect Linux, Windows, Web-CMS, and application vulnerabilities and provide suggestions, helping you learn about server vulnerabilities in re", + "product_code":"hss", + "title":"Vulnerability Management Overview", + "uri":"hss_01_0302.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"55" + }, + { + "desc":"HSS can scan for Linux, Windows, Web-CMS, and application vulnerabilities. Automatic, scheduled (vulnerability policy configuration), and manual scans are supported.Autom", + "product_code":"hss", + "title":"Vulnerability Scan", + "uri":"hss_01_0412.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"56" + }, + { + "desc":"You can view vulnerabilities of your assets on the Vulnerabilities page. 
The Vulnerabilities page contains two tabs: Vulnerabilities view and Server view, helping you ana", + "product_code":"hss", + "title":"Viewing Vulnerability Details", + "uri":"hss_01_0063.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"57" + }, + { + "desc":"You can refer to this section to export the vulnerability list.HSS enterprise or later edition has been enabled for the server.The Server Status is Running, Agent Status ", + "product_code":"hss", + "title":"Exporting the vulnerability list", + "uri":"hss_01_0574.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"58" + }, + { + "desc":"If HSS detects a vulnerability on a server, you need to handle the vulnerability in a timely manner based on its severity and your business conditions to prevent the vuln", + "product_code":"hss", + "title":"Handling Vulnerabilities", + "uri":"hss_01_0141.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"59" + }, + { + "desc":"If you evaluate that some vulnerabilities do not affect your services and do not want to view the vulnerabilities in the vulnerability list, you can whitelist the vulnera", + "product_code":"hss", + "title":"Managing the Vulnerability Whitelist", + "uri":"hss_01_0509.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"60" + }, + { + "desc":"For vulnerabilities that have been handled, you can refer to this section to view the vulnerability handling history (handler and handling time).", + "product_code":"hss", + "title":"Viewing Vulnerability Handling History", + "uri":"hss_01_0503.html", + "doc_type":"usermanual", + "p_code":"54", + "code":"61" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Baseline Inspection", + "uri":"hss_01_0145.html", + "doc_type":"usermanual", + "p_code":"53", + "code":"62" + }, + { + "desc":"Baseline Inspection includes password complexity policy detection, common weak password detection, and configuration check. It can detect insecure password configurations", + "product_code":"hss", + "title":"Baseline Inspection Overview", + "uri":"hss_01_0303.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"63" + }, + { + "desc":"The baseline check supports automatic and manual baseline checks.Automatic baseline check: checks server configurations and common weak passwords.Manual baseline check: T", + "product_code":"hss", + "title":"Performing Baseline Inspection", + "uri":"hss_01_0146.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"64" + }, + { + "desc":"This topic provides suggestions on how to fix baseline configuration risks on the server.Only enterprise edition, premium edition, web tamper protection edition, and cont", + "product_code":"hss", + "title":"Viewing and Processing Baseline Check Results", + "uri":"hss_01_0147.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"65" + }, + { + "desc":"This section describes how to export a baseline check report.Only enterprise edition, premium edition, web tamper protection edition, and container edition are supported.", + "product_code":"hss", + "title":"Exporting the Baseline Check Report", + "uri":"hss_01_0597.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"66" + }, + { + "desc":"This section describes how to modify a created manual baseline check policy.If you select Linux for OS, you can select any checks included in Baseline and edit rules. 
Thi", + "product_code":"hss", + "title":"Managing Manual Baseline Check Policies", + "uri":"hss_01_0393.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"67" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Container Image Security", + "uri":"hss_01_0304.html", + "doc_type":"usermanual", + "p_code":"53", + "code":"68" + }, + { + "desc":"This section describes how to check the vulnerabilities on the private image and determine whether to ignore the vulnerabilities.Container node protection has been enable", + "product_code":"hss", + "title":"Image Vulnerabilities", + "uri":"hss_01_0305.html", + "doc_type":"usermanual", + "p_code":"68", + "code":"69" + }, + { + "desc":"Malicious files in the private images can be automatically detected, helping you discover and eliminate the security threats in your assets.A comprehensive check is autom", + "product_code":"hss", + "title":"Viewing Malicious File Detection Results", + "uri":"hss_01_0306.html", + "doc_type":"usermanual", + "p_code":"68", + "code":"70" + }, + { + "desc":"Your private image repository is scanned for unsafe configurations and provides suggestions for modifying the configurations, helping you fight intrusions and meet compli", + "product_code":"hss", + "title":"Image Baseline Check", + "uri":"hss_01_0307.html", + "doc_type":"usermanual", + "p_code":"68", + "code":"71" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Prevention", + "uri":"hss_01_0142.html", + "doc_type":"usermanual", + "p_code":"", + "code":"72" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Application Protection", + "uri":"hss_01_0388.html", + "doc_type":"usermanual", + "p_code":"72", + "code":"73" + }, + { + "desc":"You have enabled HSS premium, WTP, or container edition.Currently, only Linux servers are supported.So far, only Java applications can be protected.The premium, WTP, and ", + "product_code":"hss", + "title":"Enabling Application Protection", + "uri":"hss_01_0390.html", + "doc_type":"usermanual", + "p_code":"73", + "code":"74" + }, + { + "desc":"To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.Probes (monitoring and protection code) are adde", + "product_code":"hss", + "title":"Viewing Application Protection", + "uri":"hss_01_0389.html", + "doc_type":"usermanual", + "p_code":"73", + "code":"75" + }, + { + "desc":"You can add, edit, and delete application protection policies, and select and configure detection rules for the policies.Currently, only Linux servers are supported.So fa", + "product_code":"hss", + "title":"Managing Application Protection Policies", + "uri":"hss_01_0459.html", + "doc_type":"usermanual", + "p_code":"73", + "code":"76" + }, + { + "desc":"This section describes how to disable application protection.If your servers are managed by enterprise projects, you can select an enterprise project to view or operate t", + "product_code":"hss", + "title":"Disabling Application 
Protection", + "uri":"hss_01_0392.html", + "doc_type":"usermanual", + "p_code":"73", + "code":"77" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"WTP", + "uri":"hss_01_0153.html", + "doc_type":"usermanual", + "p_code":"72", + "code":"78" + }, + { + "desc":"WTP monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites from Trojans, illegal links, and tamperin", + "product_code":"hss", + "title":"Adding a Protected Directory", + "uri":"hss_01_0216.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"79" + }, + { + "desc":"By default, HSS backs up the files from the protected directories (excluding specified subdirectories and file types) to the local backup directory you specified when add", + "product_code":"hss", + "title":"Configuring Remote Backup", + "uri":"hss_01_0106.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"80" + }, + { + "desc":"If WTP is enabled, the content in the protected directories is read-only. 
To allow certain processes to modify files in the directories, add them to the privileged proces", + "product_code":"hss", + "title":"Adding a Privileged Process", + "uri":"hss_01_0466.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"81" + }, + { + "desc":"You can schedule WTP protection to allow website updates in specific periods.Exercise caution when you set the periods to disable WTP, because files will not be protected", + "product_code":"hss", + "title":"Enabling/Disabling Scheduled Static WTP", + "uri":"hss_01_0217.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"82" + }, + { + "desc":"Dynamic WTP protects your web pages while Tomcat applications are running, and can detect tampering of dynamic data, such as database data. It can be enabled with static ", + "product_code":"hss", + "title":"Enabling Dynamic WTP", + "uri":"hss_01_0218.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"83" + }, + { + "desc":"Once WTP is enabled, HSS will comprehensively check protected directories you specified. You can check records about detected tampering attacks.Only the servers that are ", + "product_code":"hss", + "title":"Viewing WTP Reports", + "uri":"hss_01_0576.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"84" + }, + { + "desc":"Once static WTP is enabled, the HSS service will comprehensively check protected directories you specified. You can check records about detected tampering of host protect", + "product_code":"hss", + "title":"Viewing WTP Events", + "uri":"hss_01_0087.html", + "doc_type":"usermanual", + "p_code":"78", + "code":"85" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Ransomware Prevention", + "uri":"hss_01_0346.html", + "doc_type":"usermanual", + "p_code":"72", + "code":"86" + }, + { + "desc":"You have enabled HSS premium, WTP, or container edition.Only premium, WTP, and container editions support ransomware protection.If your servers are managed by enterprise ", + "product_code":"hss", + "title":"Enabling Ransomware Prevention", + "uri":"hss_01_0348.html", + "doc_type":"usermanual", + "p_code":"86", + "code":"87" + }, + { + "desc":"You have enabled HSS premium, WTP, or container edition.After ransomware protection is enabled, you need to handle ransomware alarms and fix the vulnerabilities in your s", + "product_code":"hss", + "title":"Viewing Ransomware Protection", + "uri":"hss_01_0347.html", + "doc_type":"usermanual", + "p_code":"86", + "code":"88" + }, + { + "desc":"Currently, you can create a ransomware prevention policy only when enabling ransomware prevention.Only premium, WTP, and container editions support ransomware protection.", + "product_code":"hss", + "title":"Managing Ransomware Prevention Policies", + "uri":"hss_01_0349.html", + "doc_type":"usermanual", + "p_code":"86", + "code":"89" + }, + { + "desc":"You can disable ransomware protection as needed. After protection is disabled, your server may be intruded by ransomware. Exercise caution when performing this operation.", + "product_code":"hss", + "title":"Disabling Ransomware Prevention", + "uri":"hss_01_0350.html", + "doc_type":"usermanual", + "p_code":"86", + "code":"90" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"File Integrity Monitoring", + "uri":"hss_01_0360.html", + "doc_type":"usermanual", + "p_code":"72", + "code":"91" + }, + { + "desc":"Check the files in the Linux OS, applications, and other components to detect tampering.Only premium, WTP, and container editions support file integrity-related operation", + "product_code":"hss", + "title":"Viewing File Integrity Management", + "uri":"hss_01_0359.html", + "doc_type":"usermanual", + "p_code":"91", + "code":"92" + }, + { + "desc":"Only premium, WTP, and container editions support file integrity-related operations.", + "product_code":"hss", + "title":"Checking Change Details", + "uri":"hss_01_0361.html", + "doc_type":"usermanual", + "p_code":"91", + "code":"93" + }, + { + "desc":"Only premium, WTP, and container editions support file integrity-related operations.", + "product_code":"hss", + "title":"Checking Modified Files", + "uri":"hss_01_0362.html", + "doc_type":"usermanual", + "p_code":"91", + "code":"94" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Intrusion Detection", + "uri":"hss_01_0030.html", + "doc_type":"usermanual", + "p_code":"", + "code":"95" + }, + { + "desc":"HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You ", + "product_code":"hss", + "title":"Server Alarms", + "uri":"hss_01_0277.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"96" + }, + { + "desc":"The Events page displays the alarm events generated in the last 30 days. 
You can manually handle the alarmed items.The status of a handled event changes from Unhandled to", + "product_code":"hss", + "title":"Viewing Server Alarms", + "uri":"hss_01_0026.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"97" + }, + { + "desc":"The Events page displays the alarms generated in the last 30 days.The status of a handled alarm changes from Unhandled to Handled.To skip the checks on high-risk command ", + "product_code":"hss", + "title":"Handling Server Alarms", + "uri":"hss_01_0413.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"98" + }, + { + "desc":"HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upp", + "product_code":"hss", + "title":"Managing Isolated Files", + "uri":"hss_01_0331.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"99" + }, + { + "desc":"After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. The agents support escape detectio", + "product_code":"hss", + "title":"Container Alarm Events", + "uri":"hss_01_0312.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"100" + }, + { + "desc":"HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of containers with alarms, handl", + "product_code":"hss", + "title":"Viewing Container Alarms", + "uri":"hss_01_0313.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"101" + }, + { + "desc":"HSS displays alarm and event statistics and their summary all on one page. 
You can have a quick overview of alarms, including the numbers of containers with alarms, handl", + "product_code":"hss", + "title":"Handling Container Alarms", + "uri":"hss_01_0414.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"102" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Whitelist Management", + "uri":"hss_01_0367.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"103" + }, + { + "desc":"You can configure the IP addresses of destination servers, login IP addresses, login usernames, and user behaviors in the Login Whitelist.If the destination server IP add", + "product_code":"hss", + "title":"Managing Login Whitelist", + "uri":"hss_01_0029.html", + "doc_type":"usermanual", + "p_code":"103", + "code":"104" + }, + { + "desc":"You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.Whitelisted events will not trigger alarms.On the Alarms page, you ", + "product_code":"hss", + "title":"Managing the Alarm Whitelist", + "uri":"hss_01_0028.html", + "doc_type":"usermanual", + "p_code":"103", + "code":"105" + }, + { + "desc":"HSS generates risky account alarms when non-root users are added to the root user group. You can add the trusted non-root users to the system user whitelist. HSS does not", + "product_code":"hss", + "title":"Managing the System User Whitelist", + "uri":"hss_01_0496.html", + "doc_type":"usermanual", + "p_code":"103", + "code":"106" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Security Operations", + "uri":"hss_01_0041.html", + "doc_type":"usermanual", + "p_code":"", + "code":"107" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Policy Management", + "uri":"hss_01_0314.html", + "doc_type":"usermanual", + "p_code":"107", + "code":"108" + }, + { + "desc":"If policies such as asset collection, baseline check, and intrusion detection do not meet your server protection requirements, you can manage these policies.Table 1 lists", + "product_code":"hss", + "title":"Overview", + "uri":"hss_01_0045.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"109" + }, + { + "desc":"For premium and container editions, you can copy a policy group and customize it as required to meet server security requirements in different application scenarios.If yo", + "product_code":"hss", + "title":"Creating a Policy Group", + "uri":"hss_01_0368.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"110" + }, + { + "desc":"After HSS is enabled, you can configure HSS policies based on your service requirements.The enterprise, premium, WTP, or container edition is enabled.For the default poli", + "product_code":"hss", + "title":"Configuring Policies", + "uri":"hss_01_0044.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"111" + }, + { + "desc":"Preset policy groups cannot be deleted. 
You can delete custom policy groups of premium edition and container edition.After a policy group is deleted, the Policy Group col", + "product_code":"hss", + "title":"Deleting a Policy Group", + "uri":"hss_01_0596.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"112" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Security Report", + "uri":"hss_01_0553.html", + "doc_type":"usermanual", + "p_code":"", + "code":"113" + }, + { + "desc":"You can subscribe to daily, weekly, monthly, and custom reports. The reports show your server security trends and key security events and risks.If you have enabled the en", + "product_code":"hss", + "title":"Checking a Security Report", + "uri":"hss_01_0554.html", + "doc_type":"usermanual", + "p_code":"113", + "code":"114" + }, + { + "desc":"This section provides guidance for you to quickly subscribe to weekly or monthly security reports using preset templates on the console. 
For details about how to customiz", + "product_code":"hss", + "title":"Subscribing to a Security Report", + "uri":"hss_01_0555.html", + "doc_type":"usermanual", + "p_code":"113", + "code":"115" + }, + { + "desc":"If the type and content of the existing report template cannot meet your requirements, you can customize a report.The enterprise, premium, WTP, or container edition is en", + "product_code":"hss", + "title":"Creating a Security Report", + "uri":"hss_01_0556.html", + "doc_type":"usermanual", + "p_code":"113", + "code":"116" + }, + { + "desc":"This section describes how to modify, cancel, or disable a subscribed report.The enterprise, premium, WTP, or container edition is enabled.You can use default security re", + "product_code":"hss", + "title":"Managing Security Reports", + "uri":"hss_01_0557.html", + "doc_type":"usermanual", + "p_code":"113", + "code":"117" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Installation & Configuration", + "uri":"hss_01_0373.html", + "doc_type":"usermanual", + "p_code":"", + "code":"118" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Agent Management", + "uri":"hss_01_0317.html", + "doc_type":"usermanual", + "p_code":"118", + "code":"119" + }, + { + "desc":"You can sort servers, check whether the agent is installed on them, and can install or uninstall the agent. 
On the console, you can find the agent installation instructio", + "product_code":"hss", + "title":"Viewing Agent Status", + "uri":"hss_01_0374.html", + "doc_type":"usermanual", + "p_code":"119", + "code":"120" + }, + { + "desc":"Install the agent on a server. Only then can the server be protected by HSS.If your servers are managed by enterprise projects, you can select an enterprise project to vi", + "product_code":"hss", + "title":"Installing an Agent", + "uri":"hss_01_0570.html", + "doc_type":"usermanual", + "p_code":"119", + "code":"121" + }, + { + "desc":"HSS keeps improving its service capabilities, including but not limited to new features and defect fixes. Please upgrade your agent to the latest version in a timely mann", + "product_code":"hss", + "title":"Upgrading the Agent", + "uri":"hss_01_0462.html", + "doc_type":"usermanual", + "p_code":"119", + "code":"122" + }, + { + "desc":"If you no longer need to use HSS, uninstall the agent by following the instructions provided in this section. If the agent is uninstalled, HSS will stop protecting your s", + "product_code":"hss", + "title":"Uninstalling an Agent", + "uri":"hss_01_0376.html", + "doc_type":"usermanual", + "p_code":"119", + "code":"123" + }, + { + "desc":"You can add common login locations, common IP addresses, and whitelist IP addresses, and enable malicious program isolation and killing to enhance server security.For det", + "product_code":"hss", + "title":"Security Configurations", + "uri":"hss_01_0385.html", + "doc_type":"usermanual", + "p_code":"118", + "code":"124" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Audit", + "uri":"hss_01_0070.html", + "doc_type":"usermanual", + "p_code":"", + "code":"125" + }, + { + "desc":"Cloud Trace Service (CTS) records all operations on HSS, including requests initiated from the management console or open APIs and responses to the requests, for tenants ", + "product_code":"hss", + "title":"HSS Operations Supported by CTS", + "uri":"hss_01_0071.html", + "doc_type":"usermanual", + "p_code":"125", + "code":"126" + }, + { + "desc":"After you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. CTS stores operation records generated in the last seven d", + "product_code":"hss", + "title":"Querying Real-Time Traces", + "uri":"hss_01_0603.html", + "doc_type":"usermanual", + "p_code":"125", + "code":"127" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Permissions Management", + "uri":"hss_01_0131.html", + "doc_type":"usermanual", + "p_code":"", + "code":"128" + }, + { + "desc":"This section describes IAM's fine-grained permissions management for your HSS resources. 
With IAM, you can:Create IAM users for employees based on the organizational stru", + "product_code":"hss", + "title":"Creating a User and Granting Permissions", + "uri":"hss_01_0133.html", + "doc_type":"usermanual", + "p_code":"128", + "code":"129" + }, + { + "desc":"Custom policies can be created to supplement the system-defined policies of HSS.You can create custom policies using one of the following methods:Visual editor: Select cl", + "product_code":"hss", + "title":"HSS Custom Policies", + "uri":"hss_01_0005.html", + "doc_type":"usermanual", + "p_code":"128", + "code":"130" + }, + { + "desc":"This section describes fine-grained permissions management for your HSS instances. If your account does not need individual IAM users, then you may skip over this section", + "product_code":"hss", + "title":"HSS Actions", + "uri":"hss_01_0006.html", + "doc_type":"usermanual", + "p_code":"128", + "code":"131" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"FAQs", + "uri":"hss_01_0032.html", + "doc_type":"usermanual", + "p_code":"", + "code":"132" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"About HSS", + "uri":"hss_01_0258.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"133" + }, + { + "desc":"Host Security Service (HSS) helps you identify and manage the assets on your servers, eliminate risks, and defend against intrusions and web page tampering. 
There are als", + "product_code":"hss", + "title":"What Is Host Security?", + "uri":"hss_01_0033.html", + "doc_type":"usermanual", + "p_code":"133", + "code":"134" + }, + { + "desc":"Container Security Service (CGS) scans vulnerabilities and configuration information in images, helping enterprises detect container risks that cannot be found using conv", + "product_code":"hss", + "title":"What Is Container Security?", + "uri":"hss_01_0318.html", + "doc_type":"usermanual", + "p_code":"133", + "code":"135" + }, + { + "desc":"Web Tamper Protection (WTP) monitors website directories in real time, backs up files, and restores tampered files using the backup. WTP protects your websites from Troja", + "product_code":"hss", + "title":"What Is Web Tamper Protection?", + "uri":"hss_01_0319.html", + "doc_type":"usermanual", + "p_code":"133", + "code":"136" + }, + { + "desc":"An image is a special file system. It provides programs, libraries, resources, configuration files and other files required for a running container. An image also contain", + "product_code":"hss", + "title":"What Are the Relationships Between Images, Containers, and Applications?", + "uri":"hss_01_0320.html", + "doc_type":"usermanual", + "p_code":"133", + "code":"137" + }, + { + "desc":"The HSS agent is used to scan all servers and containers, monitor their status in real time, and collect their information and report to the cloud protection center.The a", + "product_code":"hss", + "title":"What Is the HSS Agent?", + "uri":"hss_01_0245.html", + "doc_type":"usermanual", + "p_code":"133", + "code":"138" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Agent FAQs", + "uri":"hss_01_0321.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"139" + }, + { + "desc":"Yes, it may be in conflict with DenyHosts.Symptom: The IP address of the login host is identified as an attack IP address but can not be unblocked.Cause: HSS and DenyHost", + "product_code":"hss", + "title":"Is the Agent in Conflict with Any Other Security Software?", + "uri":"hss_01_0037.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"140" + }, + { + "desc":"Two uninstallation methods are available: one-click uninstallation and manual local uninstallation.The agent was installed using an incorrect package and you need to unin", + "product_code":"hss", + "title":"How Do I Uninstall the Agent?", + "uri":"hss_01_0119.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"141" + }, + { + "desc":"The agent fails to be installed by running commands. The server list page on the console still indicates that the agent is not installed.The SELinux firewall has not been", + "product_code":"hss", + "title":"What Should I Do If Agent Installation Failed?", + "uri":"hss_01_0069.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"142" + }, + { + "desc":"Your agent is probably abnormal if it is in Not installed or Offline state. Agent statuses and their meaning are as follows:Uninstalled: No agent has been installed on th", + "product_code":"hss", + "title":"How Do I Fix an Abnormal Agent?", + "uri":"hss_01_0036.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"143" + }, + { + "desc":"The agent installation paths on servers running the Linux or Windows OS cannot be customized. 
Table 1 describes the default paths.", + "product_code":"hss", + "title":"What Is the Default Agent Installation Path?", + "uri":"hss_01_0096.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"144" + }, + { + "desc":"HSS uses lightweight agents, which occupy only a few resources and do not affect your services.The CPU and memory usage is as follows.A running agent occupies a maximum o", + "product_code":"hss", + "title":"How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?", + "uri":"hss_01_0116.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"145" + }, + { + "desc":"Yes.All HSS editions can use the same agent installed on a server.", + "product_code":"hss", + "title":"Do WTP and HSS Use the Same Agent?", + "uri":"hss_01_0195.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"146" + }, + { + "desc":"Possible agent statuses are:Not installed: The agent has not been installed or successfully started.Online: The agent is running properly.Offline: The communication betwe", + "product_code":"hss", + "title":"How Do I View Servers Where No Agents Have Been Installed?", + "uri":"hss_01_0007.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"147" + }, + { + "desc":"On a server, you only need to install the agent once.After the installation, you are advised to restart the servers before enabling HSS and binding quotas.Now both the HS", + "product_code":"hss", + "title":"What Can I Do If the Agent Status Is Still \"Not installed\" After Installation?", + "uri":"hss_01_0394.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"148" + }, + { + "desc":"Servers are displayed on both the old and new console of HSS, regardless of whether their agents have been upgraded. 
The server statuses are properly displayed on the con", + "product_code":"hss", + "title":"What Do I Do If the Upgrade Fails?", + "uri":"hss_01_0409.html", + "doc_type":"usermanual", + "p_code":"139", + "code":"149" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Brute-force Attack Defense", + "uri":"hss_01_0038.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"150" + }, + { + "desc":"HSS can detect the following types of brute force attacks:Windows: SqlServer (automatic interception is not supported currently) and RdpLinux: MySQL, vfstp, and SSHIf MyS", + "product_code":"hss", + "title":"How Does HSS Intercept Brute Force Attacks?", + "uri":"hss_01_0008.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"151" + }, + { + "desc":"If a brute-force attack succeeded, take immediate measures to prevent attackers from further actions, such as breaching data, performing DDoS attacks, or implanting ranso", + "product_code":"hss", + "title":"How Do I Handle a Brute-force Attack Alarm?", + "uri":"hss_01_0183.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"152" + }, + { + "desc":"Intruders who cracked server accounts can exploit permissions to steal or tamper with data on servers, interrupting enterprise services and causing great loss.Configure t", + "product_code":"hss", + "title":"How Do I Defend Against Brute-force Attacks?", + "uri":"hss_01_0256.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"153" + }, + { + "desc":"The SSHD service in the host system does not depend on libwrap.so.As a free software library, libwrap implements the universal TCP Wrapper function. 
Any daemon that conta", + "product_code":"hss", + "title":"What Do I Do If the Account Cracking Prevention Function Does Not Take Effect on Some Accounts for Linux Servers?", + "uri":"hss_01_0097.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"154" + }, + { + "desc":"HSS will block an IP address if it has five or more brute-force attack attempts detected within 30 seconds, or 15 or more brute-force attack attempts detected within 3600", + "product_code":"hss", + "title":"How Do I Unblock an IP Address?", + "uri":"hss_01_0287.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"155" + }, + { + "desc":"An alarm indicates that an attack was detected. It does not mean your cloud servers have been intruded. If you receive an alarm, handle it and take countermeasures in a t", + "product_code":"hss", + "title":"What Do I Do If HSS Frequently Reports Brute-force Alarms?", + "uri":"hss_01_0418.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"156" + }, + { + "desc":"The remote port of a server has been changed, but the brute-force attack records still displays the old port.The remote port configuration is synchronized to HSS through ", + "product_code":"hss", + "title":"What Do I Do If My Remote Server Port Is Not Updated in Brute-force Attack Records?", + "uri":"hss_01_0512.html", + "doc_type":"usermanual", + "p_code":"150", + "code":"157" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Weak Passwords and Unsafe Accounts", + "uri":"hss_01_0196.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"158" + }, + { + "desc":"Servers using weak passwords are exposed to intrusions. 
If a weak password alarm is reported, you are advised to change the alarmed password immediately.If simple passwor", + "product_code":"hss", + "title":"How Do I Handle a Weak Password Alarm?", + "uri":"hss_01_0197.html", + "doc_type":"usermanual", + "p_code":"158", + "code":"159" + }, + { + "desc":"Comply with the following rules:Use a password with high complexity.The password must meet the following requirements:Contains at least eight characters.Contain at least ", + "product_code":"hss", + "title":"How Do I Set a Secure Password?", + "uri":"hss_01_0166.html", + "doc_type":"usermanual", + "p_code":"158", + "code":"160" + }, + { + "desc":"If you have enhanced passwords before disabling the weak password policy, the weak password alarm will not be reported again.If you do not enhance passwords before disabl", + "product_code":"hss", + "title":"Why Are the Weak Password Alarms Still Reported After the Weak Password Policy Is Disabled?", + "uri":"hss_01_0274.html", + "doc_type":"usermanual", + "p_code":"158", + "code":"161" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Intrusions", + "uri":"hss_01_0164.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"162" + }, + { + "desc":"Take immediate measures to contain the attack, preventing miners from occupying CPU or affecting other applications. 
If a server is intruded by a mining program, the mini", + "product_code":"hss", + "title":"What Do I Do If My Servers Are Subjected to a Mining Attack?", + "uri":"hss_01_0206.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"163" + }, + { + "desc":"After you add a process to the whitelist, it will no longer trigger certain alarms, but its isolation will not be automatically canceled.Choose Installation & Configurati", + "product_code":"hss", + "title":"Why a Process Is Still Isolated After It Was Whitelisted?", + "uri":"hss_01_0207.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"164" + }, + { + "desc":"You are advised to:Back up data and disable unnecessary ports.Set a stronger server password.Enable HSS. Your servers will be protected from mining processes by its intru", + "product_code":"hss", + "title":"What Do I Do If a Mining Process Is Detected on a Server?", + "uri":"hss_01_0243.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"165" + }, + { + "desc":"Intrusions to your servers before HSS is enabled cannot be detected.If you have applied for HSS, remember to enable it to detect intrusions.Web attacks cannot be detected", + "product_code":"hss", + "title":"Why Some Attacks on Servers Are Not Detected?", + "uri":"hss_01_0193.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"166" + }, + { + "desc":"Whether you can unblock an IP address depends on why it was blocked. 
An IP address will be blocked if it is regarded as the source of a brute-force attack, listed in the ", + "product_code":"hss", + "title":"Can I Unblock an IP Address Blocked by HSS, and How?", + "uri":"hss_01_0013.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"167" + }, + { + "desc":"If a blocked IP address does not perform brute-force attacks in the next 12 hours, the IP address will be automatically unblocked.", + "product_code":"hss", + "title":"Why a Blocked IP Address Is Automatically Unblocked?", + "uri":"hss_01_0204.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"168" + }, + { + "desc":"Detection period: real-time detectionIsolation and killing period:If you have enabled automatic isolation and killing, the system will scan and kill viruses in real time.", + "product_code":"hss", + "title":"How Often Does HSS Detect, Isolate, and Kill Malicious Programs?", + "uri":"hss_01_0427.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"169" + }, + { + "desc":"Check whether the blocked IP address is a malicious IP address or a normal one.If it is normal, add it to the whitelist.If it is malicious, no further operations are requ", + "product_code":"hss", + "title":"What Do I Do If an IP Address Is Blocked by HSS?", + "uri":"hss_01_0429.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"170" + }, + { + "desc":"Generally, ransomware is spread through Trojan implantation, emails, files, vulnerabilities, bundles, and storage media.To defend against ransomware intrusions, prevent b", + "product_code":"hss", + "title":"How Do I Defend Against Ransomware Attacks?", + "uri":"hss_01_0430.html", + "doc_type":"usermanual", + "p_code":"162", + "code":"171" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Abnormal Logins", + "uri":"hss_01_0188.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"172" + }, + { + "desc":"Even whitelisted IP addresses can certain trigger alarms. The SSH login IP address whitelist, Login Whitelist, and remote login functions focus on different aspects of se", + "product_code":"hss", + "title":"Why Do I Still Receive Remote Login Alarms After Configuring the Login IP Whitelist?", + "uri":"hss_01_0189.html", + "doc_type":"usermanual", + "p_code":"172", + "code":"173" + }, + { + "desc":"The remote login detection function checks for remote logins into your servers in real time. HSS generates an alarm if it detects logins from locations other than the com", + "product_code":"hss", + "title":"How Do I Check the User IP address of a Remote Login?", + "uri":"hss_01_0091.html", + "doc_type":"usermanual", + "p_code":"172", + "code":"174" + }, + { + "desc":"If you select Successful Logins in the Real-Time Alarm Notifications area, HSS will send alarms when detecting any successful logins.If all the accounts on your ECSs are ", + "product_code":"hss", + "title":"What Can I Do If an Alarm Indicating Successful Login Is Reported?", + "uri":"hss_01_0113.html", + "doc_type":"usermanual", + "p_code":"172", + "code":"175" + }, + { + "desc":"No.If you do not want to receive remote login alarm notifications, add alarmed locations as common login locations, or deselect the remote login attempt item in alarm not", + "product_code":"hss", + "title":"Can I Disable Remote Login Detection?", + "uri":"hss_01_0120.html", + "doc_type":"usermanual", + "p_code":"172", + "code":"176" + }, + { + "desc":"If you have enabled alarm notifications for intrusion detection, you will be notified immediately when an account is cracked or may be cracked.You can also check whether ", + 
"product_code":"hss", + "title":"How Do I Know Whether an Intrusion Succeeded?", + "uri":"hss_01_0192.html", + "doc_type":"usermanual", + "p_code":"172", + "code":"177" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Unsafe Settings", + "uri":"hss_01_0165.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"178" + }, + { + "desc":"Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.For Debian or Ubuntu, run the apt-get install libp", + "product_code":"hss", + "title":"How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?", + "uri":"hss_01_0043.html", + "doc_type":"usermanual", + "p_code":"178", + "code":"179" + }, + { + "desc":"A proper password complexity policy would be: eight characters for the length of a password and at least three types of the following characters used: uppercase letters, ", + "product_code":"hss", + "title":"How Do I Set a Proper Password Complexity Policy in a Windows OS?", + "uri":"hss_01_0095.html", + "doc_type":"usermanual", + "p_code":"178", + "code":"180" + }, + { + "desc":"HSS automatically performs a configuration detection for servers. 
You can repair unsafe configuration items or ignore the configuration items you trust based on the detec", + "product_code":"hss", + "title":"How Do I Handle Unsafe Configurations?", + "uri":"hss_01_0198.html", + "doc_type":"usermanual", + "p_code":"178", + "code":"181" + }, + { + "desc":"You can view the configuration check details online.", + "product_code":"hss", + "title":"How Do I View Configuration Check Reports?", + "uri":"hss_01_0149.html", + "doc_type":"usermanual", + "p_code":"178", + "code":"182" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Vulnerability Management", + "uri":"hss_01_0246.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"183" + }, + { + "desc":"Restart the Windows OS after you fix its vulnerabilities.Restart the Linux OS after you fix its kernel vulnerabilities.", + "product_code":"hss", + "title":"How Do I Fix Vulnerabilities?", + "uri":"hss_01_0209.html", + "doc_type":"usermanual", + "p_code":"183", + "code":"184" + }, + { + "desc":"Perform the following operations to locate the cause and fix the problems.For more information, see the section \"Handling Vulnerabilities\".No yum sources have been config", + "product_code":"hss", + "title":"What Do I Do If an Alarm Still Exists After I Fixed a Vulnerability?", + "uri":"hss_01_0176.html", + "doc_type":"usermanual", + "p_code":"183", + "code":"185" + }, + { + "desc":"The vulnerability list displays vulnerabilities detected in the last seven days. 
After a vulnerability is detected for a server, if you change the server name and do not ", + "product_code":"hss", + "title":"Why a Server Displayed in Vulnerability Information Does Not Exist?", + "uri":"hss_01_0247.html", + "doc_type":"usermanual", + "p_code":"183", + "code":"186" + }, + { + "desc":"After you fixed Windows OS vulnerabilities or Linux kernel vulnerabilities, you need to restart servers for the fix to take effect, or HSS will continue to warn you of th", + "product_code":"hss", + "title":"Do I Need to Restart a Server After Fixing its Vulnerabilities?", + "uri":"hss_01_0114.html", + "doc_type":"usermanual", + "p_code":"183", + "code":"187" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Web Tamper Protection", + "uri":"hss_01_0250.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"188" + }, + { + "desc":"WTP protects files in directories. 
If no directories are specified, WTP cannot take effect even if it is enabled.", + "product_code":"hss", + "title":"Why Do I Need to Add a Protected Directory?", + "uri":"hss_01_0199.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"189" + }, + { + "desc":"If you need to modify files in the protected directory, stop protection for the protected directory first.After the files are modified, resume protection for the director", + "product_code":"hss", + "title":"How Do I Modify a Protected Directory?", + "uri":"hss_01_0185.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"190" + }, + { + "desc":"The causes of this problem vary by scenarios.SymptomThe agent status is Offline or Not installed in the server list on the Web Tamper Protection page.The agent status is ", + "product_code":"hss", + "title":"What Should I Do If WTP Cannot Be Enabled?", + "uri":"hss_01_0202.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"191" + }, + { + "desc":"Protected directories are read-only. 
To modify files or update the website, perform any of the following operations.Disable WTP while you modify files in protected direct", + "product_code":"hss", + "title":"How Do I Modify a File After WTP Is Enabled?", + "uri":"hss_01_0255.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"192" + }, + { + "desc":"Dynamic WTP protects your Tomcat applications.For this function to take effect, ensure that:There are Tomcat applications running on your servers.Your servers run the Lin", + "product_code":"hss", + "title":"What Can I Do If I Enabled Dynamic WTP But Its Status Is Enabled but not in effect?", + "uri":"hss_01_0014.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"193" + }, + { + "desc":"The web tamper protection function of HSS monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites fro", + "product_code":"hss", + "title":"What Are the Differences Between the Web Tamper Protection Functions of HSS and WAF?", + "uri":"hss_01_0017.html", + "doc_type":"usermanual", + "p_code":"188", + "code":"194" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Container Guard Service", + "uri":"hss_01_0323.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"195" + }, + { + "desc":"Disabling protection does not affect services, but will increase security risks. 
You are advised to keep your servers protected.If your servers are managed by enterprise ", + "product_code":"hss", + "title":"How Do I Disable Node Protection?", + "uri":"hss_01_0325.html", + "doc_type":"usermanual", + "p_code":"195", + "code":"196" + }, + { + "desc":"When you enable node protection, the system automatically installs the CGS plug-in on the node.An HSS quota protects one cluster node.", + "product_code":"hss", + "title":"How Do I Enable Node Protection?", + "uri":"hss_01_0324.html", + "doc_type":"usermanual", + "p_code":"195", + "code":"197" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Ransomware Protection", + "uri":"hss_01_0404.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"198" + }, + { + "desc":"The backup mechanism of ransomware protection inherits that of CBR (Cloud Backup and Restoration). Backup files of ransomware protection can be centrally managed and view", + "product_code":"hss", + "title":"What Are the Differences Between Ransomware Protection Backup and Cloud Backup?", + "uri":"hss_01_0405.html", + "doc_type":"usermanual", + "p_code":"198", + "code":"199" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. 
The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Security Configurations", + "uri":"hss_01_0426.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"200" + }, + { + "desc":"You can log in to a server via the console but not via SSH.A server will be blocked if it is regarded as a suspicious server performing brute-force attacks (for example, ", + "product_code":"hss", + "title":"What Can I Do If I Cannot Remotely Log In to a Server via SSH?", + "uri":"hss_01_0436.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"201" + }, + { + "desc":"This FAQ shows you how to use 2FA.Logging in to a Linux serverUse PuTTY or Xshell to log in to your server.Select Keyboard Interactive and enter the user identity informa", + "product_code":"hss", + "title":"How Do I Use 2FA?", + "uri":"hss_01_0437.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"202" + }, + { + "desc":"The two-factor authentication function does not take effect immediately after being enabled.Wait for 5 minutes and try again.Wait for 5 minutes and try again.To enable tw", + "product_code":"hss", + "title":"Why Can't I Receive a Verification Code After 2FA Is Enabled?", + "uri":"hss_01_0439.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"203" + }, + { + "desc":"The login failed probably because file configurations or the login mode was incorrect.Check whether the configuration file is correct.Configuration file path: /etc/ssh/ss", + "product_code":"hss", + "title":"Why Does My Login Fail After I Enable 2FA?", + "uri":"hss_01_0440.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"204" + }, + { + "desc":"You can set your mobile phone number only if you have selected SMS/Email for Method. 
Set your mobile phone number in the SMN topic you choose.In the SMN Topic drop-down l", + "product_code":"hss", + "title":"How Do I Add a Mobile Phone Number or Email Address for Receiving 2FA Verification Notifications?", + "uri":"hss_01_0441.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"205" + }, + { + "desc":"Security-Enhanced Linux (SELinux) is a kernel module and security subsystem of Linux.SELinux minimizes the resources that can be accessed by service processes in the syst", + "product_code":"hss", + "title":"How Do I Disable the SELinux Firewall?", + "uri":"hss_01_0472.html", + "doc_type":"usermanual", + "p_code":"200", + "code":"206" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Others", + "uri":"hss_01_0101.html", + "doc_type":"usermanual", + "p_code":"132", + "code":"207" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"How Do I Use the Windows Remote Desktop Connection Tool to Connect to a Server?", + "uri":"hss_01_0269.html", + "doc_type":"usermanual", + "p_code":"207", + "code":"208" + }, + { + "desc":"The following table describes log files and their paths.", + "product_code":"hss", + "title":"How Do I Check HSS Log Files?", + "uri":"hss_01_0099.html", + "doc_type":"usermanual", + "p_code":"207", + "code":"209" + }, + { + "desc":"The account hacking prevention function for Linux supports MySQL 5.6 and 5.7. 
Perform the following steps to enable logging for login failure:show global variables like '", + "product_code":"hss", + "title":"How Do I Enable Logging for Login Failures?", + "uri":"hss_01_0103.html", + "doc_type":"usermanual", + "p_code":"207", + "code":"210" + }, + { + "desc":"If you are sure the changes on your critical files are safe, you do not need to handle the alarm. It will be automatically cleared in seven days.", + "product_code":"hss", + "title":"How Do I Clear an Alarm on Critical File Changes?", + "uri":"hss_01_0117.html", + "doc_type":"usermanual", + "p_code":"207", + "code":"211" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"hss", + "title":"Change History", + "uri":"hss_01_0417.html", + "doc_type":"usermanual", + "p_code":"", + "code":"212" + } +] \ No newline at end of file diff --git a/docs/hss/umn/PARAMETERS.txt b/docs/hss/umn/PARAMETERS.txt new file mode 100644 index 00000000..6da8d5f0 --- /dev/null +++ b/docs/hss/umn/PARAMETERS.txt @@ -0,0 +1,3 @@ +version="" +language="en-us" +type="" \ No newline at end of file diff --git a/docs/hss/umn/en-us_image_0000001517158254.png b/docs/hss/umn/en-us_image_0000001517158254.png new file mode 100644 index 00000000..2c9147cd Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517158254.png differ diff --git a/docs/hss/umn/en-us_image_0000001517317850.png b/docs/hss/umn/en-us_image_0000001517317850.png new file mode 100644 index 00000000..5bca19f0 Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517317850.png differ 
diff --git a/docs/hss/umn/en-us_image_0000001517477398.png b/docs/hss/umn/en-us_image_0000001517477398.png
new file mode 100644
index 00000000..6ecee2c2
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517477398.png differ
diff --git a/docs/hss/umn/en-us_image_0000001517477582.png b/docs/hss/umn/en-us_image_0000001517477582.png
new file mode 100644
index 00000000..90c33e81
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517477582.png differ
diff --git a/docs/hss/umn/en-us_image_0000001517477602.jpg b/docs/hss/umn/en-us_image_0000001517477602.jpg
new file mode 100644
index 00000000..74edbf67
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517477602.jpg differ
diff --git a/docs/hss/umn/en-us_image_0000001517637370.png b/docs/hss/umn/en-us_image_0000001517637370.png
new file mode 100644
index 00000000..d071e29e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517637370.png differ
diff --git a/docs/hss/umn/en-us_image_0000001517637374.png b/docs/hss/umn/en-us_image_0000001517637374.png
new file mode 100644
index 00000000..28807ed3
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517637374.png differ
diff --git a/docs/hss/umn/en-us_image_0000001517637478.png b/docs/hss/umn/en-us_image_0000001517637478.png
new file mode 100644
index 00000000..cb4776fa
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517637478.png differ
diff --git a/docs/hss/umn/en-us_image_0000001517637590.png b/docs/hss/umn/en-us_image_0000001517637590.png
new file mode 100644
index 00000000..f5b140fb
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001517637590.png differ
diff --git a/docs/hss/umn/en-us_image_0000001558495162.png b/docs/hss/umn/en-us_image_0000001558495162.png
new file mode 100644
index 00000000..5b7e8213
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001558495162.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563116264.png b/docs/hss/umn/en-us_image_0000001563116264.png
new file mode 100644
index 00000000..dbc1f75e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563116264.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563224758.png b/docs/hss/umn/en-us_image_0000001563224758.png
new file mode 100644
index 00000000..4b50a3d7
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563224758.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563247778.png b/docs/hss/umn/en-us_image_0000001563247778.png
new file mode 100644
index 00000000..e7354558
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563247778.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563252390.png b/docs/hss/umn/en-us_image_0000001563252390.png
new file mode 100644
index 00000000..d8bee4fb
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563252390.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563395342.png b/docs/hss/umn/en-us_image_0000001563395342.png
new file mode 100644
index 00000000..09b79b8a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563395342.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563539818.png b/docs/hss/umn/en-us_image_0000001563539818.png
new file mode 100644
index 00000000..2735230e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563539818.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563713322.png b/docs/hss/umn/en-us_image_0000001563713322.png
new file mode 100644
index 00000000..062e982d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563713322.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563731138.png b/docs/hss/umn/en-us_image_0000001563731138.png
new file mode 100644
index 00000000..cb9cbb28
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563731138.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563791430.png b/docs/hss/umn/en-us_image_0000001563791430.png
new file mode 100644
index 00000000..19f81e01
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563791430.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563800218.png b/docs/hss/umn/en-us_image_0000001563800218.png
new file mode 100644
index 00000000..c5febdbd
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563800218.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563952546.png b/docs/hss/umn/en-us_image_0000001563952546.png
new file mode 100644
index 00000000..164e04dc
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563952546.png differ
diff --git a/docs/hss/umn/en-us_image_0000001563953746.png b/docs/hss/umn/en-us_image_0000001563953746.png
new file mode 100644
index 00000000..1ad91c14
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001563953746.png differ
diff --git a/docs/hss/umn/en-us_image_0000001564103542.png b/docs/hss/umn/en-us_image_0000001564103542.png
new file mode 100644
index 00000000..ae5f0004
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001564103542.png differ
diff --git a/docs/hss/umn/en-us_image_0000001564104674.png b/docs/hss/umn/en-us_image_0000001564104674.png
new file mode 100644
index 00000000..ba8896f8
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001564104674.png differ
diff --git a/docs/hss/umn/en-us_image_0000001564275346.png b/docs/hss/umn/en-us_image_0000001564275346.png
new file mode 100644
index 00000000..e01df20d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001564275346.png differ
diff --git a/docs/hss/umn/en-us_image_0000001564547244.png b/docs/hss/umn/en-us_image_0000001564547244.png
new file mode 100644
index 00000000..e3bfe788
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001564547244.png differ
diff --git a/docs/hss/umn/en-us_image_0000001567973464.png b/docs/hss/umn/en-us_image_0000001567973464.png
new file mode 100644
index 00000000..fd8a1704
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001567973464.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317625.png b/docs/hss/umn/en-us_image_0000001568317625.png
new file mode 100644
index 00000000..cb4776fa
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317625.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317649.png b/docs/hss/umn/en-us_image_0000001568317649.png
new file mode 100644
index 00000000..08e39c44
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317649.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317673.png b/docs/hss/umn/en-us_image_0000001568317673.png
new file mode 100644
index 00000000..2da9f527
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317673.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317677.png b/docs/hss/umn/en-us_image_0000001568317677.png
new file mode 100644
index 00000000..b587616a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317677.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317709.png b/docs/hss/umn/en-us_image_0000001568317709.png
new file mode 100644
index 00000000..77583563
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317709.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568317737.png b/docs/hss/umn/en-us_image_0000001568317737.png
new file mode 100644
index 00000000..e2c5d84e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568317737.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568437337.png b/docs/hss/umn/en-us_image_0000001568437337.png
new file mode 100644
index 00000000..40b0feae
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568437337.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568437401.png b/docs/hss/umn/en-us_image_0000001568437401.png
new file mode 100644
index 00000000..f8d6460e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568437401.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568517685.png b/docs/hss/umn/en-us_image_0000001568517685.png
new file mode 100644
index 00000000..e5b96c31
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568517685.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568517705.png b/docs/hss/umn/en-us_image_0000001568517705.png
new file mode 100644
index 00000000..6ecee2c2
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568517705.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568637409.png b/docs/hss/umn/en-us_image_0000001568637409.png
new file mode 100644
index 00000000..6ce03300
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568637409.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568637417.png b/docs/hss/umn/en-us_image_0000001568637417.png
new file mode 100644
index 00000000..e291d65e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568637417.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568637593.png b/docs/hss/umn/en-us_image_0000001568637593.png
new file mode 100644
index 00000000..350cea3f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568637593.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568637685.png b/docs/hss/umn/en-us_image_0000001568637685.png
new file mode 100644
index 00000000..5514234c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568637685.png differ
diff --git a/docs/hss/umn/en-us_image_0000001568637701.png b/docs/hss/umn/en-us_image_0000001568637701.png
new file mode 100644
index 00000000..64906454
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001568637701.png differ
diff --git a/docs/hss/umn/en-us_image_0000001585737324.png b/docs/hss/umn/en-us_image_0000001585737324.png
new file mode 100644
index 00000000..06db5719
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001585737324.png differ
diff --git a/docs/hss/umn/en-us_image_0000001586056592.png b/docs/hss/umn/en-us_image_0000001586056592.png
new file mode 100644
index 00000000..3b1db499
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001586056592.png differ
diff --git a/docs/hss/umn/en-us_image_0000001606804308.png b/docs/hss/umn/en-us_image_0000001606804308.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001606804308.png differ
diff --git a/docs/hss/umn/en-us_image_0000001606964064.png b/docs/hss/umn/en-us_image_0000001606964064.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001606964064.png differ
diff --git a/docs/hss/umn/en-us_image_0000001613689505.png b/docs/hss/umn/en-us_image_0000001613689505.png
new file mode 100644
index 00000000..af4fa1e2
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001613689505.png differ
diff --git a/docs/hss/umn/en-us_image_0000001613967749.png b/docs/hss/umn/en-us_image_0000001613967749.png
new file mode 100644
index 00000000..06b3046c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001613967749.png differ
diff --git a/docs/hss/umn/en-us_image_0000001613970477.png b/docs/hss/umn/en-us_image_0000001613970477.png
new file mode 100644
index 00000000..0a509ad8
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001613970477.png differ
diff --git a/docs/hss/umn/en-us_image_0000001614183089.png b/docs/hss/umn/en-us_image_0000001614183089.png
new file mode 100644
index 00000000..adb3a43b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001614183089.png differ
diff --git a/docs/hss/umn/en-us_image_0000001614383481.png b/docs/hss/umn/en-us_image_0000001614383481.png
new file mode 100644
index 00000000..b2a41c27
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001614383481.png differ
diff --git a/docs/hss/umn/en-us_image_0000001614384633.png b/docs/hss/umn/en-us_image_0000001614384633.png
new file mode 100644
index 00000000..c3368eed
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001614384633.png differ
diff --git a/docs/hss/umn/en-us_image_0000001618050385.png b/docs/hss/umn/en-us_image_0000001618050385.png
new file mode 100644
index 00000000..9133a067
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001618050385.png differ
diff --git a/docs/hss/umn/en-us_image_0000001618285045.png b/docs/hss/umn/en-us_image_0000001618285045.png
new file mode 100644
index 00000000..e09aeb36
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001618285045.png differ
diff --git a/docs/hss/umn/en-us_image_0000001618324457.png b/docs/hss/umn/en-us_image_0000001618324457.png
new file mode 100644
index 00000000..2184d6ca
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001618324457.png differ
diff --git a/docs/hss/umn/en-us_image_0000001618325933.png b/docs/hss/umn/en-us_image_0000001618325933.png
new file mode 100644
index 00000000..1255d7bc
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001618325933.png differ
diff --git a/docs/hss/umn/en-us_image_0000001619472165.png b/docs/hss/umn/en-us_image_0000001619472165.png
new file mode 100644
index 00000000..cf1b6b3c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001619472165.png differ
diff --git a/docs/hss/umn/en-us_image_0000001620839122.png b/docs/hss/umn/en-us_image_0000001620839122.png
new file mode 100644
index 00000000..443af5be
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001620839122.png differ
diff --git a/docs/hss/umn/en-us_image_0000001620842718.png b/docs/hss/umn/en-us_image_0000001620842718.png
new file mode 100644
index 00000000..3deb3f4c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001620842718.png differ
diff --git a/docs/hss/umn/en-us_image_0000001620847478.png b/docs/hss/umn/en-us_image_0000001620847478.png
new file mode 100644
index 00000000..a1ea2d7b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001620847478.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621122554.png b/docs/hss/umn/en-us_image_0000001621122554.png
new file mode 100644
index 00000000..7eb0206a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621122554.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621154510.png b/docs/hss/umn/en-us_image_0000001621154510.png
new file mode 100644
index 00000000..1b12e04a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621154510.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621162450.png b/docs/hss/umn/en-us_image_0000001621162450.png
new file mode 100644
index 00000000..630b79b5
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621162450.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621167210.png b/docs/hss/umn/en-us_image_0000001621167210.png
new file mode 100644
index 00000000..d273559b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621167210.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621219284.png b/docs/hss/umn/en-us_image_0000001621219284.png
new file mode 100644
index 00000000..a79107d1
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621219284.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621322446.png b/docs/hss/umn/en-us_image_0000001621322446.png
new file mode 100644
index 00000000..85f0836d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621322446.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621339160.png b/docs/hss/umn/en-us_image_0000001621339160.png
new file mode 100644
index 00000000..8104f930
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621339160.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621479770.png b/docs/hss/umn/en-us_image_0000001621479770.png
new file mode 100644
index 00000000..dfabf286
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621479770.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621479774.png b/docs/hss/umn/en-us_image_0000001621479774.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621479774.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621479778.png b/docs/hss/umn/en-us_image_0000001621479778.png
new file mode 100644
index 00000000..5d5f6991
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621479778.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621479782.png b/docs/hss/umn/en-us_image_0000001621479782.png
new file mode 100644
index 00000000..afecccbd
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621479782.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621480454.png b/docs/hss/umn/en-us_image_0000001621480454.png
new file mode 100644
index 00000000..fc724e8e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621480454.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621481094.png b/docs/hss/umn/en-us_image_0000001621481094.png
new file mode 100644
index 00000000..e5c568c9
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621481094.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621634874.png b/docs/hss/umn/en-us_image_0000001621634874.png
new file mode 100644
index 00000000..6e3337de
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621634874.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621639582.png b/docs/hss/umn/en-us_image_0000001621639582.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621639582.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621639586.png b/docs/hss/umn/en-us_image_0000001621639586.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621639586.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621639590.png b/docs/hss/umn/en-us_image_0000001621639590.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621639590.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621640278.png b/docs/hss/umn/en-us_image_0000001621640278.png
new file mode 100644
index 00000000..64c6d24b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621640278.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621640914.png b/docs/hss/umn/en-us_image_0000001621640914.png
new file mode 100644
index 00000000..2a78f983
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621640914.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621799506.png b/docs/hss/umn/en-us_image_0000001621799506.png
new file mode 100644
index 00000000..fa5b274d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621799506.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621799510.png b/docs/hss/umn/en-us_image_0000001621799510.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621799510.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621799514.png b/docs/hss/umn/en-us_image_0000001621799514.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621799514.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621799518.png b/docs/hss/umn/en-us_image_0000001621799518.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621799518.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621827002.png b/docs/hss/umn/en-us_image_0000001621827002.png
new file mode 100644
index 00000000..f8c10104
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621827002.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621959478.png b/docs/hss/umn/en-us_image_0000001621959478.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621959478.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621959482.png b/docs/hss/umn/en-us_image_0000001621959482.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621959482.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621959486.png b/docs/hss/umn/en-us_image_0000001621959486.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621959486.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621959490.png b/docs/hss/umn/en-us_image_0000001621959490.png
new file mode 100644
index 00000000..9ea1175c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621959490.png differ
diff --git a/docs/hss/umn/en-us_image_0000001621960166.png b/docs/hss/umn/en-us_image_0000001621960166.png
new file mode 100644
index 00000000..676e91ea
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001621960166.png differ
diff --git a/docs/hss/umn/en-us_image_0000001622044122.png b/docs/hss/umn/en-us_image_0000001622044122.png
new file mode 100644
index 00000000..5182221e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001622044122.png differ
diff --git a/docs/hss/umn/en-us_image_0000001622204562.png b/docs/hss/umn/en-us_image_0000001622204562.png
new file mode 100644
index 00000000..4a3b552e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001622204562.png differ
diff --git a/docs/hss/umn/en-us_image_0000001622361502.png b/docs/hss/umn/en-us_image_0000001622361502.png
new file mode 100644
index 00000000..62d5aabf
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001622361502.png differ
diff --git a/docs/hss/umn/en-us_image_0000001622521482.png b/docs/hss/umn/en-us_image_0000001622521482.png
new file mode 100644
index 00000000..36d58313
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001622521482.png differ
diff --git a/docs/hss/umn/en-us_image_0000001629357728.png b/docs/hss/umn/en-us_image_0000001629357728.png
new file mode 100644
index 00000000..2716cbf4
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001629357728.png differ
diff --git a/docs/hss/umn/en-us_image_0000001630021161.png b/docs/hss/umn/en-us_image_0000001630021161.png
new file mode 100644
index 00000000..e112e7f4
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001630021161.png differ
diff --git a/docs/hss/umn/en-us_image_0000001630512626.png b/docs/hss/umn/en-us_image_0000001630512626.png
new file mode 100644
index 00000000..94968363
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001630512626.png differ
diff --git a/docs/hss/umn/en-us_image_0000001635697117.png b/docs/hss/umn/en-us_image_0000001635697117.png
new file mode 100644
index 00000000..5a244971
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001635697117.png differ
diff --git a/docs/hss/umn/en-us_image_0000001669602353.png b/docs/hss/umn/en-us_image_0000001669602353.png
new file mode 100644
index 00000000..17befca9
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001669602353.png differ
diff --git a/docs/hss/umn/en-us_image_0000001669682473.png b/docs/hss/umn/en-us_image_0000001669682473.png
new file mode 100644
index 00000000..a8d991a1
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001669682473.png differ
diff --git a/docs/hss/umn/en-us_image_0000001669828885.png b/docs/hss/umn/en-us_image_0000001669828885.png
new file mode 100644
index 00000000..b1d95226
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001669828885.png differ
diff --git a/docs/hss/umn/en-us_image_0000001669838757.png b/docs/hss/umn/en-us_image_0000001669838757.png
new file mode 100644
index 00000000..7cc98d2a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001669838757.png differ
diff --git a/docs/hss/umn/en-us_image_0000001669998725.png b/docs/hss/umn/en-us_image_0000001669998725.png
new file mode 100644
index 00000000..a0cecec1
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001669998725.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670234665.png b/docs/hss/umn/en-us_image_0000001670234665.png
new file mode 100644
index 00000000..bb951a35
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670234665.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670239397.png b/docs/hss/umn/en-us_image_0000001670239397.png
new file mode 100644
index 00000000..9c847df8
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670239397.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670239401.png b/docs/hss/umn/en-us_image_0000001670239401.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670239401.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670239405.png b/docs/hss/umn/en-us_image_0000001670239405.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670239405.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670239409.png b/docs/hss/umn/en-us_image_0000001670239409.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670239409.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670239413.png b/docs/hss/umn/en-us_image_0000001670239413.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670239413.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670240065.png b/docs/hss/umn/en-us_image_0000001670240065.png
new file mode 100644
index 00000000..2eb851a5
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670240065.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670240689.png b/docs/hss/umn/en-us_image_0000001670240689.png
new file mode 100644
index 00000000..b35d6159
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670240689.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670319513.png b/docs/hss/umn/en-us_image_0000001670319513.png
new file mode 100644
index 00000000..bce1c33a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670319513.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670319517.png b/docs/hss/umn/en-us_image_0000001670319517.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670319517.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670319521.png b/docs/hss/umn/en-us_image_0000001670319521.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670319521.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670319525.png b/docs/hss/umn/en-us_image_0000001670319525.png
new file mode 100644
index 00000000..d420c453
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670319525.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670320201.png b/docs/hss/umn/en-us_image_0000001670320201.png
new file mode 100644
index 00000000..7611369d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670320201.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670375709.png b/docs/hss/umn/en-us_image_0000001670375709.png
new file mode 100644
index 00000000..0be9758d
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670375709.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670401553.png b/docs/hss/umn/en-us_image_0000001670401553.png
new file mode 100644
index 00000000..c82a4996
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670401553.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670439437.png b/docs/hss/umn/en-us_image_0000001670439437.png
new file mode 100644
index 00000000..6f071632
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670439437.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670439441.png b/docs/hss/umn/en-us_image_0000001670439441.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670439441.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670439445.png b/docs/hss/umn/en-us_image_0000001670439445.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670439445.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670439449.png b/docs/hss/umn/en-us_image_0000001670439449.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670439449.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670439453.png b/docs/hss/umn/en-us_image_0000001670439453.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670439453.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670440105.png b/docs/hss/umn/en-us_image_0000001670440105.png
new file mode 100644
index 00000000..5315978a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670440105.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670554661.png b/docs/hss/umn/en-us_image_0000001670554661.png
new file mode 100644
index 00000000..bb951a35
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670554661.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670559389.png b/docs/hss/umn/en-us_image_0000001670559389.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670559389.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670559393.png b/docs/hss/umn/en-us_image_0000001670559393.png
new file mode 100644
index 00000000..07667143
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670559393.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670559397.png b/docs/hss/umn/en-us_image_0000001670559397.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670559397.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670559401.png b/docs/hss/umn/en-us_image_0000001670559401.png
new file mode 100644
index 00000000..8e288774
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670559401.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670681377.png b/docs/hss/umn/en-us_image_0000001670681377.png
new file mode 100644
index 00000000..d4bdc941
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670681377.png differ
diff --git a/docs/hss/umn/en-us_image_0000001670681801.png b/docs/hss/umn/en-us_image_0000001670681801.png
new file mode 100644
index 00000000..a63b4f13
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001670681801.png differ
diff --git a/docs/hss/umn/en-us_image_0000001676837385.png b/docs/hss/umn/en-us_image_0000001676837385.png
new file mode 100644
index 00000000..1a362263
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001676837385.png differ
diff --git a/docs/hss/umn/en-us_image_0000001686938868.png b/docs/hss/umn/en-us_image_0000001686938868.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001686938868.png differ
diff --git a/docs/hss/umn/en-us_image_0000001686938876.png b/docs/hss/umn/en-us_image_0000001686938876.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001686938876.png differ
diff --git a/docs/hss/umn/en-us_image_0000001686938880.png b/docs/hss/umn/en-us_image_0000001686938880.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001686938880.png differ
diff --git a/docs/hss/umn/en-us_image_0000001686939532.png b/docs/hss/umn/en-us_image_0000001686939532.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001686939532.png differ
diff --git a/docs/hss/umn/en-us_image_0000001687084998.png b/docs/hss/umn/en-us_image_0000001687084998.png
new file mode 100644
index 00000000..46371520
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001687084998.png differ
diff --git a/docs/hss/umn/en-us_image_0000001696678850.png b/docs/hss/umn/en-us_image_0000001696678850.png
new file mode 100644
index 00000000..6b11888b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001696678850.png differ
diff --git a/docs/hss/umn/en-us_image_0000001696838310.png b/docs/hss/umn/en-us_image_0000001696838310.png
new file mode 100644
index 00000000..582b1618
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001696838310.png differ
diff --git a/docs/hss/umn/en-us_image_0000001696838318.png b/docs/hss/umn/en-us_image_0000001696838318.png
new file mode 100644
index 00000000..e4fcbfa9
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001696838318.png differ
diff --git a/docs/hss/umn/en-us_image_0000001703888418.png b/docs/hss/umn/en-us_image_0000001703888418.png
new file mode 100644
index 00000000..6ecee2c2
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001703888418.png differ
diff --git a/docs/hss/umn/en-us_image_0000001711689404.png b/docs/hss/umn/en-us_image_0000001711689404.png
new file mode 100644
index 00000000..c7353b57
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001711689404.png differ
diff --git a/docs/hss/umn/en-us_image_0000001711848916.png b/docs/hss/umn/en-us_image_0000001711848916.png
new file mode 100644
index 00000000..c9a2b427
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001711848916.png differ
diff --git a/docs/hss/umn/en-us_image_0000001734778037.png b/docs/hss/umn/en-us_image_0000001734778037.png
new file mode 100644
index 00000000..14f09278
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001734778037.png differ
diff --git a/docs/hss/umn/en-us_image_0000001734937857.png b/docs/hss/umn/en-us_image_0000001734937857.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001734937857.png differ
diff --git a/docs/hss/umn/en-us_image_0000001734937861.png b/docs/hss/umn/en-us_image_0000001734937861.png
new file mode 100644
index 00000000..f6718f34
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001734937861.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735417828.png b/docs/hss/umn/en-us_image_0000001735417828.png
new file mode 100644
index 00000000..67b2184b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735417828.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735433736.png b/docs/hss/umn/en-us_image_0000001735433736.png
new file mode 100644
index 00000000..09013e6f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735433736.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735433752.png b/docs/hss/umn/en-us_image_0000001735433752.png
new file mode 100644
index 00000000..0fc5789e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735433752.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735433768.png b/docs/hss/umn/en-us_image_0000001735433768.png
new file mode 100644
index 00000000..eb947fec
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735433768.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735474790.png b/docs/hss/umn/en-us_image_0000001735474790.png
new file mode 100644
index 00000000..e7af2391
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735474790.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735544818.png b/docs/hss/umn/en-us_image_0000001735544818.png
new file mode 100644
index 00000000..19f81e01
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735544818.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735576968.png b/docs/hss/umn/en-us_image_0000001735576968.png
new file mode 100644
index 00000000..d05c38bf
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735576968.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735592904.png b/docs/hss/umn/en-us_image_0000001735592904.png
new file mode 100644
index 00000000..962dd170
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735592904.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735592920.png b/docs/hss/umn/en-us_image_0000001735592920.png
new file mode 100644
index 00000000..29a3ae3a
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735592920.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735592936.png b/docs/hss/umn/en-us_image_0000001735592936.png
new file mode 100644
index 00000000..f3c35744
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735592936.png differ
diff --git a/docs/hss/umn/en-us_image_0000001735592956.png b/docs/hss/umn/en-us_image_0000001735592956.png
new file mode 100644
index 00000000..7ebdbbad
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001735592956.png differ
diff --git a/docs/hss/umn/en-us_image_0000001743828960.png b/docs/hss/umn/en-us_image_0000001743828960.png
new file mode 100644
index 00000000..423298c3
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001743828960.png differ
diff --git a/docs/hss/umn/en-us_image_0000001744598325.png b/docs/hss/umn/en-us_image_0000001744598325.png
new file mode 100644
index 00000000..3e15dbf9
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001744598325.png differ
diff --git a/docs/hss/umn/en-us_image_0000001744678489.jpg b/docs/hss/umn/en-us_image_0000001744678489.jpg
new file mode 100644
index 00000000..fac6892b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001744678489.jpg differ
diff --git a/docs/hss/umn/en-us_image_0000001745048576.png b/docs/hss/umn/en-us_image_0000001745048576.png
new file mode 100644
index 00000000..1b48a002
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001745048576.png differ
diff --git a/docs/hss/umn/en-us_image_0000001752813641.png b/docs/hss/umn/en-us_image_0000001752813641.png
new file mode 100644
index 00000000..bff32baf
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001752813641.png differ
diff --git a/docs/hss/umn/en-us_image_0000001752813769.png b/docs/hss/umn/en-us_image_0000001752813769.png
new file mode 100644
index 00000000..8e22d53e
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001752813769.png differ
diff --git a/docs/hss/umn/en-us_image_0000001757768557.png b/docs/hss/umn/en-us_image_0000001757768557.png
new file mode 100644
index 00000000..f0cba033
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001757768557.png differ
diff --git a/docs/hss/umn/en-us_image_0000001758618249.png b/docs/hss/umn/en-us_image_0000001758618249.png
new file mode 100644
index 00000000..0d21733f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001758618249.png differ
diff --git a/docs/hss/umn/en-us_image_0000001759449225.png b/docs/hss/umn/en-us_image_0000001759449225.png
new file mode 100644
index 00000000..9d8df773
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001759449225.png differ
diff --git a/docs/hss/umn/en-us_image_0000001759608337.png b/docs/hss/umn/en-us_image_0000001759608337.png
new file mode 100644
index 00000000..a0996407
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001759608337.png differ
diff --git a/docs/hss/umn/en-us_image_0000001782400597.png b/docs/hss/umn/en-us_image_0000001782400597.png
new file mode 100644
index 00000000..86863be3
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001782400597.png differ
diff --git a/docs/hss/umn/en-us_image_0000001782537133.png b/docs/hss/umn/en-us_image_0000001782537133.png
new file mode 100644
index 00000000..ebe648a7
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001782537133.png differ
diff --git a/docs/hss/umn/en-us_image_0000001782537137.png b/docs/hss/umn/en-us_image_0000001782537137.png
new file mode 100644
index 00000000..7f806c24
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001782537137.png differ
diff --git a/docs/hss/umn/en-us_image_0000001782558509.png b/docs/hss/umn/en-us_image_0000001782558509.png
new file mode 100644
index 00000000..9c5417ea
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001782558509.png differ
diff --git a/docs/hss/umn/en-us_image_0000001782616881.png b/docs/hss/umn/en-us_image_0000001782616881.png
new file mode 100644
index 00000000..21312167
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001782616881.png differ
diff --git a/docs/hss/umn/en-us_image_0000001785666064.png b/docs/hss/umn/en-us_image_0000001785666064.png
new file mode 100644
index 00000000..423298c3
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001785666064.png differ
diff --git a/docs/hss/umn/en-us_image_0000001785825720.png b/docs/hss/umn/en-us_image_0000001785825720.png
new file mode 100644
index 00000000..b2bbbd33
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001785825720.png differ
diff --git a/docs/hss/umn/en-us_image_0000001798383608.png b/docs/hss/umn/en-us_image_0000001798383608.png
new file mode 100644
index 00000000..28e1f79c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001798383608.png differ
diff --git a/docs/hss/umn/en-us_image_0000001801549361.png b/docs/hss/umn/en-us_image_0000001801549361.png
new file mode 100644
index 00000000..19c746d5
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001801549361.png differ
diff --git a/docs/hss/umn/en-us_image_0000001802080893.png b/docs/hss/umn/en-us_image_0000001802080893.png
new file mode 100644
index 00000000..8c2a6765
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001802080893.png differ
diff --git a/docs/hss/umn/en-us_image_0000001806095454.png b/docs/hss/umn/en-us_image_0000001806095454.png
new file mode 100644
index 00000000..b5efb406
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001806095454.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807098924.png b/docs/hss/umn/en-us_image_0000001807098924.png
new file mode 100644
index 00000000..4492e581
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807098924.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807101012.png b/docs/hss/umn/en-us_image_0000001807101012.png
new file mode 100644
index 00000000..7809142c
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807101012.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807108040.png b/docs/hss/umn/en-us_image_0000001807108040.png
new file mode 100644
index 00000000..f5bd44af
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807108040.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807123476.png b/docs/hss/umn/en-us_image_0000001807123476.png
new file mode 100644
index 00000000..e842c818
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807123476.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807238698.png b/docs/hss/umn/en-us_image_0000001807238698.png
new file mode 100644
index 00000000..f0fafdea
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807238698.png differ
diff --git a/docs/hss/umn/en-us_image_0000001807932576.png b/docs/hss/umn/en-us_image_0000001807932576.png
new file mode 100644
index 00000000..37bfb76f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001807932576.png differ
diff --git a/docs/hss/umn/en-us_image_0000001808126138.png b/docs/hss/umn/en-us_image_0000001808126138.png
new file mode 100644
index 00000000..aa667393
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001808126138.png differ
diff --git a/docs/hss/umn/en-us_image_0000001808223252.png b/docs/hss/umn/en-us_image_0000001808223252.png
new file mode 100644
index 00000000..8ce8e756
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001808223252.png differ
diff --git a/docs/hss/umn/en-us_image_0000001808243728.png b/docs/hss/umn/en-us_image_0000001808243728.png
new file mode 100644
index 00000000..8a098267
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001808243728.png differ
diff --git a/docs/hss/umn/en-us_image_0000001816051597.png b/docs/hss/umn/en-us_image_0000001816051597.png
new file mode 100644
index 00000000..5094d2ef
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001816051597.png differ
diff --git a/docs/hss/umn/en-us_image_0000001830849746.png b/docs/hss/umn/en-us_image_0000001830849746.png
new file mode 100644
index 00000000..063af086
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001830849746.png differ
diff --git a/docs/hss/umn/en-us_image_0000001831694242.png b/docs/hss/umn/en-us_image_0000001831694242.png
new file mode 100644
index 00000000..4a7e417f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001831694242.png differ
diff --git a/docs/hss/umn/en-us_image_0000001832628561.png b/docs/hss/umn/en-us_image_0000001832628561.png
new file mode 100644
index 00000000..81bc7531
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001832628561.png differ
diff --git a/docs/hss/umn/en-us_image_0000001852172057.png b/docs/hss/umn/en-us_image_0000001852172057.png
new file mode 100644
index 00000000..b3c4dae6
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001852172057.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853711513.png b/docs/hss/umn/en-us_image_0000001853711513.png
new file mode 100644
index 00000000..a5e88766
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853711513.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853723125.png b/docs/hss/umn/en-us_image_0000001853723125.png
new file mode 100644
index 00000000..52fbad73
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853723125.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853795117.png b/docs/hss/umn/en-us_image_0000001853795117.png
new file mode 100644
index 00000000..88fbf698
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853795117.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853881857.png b/docs/hss/umn/en-us_image_0000001853881857.png
new file mode 100644
index 00000000..00d5033b
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853881857.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853897085.png b/docs/hss/umn/en-us_image_0000001853897085.png
new file mode 100644
index 00000000..430b8d08
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853897085.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853899257.png b/docs/hss/umn/en-us_image_0000001853899257.png
new file mode 100644
index 00000000..df0fbef3
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853899257.png differ
diff --git a/docs/hss/umn/en-us_image_0000001853976253.png b/docs/hss/umn/en-us_image_0000001853976253.png
new file mode 100644
index 00000000..aabd7220
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001853976253.png differ
diff --git a/docs/hss/umn/en-us_image_0000001854003221.png b/docs/hss/umn/en-us_image_0000001854003221.png
new file mode 100644
index 00000000..3f775696
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001854003221.png differ
diff --git a/docs/hss/umn/en-us_image_0000001854004617.png b/docs/hss/umn/en-us_image_0000001854004617.png
new file mode 100644
index 00000000..85aecdb4
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001854004617.png differ
diff --git a/docs/hss/umn/en-us_image_0000001854854673.png b/docs/hss/umn/en-us_image_0000001854854673.png
new file mode 100644
index 00000000..2bbc8cbb
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001854854673.png differ
diff --git a/docs/hss/umn/en-us_image_0000001854995385.png b/docs/hss/umn/en-us_image_0000001854995385.png
new file mode 100644
index 00000000..8acbcdcd
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001854995385.png differ
diff --git a/docs/hss/umn/en-us_image_0000001855042505.png b/docs/hss/umn/en-us_image_0000001855042505.png
new file mode 100644
index 00000000..83a0bfee
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001855042505.png differ
diff --git a/docs/hss/umn/en-us_image_0000001862372558.png b/docs/hss/umn/en-us_image_0000001862372558.png
new file mode 100644
index 00000000..13297450
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001862372558.png differ
diff --git a/docs/hss/umn/en-us_image_0000001862551832.png b/docs/hss/umn/en-us_image_0000001862551832.png
new file mode 100644
index 00000000..7d124f9f
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001862551832.png differ
diff --git a/docs/hss/umn/en-us_image_0000001908410077.png b/docs/hss/umn/en-us_image_0000001908410077.png
new file mode 100644
index 00000000..87eb51e9
Binary files /dev/null and b/docs/hss/umn/en-us_image_0000001908410077.png differ
diff --git a/docs/hss/umn/hss_01_0001.html b/docs/hss/umn/hss_01_0001.html
new file mode 100644
index 00000000..0cbc83ac
--- /dev/null
+++ b/docs/hss/umn/hss_01_0001.html
@@ -0,0 +1,52 @@
+
+
+

What Is HSS?

+

HSS is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It provides host security functions, Container Guard Service (CGS), and Web Tamper Protection (WTP).

+

HSS can help you remotely check and manage your servers and containers in a unified manner.

+

HSS protects your system integrity, enhances application security, monitors user operations, and detects intrusions.

+

Host Security

Host Security Service (HSS) helps you identify and manage the assets on your servers, eliminate risks, and defend against intrusions and web page tampering. There are also advanced protection and security operations functions available to help you easily detect and handle threats.

+

Install the HSS agent on your servers, and you will be able to check the server protection status and risks in a region on the HSS console.

+
Figure 1 illustrates how HSS works.
Figure 1 Working principles
+
+
+

+
The following table describes the HSS components. +
+ + + + + + + + + + + + + +
Table 1 Components

Component

+

Description

+

Management console

+

A visualized management platform, where you can apply configurations in a centralized manner and view the protection status and scan results of servers in a region.

+

HSS cloud protection center

+
  • Analyzes security risks in servers using AI, machine learning, and deep learning algorithms.
  • Integrates multiple antivirus engines to detect and kill malicious programs in servers.
  • Receives configurations and scan tasks sent from the console and forwards them to agents on the servers.
  • Receives server information reported by agents, analyzes security risks and exceptions on servers, and displays the analysis results on the console.
+

Agent

+
  • Communicates with the HSS cloud protection center via HTTPS and WSS. Port 10180 is used by default.
  • Scans all servers every early morning; monitors the security status of servers; and reports the collected server information (including non-compliant configurations, insecure configurations, intrusion traces, software list, port list, and process list) to the cloud protection center.
  • Blocks server attacks based on the security policies you configured.
+
NOTE:
  • If no agent is installed or the agent installed is abnormal, the HSS is unavailable.
  • Select the agent and installation command suitable for your OS.
  • The HSS agent can be used for all editions, including container security and Web Tamper Protection (WTP). You only need to install the agent once on the same server.
+
+
+
+
+

Container Security

HSS provides container security capabilities. The agent deployed on a server can scan the container images on the server, checking configurations, detecting vulnerabilities, and uncovering runtime issues that cannot be detected by traditional security software. Container security also provides functions such as process whitelist, read-only file protection, and container escape detection to minimize the security risks for a running container.

+
+

Web Tamper Protection

Web Tamper Protection (WTP) monitors website directories in real time and restores tampered files and directories using their backups. It protects website information, such as web pages, electronic documents, and images, from being tampered with or damaged by hackers.

+
Figure 2 How WTP works
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0002.html b/docs/hss/umn/hss_01_0002.html
new file mode 100644
index 00000000..36ff156b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0002.html
@@ -0,0 +1,20 @@
+
+
+

Advantages

+

HSS helps you manage and maintain the security of all your servers and reduce common risks.

+

Centralized Management

You can check for and fix a range of security issues on a single console, easily managing your servers.

+ +
+

All-Round Protection

HSS protects servers against intrusions by prevention, defense, and post-intrusion scan.

+
+

Lightweight Agent

The agent occupies only a few resources, not affecting server system performance.

+
+

WTP

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0003.html b/docs/hss/umn/hss_01_0003.html
new file mode 100644
index 00000000..182c028d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0003.html
@@ -0,0 +1,85 @@
+
+
+

Viewing Server Protection Status

+

The server list on the Servers page displays the protection status of only the servers used in the selected region.

+

Viewing Server Protection Status

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > . The page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. On the Servers tab, view the protection status of the server. For more information, see Table 1.

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

    +
    +
    Figure 1 Server protection status
    +
    • To check the protection status of a server, enter a server name, server ID, or IP address in the search box above the server protection list.
    • On the left of the server protection list, select a server protection edition or an asset importance category to view the protection status of each type of servers.
    + +
    + + + + + + + + + + + + + +
    Table 1 Protection status description

    Parameter

    +

    Description

    +

    Agent Status

    +
    • Not installed: The agent has not been installed or successfully started.

      Click Install Agent and install the agent as prompted.

      +
    • Online: The agent is running properly.
    • Offline: The communication between the agent and the HSS server is abnormal, and HSS cannot protect your servers.
    +

    Protection Status

    +
    • Enabled: The server is fully protected by HSS.
    • Unprotected: HSS is disabled for the server. After the agent is installed, click Enable in the Operation column to enable protection.
    +

    Scan Results

    +
    • Risky: The host has risks.
    • Safe: No risks are found.
    • Pending risk detection: HSS is not enabled for the server.
    +
    +
    +
    +

+
+

Viewing the WTP Status

  1. Log in to the management console and go to the HSS page.
  2. Choose Prevention > Web Tamper Protection and click Servers to view the protection status of the servers.

    To check the protection status of a target server, enter a server name, server ID, or IP address in the search box above the protection list, and click .

    +
    Figure 2 Servers protected by WTP
    +
    +
    + + + + + + + + + + + + + + + + +
    Table 2 Statuses

    Parameter

    +

    Description

    +

    Protection Status

    +

    Protected: HSS provides static web tamper protection (WTP) for the server.

    +

    Dynamic WTP

    +
    Status of dynamic WTP, which can be:
    • : Dynamic WTP is enabled.
    • : Dynamic WTP is disabled. After enabling dynamic WTP, restart Tomcat to make this setting take effect.
    +
    +

    Static Tampering Attacks

    +

    Number of times that static web page files are attacked and tampered with.

    +

    Dynamic Tampering Attacks

    +

    Number of web application vulnerability exploits and injection attacks.

    +
    +
    +
    +

+
+

Exporting the Server List

  1. Log in to the management console and go to the HSS page.
  2. Choose Asset Management > Servers & Quota. The Servers tab page is displayed.
  3. Click in the upper right corner of the Server tab page to export the details of the server list.

    The details of up to 1000 servers can be exported at a time.

    +
    +
    Figure 3 Exporting the server list
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0004.html b/docs/hss/umn/hss_01_0004.html
new file mode 100644
index 00000000..88767879
--- /dev/null
+++ b/docs/hss/umn/hss_01_0004.html
@@ -0,0 +1,42 @@
+ + +

Basic Concepts

+

Account Cracking

Account cracking refers to the intruder behavior of guessing or cracking the password of an account.

+
+

Weak Password

A weak password can be easily cracked.

+
+

Malicious Program

A malicious program, such as a web shell, Trojan, worm, or virus, is developed with attack or illegal remote control intents.

+

Malware covertly inlays code into another program to run intrusive or disruptive programs and damage the security and integrity of the data on an infected server. Malware includes viruses, Trojans, and worms, classified by their ways of transmission.

+

HSS reports both identified and suspicious malware.

+
+

Ransomware

Ransomware emerged with the Bitcoin economy. It is a Trojan that is disguised as a legitimate email attachment or bundled software and tricks you into opening or installing it. It can also arrive on your servers through website or server intrusion.

+

Ransomware often uses a range of algorithms to encrypt the victim's files and demand a ransom payment to get the decryption key. Digital currencies such as Bitcoin are typically used for the ransoms, making tracing and prosecuting the attackers difficult.

+

Ransomware interrupts businesses and can cause serious economic losses. We need to know how it works and how we can prevent it.

+
+

Web Tamper Protection

Web Tamper Protection (WTP) is an HSS edition that protects your files, such as web pages, documents, and images, in specific directories against tampering and sabotage from hackers and viruses.

+
+

Cluster

A cluster consists of one or more ECSs (also known as nodes) in the same subnet. It provides a computing resource pool for running containers.

+
+

Node

In CGS, each node corresponds to an ECS. Containers run on nodes.

+
+

Image

An image is a special file system. It provides not only programs, libraries, resources, configuration files but also some configuration parameters required for a running container. A Docker image does not contain any dynamic data, and its content remains unchanged after being built.

+
+

Container

A container is the instance of an image and can be created, started, stopped, deleted, and suspended.

+
+

Security Policy

A security policy indicates the security rule that must be followed for a running container. If a container violates a security policy, a container exception is displayed on the Runtime Security page of the CGS management console.

+
+

Project

Projects are used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.

+

Multiple projects can be created for one account.

+
+

Protection Quota

To protect a server, bind it to an HSS quota.

+

The quotas of different HSS editions you applied for are displayed on the console.

+

Example:

+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0005.html b/docs/hss/umn/hss_01_0005.html
new file mode 100644
index 00000000..afaaa224
--- /dev/null
+++ b/docs/hss/umn/hss_01_0005.html
@@ -0,0 +1,61 @@
+ + +

HSS Custom Policies

+

Custom policies can be created to supplement the system-defined policies of HSS.

+
You can create custom policies using one of the following methods: +
+

For details, see "Creating a Custom Policy" in Identity and Access Management User Guide. The following section contains examples of common HSS custom policies.

+

Example Custom Policies

+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0006.html b/docs/hss/umn/hss_01_0006.html
new file mode 100644
index 00000000..64cc8e32
--- /dev/null
+++ b/docs/hss/umn/hss_01_0006.html
@@ -0,0 +1,531 @@
+ + +

HSS Actions

+

This section describes fine-grained permissions management for your HSS instances. If your account does not need individual IAM users, then you may skip over this section.

+

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign policies or roles to these groups. The user then inherits permissions from the groups it is a member of. This process is called authorization. After authorization, the user can perform specified operations on cloud services based on the permissions.

+

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. IAM uses policies to perform fine-grained authorization. A policy defines permissions required to perform operations on specific cloud resources under certain conditions.

+

Supported Actions

HSS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. The following are related concepts:

+ +

HSS supports the following actions that can be defined in custom policies:

+
+

Actions

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Permission

+

Action

+

Related Action

+

Query the protected server list

+

hss:hosts:list

+

vpc:ports:get

+

vpc:publicIps:list

+

ecs:cloudServers:list

+

Enable or disable protection on servers

+

hss:hosts:switchVersion

+

-

+

Manual scan

+

hss:hosts:manualDetect

+

-

+

Check the status of a manual scan

+

hss:manualDetectStatus:get

+

-

+

Query weak password scan reports

+

hss:weakPwds:list

+

-

+

Query account cracking protection reports

+

hss:accountCracks:list

+

-

+

Unblock an IP address that was blocked during account cracking prevention

+

hss:accountCracks:unblock

+

-

+

Query malicious program scan results

+

hss:maliciousPrograms:list

+

-

+

Query remote login scan results

+

hss:abnorLogins:list

+

-

+

Query important file change reports

+

hss:keyfiles:list

+

-

+

Query the open port list

+

hss:ports:list

+

-

+

Query the vulnerability list

+

hss:vuls:list

+

-

+

Perform batch operations on vulnerabilities

+

hss:vuls:operate

+

-

+

Query the account list

+

hss:accounts:list

+

-

+

Query the software list

+

hss:softwares:list

+

-

+

Query the web path list

+

hss:webdirs:list

+

-

+

Query the process list

+

hss:processes:list

+

-

+

Query configuration scan reports

+

hss:configDetects:list

+

-

+

Query web shell scan results

+

hss:Webshells:list

+

-

+

Query risky account scan reports

+

hss:riskyAccounts:list

+

-

+

Obtain server risk statistics

+

hss:riskyDashboard:get

+

-

+

Query password complexity policy scan reports

+

hss:complexityPolicys:list

+

-

+

Perform batch operations on malicious programs

+

hss:maliciousPrograms:operate

+

-

+

Perform batch operations on open ports

+

hss:ports:operate

+

-

+

Perform operations on detected unsafe settings

+

hss:configDetects:operate

+

-

+

Perform batch operations on web shells

+

hss:Webshells:operate

+

-

+

Configure common login locations

+

hss:commonLocations:set

+

-

+

Query common login locations

+

hss:commonLocations:list

+

-

+

Configure common login IP addresses

+

hss:commonIPs:set

+

-

+

Query common login IP addresses

+

hss:commonIPs:list

+

-

+

Configure the login IP address whitelist

+

hss:whiteIps:set

+

-

+

Query the login IP address whitelist

+

hss:whiteIps:list

+

-

+

Configure weak passwords

+

hss:weakPwds:set

+

-

+

Query weak passwords

+

hss:weakPwds:get

+

-

+

Configure web paths

+

hss:webDirs:set

+

-

+

Query web paths

+

hss:webDirs:get

+

-

+

Obtain the list of servers where 2FA is enabled

+

hss:twofactorAuth:list

+

-

+

Enable 2FA

+

hss:twofactorAuth:set

+

-

+

Enable or disable automatic isolation and killing of malicious programs

+

hss:automaticKillMp:set

+

-

+

Query the programs that have been automatically isolated and killed

+

hss:automaticKillMp:get

+

-

+

Query the agent download address

+

hss:installAgent:get

+

-

+

Uninstall an agent

+

hss:agent:uninstall

+

-

+

Query HSS alarms

+

hss:alertConfig:get

+

-

+

Configure HSS alarms

+

hss:alertConfig:set

+

-

+

Query the WTP list

+

hss:wtpHosts:list

+

vpc:ports:get

+

vpc:publicIps:list

+

ecs:cloudServers:list

+

Enable or disable WTP

+

hss:wtpProtect:switch

+

-

+

Configure backup servers

+

hss:wtpBackup:set

+

-

+

Query backup servers

+

hss:wtpBackup:get

+

-

+

Configure protected directories

+

hss:wtpDirectorys:set

+

-

+

Query the protected directory list

+

hss:wtpDirectorys:list

+

-

+

Query WTP records

+

hss:wtpReports:list

+

-

+

Configure privileged processes

+

hss:wtpPrivilegedProcess:set

+

-

+

Query the privileged process list

+

hss:wtpPrivilegedProcesses:list

+

-

+

Configure a protection mode

+

hss:wtpProtectMode:set

+

-

+

Query the protection mode

+

hss:wtpProtectMode:get

+

-

+

Configure a protected file system

+

hss:wtpFilesystems:set

+

-

+

Query the protected file system list

+

hss:wtpFilesystems:list

+

-

+

Configure scheduled protection

+

hss:wtpScheduledProtections:set

+

-

+

Query scheduled protection

+

hss:wtpScheduledProtections:get

+

-

+

Configure WTP alarms

+

hss:wtpAlertConfig:set

+

-

+

Query WTP alarms

+

hss:wtpAlertConfig:get

+

-

+

Query WTP statistics

+

hss:wtpDashboard:get

+

-

+

Query policy group

+

hss:policy:get

+

-

+

Configure a policy group

+

hss:policy:set

+

-

+

Query the detected intrusion list

+

hss:event:get

+

-

+

Perform operations on intrusions

+

hss:event:set

+

-

+

Query server groups

+

hss:hostGroup:get

+

-

+

Configure server groups

+

hss:hostGroup:set

+

-

+

Monitor file integrity

+

hss:keyfiles:set

+

-

+

Query important file change reports

+

hss:keyfiles:list

+

-

+

Query the auto-startup list

+

hss:launch:list

+

-

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0007.html b/docs/hss/umn/hss_01_0007.html
new file mode 100644
index 00000000..a1b6efcd
--- /dev/null
+++ b/docs/hss/umn/hss_01_0007.html
@@ -0,0 +1,14 @@
+ + +

How Do I View Servers Where No Agents Have Been Installed?

+
  1. Log in to the management console.
  2. On the Installation & Configuration page, click the Agents tab and click Offline. View the servers where the agent is not installed.

    Possible agent statuses are:

    +
    • Not installed: The agent has not been installed or successfully started.
    • Online: The agent is running properly.
    • Offline: The communication between the agent and the HSS server is abnormal, and HSS cannot protect your servers.

      Click Offline Cause to view the possible causes.

      +
    +

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0008.html b/docs/hss/umn/hss_01_0008.html
new file mode 100644
index 00000000..fdea4f16
--- /dev/null
+++ b/docs/hss/umn/hss_01_0008.html
@@ -0,0 +1,36 @@
+ + +

How Does HSS Intercept Brute Force Attacks?

+

Types of Detectable Brute Force Attacks

HSS can detect the following types of brute force attacks:

+ +
If MySQL or VSFTP is installed on your server, after HSS is enabled, the agent will add rules to iptables to prevent MySQL and VSFTP brute force attacks. When detecting a brute-force attack, HSS will add the source IP address to the blocking list. The added rules are highlighted below.
Figure 1 Added rules
+
+
+

Existing iptables rules are used for blocking brute-force attacks. You are advised to keep them. If they are deleted, HSS will not be able to protect MySQL or VSFTP from brute-force attacks.

+
+

How Brute Force Attacks Are Intercepted

Brute-force attacks are a type of common intrusion attacks. Attackers submit many server passwords until eventually guessing correctly and gaining control over a server.

+

HSS uses brute-force detection algorithms and an IP address blacklist to effectively prevent brute-force attacks and block attacking IP addresses. The blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.

+

If HSS detects account cracking attacks on servers using Kunpeng EulerOS (EulerOS with ARM), it does not block the source IP addresses and only generates alarms. The SSH login IP address whitelist does not take effect for such servers.

+
+
+

Alarm Policies

+
+

Viewing Brute Force Cracking Detection Results

  1. Log in to the management console.
  2. In the navigation pane, choose Detection > Alarms.
  3. View the brute force cracking detection result of the server or container.

    • View the brute force cracking detection result of the server.
      1. Click the Server Alarms tab.
      2. In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected server.
      3. Click View Details in the Blocked IP Addresses area to view the blocked attack source IP address, attack type, blocking status, blocking times, blocking start time, and latest blocking time.
        • Blocked indicates the brute-force attack has been blocked by HSS.
        • Canceled indicates you have unblocked the source IP address of the brute force attack.

          The default blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.

          +
          +
        +
      +
    • View the brute force cracking detection result of a container.
      1. Click the Container Alarms tab.
      2. In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected container.
      +
    +

+
+

Managing Blocked IP Addresses

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0013.html b/docs/hss/umn/hss_01_0013.html
new file mode 100644
index 00000000..acb4aed5
--- /dev/null
+++ b/docs/hss/umn/hss_01_0013.html
@@ -0,0 +1,16 @@
+ + +

Can I Unblock an IP Address Blocked by HSS, and How?

+

Whether you can unblock an IP address depends on why it was blocked. An IP address will be blocked if it is regarded as the source of a brute-force attack, listed in the common IP blacklist, or not in the IP whitelist you set.

+

Brute-force Attack IP Address

+
+

IP Address in the Common IP Blacklist

You cannot manually unblock such IP addresses.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0014.html b/docs/hss/umn/hss_01_0014.html
new file mode 100644
index 00000000..87637cd9
--- /dev/null
+++ b/docs/hss/umn/hss_01_0014.html
@@ -0,0 +1,15 @@
+ + +

What Can I Do If I Enabled Dynamic WTP But Its Status Is Enabled but not in effect?

+

Dynamic WTP protects your Tomcat applications.

+

For this function to take effect, ensure that:

+ +

If the status of dynamic WTP is Enabled but not in effect after you enable it, perform the following operations:

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0015.html b/docs/hss/umn/hss_01_0015.html
new file mode 100644
index 00000000..00bf6b8e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0015.html
@@ -0,0 +1,19 @@
+ + +

Related Services

+

ECS

The HSS agent can be installed on ECS.

+

For details about ECS, see the Elastic Cloud Server User Guide.

+
+

Cloud Container Engine (CCE)

CCE can rapidly build a highly reliable container cluster based on cloud servers and add nodes to the cluster for management. HSS can install Hostguard-agent on the nodes to protect the container applications deployed on them.

+

CCE is a high-performance, high-reliability service through which enterprises can manage containerized applications. CCE supports native Kubernetes applications and tools, allowing you to easily set up a container runtime environment on the cloud. For more information, see the Container Service User Guide.

+
+
+

Software Repository for Container (SWR)

SWR provides easy, secure, and reliable management over container images throughout their lifecycles, facilitating the deployment of containerized services. For more information, see the Software Repository for Container User Guide. HSS scans for vulnerabilities and configurations in container images to help you detect the container environment that cannot be achieved by traditional security software.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0017.html b/docs/hss/umn/hss_01_0017.html
new file mode 100644
index 00000000..055e16bb
--- /dev/null
+++ b/docs/hss/umn/hss_01_0017.html
@@ -0,0 +1,79 @@
+ + +

What Are the Differences Between the Web Tamper Protection Functions of HSS and WAF?

+

The web tamper protection function of HSS monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites from tampering. This function is helpful for governments, educational institutions, and enterprises.

+

WAF protects user data on the application layer. It supports cache configuration on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page has been tampered with.

+

Differences Between the Web Tamper Protection Functions of HSS and WAF

The following table describes the differences between HSS and WAF.

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Table 1 Differences between the web tamper protection functions of HSS and WAF

Item

+

HSS

+

WAF

+

Static web page protection

+
  • Drive file and web file locking

    Locks files in driver and web file directories to prevent attackers from tampering with them.

    +
  • Privileged process management

    Allows privileged processes to modify web pages.

    +
+
  • Static web pages can be cached on servers.
  • Privileged process management is not supported.
+

Dynamic web page protection

+

Protects your data while Tomcat is running, detecting dynamic data tampering in databases.

+

No

+

Backup and restoration

+
  • Active backup and restoration

    If WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local host to restore the file.

    +
  • Remote backup and restoration

    If a file directory or backup directory on the local server is invalid, you can use the remote backup service to restore the tampered web page.

    +
+

No

+

Suitable for

+

Websites that have high security requirements and difficult to be manually recovered

+

Websites that only require application-layer protection

+
+
+
+

How Do I Select WTP?

+
+ + + + + + + + + + +

Website

+

Service

+

Common websites

+

WAF web tamper protection + HSS enterprise edition

+

Websites that require strong protection and anti-tampering capabilities

+

WAF web tamper protection + HSS WTP

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0021.html b/docs/hss/umn/hss_01_0021.html
new file mode 100644
index 00000000..8d645968
--- /dev/null
+++ b/docs/hss/umn/hss_01_0021.html
@@ -0,0 +1,53 @@
+ + +

WTP Edition

+

The WTP edition provides web tamper protection capabilities for your servers.

+

Web Tamper Protection Principles

+
+ + + + + + + + + + +
Table 1 How WTP works

Type

+

Mechanism

+

Static web page protection

+
  1. Local directory lock

    WTP locks files in a web file directory in a drive to prevent attackers from modifying them. Website administrators can update the website content by using privileged processes.

    +
  2. Proactive backup and restoration

    If WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local host to restore the file.

    +
  3. Remote backup and restoration

    If a file directory or backup directory on the local server is invalid, you can use the remote backup service to restore the tampered web page.

    +
+

Dynamic web page protection

+

Dynamic web page protection for Tomcat.

+
  1. Malicious behavior filtering based on RASP

    The unique runtime application self-protection (RASP) detects application program behaviors, preventing attackers from tampering with web pages through application programs.

    +
  2. Network disk file access control

    WTP implements fine-grained management to control permissions for adding, modifying, and querying file content in network disks, preventing tampering without affecting website content release.

    +
+
+
+
+

Prerequisite

+
+

Configuring Protected Directories

You can add up to 50 directories to be protected. For details, see Adding a Protected Directory.

+

To record the running status of the server in real time, exclude the log files in the protected directory. You can grant high read and write permissions for log files to prevent attackers from viewing or tampering with the log files.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation pane, choose Protection > Web Tamper Protection. On the Web Tamper Protection page, click the Servers tab.

    Figure 1 Entering the page for protected directory settings
    +

  2. Click Add Server. In the displayed dialog box, select servers.

    Selected servers must be equal to or fewer than the available quotas.

    +
    +
    Figure 2 Adding protected servers
    +

  3. Click Add and Enable Protection and check the protection status. Choose Protection > Web Tamper Protection. On the Web Tamper Protection page, click the Servers tab. If the Protection Status of the server is Protected, WTP has been enabled.

    • After WTP is enabled, configure protected directories for WTP to take effect. For details, see Adding a Protected Directory.
    • Dynamic WTP can only be enabled for Linux servers, and can only be used after Tomcat is restarted.
    • You can check the server protection status on the Web Tamper Protection page.
      The premium edition will be enabled when you enable WTP. You can perform the following operations to check the protection status:
      • Choose Prevention > Web Tamper Protection. If the Protection Status of the server is Protected, WTP has been enabled.
      +
      +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0023.html b/docs/hss/umn/hss_01_0023.html
new file mode 100644
index 00000000..77d3498f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0023.html
@@ -0,0 +1,34 @@
+ + +

Managing Server Groups

+

To manage servers by group, you can create a server group and add servers to it.

+

You can check the numbers of servers, unsafe servers, and unprotected servers in a group.

+

Creating a Server Group

After creating a server group, you can add servers to the group for unified management.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation pane, choose Asset Management > Servers & Quota, click Server Groups in the Server list, and click Create Server Group.

    Figure 1 Accessing the page of server groups
    +

  2. In the Create Server Group dialog box, enter a server group name and select the servers to be added to the group.

    • A server group name must be unique, or the group will fail to be created.
    • A name cannot contain spaces. It contains only letters, digits, underscores (_), hyphens (-), dots (.), asterisks (*), and plus signs (+). The length cannot exceed 64 characters.
    +
    +
    Figure 2 Creating a server group
    +

  3. Click OK.
+
+

Adding Servers to Groups

You can add servers to an existing server group.

+
  1. Click the Server tab.
  2. Select one or more servers and click Add to Group.

    Figure 3 Adding servers to a group
    +

    To add a server to a group, you can also locate the row where the server resides, click More in the Operation column, and choose Add to Group.

    +
    +

  3. In the displayed dialog box, select a server group and click OK.

    A server can be added to only one server group.

    +
    +

+
+

Related Operations

Editing a server group

+
  1. Click Servers & Quota and click Server Groups on the Servers tab.
  2. Locate the row where a server group resides and click Edit in the Operation column.
  3. In the displayed dialog box, change the server group name and add or remove servers in the group.
  4. Click OK.
+

Deleting a server group

+
  1. Click Servers & Quota and click Server Groups on the Servers tab.
  2. Locate the row where a server group resides and click Delete in the Operation column.

    After the server group is deleted, the Server Group column of the servers that were in the group will be blank.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0024.html b/docs/hss/umn/hss_01_0024.html
new file mode 100644
index 00000000..3ebffb4d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0024.html
@@ -0,0 +1,29 @@
+ + +

Deploying a Policy

+

You can quickly configure and start server scans by using policy groups. Simply create a group, add policies to it, and apply this group to servers. The agents deployed on your servers will scan everything specified in the policies.

+

Precautions

+
+

Creating a Policy Group

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation tree on the left, choose Security Operations > Policies
  2. Copy a policy group.

    • Select the tenant_linux_premium_default_policy_group policy group. Locate the row that this policy group resides, click Copy in the Operation column.
      Figure 1 Copying a Linux policy group
      +
    • Select the tenant_windows_premium_default_policy_group policy group. Click Copy in the Operation column.
      Figure 2 Copying a Windows policy group
      +
    +

  3. In the dialog box displayed, enter a policy group name and description, and click OK.

    • The name of a policy group must be unique, or the group will fail to be created.
    • The policy group name and its description can contain only letters, digits, underscores (_), hyphens (-), and spaces, and cannot start or end with a space.
    +
    +
    Figure 3 Creating a policy group
    +

  4. Click OK.
  5. Click the name of the policy group you just created. The policies in the group will be displayed.

    Figure 4 Policy group details
    +

  6. Click a policy name and modify its settings as required. For details, see Configuring Policies.
  7. Enable or disable the policy by clicking the corresponding button in the Operation column. You can click to refresh the page.
+
+

Applying a Policy Group

  1. Log in to the management console and go to the HSS page.
  1. In the navigation pane, choose Asset Management > Servers & Quota and click Servers.
  2. Select one or more servers for which you want to deploy a policy, and .

    Figure 5 Applying a policy
    +

    +

  3. In the dialog box that is displayed, select a policy group and click OK.

    • Old policies applied to a server will become invalid if you apply new policies to the server.
    • Policies are applied to the servers within 1 minute.
    • Policies applied to offline servers will not take effect until the servers are online.
    • In a deployed policy group, you can enable, disable, or modify policies.
    • A policy group that has been deployed cannot be deleted.
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0025.html b/docs/hss/umn/hss_01_0025.html
new file mode 100644
index 00000000..ca399c96
--- /dev/null
+++ b/docs/hss/umn/hss_01_0025.html
@@ -0,0 +1,15 @@
+ + +

Risk Prevention

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0026.html b/docs/hss/umn/hss_01_0026.html
new file mode 100644
index 00000000..5b23a6c1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0026.html
@@ -0,0 +1,106 @@
+ + +

Viewing Server Alarms

+

The Events page displays the alarm events generated in the last 30 days. You can manually handle the alarmed items.

+

The status of a handled event changes from Unhandled to Handled.

+

Constraints and Limitations

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Server alarms
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Alarm statistics

    Parameter

    +

    Description

    +

    Enterprise Project

    +

    Select an enterprise project and view alarm details by enterprise project.

    +

    Time range

    +

    You can select a fixed time period or customize a time period to filter alarms. Only alarms generated within 30 days can be queried.

    +

    The options are as follows:

    +
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom
    +

    Server Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms.

    +

    Blocked IP Addresses

    +

    Number of blocked IP addresses. You can click the number to check blocked IP address list.

    +

    The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time.

    +

    If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.

    +
    NOTICE:
    • After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address.
    • A maximum of 10,000 IP addresses can be blocked for each type of software.

      If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp.

      +

      If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.

      +
    +
    +

    Isolated Files

    +

    HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them.

    +

    You can recover isolated files. For details, see Managing Isolated Files.

    +

    Container Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms

    +

    Threats

    +

    Displays the statistics on alarms by severity.

    +
    • Critical
    • High
    • Medium
    • Low
    +

    Top 5 Events

    +

    Displays the top 5 alarm types and their quantities.

    +
    +
    +

  4. Click an alarm event in the list of event types to view the affected servers and occurrence time of the event. The following information is displayed:

    • Total number of alarms
    • Number of each type of alarms
    +

  5. Click an alarm name to view its details.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0028.html b/docs/hss/umn/hss_01_0028.html
new file mode 100644
index 00000000..261d899b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0028.html
@@ -0,0 +1,74 @@
+
+
+

Managing the Alarm Whitelist

+

You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.

+

Whitelisted events will not trigger alarms.

+

On the Alarms page, you can add falsely reported alarms to the alarm whitelist. After an alarm is added to the whitelist, HSS will not generate alarms or collect statistics on it.

+

Adding Events to the Alarm Whitelist

+
+ + + + + + + +
Table 1 Configuring the alarm whitelist

Method

+

Description

+

Add to alarm whitelist

+

Choose to add the alarm to the whitelist when handling it.

+

The following types of events can be added to the alarm whitelist:

+
  • Reverse shells
  • Ransomware
  • Malicious programs
  • Web shell
  • Abnormal process behaviors
  • Process privilege escalations
  • File privilege escalations
  • High-risk command executions
  • Malicious programs
  • Important file changes
  • File/Directory changes
  • Abnormal shells
  • Suspicious crontab tasks
  • Invalid accounts
  • Common vulnerability exploits
+
+
+
+

Checking the Alarm Whitelist

Perform the following steps to check the alarm whitelist:

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Whitelists.
  4. Click Alarm Whitelist to view the added alarm whitelist. For more information, see Table 2.

    +

    + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameter description

    Parameter Name

    +

    Description

    +

    Alarm Type

    +

    Name of the alarm whitelist type.

    +

    SHA256

    +

    Hash value of the target file.

    +

    Description

    +

    Description of the target whitelist.

    +

    Added

    +

    Time when an alarm is added to the whitelist.

    +

    Enterprise Project

    +

    Enterprise project

    +
    +
    +

+
+

Related Operations

Removing alarms from the whitelist

+

To remove an alarm from the whitelist, select it and click Delete.

+
  • Exercise caution when performing this operation. Whitelisted alarms cannot be restored after removal, and will be reported once triggered.
  • After an alarm is deleted from the whitelist, the handling status of the events associated with the alarm is not updated. To change the status, choose Detection > Alarms, click Handle in the Operation column of an event, and select Remove from whitelist.
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0029.html b/docs/hss/umn/hss_01_0029.html
new file mode 100644
index 00000000..ea4641f8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0029.html
@@ -0,0 +1,59 @@
+
+
+

Managing Login Whitelist

+

You can configure the IP addresses of destination servers, login IP addresses, login usernames, and user behaviors in the Login Whitelist.

+
  • If the destination server IP address, login IP address, and username of a login are all whitelisted, this login will be allowed without checking.
  • After an IP address is added to a whitelist by following the instructions in Adding Login Whitelist, the alarms (if any) that have been generated for the IP address will not be automatically cleared. Handle the alarms by referring to Viewing Server Alarms.
+
+

You can add Login Whitelist in either of the following ways:

+ +

Adding Login Whitelist

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Detection > Whitelists > Login Whitelist to access the Whitelists page, and click Add.

    Figure 1 Adding Login Whitelist
    +

  4. On the displayed page, enter the server IP address, login IP address, and login username.

    +

    + + + + + + + + + + + + + + + + + + + +
    Table 1 Login security whitelist parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Server IP Address

    +
    • IPv4 addresses are supported
    • Single IP addresses, IP address segments, and masks are supported. Use commas (,) to separate them.
    +
    • 192.168.1.1
    • 192.168.2.1-192.168.6.1
    • 192.168.7.0/24
    +

    Login IP Address

    +

    Login Username

    +

    Current login username

    +

    hss_test

    +

    Remarks

    +

    Custom whitelist description

    +

    Test

    +
    +
    +

  5. Click OK.
+
+

Other Operations

Removing Login Whitelist

+

To delete a Login Whitelist, select the Login Whitelist to you want to delete and click Delete, or click Delete in the Operation column of the server IP address you want to delete in the Login Whitelist.

+

Exercise caution when performing the deletion operation because it cannot be rolled back.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0030.html b/docs/hss/umn/hss_01_0030.html
new file mode 100644
index 00000000..0ac8c177
--- /dev/null
+++ b/docs/hss/umn/hss_01_0030.html
@@ -0,0 +1,25 @@
+
+
+

Intrusion Detection

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0032.html b/docs/hss/umn/hss_01_0032.html
new file mode 100644
index 00000000..5926333f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0032.html
@@ -0,0 +1,35 @@
+
+
+

FAQs

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0033.html b/docs/hss/umn/hss_01_0033.html
new file mode 100644
index 00000000..ba411466
--- /dev/null
+++ b/docs/hss/umn/hss_01_0033.html
@@ -0,0 +1,43 @@
+
+
+

What Is Host Security?

+

Host Security Service (HSS) helps you identify and manage the assets on your servers, eliminate risks, and defend against intrusions and web page tampering. There are also advanced protection and security operations functions available to help you easily detect and handle threats.

+

How HSS Works

Install the HSS agent on your servers, and you will be able to check the server security status and risks in a region on the HSS console.

+

Figure 1 shows the working principles of HSS.

+
Figure 1 Working principles
+

The functions and working processes of HSS components are described as follows:

+ +
+ + + + + + + + + + + + + +
Table 1 Components

Component

+

Description

+

Management console

+

A visualized management platform, where you can apply configurations in a centralized manner and view the protection status and scan results of servers in a region.

+

HSS cloud protection center

+
  • Analyzes security risks in servers using AI, machine learning, and deep learning algorithms.
  • Integrates multiple antivirus engines to detect and kill malicious programs in servers.
  • Receives configurations and scan tasks sent from the console and forwards them to agents on the servers.
  • Receives server information reported by agents, analyzes security risks and exceptions on servers, and displays the analysis results on the console.
+

Agent

+
  • Communicates with the HSS cloud protection center via HTTPS and WSS. Port 10180 is used by default.
  • Scans all servers every early morning; monitors the security status of servers; and reports the collected server information (including non-compliant configurations, insecure configurations, intrusion traces, software list, port list, and process list) to the cloud protection center.
  • Blocks server attacks based on the security policies you configured.
+
NOTE:
  • If no agent is installed or the agent installed is abnormal, the HSS is unavailable.
  • Select the agent and installation command suitable for your OS.
  • The HSS agent can be used for all editions, including container security and Web Tamper Protection (WTP). You only need to install the agent once on the same server.
+
+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0036.html b/docs/hss/umn/hss_01_0036.html
new file mode 100644
index 00000000..6f224fac
--- /dev/null
+++ b/docs/hss/umn/hss_01_0036.html
@@ -0,0 +1,34 @@
+
+
+

How Do I Fix an Abnormal Agent?

+

Your agent is probably abnormal if it is in Not installed or Offline state. Agent statuses and their meaning are as follows:

+ +

Possible Causes

+
+

Solution

  1. Check whether the agent status remains Offline on the console for more than 10 minutes after the agent was installed.

    • If yes, go to 2.
    • If no, wait until the agent goes online. No further action is required. After the agent was installed, it takes 5 to 10 minutes for the console to update its status.
    +

  2. Check whether your server OS is within the scope of support in "Constraints" in "Service Overview".

    • If yes, go to 3.
    • If no, the HSS agent cannot be installed or run on your server. Upgrade the OS to a version supported by HSS and try again.
    +

  3. Check whether the server network is normal.

    • If yes, go to 4.
    • If no, After the server can access the network, check the agent status.
    +

  4. Restart the agent process.

    • Windows
      1. Log in to the server as user administrator.
      2. Open the Task Manager.
      3. On the Services tab page, select HostGuard.
      4. Right-click the service and choose Restart.
      +
    • Linux

      Run the following command in the CLI as user root to restart the agent:

      +

      service hostguard restart

      +
      If the following information is displayed, the restart is successful:
      root@HSS-Ubuntu32:~#service hostguard restart
      +Stopping Hostguard...
      +Hostguard stopped
      +Hostguard restarting...
      +Hostguard is running
      +
      +
    +

    After the process is restarted, wait for about 2 minutes.

    +
    • If the agent status is Online, no further action is required.
    • If the agent status is still Not installed or Offline, uninstall the agent and install it again.
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0037.html b/docs/hss/umn/hss_01_0037.html
new file mode 100644
index 00000000..cdd23906
--- /dev/null
+++ b/docs/hss/umn/hss_01_0037.html
@@ -0,0 +1,18 @@
+
+
+

Is the Agent in Conflict with Any Other Security Software?

+

Yes, it may be in conflict with DenyHosts.

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0038.html b/docs/hss/umn/hss_01_0038.html
new file mode 100644
index 00000000..c20218f3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0038.html
@@ -0,0 +1,27 @@
+
+
+

Brute-force Attack Defense

+
+
+ + + +
+
+
+
+
diff --git a/docs/hss/umn/hss_01_0041.html b/docs/hss/umn/hss_01_0041.html
new file mode 100644
index 00000000..163f5807
--- /dev/null
+++ b/docs/hss/umn/hss_01_0041.html
@@ -0,0 +1,11 @@
+
+
+

Security Operations

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0042.html b/docs/hss/umn/hss_01_0042.html
new file mode 100644
index 00000000..0f46088e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0042.html
@@ -0,0 +1,25 @@
+
+
+

Introduction

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0043.html b/docs/hss/umn/hss_01_0043.html
new file mode 100644
index 00000000..ab9bc5b0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0043.html
@@ -0,0 +1,90 @@
+
+
+

How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?

+

Installing a PAM

Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.

+

For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.

+

A PAM is installed and running by default in CentOS, Fedora, and EulerOS.

+
+
+

Setting a Password Complexity Policy

A proper password complexity policy would be: the password must contain at least eight characters and must contain uppercase letters, lowercase letters, numbers, and special characters.

+

The preceding configurations are basic security requirements. For more security configurations, run the following commands to obtain help information in Linux OSs:

+
  • For CentOS, Fedora, and EulerOS based on Red Hat 7.0, run:

    man pam_pwquality

    +
+
  • For other Linux OSs, run:

    man pam_cracklib

    +
+
+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0044.html b/docs/hss/umn/hss_01_0044.html
new file mode 100644
index 00000000..b0dce418
--- /dev/null
+++ b/docs/hss/umn/hss_01_0044.html
@@ -0,0 +1,991 @@
+
+
+

Configuring Policies

+

After HSS is enabled, you can configure HSS policies based on your service requirements.

+

Constraints

+
+

Accessing the Policies Page

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation tree on the left, choose Security Operation > Policies. On the displayed page, Policy group parameters describes the fields.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 1 Policy group parameters

    Parameter

    +

    Description

    +

    Policy Group

    +

    Name of a policy group The preset policy group names are as follows:

    +
    • tenant_linux_container_default_policy_group: preset Linux policy of the container edition. You can copy this policy group and create a new one based on it.
    • tenant_linux_enterprise_default_policy_group is the default Linux policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_windows_enterprise_default_policy_group: preset Windows policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_linux_premium_default_policy_group: preset Linux policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
    • tenant_windows_premium_default_policy_group: preset Windows policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
    +

    ID

    +

    Unique ID of a policy group

    +

    Description

    +

    Description of a policy group

    +

    Supported Version

    +

    HSS edition supported by a policy group.

    +

    Associated Servers

    +

    To view details about the servers associated with a policy group, click the number in the Servers column of the group.

    +
    +
    +

  2. Click the name of the policy group to access the policy detail list.

    You can click Enable or Disable in the Operation column of a policy. After a policy is disabled, the detection of the policy is not performed.

    +
    +

  3. You can modify the policy by clicking its name.
+
+

Asset Discovery

  1. Click Asset Discovery.
  2. On the displayed page, modify the settings as required. For more information, see Table 2.

    Figure 1 Modifying the asset discovery policy
    + +
    + + + + + + + + + + + + + + + + +
    Table 2 Parameter description

    Parameter

    +

    Description

    +

    Software Scanned

    +
    • Software name. A name can contain a maximum of 5,000 characters without any space. Use commas (,) to separate software names.
    • If this parameter is not specified, information about all installed software will be retrieved as its value.
    +

    Software Search Path

    +

    Path for software search. This parameter is not required for Windows servers.

    +

    Scanned Web Directories

    +

    Specifies a web directory to be scanned.

    +

    Scanned Web Directory Depth

    +

    Specifies the level depth for web directory scanning.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Weak Password Scan

Weak passwords are not attributed to a certain type of vulnerabilities, but they bring no less security risks than any type of vulnerabilities. Data and programs will become insecure if their passwords are cracked.

+

HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.

+
  1. Click Weak Password Detection.
  2. In the Policy Settings area, modify the settings as required. For more information, see Table 3.

    Figure 2 Modifying the weak password detection policy
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 3 Parameter description

    Parameter

    +

    Description

    +

    Scan Time

    +

    Time point when detections are performed. It can be accurate to the minute.

    +

    Random Deviation Time (s)

    +

    Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.

    +

    Scan Days

    +

    Days in a week when weak passwords are scanned. You can select one or more days.

    +

    Detection Break Time (ms)

    +

    Interval between the checks of two accounts. The value range is 0 to 2,000.

    +

    For example, if this parameter is set to 50, the system checks /bin/ls every 50 milliseconds.

    +

    User-defined Weak Passwords

    +

    You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password.

    +

    Enter only one weak password per line. Up to 300 weak passwords can be added.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Configuration Check

  1. Click Configuration Check.
  2. On the Configure Check, modify the policy.

    Figure 3 Modifying the configuration check policy
    + +
    + + + + + + + + + + + + + + + + +
    Table 4 Parameter description

    Parameter

    +

    Description

    +

    Scan Time

    +

    Time point when detections are performed. It can be accurate to the minute.

    +

    Random Deviation Time (Seconds)

    +

    Random deviation time of the system detection. The value ranges from 0 to 7,200s.

    +

    Scan Days

    +

    Day in a week when a detection is performed. You can select any days from Monday to Sunday.

    +

    System Default Baseline Library

    +

    The detection baseline has been configured in the system. You only need to select the baseline you want to scan. All parameters are in their default values and cannot be modified.

    +

    The parameters are as follows:

    +
    • Scan: You can select this check box to execute the corresponding baseline policy. By default, this check box is not selected.
    • Baseline Name
    • Type
    • Baseline Library Hash
    • Keyword
    • OS Type
    • OS Name: name of the OS to be checked. This parameter is left empty by default.
    • Allowed Executable Item ID: executable items allowed during baseline detection. This parameter is left empty by default.
    +
    +
    +

  3. Select the baseline to be detected or customize a baseline.
  4. Confirm the information and click OK.
+
+

Web Shell Detection

If User-defined Scan Paths is not specified, the website paths in your assets are scanned by default. If User-defined Scan Paths is specified, only the specified paths are scanned.

+
  1. Click Web Shell Detection.
  2. On the Web Shell Detection page, modify the settings as required. For more information, see Table 5.

    Figure 4 Modifying the web shell detection policy
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 5 Parameter description

    Parameter

    +

    Description

    +

    Scan Time

    +

    Time point when detections are performed. It can be accurate to the minute.

    +

    Random Deviation Time (Seconds)

    +

    Random deviation time. The value ranges from 0 to 7,200s.

    +

    Scan Days

    +

    Days in a week when web shells are scanned. You can select one or more days.

    +

    User-defined Scan Paths

    +

    Web paths to be scanned. A file path must:

    +
    • Start with a slash (/) and end with no slashes (/).
    • Occupy a separate line and cannot contain spaces.
    +

    Monitored Files Types

    +

    Extensions of files to be checked. Valid values include jsp, jspx, jspf, php, php5, php4.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

File Protection

  1. Click File Protection.
  2. On the File Protection page, modify the policy. For more information, see Table 6.

    Figure 5 Modifying the file protection policy
    + +
    + + + + + + + + + + + + + + + + +
    Table 6 Parameter description

    Parameter

    +

    Description

    +

    File Privilege Escalation

    +
    • Detects privilege escalation.
      • : enabled
      • : disabled
      +
    • Ignored File Path: Files to be ignored. Start the path with a slash (/) and do not end it with a slash (/). Each path occupies a line. No spaces are allowed between path names.
    +

    File Integrity

    +
    • Detects the integrity of key files.
      • : enabled
      • : disabled
      +
    • File Paths: Configure the file paths.
    +

    Important File Directory Change

    +
    • Detects the directory change of key files.
      • : enabled
      • : disabled
      +
    • Enable Audit: enables the audit detection function. If the function is enabled and inotify usage exceeds the limit, some file directory changes cannot be detected.
      • : enabled
      • : disabled
      +
    • Session IP Whitelist: If the file process belongs to the sessions of the listed IP addresses, no audit applies.
    • Unmonitored File Types: File types that do not need to be monitored.
    • Unmonitored File Paths: File paths that do not need to be monitored.
    • Monitoring Login Keys: enables the function of monitoring login keys.
      • : enabled
      • : disabled
      +
    +

    Directory Monitoring Mode

    +
    • Directory monitoring mode.
    • File or Directory Path: Some file or directory monitoring paths are preset in the system. You can modify the file change type to be detected and add the file or directory paths to be monitored.
    +
    +
    +

  3. Confirm the information and click OK.
+
+

Login Security Check

  1. Click Login Security Check.
  2. In the displayed Login Security Check page, modify the policy content. describes the parameters.

    Figure 6 Modifying the security check policy
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 7 Parameter description

    Parameter

    +

    Description

    +

    Block Attacking IP Address

    +

    After the function of blocking attacking IP addresses is enabled, HSS blocks the brute-force IP address logins.

    +

    The agent modifies system configurations to block the source IP addresses of account cracking attacks.

    +
    • : enabled
    • : disabled
    +

    Lock Time (Min.)

    +

    This parameter is used to determine how many minutes the brute-force attacks are locked. The value range is 1 to 43,200 min. (Login is not allowed in the lockout duration.)

    +

    Cracking Behavior Determination Threshold (s)

    +

    This parameter is used together with Cracking Behavior Determination Threshold (Login Attempts). The value range is 5 to 3,600.

    +

    For example, if this parameter is set to 30 and Cracking Behavior Determination Threshold (Login Attempts) is set to 5, the system determines that an account is cracked when the same IP address fails to log in to the system for five times within 30 seconds.

    +

    Cracking Behavior Determination Threshold (Login Attempts)

    +

    This parameter is used together with Cracking Behavior Determination Threshold. The value range is 1 to 36,000.

    +

    Threshold for slow brute force attack (second)

    +

    This parameter is used together with Threshold for slow brute force attack (failed login attempt). The value range is 600 to 86,400s.

    +

    For example, if this parameter is set to 3600 and Threshold for slow brute force attack (failed login attempt) is set to 15, the system determines that an account is cracked when the same IP address fails to log in to the system for fifteen times within 3,600 seconds.

    +

    Threshold for slow brute-force attack (failed login attempt)

    +

    This parameter is used together with Threshold for slow brute force attack (second). The value range is 6 to 100.

    +

    Cracking Behavior Determination Release Time (s)

    +

    Interval for clearing login failure records generated due to cracking. The value range is 60 to 86,400s.

    +

    The unblocked IP addresses are those that triggered brute-force alarms.

    +

    Check Whether the Audit Login Is Successful

    +
    • After this function is enabled, HSS reports login success logs.
      • : enabled
      • : disabled
      +
    +
    +
    +

  3. Confirm the information and click OK.
+
+

Malicious File Detection

  1. Click Malicious File Detection.
  2. On the displayed page, modify the policy. For more information, see Table 8.

    Figure 7 Modifying the malicious file detection policy
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 8 Parameter description

    Parameter

    +

    Description

    +

    Whitelist Paths in Reverse Shell Check

    +

    Process file path to be ignored in reverse shell detection

    +

    Start with a slash (/) and end with no slashes (/). Occupy a separate line and cannot contain spaces.

    +

    Reverse Shell Scanning Interval (s):

    +

    Reverse shell scanning period. The value range is 30 to 86,400.

    +

    Audit detection enhancement

    +
    • Whether to enhance audit detection. You are advised to enable this function.
      • : enabled
      • : disabled
      +
    +

    Max. open files per process

    +

    Maximum number of files that can be opened by a process. The value range is 10 to 300,000.

    +

    Detect Reverse Shells

    +
    • Detects reverse shells. You are advised to enable it.
      • : enabled
      • : disabled
      +
    +

    Auto-block Reverse Shells

    +
    Specifies whether to enable automatic blocking of reverse shells. You are advised to enable this function. +
    + +

    Abnormal Shell Detection

    +
    • Detects abnormal shells. You are advised to enable it.
      • : enabled
      • : disabled
      +
    +
    +
    +

  3. Confirm the information and click OK.
+
+

Abnormal Process Behavior

  1. Click Abnormal process behaviors.
  2. In the displayed area, modify the settings as required. For more information, see Table 9.

    Figure 8 Modifying the abnormal process behavior policy
    + +
    + + + + + + + + + + + + + + + + + +
    Table 9 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Detection and Scanning Cycle (Seconds)

    +

    Interval for checking the running programs on the host. The value range is 30 to 1,800.

    +

    1800

    +

    Detection Mode

    +

    Select the method for abnormal process behavior detection.

    +
    • Sensitive: In-depth and full detection and scanning are performed on all processes, which may cause false positives. Suitable for cyber protection drills and key event assurance drills.
    • Balanced: All processes are detected and scanned. The detection result accuracy and the abnormal process detection rate are balanced. Suitable for routine protection.
    • Conservative: All processes are detected and scanned. This mode provides high detection result accuracy and low false positives. Suitable for scenarios with a large number of false positives.
    +

    Balanced

    +

    Threshold for Score Reporting

    +

    Score reporting threshold. The value range is 1 to 100.

    +

    3

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Root Privilege Escalation Detection

  1. Click Root privilege escalation.
  2. In the displayed area, modify the settings as required. For more information, see Table 10.

    Figure 9 Modifying the root privilege escalation policy
    + +
    + + + + + + + + + + +
    Table 10 Parameter description

    Parameter

    +

    Description

    +

    Ignored Process File Path

    +

    Ignored process file path

    +

    Start with a slash (/) and end with no slashes (/). Occupy a separate line and cannot contain spaces.

    +

    Scanning Interval (s)

    +

    Interval for checking process files. The value range is 5 to 3,600.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Real-time Process

  1. Click Real-time Process.
  2. On the displayed page, modify the settings as required. For more information, see Table 11.

    Figure 10 Modifying the real-time process policy
    + +
    + + + + + + + + + + + + + +
    Table 11 Parameters for real-time process policy settings

    Parameter

    +

    Description

    +

    Full Process Report Interval (s)

    +

    Interval for reporting the full process. The value range is 3,600 to 86,400.

    +

    High-Risk Commands

    +

    High-risk commands that contain keywords during detection.

    +

    Whitelist (Do Not Record Logs)

    +

    Paths or programs that are allowed or ignored during detection. You can enter the regular expression of the command to be added to the whitelist. The command regular expression is optional.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Rootkit Detection

  1. Click Rootkit Detection.
  2. On the rootkit detection page, modify the policy content.

    Figure 11 Modifying the rootkit detection policy
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 12 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Scanning Interval (s)

    +

    Interval for executing the check policy. The value ranges from 60 to 86,400.

    +

    86400

    +

    Check Library

    +

    Check files and folders in the existing libraries. You are advised to enable this function.

    +
    • : enabled
    • : disabled
    +

    : enabled

    +

    Check Kernel Space

    +

    Perform the check by kernel modules. All kernel modules will be checked. You are advised to enable this function.

    + +
    • : enabled
    • : disabled
    +

    : enabled

    +

    Kernel Module Whitelist

    +

    Add the kernel modules that can be ignored during the detection.

    +

    Up to 10 kernel modules can be added. Each module occupies a line.

    +

    xt_conntrack

    +

    virtio_scsi

    +

    tun

    +
    +
    +

  3. Confirm the information and click OK.
+
+

AV Detection

  1. Click AV Detection.
  2. On the AV Detection slide pane that is displayed, modify the settings as required. For details, see Table 13.

    Figure 12 Modifying an AV detection policy
    + +
    + + + + + + + + + + + + + + + + + +
    Table 13 AV detection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Real-Time Protection

    +

    After this function is enabled, AV detection is performed in real time when the current policy is executed. You are advised to enable this function.

    +
    • : enabled
    • : disabled
    +

    : enabled

    +

    Protected File Type

    +

    Type of the files to be checked in real time.

    +
    • All: Select all file types.
    • Executable: Executable file types such as EXE, DLL, and SYS.
    • Compressed: Compressed file types such as ZIP, RAR, and JAR.
    • Text: Text file types such as PHP, JSP, HTML, and Bash.
    • OLE: Composite file types such as Microsoft Office files (PPT and DOC) and saved email files (MSG).
    • Other: File types except the preceding types.
    +

    All

    +

    Action

    +

    Handling method for the object detection alarms.

    +
    • Automated handling:Isolate high-risk virus files bu default. Report other virus files but do not isolate them.
    • Manual handling: Report all the detected virus files but do not isolate them. You need to handle them manually.
    +

    Automatic handling

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Container Information Collection

  1. Click Container Information Collection.
  2. On the Container Information Collection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 14.

    Figure 13 Modifying the container information collection policy
    +

    The whitelist has a higher priority than blacklist. If a directory is specified in both the whitelist and blacklist, it is regarded as a whitelisted item.

    +
    + +
    + + + + + + + + + + + + +
    Table 14 Container information collection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Mount Path Whitelist

    +

    Enter the directory that can be mounted.

    +

    /test/docker or /root/*

    +

    Note: If a directory ends with an asterisk (*), it indicates all the sub-directories under the directory (excluding the main directory).

    +

    For example, if /var/test/* is specified in the whitelist, all sub-directories in /var/test/ are whitelisted, excluding the test directory.

    +

    Mount Path Blacklist

    +

    Enter the directories that cannot be mounted. For example, user and bin, the directories of key host information files, are not advised being mounted. Otherwise, important information may be exposed.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Cluster Intrusion Detection

  1. Click Cluster Intrusion Detection.
  2. On the Cluster Intrusion Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 15.

    Figure 14 Modifying the cluster intrusion detection policy
    + +
    + + + + + + + + + + + + + +
    Table 15 Cluster intrusion detection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Basic Detection Cases

    +

    Select basic check items as required.

    +

    Select all

    +

    Whitelist

    +

    You can customize the types and values that need to be ignored during the detection. You can add and delete types and values as required.

    +

    The following types are supported:

    +
    • IP address filter
    • Pod name filter
    • Image name filter
    • User filter
    • Pod tag filter
    • Namespace filter
      NOTE:

      Each type can be used only once.

      +
      +
    +

    Type: IP address filtering

    +

    Value: 192.168.x.x

    +
    +
    +

    After this policy is configured, you need to enable the log audit function and deploy the HSS agent on the management node (node where the APIServer is located) of the cluster to make the policy take effect.

    +
    +

  3. Confirm the information and click OK.
+
+

Container File Monitoring

If a monitored file path is under the mount path rather than the writable layer of the container on the server, changes on the file cannot trigger container file modification alarms. To protect such files, configure a file protection policy.

+
+
  1. Click Container File Monitoring.
  2. On the Container File Monitoring slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 16.

    Figure 15 Modifying the container file monitoring policy
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 16 Container file monitoring policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Fuzzy match

    +

    Indicates whether to enable fuzzy match for the target file. You are advised to select this option.

    +

    Selected

    +

    Block New Executable

    +

    Monitor the behavior of the adding executable files. If this option is selected, adding executable files is prohibited. You are advised to select this option.

    +

    Selected

    +

    Image Name

    +

    Name of the target image to be checked

    +

    test_bj4

    +

    Image ID

    +

    ID of the target image to be checked

    +

    -

    +

    File

    +

    Name of the file in the target image to be checked

    +

    /tmp/testw.txt

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Container Process Whitelist

  1. Click Container Process Whitelist.
  2. On the Container Process Whitelist slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 17.

    Figure 16 Container process whitelist policy
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 17 Container process whitelist policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Fuzzy Match

    +

    Indicates whether to enable fuzzy match for the target file. You are advised to select this option.

    +

    Selected

    +

    Image Name

    +

    Name of the target image to be detected

    +

    test_bj4

    +

    Image ID

    +

    ID of the target image to be checked

    +

    -

    +

    File

    +

    Path of the file in the target image to be checked

    +

    /tmp/testw

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Suspicious Image Behaviors

  1. Click Suspicious Image Behaviors.
  2. On the Suspicious Image Behaviors slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 18.

    Figure 17 Modifying the suspicious image behavior policy
    + +
    + + + + + + + + + + + + + + + + + +
    Table 18 Suspicious image behaviors policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Rule Name

    +

    Name of a rule

    +

    -

    +

    Description

    +

    Brief description of a rule

    +

    -

    +

    Template

    +
    • Configure templates based on different rules. The supported rules are as follows:
      • Image whitelist
      • Image blacklist
      • Image tag whitelist
      • Image tag blacklist
      • Create container whitelist
      • Create container blacklist
      • Container mount proc whitelist
      • Container seccomp unconfined
      • Container privilege whitelist
      • Container capability whitelist
      +
    • The parameters are described as follows:
      • Exact match: Enter the names of the images you want to check. Use semicolons (;) to separate multiple names. A maximum of 20 names can be entered.
      • RegEx match: Use regular expressions to match images. Use semicolons (;) to separate multiple expressions. A maximum of 20 expressions can be entered.
      • Prefix match: Enter the prefixes of the images you want to check. Multiple prefixes are separated by semicolons (;). A maximum of 20 prefixes can be entered.
      • Tag Name: Enter the tag and value of the images you want to check. A maximum of 20 tags can be added.
      • Permission Type: Specify permissions to be checked or ignored. For details about permissions, see Table 19.
      +
    +

    -

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 19 Abnormal image permissions

    Permissions Name

    +

    Description

    +

    AUDIT_WRITE

    +

    Write records to kernel auditing log.

    +

    CHOWN

    +

    Make arbitrary changes to file UIDs and GIDs.

    +

    DAC_OVERRIDE

    +

    Bypass file read, write, and execute permission checks.

    +

    FOWNER

    +

    Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.

    +

    FSETID

    +

    Do not clear set-user-ID and set-group-ID permission bits when a file is modified.

    +

    KILL

    +

    Bypass permission checks for sending signals

    +

    MKNOD

    +

    Create special files using mknod.

    +

    NET_BIND_SERVICE

    +

    Bind a socket to internet domain privileged ports (port numbers less than 1024).

    +

    NET_RAW

    +

    Use RAW and PACKET sockets.

    +

    SETFCAP

    +

    Set file capabilities.

    +

    SETGID

    +

    Make arbitrary manipulations of process GIDs and supplementary GID list.

    +

    SETPCAP

    +

    Modify process capabilities.

    +

    SETUID

    +

    Make arbitrary manipulations of process UIDs.

    +

    SYS_CHROOT

    +

    Use chroot to change the root directory.

    +

    AUDIT_CONTROL

    +

    Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.

    +

    AUDIT_READ

    +

    Allow reading audit logs via multicast netlink socket.

    +

    BLOCK_SUSPEND

    +

    Allow suspension prevention.

    +

    BPF

    +

    Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.

    +

    CHECKPOINT_RESTORE

    +

    Allow operations related to checkpoints and restoration.

    +

    DAC_READ_SEARCH

    +

    Bypass file read permission checks and directory read and execute permission checks.

    +

    IPC_LOCK

    +

    Lock memory (such as mlock, mlockall, mmap, and shmctl).

    +

    IPC_OWNER

    +

    Bypass permission checks for operations on System V IPC objects.

    +

    LEASE

    +

    Establish leases on arbitrary files

    +

    LINUX_IMMUTABLE

    +

    Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.

    +

    MAC_ADMIN

    +

    Allow MAC configuration or state changes.

    +

    MAC_OVERRIDE

    +

    Override Mandatory Access Control (MAC).

    +

    NET_ADMIN

    +

    Perform various network-related operations.

    +

    NET_BROADCAST

    +

    Make socket broadcasts, and listen to multicasts.

    +

    PERFMON

    +

    Allow privileged system performance and observability operations using perf_events, i915_perf and other kernel subsystems.

    +

    SYS_ADMIN

    +

    Perform a range of system administration operations.

    +

    SYS_BOOT

    +

    Use reboot and kexec_load. Reboot and load a new kernel for later execution.

    +

    SYS_MODULE

    +

    Load and unload kernel modules.

    +

    SYS_NICE

    +

    Raise process nice value (nice, set priority) and change the nice value for arbitrary processes.

    +

    SYS_PACCT

    +

    Enable or disable process accounting.

    +

    SYS_PTRACE

    +

    Trace arbitrary processes using ptrace.

    +

    SYS_RAWIO

    +

    Perform I/O port operations (ipl and ioperm).

    +

    SYS_RESOURCE

    +

    Override resource limits.

    +

    SYS_TIME

    +

    Set the system clock (settimeofday, stime, and adjtimex) and real-time (hardware) clock.

    +

    SYS_TTY_CONFIG

    +

    Use vhangup. Employ various privileged ioctl operations on virtual terminals.

    +

    SYSLOG

    +

    Perform privileged syslog operations.

    +

    WAKE_ALARM

    +

    Trigger something that will wake up the system.

    +
    +
    +

  3. Confirm the information and click OK.
+
+

Port Scan Detection

  1. Click Port Scan Detection.
  2. On the Port Scan Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 20.

    Figure 18 Modifying the port scanning policy
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 20 Port scan detection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Process Information Collection Interval (s):

    +

    Interval for obtaining processes

    +

    Selected

    +

    Source IP Address Whitelist

    +

    Enter the IP address whitelist. Separate multiple IP addresses with semicolons (;).

    +

    test_bj4

    +

    Packet Quantity Threshold

    +

    -

    +

    -

    +

    Ports to Scan

    +

    Details about the port number and protocol type to be detected

    +

    -

    +
    +
    +

  3. Confirm the information and click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0045.html b/docs/hss/umn/hss_01_0045.html
new file mode 100644
index 00000000..6384a2c3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0045.html
@@ -0,0 +1,331 @@
+ + +

Overview

+

If policies such as asset collection, baseline check, and intrusion detection do not meet your server protection requirements, you can manage these policies.

+

Table 1 lists the policies that can be managed by each HSS edition. For details about how to configure policies, see Configuring Policies.

+

If you have different protection requirements, you can create a custom policy group to deploy different protection policies for different servers. For details, see Creating a Policy Group.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Policies

Function Type

+

Policy

+

Action

+

Supported OS

+

Enterprise Edition

+

Premium Edition

+

WTP Edition

+

Container Edition

+

Assets

+

Asset discovery

+

Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets.

+

Linux and Windows

+

×

+

+

+

+

Baseline Inspection

+

Weak password detection

+

Change weak passwords to stronger ones based on HSS scan results and suggestions.

+

Linux

+

+

+

+

+

Configuration Check

+

Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS.

+

Linux and Windows

+

×

+

+

+

+

Intrusions

+

AV detection

+

Check server assets and report, isolate, and kill the detected viruses.

+

The generated alarms are displayed under Detection > Alarms > Server Alarms > Event Types > Malware.

+

After AV detection is enabled, the resource usage is as follows:

+

The CPU usage does not exceed 40% of a single vCPU. The actual CPU usage depends on the server status.

+

Windows

+

+

+

+

×

+

Container Information Collection

+

Collect information about all containers on a server, including ports and directories, and report alarms for risky information.

+

Linux

+

×

+

×

+

×

+

+

Cluster Intrusion Detection

+

Detect container high-privilege changes, creation in key information, and virus intrusion.

+

Linux

+

×

+

×

+

×

+

+

Web Shell Detection

+

Scan web directories on servers for web shells.

+

Linux and Windows

+

+

+

+

+

Container File Monitoring

+

Detect file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files.

+

Linux

+

×

+

×

+

×

+

+

Container Process Whitelist

+

Check for process startups that violate security policies.

+

Linux

+

×

+

×

+

×

+

+

Suspicious Image Behaviors

+

Configure the blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms.

+

Linux

+

×

+

×

+

×

+

+

HIPS Detection

+

Check registries, files, and processes, and report alarms for operations such as abnormal changes.

+

Windows

+

+

+

+

+

File Protection

+

Check the files in the Linux OS, applications, and other components to detect tampering.

+

Linux

+

+

+

+

+

Login Security Check

+

Detect brute-force attacks on SSH, FTP, and MySQL accounts.

+

If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address will be blocked.

+

By default, suspicious SSH attackers are blocked for 12 hours. Other types of suspicious attackers are blocked for 24 hours. You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.

+

Linux and Windows

+

+

+

+

+

Malicious File Detection

+
  • Reverse shell: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.
  • Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
+

Linux

+

+

+

+

+

Port Scan Detection

+

Detect scanning or sniffing on specified ports and report alarms.

+

Linux

+

×

+

+

+

+

Abnormal process behaviors

+

All the running processes on all your servers are monitored for you. You can create a process whitelist to ignore alarms on trusted processes, and can receive alarms on unauthorized process behavior and intrusions.

+

Linux

+

×

+

+

+

+

Root privilege escalation

+

Detect the root privilege escalation for files in the current system.

+

Linux

+

+

+

+

+

Real-time Process

+

Monitor the executed commands in real time and generate alarms if high-risk commands are detected.

+

Linux and Windows

+

+

+

+

+

Rootkit Detection

+

Detect server assets and report alarms for suspicious kernel modules, files, and folders.

+

Linux

+

+

+

+

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0051.html b/docs/hss/umn/hss_01_0051.html
new file mode 100644
index 00000000..3c2cb072
--- /dev/null
+++ b/docs/hss/umn/hss_01_0051.html
@@ -0,0 +1,62 @@
+ + +

Common Security Configuration

+

After protection is enabled, you can configure the common login locations, common login IP addresses, and the SSH login IP address whitelist. You can also enable automatic isolation and killing of malicious programs.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
+

Configuring Common Login Locations

After you configure common login locations, HSS will generate alarms on the logins from other login locations. A server can be added to multiple login locations.

+
  1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login Locations and click Add Common Login Location.

    Figure 1 Adding a common login location
    +

  2. In the dialog box that is displayed, select a geographical location and select servers. Confirm the information and click OK.

    Figure 2 Configuring common login locations
    +

  3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login Locations subtab.
+
+

Configuring Common Login IP Addresses

After you configure common IP addresses, HSS will generate alarms on the logins from other IP addresses.

+
  1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login IP Addresses and click Add Common Login IP Address.

    Figure 3 Adding a common login IP address
    +

  1. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.

    • A common login IP address must be a public IP address or IP address segment. Otherwise, you cannot remotely log in to the server in SSH mode.
    • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added. Up to 20 IP addresses can be added.
    +
    +
    Figure 4 Entering a common login IP address
    +

  2. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.
+
+

Configuring an SSH Login IP Address Whitelist

The SSH login whitelist controls SSH access to servers to prevent account cracking.

+
  • An account can have up to 10 SSH login IP addresses in the whitelist.
  • After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
    • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.

      If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.

      +
    • Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.
    +
+
+
  1. Choose Installation & Configuration and click the Security Configuration tab. Click SSH IP Whitelist and click Add IP Address.
  1. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.

    • A common login IP address must be a public IP address or IP address segment. Otherwise, you cannot remotely log in to the server in SSH mode.
    • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
    +
    +
    Figure 5 Entering an IP address
    +

  2. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.
+
+

Isolating and Killing Malicious Programs

HSS automatically isolates and kills identified malicious programs, such as web shells, Trojans, and worms, removing security risks.

+
  1. Choose Installation & Configuration and click the Security Configuration tab. Click the Isolation and Killing of Malicious Programs tab and enable Isolate and Kill Malicious Programs.

    After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to enable the enterprise edition or higher to enjoy all capabilities of the isolation and killing function.

    +
    +

  1. In the confirmation dialog box, click OK to enable the isolation and killing of malicious programs.

    Automatic isolation and killing may cause false positives. You can choose Intrusions > Events to view isolated malicious programs. You can cancel the isolation or ignore misreported malicious programs.

    +
    • When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any).
    • If Isolate and Kill Malicious Programs is set to Disable on the Isolation and Killing of Malicious Programs tab, HSS will generate an alarm when it detects a malicious program.

      To isolate and kill the malicious programs that triggered alarms, choose Intrusions > Events and click Malicious program.

      +
    +
    +

+
+

Enabling 2FA

+

Prerequisites

+ +

Constraints and Limitations

+
If 2FA is enabled, it can be used only in following scenarios:
  • Linux: The SSH password is used to log in to an ECS, and the OpenSSH version is earlier than 8.
  • Windows: The RDP file is used to log in to a Windows ECS.
+
+

Procedure

+
  1. On the Two-Factor Authentication tab, select servers and click Enable 2FA. Alternatively, click Enable in the Operation column.

    Figure 6 Enabling 2FA
    +

  2. In the displayed Enable 2FA dialog box, select an authentication mode.

    • SMS/Email

      You need to select an SMN topic for SMS and email verification.

      +
      • The drop-down list displays only notification topics that have been confirmed.
      • If there is no topic, click View to create one.
      • During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
      +
      Figure 7 SMS/Email
      +
    • Verification code

      Use the verification code you receive in real time for verification.

      +
      Figure 8 Setting Method to Verification code
      +
    +

  3. Click OK. After 2FA is enabled, it takes about 5 minutes for the configuration to take effect.

    When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.

    +

    To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0063.html b/docs/hss/umn/hss_01_0063.html
new file mode 100644
index 00000000..1b10ef6c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0063.html
@@ -0,0 +1,131 @@
+ + +

Viewing Vulnerability Details

+

You can view vulnerabilities of your assets on the Vulnerabilities page. The Vulnerabilities page contains two tabs: Vulnerabilities view and Server view, helping you analyze vulnerabilities from the vulnerability and server perspectives.

+

Constraints

+
+

Viewing Vulnerability Details (Vulnerability View)

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. View vulnerability information on the Vulnerabilities page.

    Figure 1 Viewing vulnerability details
    +
    • Viewing vulnerability scan results

      In the vulnerability statistics area in the upper part of the Vulnerabilities page, view vulnerability scan results. Table 1 describes related parameters.

      + +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      Table 1 Vulnerability scan parameters

      Parameter

      +

      Description

      +

      Critical Vulnerabilities

      +

      Click the number in Critical vulnerabilities. On the slide-out panel displayed, you can view all types of vulnerabilities to be urgently fixed.

      +

      Unfixed Vulnerabilities

      +

      Click the number in Unfixed Vulnerabilities. On the slide-out panel displayed, you can view all types of vulnerabilities that are not fixed.

      +

      Servers with Vulnerabilities

      +

      Click the number in Servers with Vulnerabilities. You can view the servers with vulnerabilities in the lower part of the Vulnerabilities page.

      +

      Vulnerabilities Handled Today

      +

      Click the number in Vulnerabilities Handled Today. On the slide-out panel displayed, you can view all types of vulnerabilities that have been handled today.

      +

      Vulnerabilities Handled in Total

      +

      Click the number in Vulnerabilities Handled in Total. On the slide-out panel displayed, you can view all types of vulnerabilities that have been handled. The number is just the quantity of vulnerabilities handled within one year.

      +

      Detectable Vulnerabilities

      +

      Displays the number of vulnerabilities that can be detected by HSS.

      +

      Scans in Total

      +

      Displays the number of vulnerability scans.

      +

      Click Scan to manually scan for vulnerabilities on servers.

      +
      +
      +
    • Viewing the importance of assets affected by a vulnerability

      In the vulnerability list in the lower part of the page, view the importance of the asset affected by a vulnerability in the Affected Servers column.

      +
      • : major asset
      • : minor asset
      • : test asset
      +
    • Viewing vulnerability details

      Click the name of a target vulnerability. On the vulnerability details slide-out panel displayed, you can view the repair suggestions, CVE details, affected servers, and historical handling records of the vulnerability.

      +
    • Viewing handled vulnerabilities or vulnerabilities to be handled

      Above the vulnerability list, select Unhandled or Handled from the vulnerability handling status drop-down list to filter vulnerabilities to be handled or that have been handled.

      +
    • Exporting the vulnerability list

      Click Export above the vulnerability list to export vulnerability data with just one-click. Then, you can view vulnerability information on your local PC.

      +

      A maximum of 30,000 vulnerabilities can be exported at a time.

      + +
      +
    +

+
+

Viewing Vulnerability Details (Server View)

The basic edition does not support this operation.

+
+
  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. In the upper right corner of the Vulnerabilities page, click Server view to view vulnerability information.

    Figure 2 Viewing vulnerability details
    +
    • Viewing vulnerability scan results

      In the vulnerability statistics area in the upper part of the Vulnerabilities page, view vulnerability scan results. Table 2 describes related parameters.

      + +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      Table 2 Vulnerability scan parameters

      Parameter

      +

      Description

      +

      Critical vulnerabilities

      +

      Click the number in Critical vulnerabilities. On the slide-out panel displayed, you can view all types of vulnerabilities to be urgently fixed.

      +

      Unfixed Vulnerabilities

      +

      Click the number in Unfixed Vulnerabilities. On the slide-out panel displayed, you can view all types of vulnerabilities that are not fixed.

      +

      Servers with Vulnerabilities

      +

      Displays the number of servers with vulnerabilities.

      +

      Vulnerabilities Handled Today

      +

      Click the number in Vulnerabilities Handled Today. On the slide-out panel displayed, you can view all types of vulnerabilities that have been handled today.

      +

      Vulnerabilities Handled in Total

      +

      Click the number in Vulnerabilities Handled in Total. On the slide-out panel displayed, you can view all types of vulnerabilities that have been handled.

      +

      Detectable Vulnerabilities

      +

      Displays the number of vulnerabilities that can be detected by HSS.

      +

      Scans in Total

      +

      Displays the number of vulnerability scans.

      +

      Click Scan to manually scan for vulnerabilities on servers.

      +
      +
      +
    • Viewing server details and vulnerabilities on servers
      1. Click the name of a target server. On the server details slide-out panel displayed, you can view details about the server and vulnerabilities on the server.
      2. Click the name of a target vulnerability. On the vulnerability details slide-out panel displayed, you can view the CVE details, affected servers, and historical handling records of the vulnerability.
      +
    • Viewing handled vulnerabilities or vulnerabilities to be handled

      Above the vulnerability list, select Unhandled or Handled from the vulnerability handling status drop-down list to filter vulnerabilities to be handled or that have been handled.

      +
    • Exporting the list of servers with vulnerabilities

      Click Export above the vulnerability list to export vulnerability data with just one-click. Then, you can view vulnerability information on your local PC.

      +

      A maximum of 30,000 vulnerabilities can be exported at a time.

      + +
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0069.html b/docs/hss/umn/hss_01_0069.html
new file mode 100644
index 00000000..d082ad4b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0069.html
@@ -0,0 +1,23 @@
+
+
+

What Should I Do If Agent Installation Failed?

+

Symptoms

The agent fails to be installed by running commands. The server list page on the console still indicates that the agent is not installed.

+
+

Possible Causes

+ +
+

Solution

  1. Check whether the SELinux firewall of the server is disabled.

    • If it is, go to the next step.
    • If it is not, disable it and install the agent again.
    +

  2. Check whether the installation command is suitable for the server region and OS.

    1. Switch to the server region.
    2. Copy the installation commands suitable for your server OS.
      • Run 32-bit installation commands on a 32-bit server.
      • Run 64-bit installation commands on a 64-bit server.
      +
    +
    • If yes, go to the next step.
    • If the commands you used are incorrect, install the agent again with correct ones.
    +

  3. Check whether the installation was performed by user root.

    • If yes, go to the next step.
    • If it was not, install the agent again as user root.
    +

  4. Uninstall the agent as user root and forcibly install it.

    • If the installation is successful, no further action is required.
    • If the installation fails, contact technical support.
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0070.html b/docs/hss/umn/hss_01_0070.html
new file mode 100644
index 00000000..96161a17
--- /dev/null
+++ b/docs/hss/umn/hss_01_0070.html
@@ -0,0 +1,13 @@
+
+
+
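Review bot: Step 1 under Solution in hss_01_0069.html calls SELinux a firewall and tells the reader to disable it, without saying whether it can be turned back on once the agent is installed. SELinux is a mandatory access control mechanism, so the step would read more accurately as `Check whether SELinux is disabled on the server.` If the agent runs with SELinux enforcing after installation (not stated on this page), add `After the agent is installed, re-enable SELinux.` to the second bullet; if it does not, say so explicitly so operators know the host stays without SELinux. Step 4 also says to "forcibly install" the agent without naming the option or procedure that does this.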

Audit

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0071.html b/docs/hss/umn/hss_01_0071.html
new file mode 100644
index 00000000..b22e83cc
--- /dev/null
+++ b/docs/hss/umn/hss_01_0071.html
@@ -0,0 +1,408 @@
+
+
+

HSS Operations Supported by CTS

+

Table 1 lists HSS operations recorded by CTS.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 HSS operations that can be recorded by CTS

Operation

+

Resource Type

+

Trace Name

+

Unignoring a port

+

hss

+

notIgnorePortStatus

+

Ignoring a port

+

hss

+

ignorePortStatus

+

Unignoring configuration check items

+

hss

+

notIgnoreCheckRuleStat

+

Ignoring configuration check items

+

hss

+

ignoreCheckRuleStat

+

Retrying a baseline check

+

hss

+

runBaselineDetect

+

Unbinding quota

+

hss

+

cancelHostsQuota

+

Disabling container protection

+

hss

+

closeContainerProtectStatus

+

Enabling container protection

+

hss

+

openContainerProtectStatus

+

Unblocking an IP address

+

hss

+

changeBlockedIp

+

Handling an event

+

hss

+

changeEvent

+

Canceling the isolation of a file

+

hss

+

changeIsolatedFile

+

Removing an alarm from whitelist

+

hss

+

removeAlarmWhiteList

+

Adding Login Whitelist

+

hss

+

addLoginWhiteList

+

Removing Login Whitelist

+

hss

+

removeLoginWhiteList

+

Adding a server group

+

hss

+

addHostsGroup

+

Adding servers to a group

+

hss

+

associateHostsGroup

+

Modifying a server group

+

hss

+

changeHostsGroup

+

Deleting a server group

+

hss

+

deleteHostsGroup

+

Disabling HSS

+

hss

+

closeHostsProtectStatus

+

Enabling HSS

+

hss

+

openHostsProtectStatus

+

Uninstalling an agent

+

hss

+

uninstallAgents

+

Scanning an image

+

hss

+

runImageScan

+

Synchronizing the image list from SWR

+

hss

+

runImageSynchronizeTask

+

Updating and scanning an SWR image

+

hss

+

runSwrImageScan

+

Performing a security check again

+

hss

+

resetRiskScore

+

Adding a policy group

+

hss

+

addPolicyGroup

+

Removing a policy group

+

hss

+

deletePolicyGroup

+

Applying a policy group

+

hss

+

deployPolicyGroup

+

Modifying a policy

+

hss

+

modifyPolicyDetail

+

Modifying a policy group

+

hss

+

modifyPolicyGroup

+

Disabling automatic isolation and killing

+

hss

+

closeAutoKillVirusStatus

+

Enabling automatic isolation and killing

+

hss

+

openAutoKillVirusStatus

+

Configure common login IP addresses

+

hss

+

modifyLoginCommonIp

+

Configure common login locations

+

hss

+

modifyLoginCommonLocation

+

Configuring the SSH login whitelist

+

hss

+

modifyLoginWhiteIp

+

Fixing a vulnerability

+

hss

+

changeVulStatus

+

Adding a protected directory

+

hss

+

addHostProtectDirInfo

+

Adding a privileged process

+

hss

+

addPrivilegedProcessInfo

+

Adding a scheduled protection setting

+

hss

+

addTimingOffConfigInfo

+

Removing a remote backup server

+

hss

+

deleteBackupHostInfo

+

Removing a protected directory

+

hss

+

deleteHostProtectDirInfo

+

Removing a privileged process

+

hss

+

deletePrivilegedProcessInfo

+

Deleting scheduled protection settings

+

hss

+

deleteTimingOffConfigInfo

+

Configuring the scheduled protection period

+

hss

+

setDateOffConfigInfo

+

Modifying the status of a protected directory

+

hss

+

setProtectDirSwitchInfo

+

Enabling or disabling dynamic WTP

+

hss

+

setRaspSwitch

+

Configuring a remote backup server

+

hss

+

setRemoteBackupInfo

+

Enabling or disabling scheduled protection

+

hss

+

setTimingOffSwitchInfo

+

Disabling WTP

+

hss

+

closeWtpProtectionStatus

+

Enabling WTP

+

hss

+

openWtpProtectionStatus

+

Modifying a remote backup server

+

hss

+

updateBackupHostInfo

+

Modifying a protected directory

+

hss

+

updateHostProtectDirInfo

+

Modifying a privileged process

+

hss

+

updatePrivilegedProcessInfo

+

Modifying the Tomcat bin directory

+

hss

+

updateRaspPathInfo

+

Modifying the scheduled protection period

+

hss

+

updateTimingOffConfigInfo

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0087.html b/docs/hss/umn/hss_01_0087.html
new file mode 100644
index 00000000..b3f9d709
--- /dev/null
+++ b/docs/hss/umn/hss_01_0087.html
@@ -0,0 +1,19 @@
+
+
+
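Review bot: Table 1 in hss_01_0071.html lists the trace names in one flat list, so a reader setting up CTS alerting cannot see which of them reduce protection. Traces such as `closeHostsProtectStatus`, `uninstallAgents`, `closeWtpProtectionStatus`, `closeContainerProtectStatus`, `closeAutoKillVirusStatus`, `ignorePortStatus`, `ignoreCheckRuleStat`, `changeBlockedIp` and `changeIsolatedFile` all record a control being switched off or a block being lifted. I would add a sentence after the table along the lines of `Operations that disable protection, uninstall the agent, or lift a block or isolation should be reviewed whenever they appear in CTS.` The Operation column also mixes forms (`Configure common login IP addresses` next to `Configuring the SSH login whitelist`, `Adding Login Whitelist` next to `Adding a server group`); one form throughout would make the table easier to search.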

Viewing WTP Events

+

Once static WTP is enabled, the HSS service will comprehensively check protected directories you specified. You can check records about detected tampering of host protection files.

+

Constraints

Only the servers that are protected by the HSS WTP edition support the operations described in this section.

+
+

Prerequisites

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection and click Events to view the tampering records of protected files on servers.

    Figure 1 Events
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0088.html b/docs/hss/umn/hss_01_0088.html
new file mode 100644
index 00000000..8ee03e75
--- /dev/null
+++ b/docs/hss/umn/hss_01_0088.html
@@ -0,0 +1,23 @@
+
+
+

Managing SWR Shared Images

+

The images in the shared image repository are from SWR. You can view details about all shared images.

+

Constraints

+ +
+

Viewing SWR Shared Images

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

    +
    +

  4. Click the Container Images tab and click SWR shared image to view the shared image list.

    You can view the version, size, organization, security risks, and owner of a shared image.
    Figure 1 Viewing shared images
    +
    • Updating a shared image

      Click Update Shared Images from SWR to update the shared image list.

      +
    • Filtering images of the latest version

      If you select Display latest image versions only, you can filter the latest images of all images.

      +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0091.html b/docs/hss/umn/hss_01_0091.html
new file mode 100644
index 00000000..2df902e5
--- /dev/null
+++ b/docs/hss/umn/hss_01_0091.html
@@ -0,0 +1,20 @@
+
+
+

How Do I Check the User IP address of a Remote Login?

+

Alarm Policies

The remote login detection function checks for remote logins into your servers in real time. HSS generates an alarm if it detects logins from locations other than the common login locations you set.

+
+

Viewing Remote Login Records on the Console

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Detection > Alarms, and click Server Alarms.
  3. In the Event Types area, Choose Abnormal User Behavior > Abnormal logins, and click Remote Login.
+
+

Locally Viewing Remote Login Records

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0095.html b/docs/hss/umn/hss_01_0095.html
new file mode 100644
index 00000000..e3164c9e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0095.html
@@ -0,0 +1,17 @@
+
+
+

How Do I Set a Proper Password Complexity Policy in a Windows OS?

+

A proper password complexity policy would be: eight characters for the length of a password and at least three types of the following characters used: uppercase letters, lowercase letters, digits, and special characters.

+

Perform the following steps to set a local security policy:

+
  1. Log in to the OS as user Administrator. Choose Start > Control Panel > System and Security > Administrative Tools. In the Administrative Tools folder, double-click Local Security Policy.

    • Alternatively, click Start and type secpol.msc in the Search programs and files box.
    • When a policy is applied to a server, the domain policy takes precedence over the locally defined policy on the server.
    +
    +

  2. Choose Account Policies > Password Policy and perform the following operations.

    • Double-click Password must meet complexity requirements, select Enable, and click OK to enable the policy.
    • Double-click Minimum password length, enter the length (greater than or equal to 8), and click OK to set the policy.
    +

    +

  3. Run the gpupdate command to refresh your system settings. After the refresh succeeded, the settings will take effect in the system.
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0096.html b/docs/hss/umn/hss_01_0096.html
new file mode 100644
index 00000000..2683f9bc
--- /dev/null
+++ b/docs/hss/umn/hss_01_0096.html
@@ -0,0 +1,31 @@
+
+
+
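Review bot: The opening sentence of hss_01_0095.html gives the password length as exactly eight characters, while step 2 sets Minimum password length to "greater than or equal to 8". The sentence should state a minimum: `A proper password complexity policy would be: at least eight characters, using at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.` In step 2 the option shown in the Local Security Policy dialog is `Enabled`, not `Enable`. The bullet saying that the domain policy takes precedence could also tell the reader that on a domain-joined server the local change described here may not be the one that applies.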

What Is the Default Agent Installation Path?

+

The agent installation paths on servers running the Linux or Windows OS cannot be customized. Table 1 describes the default paths.

+ +
+ + + + + + + + + + +
Table 1 Default agent installation paths

OS

+

Default Installation Path

+

Linux

+

/usr/local/hostguard/

+

Windows

+

C:\Program Files\HostGuard

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0097.html b/docs/hss/umn/hss_01_0097.html
new file mode 100644
index 00000000..a037e958
--- /dev/null
+++ b/docs/hss/umn/hss_01_0097.html
@@ -0,0 +1,21 @@
+
+
+

What Do I Do If the Account Cracking Prevention Function Does Not Take Effect on Some Accounts for Linux Servers?

+

Possible Causes

The SSHD service in the host system does not depend on libwrap.so.

+

As a free software library, libwrap implements the universal TCP Wrapper function. Any daemon that contains libwrap.so can use the rules in files /etc/hosts.allow and /etc/hosts.deny to perform simple access control on the host.

+
+
+

Solution

Log in to the server and install the HSS agent. Then run the following command:

+

sh /usr/local/hostguard/conf/config_ssh_xinetd.sh.

+
+

Affected Image Versions

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0099.html b/docs/hss/umn/hss_01_0099.html
new file mode 100644
index 00000000..a03cf093
--- /dev/null
+++ b/docs/hss/umn/hss_01_0099.html
@@ -0,0 +1,111 @@
+
+
+
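Review bot: The command under Solution in hss_01_0097.html ends with a full stop, `sh /usr/local/hostguard/conf/config_ssh_xinetd.sh.`, which a reader who copies the line will pass to the shell as part of the file name. Drop the trailing period so the line reads `sh /usr/local/hostguard/conf/config_ssh_xinetd.sh`. The section also does not say what the script changes on the host; one sentence describing its effect on the SSHD service would let an administrator review the change before running it.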

How Do I Check HSS Log Files?

+

Log Path

The following table describes log files and their paths.

+ +
+ + + + + + + + + + + + + +

OS

+

Log Directory

+

Log File

+

Linux

+

/var/log/hostguard/

+
  • hostwatch.log
  • hostguard.log
  • upgrade.log
  • hostguard-service.log
  • config_tool.log
  • engine.log
+

Windows

+

C:\Program Files\HostGuard\log

+
  • hostwatch.log
  • hostguard.log
  • upgrade.log
+
+
+
+

Log Retention

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Log File

+

Description

+

Maximum Size

+

Retained File

+

Retention Period

+

hostwatch.log

+

Records logs generated during the running of daemon processes.

+

10 MB

+

Latest eight files

+

Until the HSS agent is uninstalled

+

hostguard.log

+

Records logs generated during the running of working processes.

+

10 MB

+

Latest eight files

+

upgrade.log

+

Records logs generated during version upgrading.

+

10 MB

+

Latest eight files

+

hostguard-service.log

+

Records logs (scripts) generated when the service starts.

+

100 kB

+

Latest two logs

+

config_tool.log

+

Records logs (programs) generated when the service starts.

+

10 kB

+

Latest two logs

+

engine.log

+

Records logs generated when the service exits.

+

10 kB

+

Latest two logs

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0101.html b/docs/hss/umn/hss_01_0101.html
new file mode 100644
index 00000000..901cc855
--- /dev/null
+++ b/docs/hss/umn/hss_01_0101.html
@@ -0,0 +1,21 @@
+
+
+

Others

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0103.html b/docs/hss/umn/hss_01_0103.html
new file mode 100644
index 00000000..5f9f7e0d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0103.html
@@ -0,0 +1,22 @@
+
+
+

How Do I Enable Logging for Login Failures?

+

MySQL

The account hacking prevention function for Linux supports MySQL 5.6 and 5.7. Perform the following steps to enable logging for login failure:

+
  1. Log in to the host as the root user.
  2. Run the following command to query the log_warnings value:

    show global variables like 'log_warnings'

    +

  3. Run the following command to change the log_warnings value:

    set global log_warnings=2

    +

  4. Modify the configuration file.

    • For a Linux OS, modify the my.conf file by adding log_warnings=2 to [MySQLd].
    +

+
+

vsftp

This section shows you how to enable logging for vsftp login failures.

+
  1. Modify the configuration file (for example, /etc/vsftpd.conf) and set the following parameters:

    vsftpd_log_file=log/file/path

    +

    dual_log_enable=YES

    +

  2. Restart the vsftp service. If the setting is successful, log records shown in the logs shown in Figure 1 will be returned when you log in to vsftp.

    Figure 1 Log Records
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0106.html b/docs/hss/umn/hss_01_0106.html
new file mode 100644
index 00000000..2a9e7011
--- /dev/null
+++ b/docs/hss/umn/hss_01_0106.html
@@ -0,0 +1,69 @@
+
+
+
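Review bot: Step 4 of the MySQL procedure in hss_01_0103.html names the file `my.conf` and the section `[MySQLd]`; the MySQL option file is normally `my.cnf` and the server group is written `[mysqld]`, so the persisted setting may never be read and login-failure logging would stop at the next restart. I would change the bullet to `For a Linux OS, modify the my.cnf file by adding log_warnings=2 to the [mysqld] section.` The intro says MySQL 5.6 and 5.7 are supported, but `log_warnings` is deprecated from MySQL 5.7.2 in favour of `log_error_verbosity`, which deserves a note. In the vsftp section, `vsftpd_log_file=log/file/path` should be shown as an absolute path placeholder, and "log records shown in the logs shown in Figure 1" repeats itself.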

Configuring Remote Backup

+

By default, HSS backs up the files from the protected directories (excluding specified subdirectories and file types) to the local backup directory you specified when adding protected directories. To protect the local backup files from tampering, you must enable the remote backup function.

+

If the file and backup directory on the local server become invalid, you can manually obtain the backup file from the remote backup server to restore the tampered websites.

+

Constraints

Only the servers that are protected by the HSS WTP edition support the operations described in this section.

+
+

Prerequisites

The following servers can be used as remote backup servers:

+

Linux servers whose Server Status is Running and Agent Status is Online

+
  • The remote backup function can be used when the Linux backup server is connected to your cloud server. To ensure a proper backup, you are advised to select a backup server on the same intranet as your cloud server.
  • You are advised to use intranet servers least exposed to attacks as the remote backup servers.
+
+
+

Adding a Remote Backup Server

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Entering the page for protected directory settings
    +

  4. Click Settings under Protected Directory Settings.

    Figure 2 Protected directory settings
    +

  5. Click Manage Remote Backup. In the dialog box that is displayed, click Add Backup Server. For details, see Table 1.

    Figure 3 Adding a Remote Backup Server
    + +
    + + + + + + + + + + + + + +
    Table 1 Backup server parameters

    Parameter

    +

    Description

    +

    Address

    +

    This address is the private network address of the server.

    +

    Port

    +

    Ensure that the port is not blocked by any security group or firewall or occupied.

    +

    Backup Path

    +

    Path of remote backup files.

    +
    • If the protected directories of multiple servers are backed up to the same remote backup server, the data will be stored in separate folders named after agent IDs.

      Assume the protected directories of the two servers are /hss01 and hss02, and the agent IDs of the two servers are f1fdbabc-6cdc-43af-acab-e4e6f086625f and f2ddbabc-6cdc-43af-abcd-e4e6f086626f, and the remote backup path is /hss01.

      +

      The corresponding backup paths are /hss01/f1fdbabc-6cdc-43af-acab-e4e6f086625f and /hss01/f2ddbabc-6cdc-43af-abcd-e4e6f086626f.

      +
    • If WTP is enabled for the remote backup server, do not set the remote backup path to any directories protected by WTP. Otherwise, remote backup will fail.
    +
    +
    +

  6. Click OK.
+
+

Setting remote backup

  1. Log in to the management console.
  2. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 4 Entering the page for protected directory settings
    +

  3. Click Settings under Protected Directory Settings.

    Figure 5 Protected directory settings
    +

  4. Click Enable Remote Backup and select a remote backup server.
  5. Click OK to start remote backup.
+
+

Changing a Remote Backup Server

  1. Log in to the management console.
  2. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 6 Entering the page for protected directory settings
    +

  3. Click Settings under Protected Directory Settings.

    Figure 7 Protected directory settings
    +

  4. Click Manage Remote Backup Servers. The Manage Remote Backup Servers page is displayed. Click Edit in the Operation column to modify the information about the remote backup server.
  5. Click OK.
+
+

Related Operations

Disabling remote backup

+

Exercise caution when performing this operation. If remote backup is disabled, HSS will no longer back up files in your protected directories.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0113.html b/docs/hss/umn/hss_01_0113.html
new file mode 100644
index 00000000..db9b3175
--- /dev/null
+++ b/docs/hss/umn/hss_01_0113.html
@@ -0,0 +1,11 @@
+
+
+
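Review bot: The Port row of Table 1 in hss_01_0106.html only tells the reader to make sure the port is not blocked by a security group or firewall, which invites opening it to every source. Since the backup server holds the copies used to restore tampered sites, the row should add something like `Allow inbound access to this port only from the private addresses of the servers being backed up.` In the Backup Path row the example writes the second protected directory as `hss02` without the leading slash. The caution under Disabling remote backup says HSS "will no longer back up files in your protected directories", while the introduction says local backup is the default; if only the remote copy stops, the caution should say so.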

What Can I Do If an Alarm Indicating Successful Login Is Reported?

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0114.html b/docs/hss/umn/hss_01_0114.html
new file mode 100644
index 00000000..98e9b0dc
--- /dev/null
+++ b/docs/hss/umn/hss_01_0114.html
@@ -0,0 +1,11 @@
+
+
+

Do I Need to Restart a Server After Fixing its Vulnerabilities?

+

After you fixed Windows OS vulnerabilities or Linux kernel vulnerabilities, you need to restart servers for the fix to take effect, or HSS will continue to warn you of these vulnerabilities. For other types of vulnerabilities, you do not need to restart servers after fixing them.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0116.html b/docs/hss/umn/hss_01_0116.html
new file mode 100644
index 00000000..c937bba4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0116.html
@@ -0,0 +1,110 @@
+
+
+

How Many CPU and Memory Resources Are Occupied by the Agent When It Performs Scans?

+

HSS uses lightweight agents, which occupy only a few resources and do not affect your services.

+

The CPU and memory usage is as follows.

+

Maximum CPU Usage

A running agent occupies a maximum of 20% of a vCPU. The actual usage depends on your server specifications. For details, see Resource Usage of Different Specifications While the Agent Is Running.

+

If the CPU usage exceeds 20% of a vCPU, the agent will automatically reduce CPU usage, spending more time on scans. This does not affect your services. If the CPU usage exceeds 25% of a vCPU, the agent will be automatically restarted.

+

The agent is scheduled to scan your servers from 00:00 to 04:00 a.m. local server time every day. It does not affect the normal running of the server system.

+
+
+

Peak Memory Usage

A running agent occupies about 500 MB memory. If the agent memory usage exceeds the maximum memory limit 500 MB, the agent will be automatically restarted within 5 minutes.

+
+

Resource Usage of Different Specifications While the Agent Is Running

The following table describes the CPU and memory usage of different specifications when the agent is running.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Resource usage of the agent

vCPUs

+

Max. CPU Usage of Agent

+

Max. Memory Usage

+

1 vCPU

+

20%

+

500 MB

+

2 vCPUs

+

10%

+

500 MB

+

4 vCPUs

+

5%

+

500 MB

+

8 vCPUs

+

2.5%

+

500 MB

+

12 vCPUs

+

About 1.67%

+

500 MB

+

16 vCPUs

+

About 1.25%

+

500 MB

+

24 vCPUs

+

About 0.84%

+

500 MB

+

32 vCPUs

+

About 0.63%

+

500 MB

+

48 vCPUs

+

About 0.42%

+

500 MB

+

60 vCPUs

+

About 0.34%

+

500 MB

+

64 vCPUs

+

About 0.32%

+

500 MB

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0117.html b/docs/hss/umn/hss_01_0117.html
new file mode 100644
index 00000000..5c9be3ab
--- /dev/null
+++ b/docs/hss/umn/hss_01_0117.html
@@ -0,0 +1,11 @@
+
+
+

How Do I Clear an Alarm on Critical File Changes?

+

If you are sure the changes on your critical files are safe, you do not need to handle the alarm. It will be automatically cleared in seven days.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0119.html b/docs/hss/umn/hss_01_0119.html
new file mode 100644
index 00000000..48a27085
--- /dev/null
+++ b/docs/hss/umn/hss_01_0119.html
@@ -0,0 +1,55 @@
+
+
+

How Do I Uninstall the Agent?

+

Two uninstallation methods are available: one-click uninstallation and manual local uninstallation.

+

Scenario

+
+

Prerequisites

When you uninstall the agent on the management console, the Agent Status of the server is Online.

+
+

Uninstalling the Agent on the Console in One-Click

You can uninstall an HSS agent from the HSS console.

+

After the agent is uninstalled from a server, HSS will not provide any protection for the server.

+
+
  1. Log in to the management console.
  2. In the navigation pane, choose Installation and Configuration.
  3. On the displayed page, click the Agents tab and click Online. In the row containing the desired server, click Uninstall Agent in the Operation column.
  4. In the displayed dialog box, click OK.

    In the server list, if Agent Status of the server is Offline, its agent is successfully uninstalled.

    +

+
+

Uninstalling the Agent from the Server

You can manually uninstall an agent on a server when you no longer use HSS or need to reinstall the agent.

+

After the agent is uninstalled from the target server, HSS will not provide any protection for the server.

+
+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0120.html b/docs/hss/umn/hss_01_0120.html
new file mode 100644
index 00000000..753f7ab3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0120.html
@@ -0,0 +1,14 @@
+
+
+

Can I Disable Remote Login Detection?

+

No.

+

If you do not want to receive remote login alarm notifications, add alarmed locations as common login locations, or deselect the remote login attempt item in alarm notification settings.

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0130.html b/docs/hss/umn/hss_01_0130.html
new file mode 100644
index 00000000..ca39302a
--- /dev/null
+++ b/docs/hss/umn/hss_01_0130.html
@@ -0,0 +1,62 @@
+
+
+

HSS Permissions Management

+

If you need to assign different permissions to employees in your enterprise to access your HSS resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure the access to your cloud resources.

+

With IAM, you can use your account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use HSS resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using HSS resources.

+

If your account does not need individual IAM users for permissions management, then you may skip over this chapter.

+

HSS Permissions

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from their groups and can perform specified operations on cloud services.

+

HSS is a project-level service deployed and accessed in specific physical regions. To assign HSS permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing HSS, the users need to switch to a region where they have been authorized to use cloud services.

+
You can grant permissions by using roles or policies.
  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. Some roles depend other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. For example, you can grant HSS users only the permissions for managing a certain type of resources.
+
+
The following table describes more details. +
+ + + + + + + + + + + + + + + + + + + + + +
Table 1 System-defined permissions supported by HSS

Role/Policy Name

+

Description

+

Type

+

Dependency

+

HSS Administrator

+

HSS administrator, who has all permissions of HSS

+

System-defined role

+
  • It depends on the Tenant Guest role.

    Tenant Guest: A global role, which must be assigned in the global project.

    +
+

HSSFullAccess

+

All HSS permissions

+

Policy

+

None

+

HSSReadOnlyAccess

+

Read-only permission for HSS

+

Policy

+

None

+
+
+
+
+

WTP provides two types of user permissions by default: user management and resource management. User management permissions include permissions for managing users, user groups, and user group permissions. Resource management permissions include permissions for performing operations on cloud resources.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0131.html b/docs/hss/umn/hss_01_0131.html
new file mode 100644
index 00000000..b80aa2cb
--- /dev/null
+++ b/docs/hss/umn/hss_01_0131.html
@@ -0,0 +1,15 @@
+
+
+

Permissions Management

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0133.html b/docs/hss/umn/hss_01_0133.html
new file mode 100644
index 00000000..fea1e0dd
--- /dev/null
+++ b/docs/hss/umn/hss_01_0133.html
@@ -0,0 +1,63 @@
+
+
+

Creating a User and Granting Permissions

+

This section describes IAM's fine-grained permissions management for your HSS resources. With IAM, you can:

+ +

If your account does not require individual IAM users, skip this chapter.

+

This section describes the procedure for granting permissions (see Figure 1).

+

Prerequisite

Before authorizing permissions to a user group, you need to know which HSS permissions can be added to the user group. Table 1 describes the policy details. +
+ + + + + + + + + + + + + + + + + + + + + +
Table 1 System-defined permissions supported by HSS

Role/Policy Name

+

Description

+

Type

+

Dependency

+

HSS Administrator

+

HSS administrator, who has all permissions of HSS

+

System-defined role

+
  • It depends on the Tenant Guest role.

    Tenant Guest: A global role, which must be assigned in the global project.

    +
+

HSS FullAccess

+

All HSS permissions

+

System-defined policy

+

None

+

HSS ReadOnlyAccess

+

Read-only permission for HSS

+

System-defined policy

+

None

+
+
+
+
+

Authorization Process

Figure 1 Process for granting permissions
+
  1. Create a user group and assign permissions. On the IAM console, grant the HSS Administrator permission.
  2. Create a user and add it to the group. On the IAM console, add the user to the group created in 1.
  3. Log in and verify permissions.

    Log in to the HSS console as the created user, and verify that the user only has read permissions for HSS.

    +

    In Service List on the console, select any other services (for example, there is only the HSS Administrator policy). If a message indicating that the permission is insufficient is displayed, the HSS Administrator permission takes effect.

    +
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0137.html b/docs/hss/umn/hss_01_0137.html
new file mode 100644
index 00000000..76143ced
--- /dev/null
+++ b/docs/hss/umn/hss_01_0137.html
@@ -0,0 +1,73 @@
+ + +

Constraints and Limitations

+

Supported Server Types

Elastic Cloud Server (ECS)

+
+

Supported OSs

HSS can run on Linux servers (such as CentOS and EulerOS) and Windows servers (such as Windows 2012 and Windows 2016).

+
  • The agent is probably incompatible with the Linux or Windows versions that have reached end of life. To obtain better HSS service experience, you are advised to install or upgrade to an OS version supported by the agent.
+
+
+ +

OSs that Support Vulnerability Scan and Fix

HSS can scan for and fix vulnerabilities in the OSs described in Table 1.

+ +
+ + + + + + + + + + +
Table 1 OSs that support vulnerability scan and fix

OS Type

+

Supported OS

+

Windows

+
  • Windows Server 2019 Datacenter 64-bit English (40 GB)
  • Windows Server 2019 Datacenter 64-bit Chinese (40 GB)
  • Windows Server 2016 Standard 64-bit English (40 GB)
  • Windows Server 2016 Standard 64-bit Chinese (40 GB)
  • Windows Server 2016 Datacenter 64-bit English (40 GB)
  • Windows Server 2016 Datacenter 64-bit Chinese (40 GB)
  • Windows Server 2012 R2 Standard 64-bit English (40 GB)
  • Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)
  • Windows Server 2012 R2 Datacenter 64-bit English (40 GB)
  • Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)
+

Linux

+
  • EulerOS: 2.2, 2.3, 2.5, 2.8, 2.9 (64-bit)
  • CentOS 7.4, 7.5, 7.6, 7.7, 7.8 and 7.9 (64-bit)
  • Ubuntu 16.04, 18.04, 20.04 (64-bit)
  • Debian 9 and 10 (64-bit)
  • Kylin V10 (64-bit)
  • UnionTech OS V20 server E and V20 server D (64-bit)
+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0140.html b/docs/hss/umn/hss_01_0140.html
new file mode 100644
index 00000000..8801e524
--- /dev/null
+++ b/docs/hss/umn/hss_01_0140.html
@@ -0,0 +1,27 @@
+ + +

Vulnerability Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0141.html b/docs/hss/umn/hss_01_0141.html
new file mode 100644
index 00000000..563ca164
--- /dev/null
+++ b/docs/hss/umn/hss_01_0141.html
@@ -0,0 +1,231 @@
+ + +

Handling Vulnerabilities

+

If HSS detects a vulnerability on a server, you need to handle the vulnerability in a timely manner based on its severity and your business conditions to prevent the vulnerability from being exploited by intruders.

+

Vulnerabilities can be handled in the following ways:

+ +

Constraints

+
+

Precautions

+
+

Urgency

+
+

Vulnerability Fix Priority

HSS' vulnerability scan system classifies vulnerability fix priorities into four levels: critical, high, medium, and low. You can refer to the priorities to fix the vulnerabilities that have significant impact on your server first.

+ +
+

Vulnerability Display

Detected vulnerabilities will be displayed in the vulnerability list for seven days, regardless of whether you have handled them.

+
+

Automatically Fixing Vulnerabilities (Vulnerability View)

You can only fix Linux and Windows vulnerabilities with one-click on the console.

+

A maximum of 1,000 server vulnerabilities can be fixed at a time. If there are more than 1,000 vulnerabilities, fix them in batches.

+
+
  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. Fix Linux and Windows vulnerabilities.

    • Fixing a single vulnerability

      Locate the row containing a target vulnerability and click Fix in the Operation column.

      +
    • Fixing multiple vulnerabilities

      Select all target vulnerabilities and click Fix in the upper left corner of the vulnerability list to fix vulnerabilities in batches.

      +

      To fix all Linux or Windows vulnerabilities, select Select all Linux vulnerabilities or Select all Windows vulnerabilities in the Fix dialog box.

      +
    • Fix one or more servers affected by a vulnerability.
      1. Click a vulnerability name.
      2. On the vulnerability details slide-out panel displayed, click the Affected tab, locate the row containing the target server, and click Fix in the Operation column.

        You can also select all target servers and click Fix above the server list to fix vulnerabilities for the servers in batches.

        +
      +
    +

  1. In the Fix dialog box displayed, select I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance. and click Auto Fix.
  2. Click a vulnerability name.
  3. Click the Handling History tab to view the fix status of the target vulnerability in the Status column. Table 1 describes vulnerability fix statuses.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Vulnerability fix statuses

    Status

    +

    Description

    +

    Unhandled

    +

    The vulnerability is not fixed.

    +

    Ignored

    +

    The vulnerability does not affect your services. You have ignored the vulnerability.

    +

    Verifying

    +

    HSS is verifying whether a fixed vulnerability is successfully fixed.

    +

    Fixing

    +

    HSS is fixing the vulnerability.

    +

    Fixed

    +

    The vulnerability has been successfully fixed.

    +

    Restart required

    +

    The vulnerability has been successfully fixed. You need to restart the server as soon as possible.

    +

    Failed

    +

    The vulnerability fails to be fixed. The possible cause is that the vulnerability does not exist or has been changed.

    +

    Restart the server and try again

    +

    This status is displayed only for vulnerabilities that exist on Windows servers.

    +

    The vulnerability has not been fixed on the Windows server for a long time. As a result, the latest patch cannot be installed. You need to install an earlier patch, restart the server, and then install the latest patch.

    +
    +
    +

+
+

Automatically Fixing Vulnerabilities (Server View)

You can only fix Linux and Windows vulnerabilities with one-click on the console.

+
  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. Fix Linux and Windows vulnerabilities.

    • Fixing all vulnerabilities on a server
      1. Locate the row containing a target server and click Fix in the Operation column.

        You can also select multiple servers and click Fix in the upper part of the vulnerability list. To fix all server vulnerabilities, you can select all servers in the batch fix dialog box.

        +
      2. In the Fix dialog box displayed, select the type of the vulnerability to be fixed, select I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance., and click OK.

        Only Linux and Windows vulnerabilities can be automatically fixed with one-click. Web-CMS and application vulnerabilities need to be manually fixed by logging in to the server.

        +
      3. Click the server name. On the server details slide-out panel displayed, view the vulnerability fix status. Table 2 describes vulnerability fix statuses.
      +
    • Fixing one or more vulnerabilities on a server
      1. Click the name of a target server. The server details slide-out panel is displayed.
      2. Locate the row containing a target vulnerability and click Fix in the Operation column.

        Alternatively, you can select all target vulnerabilities and click Fix above the vulnerability list to fix vulnerabilities in batches.

        +
      3. In the Fix dialog box displayed, select I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance., and click Auto Fix.
      4. In the Status column of the target vulnerability, view the fix status of the vulnerability. Table 2 describes vulnerability fix statuses.
      +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Vulnerability fix statuses

    Status

    +

    Description

    +

    Unhandled

    +

    The vulnerability is not fixed.

    +

    Ignored

    +

    The vulnerability does not affect your services. You have ignored the vulnerability.

    +

    Verifying

    +

    HSS is verifying whether a fixed vulnerability is successfully fixed.

    +

    Fixing

    +

    HSS is fixing the vulnerability.

    +

    Fixed

    +

    The vulnerability has been successfully fixed.

    +

    Restart required

    +

    The vulnerability has been successfully fixed. You need to restart the server as soon as possible.

    +

    Failed

    +

    The vulnerability fails to be fixed. The possible cause is that the vulnerability does not exist or has been changed.

    +

    Restart the server and try again

    +

    This status is displayed only for vulnerabilities that exist on Windows servers.

    +

    The vulnerability has not been fixed on the Windows server for a long time. As a result, the latest patch cannot be installed. You need to install an earlier patch, restart the server, and then install the latest patch.

    +
    +
    +

+
+

Ignoring a Vulnerability

Some vulnerabilities are risky only in specific conditions. For example, if a vulnerability can be exploited only through an open port, but the target server does not open any ports, the vulnerability will not harm the server. Such vulnerabilities can be ignored.

+

After the vulnerability is ignored, no alarm will be generated for the vulnerability.

+
  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. Locate the row containing a target vulnerability and click Ignore in the Operation column.
  4. In the dialog box displayed, click OK.
+
+

Whitelisting Vulnerabilities

If you evaluate that some vulnerabilities do not affect your services and do not want to view the vulnerabilities in the vulnerability list, you can whitelist the vulnerabilities. After they are whitelisted, the vulnerabilities will be ignored in the vulnerability list and no alarms will be reported. The vulnerabilities will not be scanned and the vulnerability information will not be displayed when the next vulnerability scan task is executed.

+
  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.

    • Whitelisting all servers that are affected by a vulnerability

      HSS will ignore the vulnerability when scanning for vulnerabilities on all servers.

      +
      1. In the Operation column of the row containing the target vulnerability, click More and select Add to Whitelist.

        You can also select multiple vulnerabilities and click Add to Whitelist above the vulnerability list.

        +
        Figure 1 Whitelisting all servers that are affected by a vulnerability
        +
      2. In the dialog box displayed, click OK.
      +
    • Whitelisting one or more servers that are affected by a vulnerability

      HSS will ignore the vulnerability when scanning for vulnerabilities on these servers.

      +
      1. Click a target vulnerability name.
      2. On the slide-out panel displayed, click the Affected tab.
      3. In the Operation column of the row containing the target server, click More and select Add to Whitelist.

        You can also select multiple servers and click Add to Whitelist above the server list.

        +
        Figure 2 Whitelisting a single server that is affected by a vulnerability
        +
      4. In the dialog box displayed, click OK.
      +
    • Whitelisting vulnerabilities using whitelist rules
      1. In the upper right corner of the Vulnerabilities page, click Configure Policy. The Configure Policy slide-out panel is displayed.
      2. In the Vulnerability Whitelist area, click Add Rule.
      3. Configure a whitelist rule according to Table 3.
        Figure 3 Configuring a whitelist rule
        + +
        + + + + + + + + + + + + + + + + +
        Table 3 Vulnerability whitelist rule parameters

        Parameter

        +

        Description

        +

        Type

        +

        Select the type of vulnerabilities to be whitelisted. Possible values are as follows:

        +
        • Linux Vulnerabilities
        • Windows Vulnerabilities
        • Web-CMS Vulnerabilities
        • Application Vulnerabilities
        +

        Vulnerability

        +

        Select one or more vulnerabilities to be whitelisted.

        +

        Rule Scope

        +

        Select the servers affected by the vulnerabilities. Possible values are as follows:

        +
        • All servers

          HSS will ignore the vulnerability when scanning for vulnerabilities on all servers.

          +
        • Selected servers

          Select one or more target servers. HSS will ignore the vulnerabilities when scanning for vulnerabilities on these servers.

          +

          You can search for a target server by server name, ID, EIP, or private IP address.

          +
        +

        Remarks (Optional)

        +

        Enter the remarks.

        +
        +
        +
      4. Click OK.
      +
    +

+
+

Verifying the Vulnerability Fix

After you manually fix vulnerabilities, you are advised to verify the fixing result.
  • Method 1: On the vulnerability details page, click Verify to perform one-click verification.
    • The fixing of emergency vulnerabilities cannot be verified.
    • Only application vulnerabilities of the JAR package can be verified. Application vulnerabilities of the non-JAR package are automatically filtered out and not verified.
    +
    +
  • Method 2: Ensure the software has been upgraded to the latest version. The following table provides the commands to check the software upgrade result. +
    + + + + + + + + + + + + + +
    Table 4 Verification commands

    OS

    +

    Verification Command

    +

    CentOS/Fedora /Euler/Redhat/Oracle

    +

    rpm -qa | grep Software_name

    +

    Debian/Ubuntu

    +

    dpkg -l | grep Software_name

    +

    Gentoo

    +

    emerge --search Software_name

    +
    +
    +
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0142.html b/docs/hss/umn/hss_01_0142.html
new file mode 100644
index 00000000..a1b15963
--- /dev/null
+++ b/docs/hss/umn/hss_01_0142.html
@@ -0,0 +1,17 @@
+ + +

Prevention

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0145.html b/docs/hss/umn/hss_01_0145.html
new file mode 100644
index 00000000..e29e1c33
--- /dev/null
+++ b/docs/hss/umn/hss_01_0145.html
@@ -0,0 +1,23 @@
+ + +

Baseline Inspection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0146.html b/docs/hss/umn/hss_01_0146.html
new file mode 100644
index 00000000..e866194f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0146.html
@@ -0,0 +1,69 @@
+ + +

Performing Baseline Inspection

+

The baseline check supports automatic and manual baseline checks.

+ +

Automated Baseline Checks

automatically performs a check for all server configurations and common weak passwords at 01:00 every day.

+

Premium edition, web tamper protection edition, and container edition allow you to customize the automatic detection period for configurations and common weak passwords. For details, see Configuration Check and Weak Password Scan.

+
+

Manually Performing a Baseline Check

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Prediction > Baseline Checks.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Baseline check overview
    +

  4. (Optional) Create a manual baseline check policy.

    Before manually checking the baseline policy, you need to create a manual baseline check policy for the target server. If you have created a policy for the target server, skip this step.
    1. Click Policies in the upper right corner of the page.
      Figure 2 Baseline policies
      +
    2. Click Create Policy and configure the policy information by referring to Table 1.
      To check baseline details, click Rule Details on the right of a baseline name.

      If you select Linux for OS, you can select any checks included in Baseline and edit rules. This function is not supported for Windows servers.

      +
      +
      Figure 3 Creating a policy
      + +
      + + + + + + + + + + + + + + + + + +
      Table 1 Baseline policy parameters

      Parameter

      +

      Description

      +

      Example Value

      +

      Policy

      +

      Policy name

      +

      linux_web1_security_policy

      +

      OS

      +

      OS that will be checked.

      +
      • Linux
      • Windows
      +

      Linux

      +

      Baseline

      +

      Baseline used for a check. Check items are as follows:

      +
      • For Linux,
        • The cloud security practice baseline can check Apache2, Docker, MongoDB, Redis, MySQL5, Nginx, Tomcat, SSH, vsftp, CentOS7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master.
        • DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 6, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18, Alma.
        +
      • For Windows,

        The cloud security practice baseline can check MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SqlServer.

        +
      +

      Cloud security practices: Select all.

      +
      +
      +
      +
    3. Confirm the information, click Next, and select the server to be associated with the application based on the server name, server ID, EIP, or private IP address.
      Figure 4 Selecting servers
      +

      +
    4. Confirm the information and click OK. The baseline policy will be displayed in the policy list.
    +
    +

  5. In the upper left corner of the Baseline Inspection page, select the target baseline inspection policy.

    Figure 5 Selecting the target baseline policy
    +

  6. Click Scan in the upper right corner of the page.
  7. If the time displayed in the Last scanned area under the Baseline Check Policy is the actual check time, the check is complete.

    • After a manual check is performed, the button will display Scanning and be disabled. If the check time exceeds 30 minutes, the button will be automatically enabled again. If the time displayed in the Last scanned area becomes the current check time, it indicates the check has completed.
    • After the check is complete, you can view the check results and handling suggestions by referring to Viewing and Processing Baseline Check Results.
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0147.html b/docs/hss/umn/hss_01_0147.html
new file mode 100644
index 00000000..5d19e5f8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0147.html
@@ -0,0 +1,239 @@
+ + +

Viewing and Processing Baseline Check Results

+

This topic provides suggestions on how to fix baseline configuration risks on the server.

+

Constraints

Only enterprise edition, premium edition, web tamper protection edition, and container edition are supported.

+
+

Viewing Baseline Check Overview Information

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Prediction > Baseline Checks.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

  4. Click different tabs on the displayed page to check detected unsafe configurations. Figure 1 lists the corresponding parameters.

    To view the check results of servers under different manual baseline check policies, you can switch between baseline check policies.
    Figure 1 Baseline check overview
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Baseline check overview

    Parameter

    +

    Description

    +

    Baseline check policy

    +

    Available baseline check policies that have been added. You can select, create, edit, and delete these policies.

    +

    Scanned servers

    +

    Total number of detected servers.

    +

    Security baselines

    +

    Number of baselines executed during the server detection.

    +

    Baseline check items

    +

    Total number of checked server configuration items.

    +

    Safe settings rate

    +

    Percentage of configuration items that passed the baseline check to the total number of check items. Failed items are displayed by risk level.

    +

    Top 5 servers with unsafe settings

    +

    Statistics on servers with server configuration risks.

    +

    The top 5 servers with the highest risks are preferentially sorted. If no high-risk settings exist, the servers are sorted into medium-risk and low-risk ones in sequence.

    +

    Servers with weak passwords

    +

    Total number of detected servers, as well as the numbers of servers with weak passwords, those without weak passwords, and those with weak password detection disabled.

    +

    Top 5 servers with weak passwords

    +

    Statistics on the top 5 servers with most weak password risks.

    +

    Unsafe configuration

    +

    Alarms generated for servers with configuration risks and the risk statistics.

    +

    Password complexity policies

    +

    Statistics on servers with weak passwords that do not meet the baseline requirements.

    +

    Common weak passwords

    +

    Statistics on servers with weak passwords and accounts.

    +
    +
    +
    +

+
+

Viewing and Processing Configuration Check Results

  1. Click the Unsafe Configurations tab to view the risk items. For more information, see Table 2.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameter description

    Parameter

    +

    Description

    +

    Risk level

    +

    Level of a detection result.

    +
    • High
    • Low
    • Medium
    • Secure
    +

    Baseline name

    +

    Name of the baseline that is checked.

    +

    Type

    +

    Policy type of the baseline that has been checked.

    +
    • Cloud security practices
    • DJCP MLPS
    +

    Check item

    +

    Total number of configuration items that are checked.

    +

    Risky item

    +

    Total number of the risky configurations.

    +

    Affected servers

    +

    Total number of servers affected by the detected risks in a baseline.

    +

    Last scanned

    +

    Time when the last detection was performed.

    +

    Description

    +

    Description of a baseline.

    +
    +
    +

  2. Click the target baseline name in the list to view the baseline description, affected servers, and details about all check items.

    Figure 2 Viewing baseline check details
    +

  3. Handle risk items.

    • Ignoring risks

      Click Ignore in the Operation column of the target check item to ignore a check item. Select multiple check items and click Ignore to ignore them in batches.

      +
      Figure 3 Ignoring risks
      +
    • Fixing risks
      1. Click View Details in the Operation column of the target risk item to view the check item details.
      2. View the content in the Audit Description, Suggestion, and Affected Servers. Rectify the unsafe configurations.
        • You are advised to fix the settings with high severity immediately and fix those with medium or low severity.
        +
        +
      3. After the repair is complete, click Verify on the Affected Servers tab page to verify the result.
        If a failed check item has been fixed, you can update its status through verification.
        • Currently, baseline checks are not supported for Windows OSs.
        • The agent status of the target server must be online.
        • Only one risk item can be verified at a time. Other risk items can be verified only after the risk items are verified.
        • Baseline checks are supported for the following Linux OSs: Apache 2, Docker, MongoDB, Redis, MySQL 5, Nginx, Tomcat, SSH, vsftp, CentOS 6, CentOS 7, CentOS 8, EulerOS, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18.
        +
        +
        +
      4. Click Verify.
      5. Return to the check item list page and view the status of the risk item.

        The status changes to Verifying. The system starts automatic verification. After the verification is complete, check the status. If a check item failed to be fixed, click View Cause to view the cause. Then, fix it again.

        +
      +
    +

+
+

Viewing and Processing the Password Complexity Policy Detection Result

  1. Click the Password Complexity Policy Detection tab to view the risk statistical items and handling suggestions. For more information, see Table 3.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 3 Parameter description

    Parameter

    +

    Description

    +

    Server

    +

    Name and IP address of the detected server.

    +

    Password length

    +

    Whether the password length of the target server meets the requirements.

    +
    • Passed
    • Failed
    +

    Uppercase letters

    +

    Whether the uppercase letters used in the target server password meet the requirements.

    +
    • Passed
    • Failed
    +

    Lowercase letters

    +

    Whether the lowercase letters used in the target server password meet the requirements.

    +
    • Passed
    • Failed
    +

    Digits

    +

    Whether the digits used in the target server password meet the requirements.

    +
    • Passed
    • Failed
    +

    Special characters

    +

    Whether the special characters used in the target server password meet the requirements.

    +
    • Passed
    • Failed
    +

    Suggestion

    +

    Suggestion for fixing unsafe passwords

    +
    +
    +

  2. Modify the password complexity policy on the server as recommended.
  3. After modifying the password complexity policy, perform a manual check in the upper part of the Baseline Checks page to verify the result.

    If you do not perform a manual verification, HSS will automatically check the settings at 00:00:00 the next day.

    +

+
+

Viewing and Processing Common Weak Password Detection Results

  1. Click the Common Weak Password Detection tab to view the statistics of risky weak password accounts on the server. For more information, see Viewing common weak password detection.

    +

    + + + + + + + + + + + + + + + + +
    Table 4 Parameter description

    Parameter

    +

    Description

    +

    Server

    +

    Name and IP address of the detected server.

    +

    Account name

    +

    Accounts with weak passwords that are detected on the target server.

    +

    Account type

    +

    Type of an account.

    +

    Usage duration (Days)

    +

    Period for using a weak password.

    +
    +
    +

  2. Log in to the server and change the weak password.

    • To enhance server security, you are advised to modify the accounts with weak passwords in a timely manner, such as SSH accounts.
    • To protect internal data of your server, you are advised to modify software accounts that use weak passwords, such as MySQL accounts and FTP accounts.
    +
    • A password should contain more than eight characters, including uppercase letters, lowercase letters, digits, and special characters.
    +
    +

  3. After the weak password is changed, perform a manual check in the upper part of the Baseline Checks page to verify the result.

    If you do not perform a manual verification, HSS will automatically check the settings at 00:00:00 the next day.

    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0149.html b/docs/hss/umn/hss_01_0149.html
new file mode 100644
index 00000000..b726f720
--- /dev/null
+++ b/docs/hss/umn/hss_01_0149.html
@@ -0,0 +1,13 @@
+ + +

How Do I View Configuration Check Reports?

+

You can view the configuration check details online.

+

Procedure

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Prediction > Baseline Checks.
  3. On the Unsafe Configurations tab, click the baseline name. The details page is displayed.
  4. In the row containing the target check item, click View Details in the Operation column to view the check item details and affected servers.
  5. You can rectify unsafe configuration items and ignore trusted configuration items based on the suggestions provided.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0153.html b/docs/hss/umn/hss_01_0153.html
new file mode 100644
index 00000000..60503a3d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0153.html
@@ -0,0 +1,27 @@
+ + +

WTP

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0164.html b/docs/hss/umn/hss_01_0164.html
new file mode 100644
index 00000000..93bc4c8b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0164.html
@@ -0,0 +1,31 @@
+ + +

Intrusions

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0165.html b/docs/hss/umn/hss_01_0165.html
new file mode 100644
index 00000000..01747f34
--- /dev/null
+++ b/docs/hss/umn/hss_01_0165.html
@@ -0,0 +1,21 @@
+ + +

Unsafe Settings

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0166.html b/docs/hss/umn/hss_01_0166.html
new file mode 100644
index 00000000..3d2c8fa4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0166.html
@@ -0,0 +1,16 @@
+ + +

How Do I Set a Secure Password?

+
Comply with the following rules: +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0174.html b/docs/hss/umn/hss_01_0174.html
new file mode 100644
index 00000000..73d05116
--- /dev/null
+++ b/docs/hss/umn/hss_01_0174.html
@@ -0,0 +1,24 @@
+ + +

Switching the HSS Quota Edition

+

You can switch the quota edition of a server to the enterprise or premium edition as needed.

+

Precautions

You can switch to the enterprise or premium edition.

+

+
+

Prerequisites

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    Figure 1 Server list
    +

  1. In the Operation column of a server, click Switch Edition.

    • If HSS is switched from a higher edition to a lower edition, protected servers will be more vulnerable to attacks.
    • You can switch from other editions to the enterprise, or premium edition. To use the WTP edition, you need to purchase and enable it separately.
    +
    +

  2. Click OK.

    The edition information in the Edition column will be updated. If the edition information in the Edition column is updated, the HSS edition switch succeeded.

    +

+
+

Follow-up Procedure

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0176.html b/docs/hss/umn/hss_01_0176.html
new file mode 100644
index 00000000..e17189c7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0176.html
@@ -0,0 +1,45 @@
+ + +

What Do I Do If an Alarm Still Exists After I Fixed a Vulnerability?

+

Perform the following operations to locate the cause and fix the problems.

+

For more information, see the section "Handling Vulnerabilities".

+
+

Possible Causes and Solutions on a Linux Server

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0183.html b/docs/hss/umn/hss_01_0183.html
new file mode 100644
index 00000000..114696d0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0183.html
@@ -0,0 +1,47 @@
+ + +

How Do I Handle a Brute-force Attack Alarm?

+
+

Mind map for troubleshooting

The following mind map describes how to handle a brute-force attack alarm.

+
Figure 1 Mind map for troubleshooting
+
+

Handling the Alarm of a Successful Brute-force Attack

If you received an alarm notification indicating that your account had been cracked, you are advised to harden your servers as soon as possible.

+
  1. Log in to the management console.
  2. Check whether the IP address that triggered the alarm is valid.

    1. In the navigation pane, choose Detection > Alarms.
    2. In the Alarm Types area, select Abnormal User Behavior > Abnormal logins to view abnormal login alarm events.
    3. Click the alarm event name. On the details page that is displayed, check the login IP address.
      • If the IP address is from a normal user (for example, who entered incorrect password for multiple times but logged in before their account is blocked), your server is not intruded. In this case, you can click Handle and ignore the event.
      • If the IP address is invalid, your server may have been intruded.

        In this case, mark this event as handled, log in to the intruded server, and change its password to a stronger one. For details, see How Do I Set a Secure Password?

        +
      +
    +

  3. Check for and eliminate malicious programs.

    1. In the navigation pane, choose Detection > Alarms.
    2. In the Alarm Types area, select Malware > Unclassified malware to filter the unclassified malware.
    3. In the Alarm Type column, select Malicious program and check alarm events.
      You can click an alarm name to view alarm event details.
      • If you find malicious programs implanted in your servers, locate them based on their process paths, users running them, and startup time.

        To kill a malicious program in an alarm event, click Handle in the Operation column of an alarm and select Isolate and kill.

        +
      • If you have confirmed that all the malicious program alarms are false, go to Step 8.
      +
      +
    +

  4. Check for suspicious account change records.

    1. In the navigation pane on the left, choose Asset Management > Server Fingerprints.
    2. Click the Account Information tab. Detect suspicious account change records to prevent attackers from creating accounts or escalating account permissions (for example, adding login permissions to an account)..
    +

  5. Check and handle invalid accounts.

    1. In the navigation pane, choose Detection > Alarms.
    2. In the Alarm Types area, select Abnormal User Behavior > Invalid accounts. View and handle the invalid account alarms.
    +

  6. Check for and fix unsafe settings.

    Check for and fix weak password complexity policies and unsafe software settings on your servers.

    +

+
+

Handling the Alarm of a Blocked Brute-force Attack

If you have enabled , HSS will protect your servers against brute-force attacks.

+

You can configure a login security policy to specify the brute force cracking determination mode and blocking duration.

+

If you have not configured any login security detection policy, the following default login security policy is used: HSS will block an IP address if it has five or more brute-force attack attempts detected within 30 seconds, or 15 or more brute-force attack attempts detected within 3,600 seconds.

+

If you receive an alarm indicating that an attack source IP address is blocked, check whether the source IP address is a trusted IP address.

+
Constraints and Limitations
  • Linux

    On servers running the EulerOS with ARM, HSS does not block the IP addresses suspected of SSH brute-force attacks, but only generates alarms.

    +
  • Windows
    • Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall during the HSS in-service period. If the Windows firewall is disabled, HSS cannot block brute-force attack IP addresses.
    • If the Windows firewall is manually enabled, HSS may also fail to block brute-force attack IP addresses.
    +
+
+

Procedure

+
  1. Log in to the management console.
  2. Choose Detection > Alarms. Choose Abnormal User Behavior > Brute-force attacks to view account brute force events.

    Brute-force attack alarms will be generated if:
    • The system uses weak passwords, is under brute-force attacks, and attacker IP addresses are blocked.
    • Users fail to log in after several incorrect password attempts, and their IP addresses are blocked.
    +
    +

  3. Check whether the login IP address triggering the alarm is valid.

    • If the IP address is valid,
      • To handle a false alarm, click Handle in the row of the alarm event. Mark this event as Ignore or Add to Login Whitelist.

        This does not unblock the IP address.

        +
      • To unblock the IP address, click View Details under Blocked IP Addresses, select the IP address, and unblock it. Alternatively, you can just wait for it to be automatically unblocked when its blocking duration expires. The default blocking duration is 12 hours.
      +
    • If the source IP address is invalid or unknown,

      Mark this event as handled.

      +

      Immediately log in to your server and change your password to a stronger one.

      +
    +

+
+

Helpful Links

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0185.html b/docs/hss/umn/hss_01_0185.html
new file mode 100644
index 00000000..ad790cc1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0185.html
@@ -0,0 +1,13 @@
+ + +

How Do I Modify a Protected Directory?

+
  1. Log in to the management console.
  2. In the navigation pane, choose Prevention > Web Tamper Protection.
  3. Locate the target server and click Configure Protection in the Operation column.
  4. Click Settings. On the Protected Directory Settings page on the right, select the directory to be edited and click Edit in the Operation column.

    • If you need to modify files in the protected directory, stop protection for the protected directory first.
    • After the files are modified, resume protection for the directory in a timely manner.
    +
    +

  5. In the Edit Protected Directory dialog box, modify the settings and click OK.
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0188.html b/docs/hss/umn/hss_01_0188.html
new file mode 100644
index 00000000..b97c3715
--- /dev/null
+++ b/docs/hss/umn/hss_01_0188.html
@@ -0,0 +1,23 @@
+ + +

Abnormal Logins

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0189.html b/docs/hss/umn/hss_01_0189.html
new file mode 100644
index 00000000..79e2d9e4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0189.html
@@ -0,0 +1,47 @@
+ + +

Why Do I Still Receive Remote Login Alarms After Configuring the Login IP Whitelist?

+

Even whitelisted IP addresses can certain trigger alarms. The SSH login IP address whitelist, Login Whitelist, and remote login functions focus on different aspects of security, as described in Table 1.

+ +
+ + + + + + + + + + + + + + + + + +
Table 1 Functions

Function

+

Description

+

How to Mask Alarm

+

SSH login IP address whitelist

+

Only the IP addresses in this whitelist can log in to specified servers via SSH.

+
NOTICE:

To avoid connection issues, ensure you have not missed necessary IP addresses before enabling this function.

+
+

-

+

Login Whitelist

+

To reduce false brute-force attack alarms, add trusted login IP addresses and their destination server IP addresses to the Login Whitelist.

+

Choose Detection > Whitelists. Click the Login Whitelist tab, and add IP addresses. HSS will not generate brute-force alarms for these IP addresses.

+

Remote login

+

Logins not from Common Login Locations and Common Login IP Addresses will trigger remote login alarms.

+

You will be informed of new IP addresses that log in to your servers.

+

Choose Installation & Configuration and click Security Configuration. Add login information on the Common Login Locations and Common Login IP Addresses tabs. Whitelisted logins will no longer trigger remote alarms.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0192.html b/docs/hss/umn/hss_01_0192.html
new file mode 100644
index 00000000..ca6201d5
--- /dev/null
+++ b/docs/hss/umn/hss_01_0192.html
@@ -0,0 +1,16 @@
+ + +

How Do I Know Whether an Intrusion Succeeded?

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0193.html b/docs/hss/umn/hss_01_0193.html
new file mode 100644
index 00000000..931df232
--- /dev/null
+++ b/docs/hss/umn/hss_01_0193.html
@@ -0,0 +1,11 @@
+ + +

Why Some Attacks on Servers Are Not Detected?

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0195.html b/docs/hss/umn/hss_01_0195.html
new file mode 100644
index 00000000..ee85e6f9
--- /dev/null
+++ b/docs/hss/umn/hss_01_0195.html
@@ -0,0 +1,12 @@
+ + +

Do WTP and HSS Use the Same Agent?

+

Yes.

+

All HSS editions can use the same agent installed on a server.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0196.html b/docs/hss/umn/hss_01_0196.html
new file mode 100644
index 00000000..6e8994bf
--- /dev/null
+++ b/docs/hss/umn/hss_01_0196.html
@@ -0,0 +1,19 @@
+ + +

Weak Passwords and Unsafe Accounts

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0197.html b/docs/hss/umn/hss_01_0197.html
new file mode 100644
index 00000000..67bea199
--- /dev/null
+++ b/docs/hss/umn/hss_01_0197.html
@@ -0,0 +1,77 @@
+ + +

How Do I Handle a Weak Password Alarm?

+

Servers using weak passwords are exposed to intrusions. If a weak password alarm is reported, you are advised to change the alarmed password immediately.

+

Causes

+
+

Checking and Changing Weak Passwords

  1. Log in to the management console.
  2. Choose Prediction > Baseline Checks and click the Common Weak Password Detection tab.
  3. Check the server, account name, account type, and usage duration of the weak password. Log in to the server and change the password.
+
+

Changing a Weak Password

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +

System

+

Procedure

+

Remarks

+

Windows OS

+

To change the password in the Windows 10, perform the following steps:

+
  1. Log in to the Windows OS.
  2. Click in the lower left corner and click .
  3. In the Windows Settings window, click Accounts.
  4. Choose Sign-in options from the navigation tree.
  5. On the Sign-in options tab, click Change under Password.
+

None

+

Linux OS

+

Log in to the Linux server and run the following command:

+

passwd [<user>]

+

If you do not specify any username, you are changing the password of the current user.

+

After the command is executed, enter the new password as prompted.

+
NOTE:

Replace <user> with the username.

+
+

MySQL database

+
  1. Log in to the MySQL database.
  2. Run the following command to check the database user password:

    SELECT user, host, authentication_string From user;

    +

    This command is probably invalid in certain MySQL versions.

    +

    In this case, run the following command:

    +

    SELECT user, host password From user;

    +
  3. Run the following command to change the password:

    SET PASSWORD FOR'Username'@'Host'=PASSWORD('New_password');

    +
  4. Run the following command to refresh password settings:

    flush privileges;

    +
+

None

+

Redis database

+
  1. Open the Redis database configuration file redis.conf.
  2. Run the following command to change the password:

    requirepass <password>;

    +
+
  • If there is already a password, the command will change it to the new password.
  • If there has been no password set, the command will set the password.
+
NOTE:

Replace <password> with the new password.

+
+

Tomcat

+
  1. Open the conf/tomcat-user.xml configuration file in the Tomcat root directory.
  2. Change the value of password under the user node to a strong password.
+

None

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0198.html b/docs/hss/umn/hss_01_0198.html
new file mode 100644
index 00000000..cd3ebf37
--- /dev/null
+++ b/docs/hss/umn/hss_01_0198.html
@@ -0,0 +1,17 @@
+ + +

How Do I Handle Unsafe Configurations?

+

HSS automatically performs a configuration detection for servers. You can repair unsafe configuration items or ignore the configuration items you trust based on the detection result.

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0199.html b/docs/hss/umn/hss_01_0199.html
new file mode 100644
index 00000000..0059f5c7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0199.html
@@ -0,0 +1,11 @@
+ + +

Why Do I Need to Add a Protected Directory?

+

WTP protects files in directories. If no directories are specified, WTP cannot take effect even if it is enabled.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0202.html b/docs/hss/umn/hss_01_0202.html
new file mode 100644
index 00000000..1f466161
--- /dev/null
+++ b/docs/hss/umn/hss_01_0202.html
@@ -0,0 +1,25 @@
+ + +

What Should I Do If WTP Cannot Be Enabled?

+

The causes of this problem vary by scenarios.

+

Agent Status Is Abnormal

+
+

Enterprise/Premium Edition HSS Has Been Enabled

+
+

Protection Was Enabled on the Wrong Page

To enable WTP, choose Web Tamper Protection > Servers.

+

If you have applied for the WTP edition, you can use all functions of the premium edition, and you can enable the server protection only on the Web Tamper Protection. After WTP is enabled, server protection of the premium edition is also enabled.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0204.html b/docs/hss/umn/hss_01_0204.html
new file mode 100644
index 00000000..3805b49d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0204.html
@@ -0,0 +1,11 @@
+ + +

Why a Blocked IP Address Is Automatically Unblocked?

+

If a blocked IP address does not perform brute-force attacks in the next 12 hours, the IP address will be automatically unblocked.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0206.html b/docs/hss/umn/hss_01_0206.html
new file mode 100644
index 00000000..d5b070c2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0206.html
@@ -0,0 +1,145 @@
+ + +

What Do I Do If My Servers Are Subjected to a Mining Attack?

+

Take immediate measures to contain the attack, preventing miners from occupying CPU or affecting other applications. If a server is intruded by a mining program, the mining program may penetrate the intranet and persist on the intruded server.

+

You should also harden your servers to better block intrusions.

+

Troubleshooting Procedure

  1. Log in to the management console.
  2. Check Abnormal process behavior events.

    Choose Detection > Alarms and click Server Alarms. Choose Abnormal System Behavior > Abnormal process behavior to view and handle the abnormal process behavior alarms. Click Handle in the Operation column of an event.

    +

  3. Check auto-startup items. Some of your auto-startup items were probably created by attackers to start mining programs upon server restart.

    Choose Asset Management > Server Fingerprints, click Auto-startup, and select Operation History to view the change history.

    +

+
+

Hardening Servers

After you delete miner programs, harden your servers to better defend against intrusions.

+
Linux servers
  1. Let HSS automatically scan your servers and applications in the early morning every day to help you detect and eliminate security risks.
  2. Set stronger passwords for all accounts (including system and application accounts), or change the login mode to key-based login.
    1. Set the security password. For details, see How Do I Set a Secure Password?.
    2. Use the key to log in to the server.
    +
  3. Strictly control the usage of system administrator accounts. Grant only the least permissions required for applications and middleware and strictly control their usage.
  4. Configure access rules in security groups. Open only necessary ports. For special ports (such as remote login ports), only allow access from specified IP addresses or use VPN or bastion hosts to establish your own communications channels.
+
+

Windows servers

+
Use HSS to comprehensively check for and eliminate security risks. Improve your account, password, and authorization security.
  • Account hardening +
    + + + + + + + + + + + + + + + + + + + + + +

    Measure

    +

    Description

    +

    Procedure

    +

    Ensure default account security.

    +
    • Disable user Guest.
    • Disable and delete unnecessary accounts. (You are advised to disable inactive accounts for three months before deleting them.)
    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Computer Management.
    3. Choose System Tools > Local Users and Groups > Users.
    4. Double-click Guest. In the Guest Properties window, select Account is disabled.
    5. Click OK.
    +

    Assign accounts with only necessary permissions to users.

    +

    Create users and user groups of specific types.

    +

    Example: administrators, database users, audit users

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Computer Management.
    3. Choose System Tools > Local Users and Groups. Create users and groups as needed.
    +

    Periodically check and delete unnecessary accounts.

    +

    Periodically delete or lock unnecessary accounts.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Computer Management.
    3. Choose System Tools > Local Users and Groups.
    4. Choose Users or User Groups and delete unnecessary users or user groups.
    +

    Do not display the last username.

    +

    Forbid the login page from displaying the latest logged in user.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > Security Options.
    4. Double-click Interactive logon: Do not display last user name.
    5. In the displayed dialog box, select Enable and click OK.
    +
    +
    +
  • Password hardening +
    + + + + + + + + + + + + + + + + + +

    Setting

    +

    Description

    +

    Procedure

    +

    Complexity

    +

    In line with the requirements set in How Do I Set a Secure Password.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Account Policies > Password Policy.
    4. Enable the policy Password must meet complexity requirements.
    +

    Maximum password age

    +

    In static password authentication mode, force users to change their passwords every 90 days or at shorter intervals.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Account Policies > Password Policy.
    4. Set Maximum password age to 90 days or shorter.
    +

    Account lockout policy

    +

    In static password authentication mode, lock a user account if authentication for the user fails for 10 consecutive times.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Account Policies > Account Lockout Policy.
    4. Set Account lockout threshold to 10 or smaller.
    +
    +
    +
  • Authorization hardening +
    + + + + + + + + + + + + + + + + + + + + + + + + + +

    Authorization

    +

    Description

    +

    Procedure

    +

    Remote shutdowns

    +

    Assign the permission Force shutdown from a remote system only to the Administrators group.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > User Rights Assignment.
    4. Assign the permission Force shutdown from a remote system only to the Administrators group.
    +

    Local shutdown

    +

    Assign the permission Shut down the system only to the Administrators group.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > User Rights Assignment.
    4. Assign the permission Shut down the system only to the Administrators group.
    +

    User rights assignment

    +

    Assign the permission Take ownership of files or other objects only to the Administrators group.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > User Rights Assignment.
    4. Assign the permission Shut down the system only to the Administrators group.
    +

    Login

    +

    Authorize users to log in to the computer locally.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > User Rights Assignment.
    4. Assign the permission Allow log on locally to the users you want to authorize.
    +

    Access from the network

    +

    Allow only the authorized users to access this computer from the network (for example, by network sharing). Access from other terminals are not allowed.

    +
    1. Open Control Panel.
    2. Click Administrative Tools. Open Local Security Policy.
    3. Choose Local Policies > User Rights Assignment.
    4. Assign the permission Access this computer from the network to the users you want to authorize.
    +
    +
    +
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0207.html b/docs/hss/umn/hss_01_0207.html
new file mode 100644
index 00000000..0e2be670
--- /dev/null
+++ b/docs/hss/umn/hss_01_0207.html
@@ -0,0 +1,17 @@
+ + +

Why a Process Is Still Isolated After It Was Whitelisted?

+

After you add a process to the whitelist, it will no longer trigger certain alarms, but its isolation will not be automatically canceled.

+

Isolating and Killing a Malicious Program

+

If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

+
+

Canceling the Isolation of Files

  1. Choose Detection > Alarms. Click the value above Isolated Files to view the isolated files.
  2. In the row containing the target server, click Restore in the Operation column. The dialog box is displayed.
  3. Click OK to restore the isolation file.

    After you cancel isolation, the read/write permissions of files will be restored, but terminated processes will not be automatically started.

    +
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0209.html b/docs/hss/umn/hss_01_0209.html
new file mode 100644
index 00000000..7bf5db9d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0209.html
@@ -0,0 +1,13 @@
+ + +

How Do I Fix Vulnerabilities?

+

Procedure

  1. Check the vulnerability detection results.
  2. Based on provided solutions, fix vulnerabilities one by one in descending order by severity.

    • Restart the Windows OS after you fix its vulnerabilities.
    • Restart the Linux OS after you fix its kernel vulnerabilities.
    +

  3. HSS scans all Linux servers, Windows servers, and Web-CMS servers for vulnerabilities every early morning. After you fix the vulnerabilities, you are advised to perform a check immediately to verify the result.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0214.html b/docs/hss/umn/hss_01_0214.html
new file mode 100644
index 00000000..3e17f436
--- /dev/null
+++ b/docs/hss/umn/hss_01_0214.html
@@ -0,0 +1,58 @@
+ + +

Enabling Web Tamper Protection

+

Before enabling WTP, you need to allocate a quota to a specified server. If the service is disabled or the server is deleted, the quota can be allocated to other servers.

+

The premium edition will be enabled when you enable WTP.

+

How WTP Prevents Web Page Tampering

+
+ + + + + + + + + + +
Table 1 Protection mechanisms

Type

+

Mechanism

+

Static web page protection

+
  1. Local directory lock

    WTP locks files in a web file directory in a drive to prevent attackers from modifying them. Website administrators can update the website content by using privileged processes.

    +
  2. Active backup and restoration

    If WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local host to restore the file.

    +
  3. Remote backup and restoration

    If a file directory or backup directory on the local server is invalid, you can use the remote backup service to restore the tampered web page.

    +
+

Dynamic web page protection

+

Provides runtime application self-protection (RASP) for Tomcat applications in the following ways:

+
  1. Malicious behavior filtering based on RASP

    The unique runtime application self-protection (RASP) detects application program behaviors, preventing attackers from tampering with web pages through application programs.

    +
  2. Network disk file access control

    WTP implements fine-grained management to control permissions for adding, modifying, and querying file content in network disks, preventing tampering without affecting website content release.

    +
+
+
+
+

Prerequisites

+
+

Setting Protected Directories

You can set:

+ + +
+

Enabling WTP

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > Web Tamper Protection. On the Web Tamper Protection page, click Add Server.

    Figure 1 Adding protected servers
    +

  4. On the Add Server page, click the Available servers tab. Select the target server, select a quota from the drop-down list or retain the default value, and click Add and Enable Protection.
  5. View the server status on the Web Tamper Protection page.

    The premium edition will be enabled when you enable WTP.

    +
    • Choose Prevention > Web Tamper Protection. If the Protection Status of the server is Protected, WTP has been enabled.
    • Choose Asset Management > Servers & Quota and click the Servers tab. If the protection status of server is Protected, and Disable and Switch Edition are grayed out in the Operation column, the premium edition included with the WTP edition has been enabled.
    +

+
  • A quota can be bound to a server to protect it, on condition that the agent on the server is online.
  • Disable WTP before updating a website and enable it after the update is complete. Otherwise, the website will fail to be updated.
  • Your website is not protected while WTP is disabled. Enable it immediately after updating your website.
+
+
+

Related Operations

Disabling WTP

+

Choose Prevention > Web Tamper Protection and click the Servers tab. Click Disable Protection in the Operation column of a server.

+
  • Before disabling WTP, perform a comprehensive detection on the server, handle known risks, and record operation information to prevent O&M errors and attacks on the server.
  • If WTP is disabled, web applications are more likely to be tampered with. Therefore, you need to delete important data on the server, stop important services on the server, and disconnect the server from the external network in a timely manner to avoid unnecessary losses caused by attacks on the server.
  • After you or disable WTP, files in the protected directory are no longer protected. You are advised to process files in the protected directory before performing these operations.
  • If you find some files missing after disabling WTP, search for them in the local or remote backup path.
+
  • The premium edition will be disabled when you disable WTP.
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0216.html b/docs/hss/umn/hss_01_0216.html
new file mode 100644
index 00000000..fca92ed8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0216.html
@@ -0,0 +1,84 @@
+ + +

Adding a Protected Directory

+

WTP monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites from Trojans, illegal links, and tampering.

+

Prerequisites

You have enabled the WTP edition.

+
+

Constraints and Limitations

+ +
+

Adding a Protected Directory

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Entering the page for protected directory settings
    +

  4. Click Settings under Protected Directory Settings.

    Figure 2 Protected directory settings
    +

  5. You can add a maximum of 50 protected directories.

    1. Click Add. In the Add Protected Directory dialog box, set required parameters. For details, see Table 1.
      Figure 3 Adding a protected directory
      + +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      Table 1 Parameters for a protected directory

      Parameter

      +

      Description

      +

      Restriction

      +

      Protected Directory

      +

      Files and folders in this directory are read-only.

      +

      Do not set it to any OS directories.

      +

      Excluded Subdirectory

      +
      • Subdirectories that do not need to be protected in the protected directory, such as temporary file directories.
      • Separate subdirectories with semicolons (;). A maximum of 10 subdirectories can be added.
      +

      The subdirectory is a relative directory in the protected directory.

      +

      Excluded File Types

      +
      • Types of files that do not need to be protected in the protected directory, such as log files.
      • Separate file types with semicolons (;).
      • To record the running status of the server in real time, exclude the log files in the protected directory. You can grant high read and write permissions for log files to prevent attackers from viewing or tampering with the log files.
      +

      -

      +

      Local Backup Path

      +
      • Only Linux is supported.
      • After WTP is enabled, files in the protected directory are automatically backed up to the local backup path.
      • Generally, the backup completes within 10 minutes. The actual duration depends on the size of files in the protected directory. Protection takes effect immediately when the backup completes.
      • Excluded subdirectories and types of files are not backed up.
      • If WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local host to restore the file.
      +

      The local backup path cannot overlap with the added protected directory.

      +

      Excluded File Path

      +
      • Paths that do not need to be protected in the protected directory.
      • Separate multiple paths with semicolons (;). A maximum of 50 paths can be added. The maximum length of a path is 256 characters.
      • A single path cannot start with a space or end with a slash (/).
      +

      The excluded file path is the relative file path of the protected directory.

      +
      +
      +
    2. Click OK.

      If you need to modify files in the protected directory, stop protection for the protected directory first. After the files are modified, resume protection for the directory in a timely manner.

      +
    +

  6. Enable remote backup.

    By default, HSS backs up the files from the protected directories (excluding specified subdirectories and file types) to the local backup directory you specified when adding protected directories. To protect the local backup files from tampering, you must enable the remote backup function.

    +

    For details about how to add a remote backup server, see Configuring Remote Backup.

    +
    1. On the Protected Directory Settings page, click Enable Remote Backup.
      Figure 4 Enabling remote backup
      +
    2. Select a backup server from the drop-down list box.
    3. Click OK.
    +

+
+

Related Operations

+
  • After you suspend protection for a protected directory, delete it, or modify its path, files in the directory will no longer be protected. Before performing these operations, ensure you have taken other measures to protect the files.
  • After you suspend protection for a protected directory, delete it, or modify its path, if you find your files missing in the directory, search for them in the local or remote backup path.
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0217.html b/docs/hss/umn/hss_01_0217.html
new file mode 100644
index 00000000..156f331b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0217.html
@@ -0,0 +1,31 @@
+ + +

Enabling/Disabling Scheduled Static WTP

+

You can schedule WTP protection to allow website updates in specific periods.

+

Exercise caution when you set the periods to disable WTP, because files will not be protected in those periods.

+
+

Constraints

Only the servers that are protected by the HSS WTP edition support the operations described in this section.

+
+

Rules for Setting an Unprotected Period

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Entering the page for protected directory settings
    +

  4. On the Configure Protection tab, click Settings under Scheduled Protection.

    Figure 2 Configuring scheduled protection
    +

  5. Set the unprotected period and days in a week to automatically disable protection.

    1. Click Add Unprotected Period. Configure parameters in the dialog box that is displayed.
      Figure 3 Adding an unprotected period
      +

      Configuration constraints:

      +
      • Unprotected period >= 5 minutes
      • Unprotected period < 24 hours
      • Periods (except for those starting at 00:00 or ending at 23:59) cannot overlap and must have an at least 5-minute interval.
      • A period cannot span two days.
      • The server time is used as a time base.
      +
      +
    2. Click OK.
    3. Select the days to disable protection.

      For example, if you select Mon., Thu., and Sat., the server automatically disables the WTP function during the unprotected period on these days.

      +
      Figure 4 Selecting days to disable protection
      +
    4. Click OK.
    +

  6. Return to the Configure Protection tab and toggle on to enable Scheduled Protection.

    Figure 5 Enabling scheduled protection
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0218.html b/docs/hss/umn/hss_01_0218.html
new file mode 100644
index 00000000..97f3f838
--- /dev/null
+++ b/docs/hss/umn/hss_01_0218.html
@@ -0,0 +1,24 @@
+ + +

Enabling Dynamic WTP

+

Dynamic WTP protects your web pages while Tomcat applications are running, and can detect tampering of dynamic data, such as database data. It can be enabled with static WTP or separately.

+

Constraints and Limitations

+
+ +

Prerequisites

You are using a server running the Linux OS.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Entering the page for protected directory settings
    +

  4. On the Configure Protection tab, toggle on to enable Dynamic WTP.

    Figure 2 Enabling Dynamic WTP
    +

  5. In the displayed dialog box, modify the Tomcat bin Directory.

    To enable dynamic WTP, you need to modify the Tomcat bin directory first. The system presets the setenv.sh script in the bin directory for setting anti-tamper program startup parameters. After enabling dynamic WTP, restart Tomcat to make this setting take effect.

    +
    Figure 3 Configuring a Tomcat directory
    +

  6. Click OK to enable dynamic WTP.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0226.html b/docs/hss/umn/hss_01_0226.html
new file mode 100644
index 00000000..b42d3e6a
--- /dev/null
+++ b/docs/hss/umn/hss_01_0226.html
@@ -0,0 +1,21 @@
+ + +

Scenarios

+

HSS

+
+

CGS

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0230.html b/docs/hss/umn/hss_01_0230.html
new file mode 100644
index 00000000..ed8fd800
--- /dev/null
+++ b/docs/hss/umn/hss_01_0230.html
@@ -0,0 +1,51 @@
+ + +

Enabling the Enterprise, or Premium Edition

+

Before enabling protection on servers, you need to allocate quota to a specified server. If the protection is disabled or the server is deleted, the quota can be allocated to other servers.

+

For the WTP edition, choose Prevention > Web Tamper Protection > Server Protection and then enable it.

+

To enable the WTP edition, choose Prevention > Web Tamper Protection > Server Protection and click the Servers tab. All the functions of the premium edition are included with the WTP edition.

+
+

Check Mode

HSS performs a full scan in the early morning every day.

+

After you enable server protection, you can view scan results after the automatic scan in the next early morning.

+
+

Prerequisites

+
+

Restrictions

+
+

Enabling Protection

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    Figure 1 Server list
    +

  4. Select the target server and click Enable.

    In the Enable Protection dialog box, select an HSS edition.

    +
    Figure 2 Enabling HSS
    +
    Figure 3 Confirming the protection information
    +

    +

  5. Click OK. View the server protection status in the server list.

    If the Protection Status of the target server is Enabled, the enterprise or premium edition has been enabled.

    +
    • A quota can be bound to a server to protect it, on condition that the agent on the server is online.
    +
    +

    After HSS is enabled, it will scan your servers for security issues. Check items vary according to the edition you enabled.

    +
    Figure 4 Automatic security check items
    +

+
+

Viewing Detection Details

After server protection is enabled, HSS will immediately perform comprehensive detection on the server. The detection may take a long time.

+

On the left of the protection list, click Risky.

+
Figure 5 Viewing risky items
+

Click a server name to go to the details page. On this page, you can quickly check the detected information and risks of the server.

+
Figure 6 Viewing the detection result
+
+

Follow-up Procedure

You can manually configure check items. Configurable items vary according to the edition you enabled.

+
Figure 7 Manual check items
+
+

Related Operations

Disabling HSS

+

On the Servers tab of the Servers & Quotas page, click Disable in the Operation column of a server.

+
  • Before disabling protection, perform a comprehensive detection on the server, handle known risks, and record operation information to prevent attacks.
  • After protection is disabled, clear important data on the server, stop important applications on the server, and disconnect the server from the external network to avoid unnecessary loss caused by attacks.
+
+

Unbinding quota

+

Choose Asset Management > Servers & Quota, and click the Quotas tab. Click Unbind in the Operation column. The usage status of the unbound quota will change from In use to Idle. HSS will automatically disable protection for the server unbound from the quota.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0233.html b/docs/hss/umn/hss_01_0233.html
new file mode 100644
index 00000000..8c5f3f6d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0233.html
@@ -0,0 +1,17 @@
+ + +

Installing an Agent

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0236.html b/docs/hss/umn/hss_01_0236.html
new file mode 100644
index 00000000..55f670a4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0236.html
@@ -0,0 +1,23 @@
+ + +

Installing the Agent for Windows

+

You can enable HSS only after the agent is installed on your servers. This topic describes how to install the agent on a server running a Windows OS. For details about how to install an agent on the Linux OS, see Installing an Agent on Linux.

+

Default Installation Path

The agent installation path on servers running the Windows OS cannot be customized. The default path is:

+

C:\Program Files\HostGuard

+
+

Precaution

If you uninstall an agent and install it again on a Windows server, the message "Installation failed" will probably be displayed. This is a misreport and you can ignore it.

+
+

Prerequisite

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration. Click the Agents tab. Click Offline.

    Figure 1 Accessing the agent management page
    +

  4. In the Operation column of the server, click Install Agent to obtain the link for downloading the agent installation script.
  5. Remotely log in to the server where the agent is to be installed.

    • You can log in to the ECS management console and click Remote Login in the ECS list.
    • If an EIP has been bound to the server, you can log in to the server by using Windows Remote Desktop Connection or a third-party remote management tool, such as pcAnywhere or UltraVNC.
    +

  6. On the server where the agent is to be installed, open the link obtained in 4 by using the Internet Explorer. Download the agent installation script.
  7. Run the agent installation script as the administrator.
  8. Check the HostGuard.exe and HostWatch.exe processes in the Windows Task Manager.

    If the processes do not exist, the agent installation fails. In this case, reinstall the agent.

    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0241.html b/docs/hss/umn/hss_01_0241.html
new file mode 100644
index 00000000..b82162a4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0241.html
@@ -0,0 +1,352 @@
+ + +

Enabling Alarm Notifications

+
After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages. Without this function, you have to log in to the management console to view alarms. +
+

Enabling Alarm Notifications

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration, and click Alarm Notifications. Table 1 describes the parameters.

    +

    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Alarm configurations

    Notification Item

    +

    Description

    +

    Suggestion

    +

    Daily alarm notification

    +

    HSS scans the accounts, web directories, vulnerabilities, malicious programs, and key configurations in the server system at 00:00 every day, and sends the summarized detection results to the recipients you set in SMN, depending on which one you chose.

    +

    To view notification items, click View Default Daily Notification Events.

    +
    • It is recommended that you receive and periodically check all the content in the daily alarm notification to eliminate risks in a timely manner.
    • Daily alarm notifications contain a lot of check items. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to Email.
    +

    Real-time alarm notification

    +

    When an attacker intrudes a server, alarms are sent to the recipients you set in SMN, depending on which one you chose.

    +

    To view notification items, click View Default Real-time Notification Events.

    +
    • It is recommended that you receive all the content in the real-time alarm notification and view them in time. The HSS system monitors the security of servers in real time, detects the attacker's intrusion, and sends real-time alarm notifications for you to quickly handle the problem.
    • Real-time alarm notifications are about urgent issues. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to SMS.
    +

    Severity

    +

    Select the severities of alarms that you want to be notified of.

    +

    All

    +

    Masked Events

    +

    Select the events that you do not wish to be notified of.

    +

    Select events to be masked from the drop-down list box.

    +

    Determine the events to be masked based on the description in Alarm Notifications.

    +
    +
    +

  4. Select the alarm notification mode.

    • Use SMN topic settings

      Select an available topic from the drop-down list or click View Topics and create a topic.

      +

      You can create multiple notification topics based on the O&M plan and alarm notification type to receive different types of alarm notifications. For details about topics and subscriptions, see the Simple Message Notification User Guide.

      +
    +

  5. Click Apply. A message will be displayed indicating that the alarm notification is set successfully.
+
+

Alarm Notifications

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Notification Item

+

Item

+

Description

+

Daily Alarm Notifications

+

The service checks risks in your servers in the early morning every day, summarizes and collects detection results, and sends the results to your mobile phone or email box at 10:00 every day.

+

Assets

+

Dangerous ports

+

Check for high-risk open ports and unnecessary ports.

+

Vulnerabilities

+

Critical vulnerabilities

+

Detect critical vulnerabilities and fix them in a timely manner.

+

Unsafe settings

+

Unsafe configurations

+

Detect unsafe settings of key applications that will probably be exploited by hackers to intrude servers.

+

Common weak passwords

+

Detect weak passwords in MySQL, FTP, and system accounts.

+

Intrusions

+

Malicious programs

+

Check and handle detected malicious programs all in one place, including web shells, Trojan, mining software, worms, and viruses.

+

Web shells

+

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

+
  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warning on trusted files.
  • You can use the manual detection function to detect web shells on servers.
+

Reverse shells

+

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

+

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

+

File privilege escalations

+

Check the file privilege escalations in your system.

+

Process privilege escalations

+
The following process privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
+
+

Critical file changes

+

Receive alarms when critical system files are modified.

+

File/Directory changes

+

System files and directories are monitored. When a file or directory is modified, an alarm is generated, indicating that the file or directory may be tampered with.

+

Abnormal process behaviors

+

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

+

Send alarms on unauthorized process operations and intrusions.

+

The following abnormal process behavior can be detected:

+
  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections
+

High-risk command execution

+

Check executed commands in real time and generate alarms if high-risk commands are detected.

+

Abnormal shells

+

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

+

Abnormal logins

+

Check and handle remote logins.

+

If a user's login location is not any common login location you set, an alarm will be triggered.

+

Invalid accounts

+

Scan accounts on servers and list suspicious accounts in a timely manner.

+

Vulnerability escapes

+

The service reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker).

+

File escapes

+

The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

+

Abnormal container processes

+

Container services are usually simple. If you are sure that only specific processes run in a container, you can add the processes to the whitelist of a policy, and associate the policy with the container.

+

The service reports an alarm if it detects that a process not in the whitelist is running in the container.

+

Abnormal container startups

+

Check for unsafe parameter settings used during container startup.

+

Certain startup parameters specify container permissions. If their settings are inappropriate, they may be exploited by attackers to intrude containers.

+

High-risk system calls

+

Users can run tasks in kernels by Linux system calls. The service reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot.

+

Sensitive file access

+

Detect suspicious access behaviors (such as privilege escalation and persistence) on important files.

+

Critical third-party DDoS vulnerabilities

+

Detects third-party DDoS vulnerabilities that urgently need to be fixed.

+

Malicious scan

+

Detects abnormal scanning of server assets.

+

Mining

+

Detects the use of devices (computers, smartphones, tablets, or servers) to mine encrypted currencies without users' consent or knowledge. Once detected, an alarm is reported immediately.

+

Brute-force attacks

+

Check for brute-force attack attempts and successful brute-force attacks.

+
  • Your accounts are protected from brute-force attacks. HSS will block the attacking hosts when detecting such attacks.
  • Trigger an alarm if a user logs in to the host by a brute-force attack.
+

Real-Time Alarm Notifications

+

When an event occurs, an alarm notification is immediately sent.

+

Intrusions

+

Malicious programs

+

Check and handle detected malicious programs all in one place, including web shells, Trojans, mining software, worms, and viruses.

+

Web shells

+

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

+
  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warning on trusted files.
  • You can use the manual detection function to detect web shells on servers.
+

Reverse shell

+

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

+

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

+

File privilege escalations

+

Check the file privilege escalations in your system.

+

Process privilege escalations

+
The following process privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
+
+

Critical file changes

+

Receive alarms when critical system files are modified.

+

File/Directory changes

+

System files and directories are monitored. When a file or directory is modified, an alarm is generated, indicating that the file or directory may be tampered with.

+

Abnormal process behaviors

+

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

+

Send alarms on unauthorized process operations and intrusions.

+

The following abnormal process behavior can be detected:

+
  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections
+

High-risk command execution

+

Check executed commands in real time and generate alarms if high-risk commands are detected.

+

Abnormal shells

+

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

+

Exception Stat

+

Check and handle remote logins.

+

If a user's login location is not any common login location you set, an alarm will be triggered.

+

Invalid accounts

+

Scan accounts on servers and list suspicious accounts in a timely manner.

+

Vulnerability escapes

+

The service reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker).

+

File escapes

+

The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

+

Abnormal container processes

+

Container services are usually simple. If you are sure that only specific processes run in a container, you can add the processes to the whitelist of a policy, and associate the policy with the container.

+

The service reports an alarm if it detects that a process not in the whitelist is running in the container.

+

Abnormal container startups

+

Check for unsafe parameter settings used during container startup.

+

Certain startup parameters specify container permissions. If their settings are inappropriate, they may be exploited by attackers to intrude containers.

+

High-risk system calls

+

Users can run tasks in kernels by Linux system calls. The service reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot.

+

Sensitive file access

+

Detect suspicious access behaviors (such as privilege escalation and persistence) on important files.

+

Critical third-party DDoS vulnerabilities

+

Detects third-party DDoS vulnerabilities that urgently need to be fixed.

+

Malicious scan

+

Detects abnormal scanning of server assets.

+

Mining

+

Detects the use of devices (computers, smartphones, tablets, or servers) to mine encrypted currencies without users' consent or knowledge. Once detected, an alarm is reported immediately.

+

Login

+

Success login

+

Notifications are sent to accounts that have successfully logged in.

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0243.html b/docs/hss/umn/hss_01_0243.html
new file mode 100644
index 00000000..4ed39b5f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0243.html
@@ -0,0 +1,12 @@
+ + +

What Do I Do If a Mining Process Is Detected on a Server?

+

You are advised to:

+
  1. Back up data and disable unnecessary ports.
  2. Set a stronger server password.
  3. Enable HSS. Your servers will be protected from mining processes by its intrusion detection functions, such as account cracking prevention, remote login detection, malicious program detection, and web shell detection; as well as malicious program killing and vulnerability fixing functions.
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0245.html b/docs/hss/umn/hss_01_0245.html
new file mode 100644
index 00000000..faeb0e4c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0245.html
@@ -0,0 +1,87 @@
+ + +

What Is the HSS Agent?

+

The HSS agent is used to scan all servers and containers, monitor their status in real time, and collect their information and report to the cloud protection center.

+

Functions of the Agent

+
  • If no agent is installed or the agent installed is abnormal, the HSS is unavailable.
+
+
+

Linux Agent Processes

The agent process needs to be run by the root user.

+

The agent contains the following processes:

+ +
+ + + + + + + + + + + + + + + + + +
Table 1 Agent running process on a Linux server

Agent Process Name

+

Function

+

Path

+

hostguard

+

Detects security issues, protects the system, and monitors the agent.

+

/usr/local/hostguard/bin/hostguard

+

hostwatch

+

Monitors the agent process.

+

/usr/local/hostguard/bin/hostwatch

+

upgrade

+

Upgrades the agent.

+

/usr/local/hostguard/bin/upgrade

+
+
+
+

Windows Agent Processes

The agent process needs to be run by the system user.

+

The agent contains the following processes:

+ +
+ + + + + + + + + + + + + + + + + +
Table 2 Agent running process on a Windows server

Agent Process Name

+

Function

+

Path

+

hostguard.exe

+

Detects security issues, protects the system, and monitors the agent.

+

C:\Program Files\HostGuard\HostGuard.exe

+

hostwatch.exe

+

Monitors the agent process.

+

C:\Program Files\HostGuard\HostWatch.exe

+

upgrade.exe

+

Upgrades the agent.

+

C:\Program Files\HostGuard\upgrade.exe

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0246.html b/docs/hss/umn/hss_01_0246.html
new file mode 100644
index 00000000..9fe5ee31
--- /dev/null
+++ b/docs/hss/umn/hss_01_0246.html
@@ -0,0 +1,21 @@
+ + +

Vulnerability Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0247.html b/docs/hss/umn/hss_01_0247.html
new file mode 100644
index 00000000..0d9ca2b2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0247.html
@@ -0,0 +1,11 @@
+ + +

Why a Server Displayed in Vulnerability Information Does Not Exist?

+

The vulnerability list displays vulnerabilities detected in the last seven days. After a vulnerability is detected for a server, if you change the server name and do not perform a vulnerability scan again, the vulnerability list still displays the original server name.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0250.html b/docs/hss/umn/hss_01_0250.html
new file mode 100644
index 00000000..87c0bb18
--- /dev/null
+++ b/docs/hss/umn/hss_01_0250.html
@@ -0,0 +1,25 @@
+ + +

Web Tamper Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0255.html b/docs/hss/umn/hss_01_0255.html
new file mode 100644
index 00000000..f7414e20
--- /dev/null
+++ b/docs/hss/umn/hss_01_0255.html
@@ -0,0 +1,17 @@
+ + +

How Do I Modify a File After WTP Is Enabled?

+

Protected directories are read-only. To modify files or update the website, perform any of the following operations.

+

Temporarily Disabling WTP

Disable WTP while you modify files in protected directories.

+

Your website is not protected from tampering while WTP is disabled. Enable it immediately after updating your website.

+
+

Setting Scheduled Protection

You can set periodic static WTP, and update websites while WTP is automatically disabled.

+

Exercise caution when you set the periods to disable WTP, because files will not be protected in those periods.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0256.html b/docs/hss/umn/hss_01_0256.html
new file mode 100644
index 00000000..082e0d6c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0256.html
@@ -0,0 +1,46 @@
+ + +

How Do I Defend Against Brute-force Attacks?

+

Impact of Account Cracking

Intruders who cracked server accounts can exploit permissions to steal or tamper with data on servers, interrupting enterprise services and causing great loss.

+
+

Preventive Measures

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0258.html b/docs/hss/umn/hss_01_0258.html
new file mode 100644
index 00000000..2b0eed4d
--- /dev/null
+++ b/docs/hss/umn/hss_01_0258.html
@@ -0,0 +1,23 @@
+ + +

About HSS

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0260.html b/docs/hss/umn/hss_01_0260.html
new file mode 100644
index 00000000..b8de126f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0260.html
@@ -0,0 +1,19 @@
+ + +

Enabling Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0269.html b/docs/hss/umn/hss_01_0269.html
new file mode 100644
index 00000000..78bbe35e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0269.html
@@ -0,0 +1,12 @@
+ + +

How Do I Use the Windows Remote Desktop Connection Tool to Connect to a Server?

+

Procedure

  1. On the local PC, choose Startup > Running, and then run the mstsc command to start Windows Remote Desktop Connection.
  2. Click Options, and then click the Local Resources tab. In the Local devices and resources area, select Clipboard.
  3. Click the General tab. In Computer, enter the EIP of the server on which you want to install an agent. In User name, enter Administrator. Then click Connect.
  4. In the displayed dialog box, enter the user password of the server and click OK to connect to the server.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0274.html b/docs/hss/umn/hss_01_0274.html
new file mode 100644
index 00000000..0b7aaab6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0274.html
@@ -0,0 +1,14 @@
+ + +

Why Are the Weak Password Alarms Still Reported After the Weak Password Policy Is Disabled?

+

If you have enhanced passwords before disabling the weak password policy, the weak password alarm will not be reported again.

+

If you do not enhance passwords before disabling the weak password policy, the reported alarm will persist and be retained for 30 days.

+ +

After modifying weak passwords, you are advised to perform manual detection immediately to verify the result. If you do not perform manual verification and do not disable the weak password scan, HSS will automatically check the settings the next day in the early morning.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0277.html b/docs/hss/umn/hss_01_0277.html
new file mode 100644
index 00000000..4ba0255e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0277.html
@@ -0,0 +1,659 @@
+ + +

Server Alarms

+

HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You can learn all these events on the console, and eliminate security risks in your assets in a timely manner.

+

Constraints

Servers that are not protected by HSS do not support alarm-related operations.

+
+

Supported Alarms and Events

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Event Type

+

Alarm Name

+

Description

+

Enterprise Edition

+

Premium Edition

+

WTP Edition

+

Supported OS

+

Add to Alarm Whitelist

+

Isolate and Kill

+

Malware

+

Malicious programs

+

Malicious programs include Trojans and web shells implanted by hackers to steal your data or control your servers.

+

For example, hackers will probably use your servers as miners or DDoS zombies. This occupies a large number of CPU and network resources, affecting service stability.

+

Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and kill them in one-click. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing.

+

+

+

+

Linux and Windows

+

+

+

Viruses

+

Detect viruses in server assets, report alarms, and support automatic or manual viruses isolation and killing based on the alarms.

+

+

+

+

Linux and Windows

+

+

+

Worms

+

Detect and kill worms on servers and report alarms.

+

+

+

+

Linux and Windows

+

+

+

Trojans

+

Detect and remove Trojan and viruses on servers and report alarms.

+

+

+

+

Linux and Windows

+

+

+

Botnets

+

Detect and kill botnets on servers and report alarms.

+

+

+

+

Linux and Windows

+

+

+

Backdoors

+

Detect backdoors in servers and reports alarms.

+

+

+

+

Linux and Windows

+

+

+

Rootkits

+

Detect server assets and report alarms for suspicious kernel modules, files, and folders.

+

+

+

+

Linux

+

+

×

+

Ransomware

+

Check for ransomware in web pages, software, emails, and storage media.

+

Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion.

+

×

+

+

+

Linux and Windows

+

+

√ (Partially supported)

+

Hacker tools

+

Detect and kill hacker tools on servers and reports alarms.

+

+

+

+

Linux and Windows

+

+

+

Web shells

+

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

+

You can configure the web shell detection rule in the Web Shell Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

+

You need to add a protected directory in policy management. For details, see Web Shell Detection.

+

+

+

+

Linux and Windows

+

+

×

+

Mining

+

Detect, scan, and remove mining software on servers, and report alarms.

+

+

+

+

Linux and Windows

+

+

+

Vulnerability Exploits

+

Remote code execution

+

Detect and report alarms on server intrusions that exploit vulnerabilities in real time.

+

+

+

+

Linux and Windows

+

+

×

+

Abnormal System Behavior

+

Reverse shells

+

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

+

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

+

You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

+

+

+

+

Linux

+

+

×

+

File privilege escalations

+

Detect file privilege escalation operations and generate alarms.

+

+

+

+

Linux

+

+

×

+

Process privilege escalations

+
Detect the privilege escalation operations of the following processes and generate alarms:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
+
+

+

+

+

Linux

+

+

×

+

Important file changes

+

Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For details about the monitored paths, see Monitored Important File Paths.

+

HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes.

+

+

+

+

Linux

+

+

×

+

File/Directory changes

+

Monitor system files and directories in real time and generate alarms if such files are created, deleted, moved, or if their attributes or content are modified.

+

+

+

+

Linux and Windows

+

+

×

+

Abnormal process behaviors

+

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

+

Send alarms on unauthorized process operations and intrusions.

+

The following abnormal process behavior can be detected:

+
  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections
+

+

+

+

Linux and Windows

+

+

x (Partially supported)

+

High-risk command executions

+

You can configure what commands will trigger alarms in the High-risk Command Scan rule on the Policies page.

+

HSS checks executed commands in real time and generates alarms if high-risk commands are detected.

+

+

+

+

Linux and Windows

+

+

×

+

Abnormal shells

+

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

+

You can configure the abnormal shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

+

+

+

+

Linux

+

+

×

+

Suspicious crontab tasks

+

Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.

+

You can get notified immediately when abnormal automatic auto-start items are detected and quickly locate Trojans.

+

×

+

+

+

Linux and Windows

+

+

×

+

Windows defender protection disabled

+

Detect the preparations for ransomware encryption: Disable the Windows defender real-time protection function through the registry. Once the function is disabled, an alarm is reported immediately.

+

+

+

+

Windows

+

+

×

+

Backup deletion

+

Detect the preparations for ransomware encryption: Delete backup files or files in the Backup folder. Once backup deletion is detected, an alarm is reported immediately.

+

+

+

+

Windows

+

+

×

+

Suspicious registry operations

+

Detect operations such as disabling the system firewall through the registry and using the ransomware Stop to modify the registry and write specific strings in the registry. An alarm is reported immediately when such operations are detected.

+

+

+

+

Windows

+

+

×

+

Abnormal User Behavior

+

Brute-force attacks

+

If hackers log in to your servers through brute-force attacks, they can obtain the control permissions of the servers and perform malicious operations, such as steal user data; implant ransomware, miners, or Trojans; encrypt data; or use your servers as zombies to perform DDoS attacks.

+
Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.
  • If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address will be blocked. The default blocking duration is 12 hours.
  • You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.
+
+

+

+

+

Linux and Windows

+

+

×

+

Abnormal logins

+

Detect abnormal login behavior, such as remote login and brute-force attacks. If abnormal logins are reported, your servers may have been intruded by hackers.

+
  • Check and handle remote logins.

    You can check the blocked login IP addresses, and who used them to log in to which server at what time.

    +

    If a user's login location is not any common login location, an alarm will be triggered.

    +
  • Trigger an alarm if a user logs in to the server by a brute-force attack.
+

+

+

+

Linux and Windows

+

+

×

+

Invalid accounts

+

Hackers can probably crack unsafe accounts on your servers and control the servers.

+

HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them.

+

+

+

+

Linux and Windows

+

+

×

+

User account added

+

Detect the commands used to create hidden accounts. Hidden accounts cannot be found in the user interaction interface or be queried by commands.

+

+

+

+

Windows

+

+

×

+

Password theft

+

Detect the abnormal obtaining of system accounts and password hashes on servers and report alarms.

+

+

+

+

Windows

+

+

×

+

Reconnaissance

+

Port scan

+

Detect scanning or sniffing on specified ports and report alarms.

+

×

+

+

+

Linux

+

×

+

×

+

Host scan

+

Detect the network scan activities based on server rules (including ICMP, ARP, and nbtscan) and report alarms.

+

×

+

+

+

Linux

+

+

×

+
+
+
+

Monitored Important File Paths

+
+ + + + + + + + + + + + + +

Type

+

Linux

+

bin

+

/bin/ls

+

/bin/ps

+

/bin/bash

+

/bin/netstat

+

/bin/login

+

/bin/find

+

/bin/lsmod

+

/bin/pidof

+

/bin/lsof

+

/bin/ss

+

usr

+

/usr/bin/ls

+

/usr/bin/ps

+

/usr/sbin/ps

+

/usr/bin/bash

+

/usr/bin/netstat

+

/usr/sbin/netstat

+

/usr/sbin/rsyslogd

+

/usr/sbin/ifconfig

+

/usr/bin/login

+

/usr/bin/find

+

/usr/sbin/lsmod

+

/usr/sbin/pidof

+

/usr/bin/lsof

+

/usr/sbin/lsof

+

/usr/sbin/tcpd

+

/usr/bin/passwd

+

/usr/bin/top

+

/usr/bin/du

+

/usr/bin/chfn

+

/usr/bin/chsh

+

/usr/bin/killall

+

/usr/bin/ss

+

/usr/sbin/ss

+

/usr/bin/ssh

+

/usr/bin/scp

+

sbin

+

/sbin/syslog-ng

+

/sbin/rsyslogd

+

/sbin/ifconfig

+

/sbin/lsmod

+

/sbin/pidof

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0287.html b/docs/hss/umn/hss_01_0287.html
new file mode 100644
index 00000000..bbc9d44f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0287.html
@@ -0,0 +1,16 @@
+
+
+

How Do I Unblock an IP Address?

+

HSS will block an IP address if it has five or more brute-force attack attempts detected within 30 seconds, or 15 or more brute-force attack attempts detected within 3600 seconds. If a normal IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can unblock the IP address.

+

If you manually unblocked an IP address, but incorrect password attempts from this IP address reach the threshold again, this IP address will be blocked again.

+
  • The default blocking duration is 12 hours.
  • If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
+
+

Procedure

  1. Log in to the management console.
  2. In the navigation tree on the left, choose Detection > Alarms and click Server Alarms.
  3. In the Alarm Statistics area, click View Details under Blocked IP Addresses.
  4. In the blocked IP address list, select an IP address and click Cancel Interception.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0292.html b/docs/hss/umn/hss_01_0292.html
new file mode 100644
index 00000000..060154b6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0292.html
@@ -0,0 +1,17 @@
+
+
+

Enabling HSS

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0293.html b/docs/hss/umn/hss_01_0293.html
new file mode 100644
index 00000000..354b4b32
--- /dev/null
+++ b/docs/hss/umn/hss_01_0293.html
@@ -0,0 +1,27 @@
+
+
+

Enabling Container Protection

+

Before enabling protection for a container node, you need to allocate quota to a specified node. If the protection is disabled or the node is deleted, the quota can be allocated to other nodes.

+

Check Frequency

HSS performs a full check in the early morning every day.

+

After you enable server protection, you can view scan results after the automatic scan in the next early morning.

+
+

Prerequisites

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    Figure 1 Accessing the container node management page
    +

  4. In the Operation column of the node list, click Enable Protection.
  5. In the displayed dialog box, confirm the server information.
  6. Click OK. If the Protection Status of the server changes to Protected, protection has been enabled.

    A container security quota protects one cluster node.

    +
    +

+
+

Related Operations

Disabling protection for a node

+

Choose Asset Management > Containers & Quota, click the Container Nodes tab, and click Nodes. In the Operation column, click Disable Protection.

+

If protection is disabled, the quota status will change from occupied to idle. You can allocate the idle quota to another node to avoid quota waste.

+
  • Before disabling protection, perform a comprehensive detection on the container, handle detected risks, and record operation information to prevent O&M errors and attacks on the container.
  • After protection is disabled, clear important data on the container, stop important applications on the container, and disconnect the container from the external network to avoid unnecessary loss caused by attacks.
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0294.html b/docs/hss/umn/hss_01_0294.html
new file mode 100644
index 00000000..c55cc74f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0294.html
@@ -0,0 +1,19 @@
+
+
+

Asset Management

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0295.html b/docs/hss/umn/hss_01_0295.html
new file mode 100644
index 00000000..8f612e8f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0295.html
@@ -0,0 +1,21 @@
+
+
+

Container Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0296.html b/docs/hss/umn/hss_01_0296.html
new file mode 100644
index 00000000..52140e1c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0296.html
@@ -0,0 +1,49 @@
+
+
+

Viewing the Container Node Protection List

+

The Container Nodes page displays the protection, node, and Agent status of clusters in Cloud Container Engine (CCE), helping you learn the security status of clusters in real time.

+

Constraints

+
+

Viewing the Clusters and Protection Quotas

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Asset Management > Containers & Quota. Click Container Nodes.
  4. View the node protection status on the Nodes page. You can obtain the details in Table 1.

    In the HSS container node list, you can view only the servers where the agent has been installed. To view the servers where the agent has not been installed, choose Asset Management > Servers & Quota.

    +
    + +
    + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Server Name

    +

    Server name.

    +

    Protection Status

    +

    Protection status of a node. The options are as follows:

    +
    • Unprotected: HSS is disabled for the server. After the agent is installed, click Enable in the Operation column to enable protection.
    • Enabled: The server is fully protected by HSS.
    +

    Server Status

    +
    • Running
    • Unavailable
    • Normal
    +

    Agent Status

    +

    You can select a status to view the server.

    +
    • Online: The agent is running properly.
    • Offline: The communication between the agent and the HSS server is abnormal, and HSS cannot protect your servers.
    • Not installed: The agent has not been installed or successfully started.
    +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0297.html b/docs/hss/umn/hss_01_0297.html
new file mode 100644
index 00000000..2ceba403
--- /dev/null
+++ b/docs/hss/umn/hss_01_0297.html
@@ -0,0 +1,19 @@
+
+
+

Container Images

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0298.html b/docs/hss/umn/hss_01_0298.html
new file mode 100644
index 00000000..6ae62da5
--- /dev/null
+++ b/docs/hss/umn/hss_01_0298.html
@@ -0,0 +1,20 @@
+
+
+

Local Images

+

You can manually scan local images for vulnerabilities and software information and provides scan reports. This section describes how to perform security scans on local images and view scan reports.

+

Constraints

+ +
+

Viewing Local Images

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Asset Management > Containers & Quota. Click the Container Images tab and click Local image to view local images.

    Figure 1 Viewing the local image scan results
    +

+
+

Viewing Local Image Vulnerability Reports and Software Information

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane on the left, choose Asset Management > Containers & Quota. Click the Container Images tab and click Local image to view local images.

    Figure 2 Viewing the local image scan results
    +

  3. Click View Report in the Operation column of the target image to view the basic information, vulnerability report, and software information about the image.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0299.html b/docs/hss/umn/hss_01_0299.html
new file mode 100644
index 00000000..76b9cbfd
--- /dev/null
+++ b/docs/hss/umn/hss_01_0299.html
@@ -0,0 +1,77 @@
+
+
+

Managing SWR Private Images

+

Images in the private image repository come from SWR images. You can manually scan for and check reports on vulnerabilities, malicious files, software information, file information, baseline check, sensitive information.

+

Constraints

+ +
+

Viewing Private Images

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management Container & Quota. On the displayed page, click the Container Images tab and click SWR private image.

    Figure 1 Accessing the private image list
    +

  4. You can click Update Private Images from SWR to update self-owned images from SWR.
+
+

Scanning a Private Image

You can choose all images, multiple images, or a single image and manually start a scan. The duration of a security scan depends on the scanned image size. Generally, scanning an image takes shorter than 3 minutes. After the scan is complete, click View Report to check the report.

+

Scan items of private images in SWR are as follows:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Scan Item

+

Description

+

Vulnerability

+

Detect system and application vulnerabilities in images.

+

Malicious file

+

Detects malicious files in images.

+

Software information

+

Collects software information in an image.

+

File information

+

Collects file information in an image.

+

Unsafe setting

+
  • Configuration check:
    • Checks the images configurations of CentOS 7, Debian 10, EulerOS, and Ubuntu16.
    • Checks SSH configurations.
    +
  • Weak password check: detects weak passwords in images.
  • Password complexity check: detects insecure password complexity policies in images.
+

Sensitive information

+

Detects files that contain sensitive information in images.

+
  • The paths that are not checked by default are as follows:
    • /usr/*
    • /lib/*
    • /lib32/*
    • /bin/*
    • /sbin/*
    • /var/lib/*
    • /var/log/*
    • Any path/node_modules/any path/any name.md
    • Any path/node_modules/any path/test/any path
    • */service/iam/examples_test.go
    • Any path/grafana/public/build/any name.js
    +
    NOTE:
    • Any path: indicates that the current path is a customized value and can be any path in the system.
    • Any name: indicates that the file name in the current path is a customized value, which can be any name ended with .md or .js in the system.
    • On the View Report > Sensitive Information tab, click Configure Sensitive File Path to set the Linux path of the file that does not need to be checked. A maximum of 20 paths can be added.
    +
    +
  • No checks are performed in the following scenarios:
    • The file size is greater than 20 MB.
    • The file type can be binary, common process, or auto generation.
    +
+

Software compliance

+

Detects software and tools that are not allowed to be used.

+

Basic image information

+

Detects service images that are not created using base images.

+
+
+
  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Asset Management > Containers & Quota.
  3. Click the Container Images tab and select Private images. In the Operation column of an image, click Scan.
  4. In the displayed dialog box, click OK to start the scan job.
  5. Scanned in the Scan Status column indicates the target image scan completed.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0302.html b/docs/hss/umn/hss_01_0302.html
new file mode 100644
index 00000000..0d0a75f6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0302.html
@@ -0,0 +1,300 @@
+
+
+

Vulnerability Management Overview

+

Vulnerability management can detect Linux, Windows, Web-CMS, and application vulnerabilities and provide suggestions, helping you learn about server vulnerabilities in real time. Linux and Windows vulnerabilities can be fixed in one-click mode. This section describes how the vulnerabilities are detected and the vulnerabilities that can be scanned and fixed in each HSS edition.

+

The vulnerability list displays vulnerabilities detected in the last seven days. After a vulnerability is detected for a server, if you change the server name and do not perform a vulnerability scan again, the vulnerability list still displays the original server name.

+

+
+

How Vulnerability Scan Works

Table 1 describes how different types of vulnerabilities are detected.

+ +
+ + + + + + + + + + + + + + + + +
Table 1 How vulnerability scan works

Type

+

Mechanism

+

Linux vulnerability

+

Based on the vulnerability database, checks and handles vulnerabilities in the software (such as kernel, OpenSSL, vim, glibc) you obtained from official Linux sources and have not compiled, reports the results to the management console, and generates alarms.

+

Windows vulnerability

+

Synchronizes Microsoft official patches, checks whether the patches on the server have been updated, pushes Microsoft official patches, reports the results to the management console, and generates vulnerability alarms.

+

Web-CMS vulnerability

+

Checks web directories and files for Web-CMS vulnerabilities, reports the results to the management console, and generates vulnerability alarms.

+

Application vulnerability

+

HSS detects the vulnerabilities in the software and dependency packages running on servers and container server machines, reports risky vulnerabilities to the console, and displays vulnerability alarms.

+
+
+
+

Types of Vulnerabilities That Can Be Scanned and Fixed

For details about the types of vulnerabilities that can be scanned and fixed in different HSS editions, see Types of vulnerabilities that can be scanned and fixed in each HSS edition.

+

The meanings of the symbols in the table are as follows:

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2 Types of vulnerabilities that can be scanned and fixed in each HSS edition

Vulnerability Type

+

Function

+

Enterprise Edition

+

Premium Edition

+

Web Tamper Protection Edition

+

Container Edition

+

Linux vulnerability

+

Automatic vulnerability scan (reporting based on the software asset collection period)

+

+

+

+

+

Scheduled vulnerability scan (By default, vulnerabilities are scanned once a week. You can change the scan period by configuring vulnerability policies.)

+

+

+

+

+

Vulnerability whitelist

+

+

+

+

+

Manual vulnerability scan

+

+

+

+

+

One-click vulnerability fix

+

+

(A maximum of 50 vulnerabilities can be fixed at a time.)

+

+

+

+

Windows vulnerability

+

Automatic vulnerability scan (reporting based on the software asset collection period)

+

+

+

+

×

+

Scheduled vulnerability scan (By default, vulnerabilities are scanned once a week. You can change the scan period by configuring vulnerability policies.)

+

+

+

+

×

+

Vulnerability whitelist

+

+

+

+

×

+

Manual vulnerability scan

+

+

+

+

×

+

One-click vulnerability fix

+

+

(A maximum of 50 vulnerabilities can be fixed at a time.)

+

+

+

×

+

Web-CMS vulnerability

+

Automatic vulnerability scan (reporting based on the software asset collection period)

+

+

+

+

+

Scheduled vulnerability scan (By default, vulnerabilities are scanned once a week. You can change the scan period by configuring vulnerability policies.)

+

+

+

+

+

Vulnerability whitelist

+

+

+

+

+

Manual vulnerability scan

+

+

+

+

+

One-click vulnerability fix

+

×

+

×

+

×

+

×

+

Application vulnerability

+

Automatic vulnerability scan (reporting based on the middleware asset collection period)

+

+

+

+

+

Scheduled vulnerability scan (By default, vulnerabilities are scanned once a week. You can change the scan period by configuring vulnerability policies.)

+

+

+

+

+

Vulnerability whitelist

+

+

+

+

+

Manual vulnerability scan

+

+

+

+

+

One-click vulnerability fix

+

×

+

×

+

×

+

×

+
+
+

HSS can scan for Web-CMS and application vulnerabilities but cannot fix them. You can log in to your server to manually fix the vulnerability by referring to the suggestions displayed on the vulnerability details page.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0303.html b/docs/hss/umn/hss_01_0303.html
new file mode 100644
index 00000000..0501604b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0303.html
@@ -0,0 +1,86 @@
+
+
+

Baseline Inspection Overview

+

Baseline Inspection includes password complexity policy detection, common weak password detection, and configuration check. It can detect insecure password configurations and risky configurations in key software on servers, and provide rectification suggestions for detected risks, helping you correctly handle risky configurations on servers.

+

Baseline Inspection Content

+
+ + + + + + + + + + + + + + + + + + + + + +

Item

+

Description

+

Supported Check Mode

+

Supported HSS Version

+

Unsafe configuration

+

Check the unsafe Tomcat, Nginx, SSH login, and system configurations found by HSS.

+

Currently, the following check standards and types are supported:

+
  • For Linux,
    • The cloud security practice baseline can check Apache2, Docker, MongoDB, Redis, MySQL5, Nginx, Tomcat, SSH, vsftp, CentOS7, EulerOS, EulerOS_ext, Kubernetes-Node, Kubernetes-Master.
    • DJCP MLPS compliance: Apache 2, MongoDB, MySQL 5, Nginx, Tomcat, CentOS 6, CentOS 7, CentOS 8, Debian 9, Debian 10, Debian 11, Red Hat 6, Red Hat 7, Red Hat 8, Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18, Alma.
    +
  • For Windows,

    The cloud security practice baseline can check MongoDB, Apache2, MySQL, Nginx, Redis, Tomcat, Windows_2008, Windows_2012, Windows_2016, Windows_2019, and SqlServer.

    +
+
  • Automated baseline checks
  • Manual baseline checks
+

Enterprise, premium, WTP, and container edition

+

Password complexity policies

+

Check whether your password complexity policy of Linux system account is proper and modify it based on suggestions provided by HSS, improving password security.

+

Manual baseline checks

+

All versions

+

Common weak passwords

+

Weak passwords defined in the common weak password library. You can check for accounts and remind users to change them.

+

Common weak passwords of MySQL, FTP, and system accounts.

+
  • Automated baseline checks
  • Manually Performing a Baseline Check
+

All

+
+
+
+

Usage Process

+
+ + + + + + + + + + + + + +
Table 1 Usage process

No.

+

Operation

+

Description

+

1

+

Performing baseline inspection

+

The baseline inspection supports automatic and manual baseline checks.

+
  • Automatic baseline check: automatically performs a check for all server configurations and common weak passwords at 01:00 every day. Premium edition, web tamper protection edition, and container edition allow you to customize the automatic detection period for configurations and common weak passwords. For details, see Configuration Check and Weak Password Scan.
  • Manual baseline inspection: To view the real-time baseline risks of a specified server, you can manually perform a baseline inspection.
+

2

+

Viewing and processing baseline inspection results

+

After the baseline inspection is complete, you need to view and handle baseline configuration risks.

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0304.html b/docs/hss/umn/hss_01_0304.html
new file mode 100644
index 00000000..b65a05d0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0304.html
@@ -0,0 +1,19 @@
+
+
+

Container Image Security

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0305.html b/docs/hss/umn/hss_01_0305.html
new file mode 100644
index 00000000..fe7be5d3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0305.html
@@ -0,0 +1,60 @@
+
+
+

Image Vulnerabilities

+

This section describes how to check the vulnerabilities on the private image and determine whether to ignore the vulnerabilities.

+

Prerequisites

Container node protection has been enabled.

+
+

Constraints

Only vulnerabilities in Linux images can be checked.

+
+

Viewing Vulnerabilities in Private Images

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane on the left, choose Prediction > Container Images. On the displayed page, click Image Vulnerabilities and click Private Image Vulnerabilities to view private image vulnerabilities.

    Click a risky image to check its vulnerability overview, including the vulnerability name, urgency, status, the number of affected images, and vulnerability description.

    +
    +
    Figure 1 Viewing vulnerabilities in private images
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Operation

    +

    Vulnerability Name

    +

    -

    +
    • Click to view the details of a vulnerability, including CVE ID, CVSS Score, Disclosed, and Vulnerability Details.
    • Click the name of a vulnerability to view the images affected by the vulnerability. For details, see 3.
    +

    Repair Urgency

    +

    Shows whether the vulnerability should be repaired immediately.

    +

    -

    +

    Historically Affected Images

    +

    Shows the number of images that have been affected.

    +

    -

    +

    Solution

    +

    Provides a solution to fix the vulnerability.

    +

    Click the link in the Solution column to view the solution.

    +
    +
    +

  3. Click the vulnerability name to view its basic information and affected images.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0306.html b/docs/hss/umn/hss_01_0306.html
new file mode 100644
index 00000000..1b28b3e7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0306.html
@@ -0,0 +1,20 @@
+
+
+

Viewing Malicious File Detection Results

+

Malicious files in the private images can be automatically detected, helping you discover and eliminate the security threats in your assets.

+

Check Frequency

A comprehensive check is automatically performed in the early morning every day.

+
+

Prerequisites

Container protection has been enabled.

+
+

Constraints

Only malicious files in Linux images can be detected.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation tree on the left, choose Prediction > Container Images.
  4. Click the Malicious Files tab to view details about the malicious files in private images. Delete the malicious files or create images again as needed based on the scan result.

    • Malicious files include Trojans, worms, viruses, and Adware.
    • In the Image Tag column, click an image version to view its vulnerability report.
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0307.html b/docs/hss/umn/hss_01_0307.html
new file mode 100644
index 00000000..af5c0510
--- /dev/null
+++ b/docs/hss/umn/hss_01_0307.html
@@ -0,0 +1,21 @@
+
+
+

Image Baseline Check

+

Your private image repository is scanned for unsafe configurations and provides suggestions for modifying the configurations, helping you fight intrusions and meet compliance requirements.

+

Check Frequency

A comprehensive check is automatically performed by HSS at 04:10 every day.

+
+

Prerequisites

Container protection has been enabled.

+
+

Constraints

Only configuration risks in Linux images can be detected.

+
+

Check Items

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation tree on the left, choose Prediction > Container Images.
  4. Click the Unsafe Settings tab to view the unsafe settings in the image.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0312.html b/docs/hss/umn/hss_01_0312.html
new file mode 100644
index 00000000..504e83f6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0312.html
@@ -0,0 +1,164 @@
+
+
+

Container Alarm Events

+

After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. The agents support escape detection, high-risk system calls, abnormal processes, abnormal files, and container environment detection. You can learn alarm events comprehensively on the Container Alarms page, and eliminate security risks in your assets in a timely manner.

+

Container Alarm Types

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Event Type

+

Alarm Name

+

Mechanism

+

Malware

+

Unclassified malware

+

Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing.

+

Ransomware

+

Check for ransomware in web pages, software, emails, and storage media.

+

Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion.

+

Web shells

+

Check whether the files (often PHP and JSP files) in the web directories on containers are web shells.

+

Vulnerability Exploits

+

Vulnerability escapes

+

HSS reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker).

+

File escapes

+

HSS reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

+

Abnormal System Behaviors

+

+

Reverse shells

+

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

+

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

+

You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

+

Process privilege escalations

+

After hackers intrude containers, they will try exploiting vulnerabilities to grant themselves the root permissions or add permissions for files. In this way, they can illegally create system accounts, modify account permissions, and tamper with files.

+

HSS can detect the following abnormal privilege escalation operations:

+
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
  • File privilege escalation
+

High-risk system calls

+

Users can run tasks in kernels by Linux system calls. CGS reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot.

+

High-risk command executions

+

Check executed commands in containers and generate alarms if high-risk commands are detected.

+

Abnormal container processes

+
  • Malicious container program

    HSS monitors container process behavior and process file fingerprints. It reports an alarm if it detects a process whose behavior characteristics match those of a predefined malicious program.

    +
  • Abnormal processes

    Container services are usually simple. If you are sure that only specific processes run in a container, you can whitelist the processes on the Policy Groups page, and associate the policy with the container.

    +

    HSS reports an alarm if it detects that a process not in the whitelist is running in the container.

    +
+

Sensitive file access

+

HSS monitors the container image files associated with file protection policies, and reports an alarm if the files are modified.

+

Abnormal container startups

+

HSS monitors container startups and reports an alarm if it detects that a container with too many permissions is started. This alarm does not indicate an actual attack. Attacks exploiting this risk will trigger other HSS container alarms.

+

HSS container check items include:

+
  • Privileged container startup (privileged:true)

    Alarms are triggered by the containers started with the maximum permissions. Settings that can trigger such alarms include the –privileged=true parameter in the docker run command, and privileged: true in the securityContext of the container in a Kubernetes pod.

    +

    If the alarm name is Container Security Options and the alarm content contains privileged:true, it indicates that the container is started in privileged container mode.

    +
  • Too many container capabilities (capability:[xxx])

    In Linux OSs, system permissions are divided into groups before assigned to containers. A container only has a limited number of permissions, and the impact scope of this container is limited in the case of an incident. However, malicious users can grant all the system permissions to a container by modifying its startup configurations.

    +

    If the alarm name is Container Security Options and the alarm content contains capabilities:[xxx], it indicates that the container is started with an overlarge capability set, which poses risks.

    +
  • Seccomp not enabled (seccomp=unconfined)

    Secure computing mode (seccomp) is a Linux kernel feature. It can restrict system calls invoked by processes to reduce the attack surface of the kernel. If seccomp=unconfined is configured when a container is started, system calls will not be restricted for the container.

    +

    If the alarm name is Container Security Options and the alarm content contains seccomp=unconfined, it indicates that the container is started without seccomp, which poses risks.

    +
    NOTE:

    If seccomp is enabled, permissions will be verified for every system call. The verifications will probably affect services if system calls are frequent. Before you decide whether to enable seccomp, you are advised to test-enable it and analyze the impact on your services.

    +
    +
  • Container privilege escalation (no-new-privileges:false)

    Processes can escalate permissions by running the sudo command and using SUID or SGID bits. Default container configurations do not allow privilege escalation.

    +

    If –no-new-privileges=false is specified when a container is started, the container can escalate privileges.

    +

    If the alarm name is Container Security Options and the alarm content contains no-new-privileges:false, it indicates that privilege escalation restriction is disabled for the container, which poses risks.

    +
  • High-risk directory mapping (mounts:[...])

    For convenience purposes, when a container is started on a server, the directories of the server can be mapped to the container. In this way, services in the container can directly read and write resources on the server. However, this mapping incurs security risks. If any critical directory in the server OS is mapped to the container, improper operations in the container will probably damage the server OS.

    +

    HSS reports an alarm if it detects that a critical server path (/boot, /dev, /etc, /sys, and /var/run) is mounted during container startup.

    +

    If the alarm name is Container Mount Point and the alarm content contains mounts:[{"source":"xxx","destination":"yyy"...], it indicates that a file path mapped to the container is unsafe. In this case, check for risky directory mappings. You can configure the mount paths that are considered secure in the container information collection policy.

    +
    NOTE:

    Alarms will not be triggered for the files that need to be frequently accessed by Docker containers, such as /etc/hosts and /etc/resolv.conf.

    +
    +
  • Startup of containers in the host namespace

    The namespace of a container must be isolated from that of a server. If a container and a server use the same namespace, the container can access and modify the content on the server, which incurs container escape risks. To prevent such problems, HSS checks the container PID, network, and whether the container namespace is host.

    +

    If the alarm name is Container Namespace and the alarm content contains Container PID Namespace Mode, Container IPC Namespace Mode, or Container Network Namespace Mode, it indicates that a container whose namespace is host is started. In this case, check the container startup options based on the alarm information. If you are sure that the container can be trusted, you can ignore the alarm.

    +
+

Container Image blocking

+

If a container contains insecure images specified in the Suspicious Image Behaviors, before the container is started, an alarm will be generated for the insecure images.

+
NOTE:

You need to .

+
+

Abnormal User Behavior

+

Invalid accounts

+

Hackers can probably crack unsafe accounts on your containers and control the containers.

+

HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them.

+

Brute-force attacks

+

Detect and report alarms for brute-force attack behaviors, such as brute-force attack attempts and successful brute-force attacks, on containers.

+

Detect SSH, web, and Enumdb brute-force attacks on containers.

+
NOTE:

Currently, brute-force attacks can be detected only in the Docker runtime.

+
+

Abnormal Cluster Behaviors

+

Abnormal pod behaviors

+

Detect abnormal operations such as creating privileged pods, static pods, and sensitive pods in a cluster and abnormal operations performed on existing pods and report alarms.

+

User information enumerations

+

Detect the operations of enumerating the permissions and executable operation list of cluster users and report alarms.

+

Binding cluster roles

+

Detect operations such as binding or creating a high-privilege cluster role or service account and report alarms.

+

Kubernetes event deletions

+

Detect the deletion of Kubernetes events and report alarms.

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0313.html b/docs/hss/umn/hss_01_0313.html
new file mode 100644
index 00000000..ac5e19e7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0313.html
@@ -0,0 +1,23 @@
+
+
+

Viewing Container Alarms

+

HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of containers with alarms, handled alarms, and unhandled alarms.

+

The Events page displays the alarm events generated in the last 30 days.

+

The status of a handled event changes from Unhandled to Handled.

+

Constraints

Servers that are not protected by HSS do not support operations related to alarms and events.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Detection > Alarms and click the Container Alarms tab to view container alarms and events.

    Figure 1 Viewing container alarms
    +
    • View the overview of container alarms and events.
      • Alarm Statistics: You can view the number of containers that have alarms and the number of alarms to be handled and that have been handled.
      • Threats: You can view the number of alarms in a container by severity.
      • Top 5 Events: You can view the top 5 events with the largest number of alarms in a container.
      +
    • View the container alarms of a certain type.

      In the Event Types area, select an alarm event type to view the corresponding alarm event list. In the alarm event list, you can view the alarm threat level, alarm name, and affected container name.

      +
    • View details about container alarms and events.

      Click an alarm name to go to its details page. You can view the container ID, IP address, VM name, and image ID.

      +

      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0314.html b/docs/hss/umn/hss_01_0314.html
new file mode 100644
index 00000000..58010f3b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0314.html
@@ -0,0 +1,21 @@
+
+
+

Policy Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0317.html b/docs/hss/umn/hss_01_0317.html
new file mode 100644
index 00000000..4046a8c1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0317.html
@@ -0,0 +1,21 @@
+
+
+

Agent Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0318.html b/docs/hss/umn/hss_01_0318.html
new file mode 100644
index 00000000..a8924347
--- /dev/null
+++ b/docs/hss/umn/hss_01_0318.html
@@ -0,0 +1,11 @@
+
+
+

What Is Container Security?

+

Container Security Service (CGS) scans vulnerabilities and configuration information in images, helping enterprises detect container risks that cannot be found using conventional security software. CGS also provides functions such as container process whitelist, container file monitoring, container information collection, and container escape detection to reduce risks.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0319.html b/docs/hss/umn/hss_01_0319.html
new file mode 100644
index 00000000..66f6d805
--- /dev/null
+++ b/docs/hss/umn/hss_01_0319.html
@@ -0,0 +1,89 @@
+
+
+

What Is Web Tamper Protection?

+

Web Tamper Protection (WTP) monitors website directories in real time, backs up files, and restores tampered files using the backup. WTP protects your websites from Trojans, illegal links, and tampering.

+

Web Tamper Protection (WTP) can detect and prevent tampering of files in specified directories, including web pages, documents, and images, and quickly restore them using valid backup files.

+

This section describes the operation process and main functions of WTP. See Figure 1 and Table 1.

+
Figure 1 WTP operation process
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 WTP operation process and function description

Type

+

Operation

+

Description and Reference

+

Preparations

+

--

+

If no VDC operator account is available, contact an operations administrator to create a VDC administrator account, and then use the VDC administrator account to create a VDC operator.

+

Getting Started with WTP

+

Applying for Quota

+

Apply for WTP quota.

+

Installing an Agent

+

The agent is provided by HSS. It runs scan tasks to scan all servers, monitors server security, and reports collected server information to the cloud protection center.

+

You can enable WTP only after the agent is installed.

+

Parameters required for configuring alarm notifications

+

After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages.

+

Without this function, you have to log in to the management console to view alarms.

+

Enabling HSS

+

Allocate a quota to a server and enable HSS for the server.

+

Enable WTP

+

Adding a Protected Directory

+

Add a directory to be protected by WTP.

+

Create remote backup

+

By default, HSS backs up the files from the protected directories to the local backup directory you specified when you added protected directories. To protect the local backup files from tampering, you must enable the remote backup function.

+

Adding a privileged process

+

After WTP is enabled, the content in the protected directories is read-only. To allow certain processes to modify files in the directories, add them to the privileged process list.

+

Set scheduled WTP protection

+

You can schedule WTP protection to allow website updates in specific periods.

+

Enabling dynamic WTP

+

Dynamic WTP protects your data while Tomcat is running, detecting dynamic data tampering in databases.

+

View WTP reports

+

After WTP is enabled, HSS will immediately check the protected directories you specified. You can check records about detected tampering.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0320.html b/docs/hss/umn/hss_01_0320.html
new file mode 100644
index 00000000..27b82b0b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0320.html
@@ -0,0 +1,11 @@
+
+
+

What Are the Relationships Between Images, Containers, and Applications?

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0321.html b/docs/hss/umn/hss_01_0321.html
new file mode 100644
index 00000000..89b04c1e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0321.html
@@ -0,0 +1,33 @@
+
+
+

Agent FAQs

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0323.html b/docs/hss/umn/hss_01_0323.html
new file mode 100644
index 00000000..803d6d60
--- /dev/null
+++ b/docs/hss/umn/hss_01_0323.html
@@ -0,0 +1,17 @@
+
+
+

Container Guard Service

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0324.html b/docs/hss/umn/hss_01_0324.html
new file mode 100644
index 00000000..9fcc7d17
--- /dev/null
+++ b/docs/hss/umn/hss_01_0324.html
@@ -0,0 +1,14 @@
+
+
+

How Do I Enable Node Protection?

+

When you enable node protection, the system automatically installs the CGS plug-in on the node.

+
  1. Log in to the management console.
  2. In the navigation pane, choose Asset Management > Containers & Quota.
  3. In the Operation column of a node, click Enable Protection.
  4. Click OK to enable protection for the node. If Protection Status of the node is Protected, protection is enabled for the node.

    • An HSS quota protects one cluster node.
    +
    +

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0325.html b/docs/hss/umn/hss_01_0325.html
new file mode 100644
index 00000000..b92a1913
--- /dev/null
+++ b/docs/hss/umn/hss_01_0325.html
@@ -0,0 +1,24 @@
+
+
+

How Do I Disable Node Protection?

+

Before You Start

Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Accessing the container node management page
    +

  4. Disable protection for one or multiple servers.

    • Disabling protection for a server
      1. In the node list, click Disable Protection in the Operation column of a server.
      2. In the dialog box that is displayed, confirm the information and click OK.
      3. Choose Asset Management > Containers & Quota and click the Container Nodes tab. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    • Disabling protection in batches
      1. In the node list, select servers, and click Disable Protection above the list.
      2. In the dialog box that is displayed, confirm the information and click OK.
      3. Choose Asset Management > Containers & Quota and click the Container Nodes tab. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0331.html b/docs/hss/umn/hss_01_0331.html
new file mode 100644
index 00000000..12b18cb1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0331.html
@@ -0,0 +1,114 @@
+
+
+

Managing Isolated Files

+

HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them, and can recover isolated files anytime.

+

For details about events that can be isolated and killed, see Server Alarms.

+

Constraints

Servers that are not protected by HSS do not support alarm-related operations.

+
+

Isolation and Killing Operations

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Server alarms
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Alarm statistics

    Parameter

    +

    Description

    +

    Enterprise Project

    +

    Select an enterprise project and view alarm details by enterprise project.

    +

    Time range

    +

    You can select a fixed time period or customize a time period to filter alarms. Only alarms generated within 30 days can be queried.

    +

    The options are as follows:

    +
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom
    +

    Server Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms.

    +

    Blocked IP Addresses

    +

    Number of blocked IP addresses. You can click the number to check blocked IP address list.

    +

    The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time.

    +

    If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.

    +
    NOTICE:
    • After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address.
    • A maximum of 10,000 IP addresses can be blocked for each type of software.

      If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp.

      +

      If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.

      +
    +
    +

    Isolated Files

    +

    HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them.

    +

    You can recover isolated files. For details, see Managing Isolated Files.

    +

    Container Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms

    +

    Threats

    +

    Displays the statistics on alarms by severity.

    +
    • Critical
    • High
    • Medium
    • Low
    +

    Top 5 Events

    +

    Displays the top 5 alarm types and their quantities.

    +
    +
    +

  4. Locate an event that can be isolated and killed, click Handle in the Operation column, and select Isolate and Kill in the displayed box.

    For details about events that can be isolated and killed, see Server Alarms.

    +
    +

  5. Click OK and isolate and kill the target alarm event.

    Files that have been isolated are displayed on a slide-out panel on the Server Alarms page and cannot harm your servers. You can click Isolated Files on the upper right corner to check them.

    +

+
+

Checking Isolated Files

  1. In the alarm statistics area on the Server Alarms page, click View Details under Isolated Files to check the isolated files.
  2. Check the servers, names, paths, and modification time of the isolated files.
+
+

One-click Restoration

  1. Click restore in the Operation column of the file isolation box list. You can specify that isolated files are removed from the isolation box.
  2. Click OK.

    Recovered files will no longer be isolated. Exercise caution when performing this operation.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0346.html b/docs/hss/umn/hss_01_0346.html
new file mode 100644
index 00000000..bb9c80f0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0346.html
@@ -0,0 +1,21 @@
+
+
+

Ransomware Prevention

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0347.html b/docs/hss/umn/hss_01_0347.html
new file mode 100644
index 00000000..0084ed75
--- /dev/null
+++ b/docs/hss/umn/hss_01_0347.html
@@ -0,0 +1,412 @@
+
+
+

Viewing Ransomware Protection

+

Prerequisites

You have enabled HSS premium, WTP, or container edition.

+
+

Constraints

+
+

Checking the Ransomware Prevention Overview

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > Ransomware Prevention. Check ransomware prevention details.

    Figure 1 Ransomware prevention overview
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Ransomware prevention parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Enterprise Project

    +

    After an enterprise project is selected, the overview page will display the data in the project only.

    +

    You can select an existing enterprise project. By default, data of all servers is displayed.

    +

    -

    +

    Time range

    +

    Select a time range to check ransomware defense statistics.

    +

    Valid values: Last 24 hours, Last 3 days, Last 7 days, Last 30 days

    +

    Last 30 days

    +

    Protection Statistics

    +

    Protected Servers

    +

    Number of servers protected against ransomware.

    +

    -

    +

    Events

    +

    Number of ransomware-related events detected within the specified time range.

    +

    -

    +

    Backup Statistics

    +

    Backed Up Servers

    +

    Number of servers whose data has been backed up.

    +

    -

    +

    Backup and Restoration Tasks

    +

    Number of server data restoration tasks. You can click the number to view the task progress.

    +

    -

    +

    Protected Servers

    +

    Server Name/ID

    +

    Server name and ID. You can click a server name to view its details.

    +

    -

    +

    IP Address

    +

    EIP and private IP address of a server.

    +

    -

    +

    OS

    +

    Server OS.

    +

    Linux

    +

    Server Status

    +

    Server status. It can be:

    +
    • Running
    • Stopped
    +

    -

    +

    Ransomware Protection Status

    +

    Ransomware protection status of a server. Its value can be:

    +
    • Enabling
    • Enabled
    • Disabling
    • Disabled
    +

    Enabled

    +

    Policy

    +

    Policy used for the server.

    +

    -

    +

    Events

    +

    Number of events detected within the selected time range.

    +

    -

    +

    Backup Status

    +

    Status of the backup function. Its value can be:

    +
    • Enabled: Automatic full data backup has been enabled for a server.
    • Disabled: Automatic full data backup is disabled for a server.
    +

    Enabled

    +

    Backup Policy Status

    +

    Status of the backup policy associated with the target server

    +

    Enabled

    +

    Vault Status

    +

    Status of the vault associated with the backup on the target server

    +

    Available

    +

    Associated Vault

    +

    Name of the vault bound to the target server

    +

    -

    +

    Bound Servers

    +

    Number of servers associated with the backup vault

    +

    3

    +

    Used/Total Vault Capacity (GB)

    +

    The used capacity and total capacity of the vault associated with the target server

    +

    30/400

    +

    Backups

    +

    Number of backups generated in the vault

    +

    18

    +

    Policies

    +

    Policy

    +

    Policy name.

    +

    -

    +

    Action

    +

    Action of a policy. Its value can be:

    +
    • Report alarm: If a virus is detected, an alarm will be reported.
    • Report alarm and isolate: If a virus is detected, an alarm will be reported and the virus will be isolated.
    +

    Report alarm and isolate

    +

    Bait File

    +

    Files and directories that store invalid data on servers and are used as bait files.

    +

    If ransomware prevention is enabled, this function is enabled by default.

    +

    After bait file is enabled, the system deploys bait files in protected directories and key directories (unless otherwise specified by users). A bait file occupies only a few resources and does not affect your server performance.

    +

    Enabled

    +

    OS

    +

    OS of the server to which the target policy is bound.

    +

    Windows

    +

    Associated Servers

    +

    Number of servers associated with the policy.

    +

    -

    +
    +
    +

+
+

Viewing Backup and Restoration Tasks

The backup of HSS ransomware protection depends on Cloud Backup and Recovery (CBR). Before enabling server backup, ensure that you have applied for CBR.

+
+
  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Prevention > Ransomware Prevention. Click the number of backup and restoration tasks.
  3. In the dialog box that is displayed, view the backup and restoration task details. You can filter or search for a server by its name or status. For more information, see Table 2.

    +

    + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Backup and restoration task parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Server Name/ID

    +

    Name or ID of a server that executes a restoration task.

    +

    -

    +

    Backup Name

    +

    Name of a backup file.

    +

    -

    +

    Restoration Status

    +

    Restoration status of a server. It can be:

    +
    • Succeeded
    • Skipped
    • Failed
    • In progress
    • Timed out
    • Waiting
    +

    If a task was skipped, failed, or timed out, perform restoration again.

    +

    Succeeded

    +

    Start/End Time

    +

    Start and end time of backup and restoration.

    +

    -

    +
    +
    +

+
+

Restoring Server Data

The backup of HSS ransomware protection depends on Cloud Backup and Recovery (CBR). Before enabling server backup, ensure that you have applied for CBR.

+
+
  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Protected Servers tab. In the Operation column of the target server, click More > Restore Data.
  3. In the dialog box that is displayed, view information about the server to be restored. You can search for the backup data source to be restored by filtering the backup status and searching for the backup name. For more information, see Table 3.

    +

    + + + + + + + + + + + + + + + + + + + + + +
    Table 3 Backup data source parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Backup Name

    +

    Name of a backup file.

    +

    -

    +

    Status

    +

    Backup status. It can be:

    +
    • Available
    • Creating
    • Deleting
    • Restoring
    • Error
    +

    A backup in Available state can be used for restoration.

    +

    Available

    +

    Purpose

    +

    Backup purpose. It can be:

    +
    • Periodic execution: Data is backed up based on the backup period configured in the backup policy.
    • Ransomware protection: Data is backed up immediately when a server is attacked by ransomware.
    +

    Periodic execution

    +

    Execution Time

    +

    Time when the data source was backed up.

    +

    -

    +
    +
    +

  4. In the Operation column of a backup, click Restore Data.

    Only a backup in the available state can be restored.

    +
    +

  5. In the dialog box that is displayed, confirm the server information and click OK.
+
+

Modifying a Backup Policy

The backup of HSS ransomware protection depends on Cloud Backup and Recovery (CBR). Before enabling server backup, ensure that you have applied for CBR.

+
+
  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Prevention > Ransomware Prevention. The protected server list is displayed. Click the policy name in the Backup Policy Status column of the target server.
  3. Configure the policy in the dialog box that is displayed. For more information, see Table 4.

    +

    + + + + + + + + + + + + + + + + + +
    Table 4 Policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Backup Frequency

    +

    Data can be automatically backed up on specific days in a week, or at a fixed interval.

    +
    • Weekly: Select one or more days in a week to back up data.
    • Day based: The range of the backup interval is 1 to 30 days.
    +

    Weekly

    +

    Execution Time

    +

    Time when automated backup is started.

    +
    NOTE:

    Example of policy configurations

    +

    Policy 1: Set Backup Frequency to Weekly, select Wednesday and Saturday, and set Execution Time to 00:00 and 13:00. Data will be automatically backed up at 00:00 and 13:00 every Wednesday and Saturday.

    +

    Policy 2: Set Backup Frequency to Day based and set the interval to two days. Set Execution Time to 02:00 and 14:00. Data will be automatically backed up at 02:00 and 14:00 at an interval of two days.

    +
    +

    00:00, 07:00

    +

    Timezone

    +

    Select the time zone of the backup time.

    +

    UTC+08:00

    +
    +
    +

  4. Confirm the settings and click Next. Configure the backup retention rule.

    • Type: Backup Quantity

      Configure the backup policy. For more information, see Table 5.

      + +
      + + + + + + + + + + + + + +
      Table 5 Parameters for data retention by quantity

      Parameter

      +

      Description

      +

      Example Value

      +

      Rule

      +

      Number of latest backups to be retained.

      +
      NOTICE:

      This setting takes effect no matter how you configure advanced options.

      +

      For example, if the rule is configured to keep the most recent 30 backups, and Advanced Options are configured to keep the latest backup in the last 3 months (90 days), the latest 30 backups will be retained.

      +
      +

      30

      +

      (Optional) Advanced Options

      +

      Daily backup: The latest backup on each of the specified days is retained.

      +

      Keep the most recent backup from each of the last three months

      +
      +
      +
    • Type: Time period

      Configure the backup policy. For more information, see Table 6.

      + +
      + + + + + + + + + +
      Table 6 Parameters for data retention by time period

      Parameter

      +

      Description

      +

      Example Value

      +

      Rule

      +

      Select or customize a backup retention period. The system will automatically retain backups and delete old ones based on your settings. The retention period can be:

      +
      • Days
      • 1 month
      • 3 months
      • 6 months
      • 1 year
      +

      3 months

      +
      +
      +
    • Type: Permanent
      Backup data will be permanently stored.

      If the Retention Type of a rule is changed from Time period to Permanent, historical backups will still be deleted by following based on the Time period settings.

      +
      +
      +
    +

  5. Click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0348.html b/docs/hss/umn/hss_01_0348.html
new file mode 100644
index 00000000..2bea7008
--- /dev/null
+++ b/docs/hss/umn/hss_01_0348.html
@@ -0,0 +1,172 @@
+
+
+

Enabling Ransomware Prevention

+

Prerequisites

+
+

Constraints

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Protected Servers tab. Click Add Server.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

    +

  4. In the dialog box that is displayed, select the target system to be protected and configure a protection policy.

    • OS: Select the server system to be protected.
    • Ransomware Prevention: Enable or disable ransomware prevention.
      • Enable:
      • Disable:
      +
    • Policy: Select an existing policy or create a protection policy.
      • Use policy: Select an existing protection policy. For details, see Parameters for selecting an existing policy. +
        + + + + + + + + + + + + + +
        Table 1 Parameters for selecting an existing policy

        Parameter

        +

        Description

        +

        Policy

        +

        Select an existing policy.

        +

        Action

        +

        Select a ransomware event processing mode supported by the selected protection policy.

        +
        • Report alarm and isolate
        • Report alarm
        +

        Bait File

        +

        After bait protection is enabled, the system deploys bait files in protected directories and key directories (unless otherwise specified by users). A bait file occupies only a few resources and does not affect your server performance.

        +

        If ransomware prevention is enabled, this function is enabled by default.

        +
        NOTE:

        Currently, Linux servers support dynamic generation and deployment of bait files. Windows servers support only static deployment of bait files.

        +
        +
        +
        +
      • Create new: Create a protection policy on the current page. For details about the parameters, see Parameters for creating a protection policy. +
        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
        Table 2 Protection policy parameters

        Parameter

        +

        Description

        +

        Example Value

        +

        Policy

        +

        Policy name

        +

        test

        +

        Action

        +

        Indicates how an event is handled.

        +
        • Report alarm and isolate
        • Report alarm
        +

        Report alarm and isolate

        +

        Bait File

        +

        After bait protection is enabled, the system deploys bait files in protected directories and key directories (unless otherwise specified by users). A bait file occupies only a few resources and does not affect your server performance.

        +

        If ransomware prevention is enabled, this function is enabled by default.

        +
        NOTE:

        Currently, Linux servers support dynamic generation and deployment of bait files. Windows servers support only static deployment of bait files.

        +
        +

        Enabled

        +

        Bait File Directories

        +

        Protected directories (excluding subdirectories).

        +

        Separate multiple directories with semicolons (;). You can configure up to 20 directories.

        +

        This parameter is mandatory for Linux servers and optional for Windows servers.

        +

        Linux: /etc/lesuo

        +

        Windows: C:\Test

        +

        Excluded Directory (Optional)

        +

        Directories where bait files are not deployed.

        +

        Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.

        +

        Linux: /test

        +

        Windows: C:\ProData

        +

        Protected File Type

        +

        Types of files to be protected.

        +

        More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups.

        +

        This parameter is mandatory for Linux servers only.

        +

        Select all

        +
        +
        +
      +
    +

  5. After the configuration is complete, click Next to configure the vault.

    Server backup must be enabled.

    +
    +

    Select the target vault. For details about the vault list, see Table 3.

    +

    When selecting a vault, you are advised to determine the required capacity based on the backup rules, retention period, and server asset size. Select a vault with enough available capacity. Otherwise, the backup may fail.

    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 3 Vault list parameters

    Parameter

    +

    Description

    +

    Vault Name

    +

    Name of the target vault

    +

    Vault ID

    +

    ID of the target vault

    +

    Vault Status

    +

    Status of the target vault.

    +
    • Available
    • Frozen
    +

    Used/Total Vault Capacity (GB)

    +

    Current usage and total capacity of the target vault

    +

    Used Capacity (GB)

    +

    Total capacity of the server bound to the target vault.

    +

    For example:

    +

    Three servers with 60 GB hard disks are bound to vault A with 200 GB capacity.

    +
    • The used capacity is the total storage capacity of the servers bound to vault A (3 x 60 GB = 180 GB).
    • The used capacity does not occupy the capacity of vault A.
    • The used capacity indicates the maximum capacity required for backing up servers bound to vault A. The used capacity cannot be greater than the capacity of vault A. Otherwise, the backup may fail.
    +

    Number of bound servers

    +

    Number of servers associated with the target vault

    +

    Backup Policy Status

    +

    Status of the rule for automatically backing up server data in the target vault

    +
    • Enabled: The vault automatically backs up servers based on the selected backup policy.
    • Disabled: The backup policy is not enabled and the vault cannot be used to back up data.
    +
    +
    +

  6. Click Next and select servers. You can search for a server by its name or by filtering.

    Figure 1 Selecting servers
    +

  7. Click OK.
  8. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Protected Servers tab and check protected servers.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0349.html b/docs/hss/umn/hss_01_0349.html
new file mode 100644
index 00000000..5da0436a
--- /dev/null
+++ b/docs/hss/umn/hss_01_0349.html
@@ -0,0 +1,159 @@
+
+
+

Managing Ransomware Prevention Policies

+

Currently, you can create a ransomware prevention policy only when enabling ransomware prevention.

+
+

Constraints

Only premium, WTP, and container editions support ransomware protection.

+
+

Creating a Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Protected Servers tab. Click Add Server.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

    +

  4. In the slide pane that is displayed, select Linux or Windows, enable protection, and select Create new. For more information, see Table 1.

    The following uses a Linux server as an example.
    Figure 1 Creating a policy
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Protection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Policy

    +

    Policy name

    +

    test

    +

    Action

    +

    Indicates how an event is handled.

    +
    • Report alarm and isolate
    • Report alarm
    +

    Report alarm and isolate

    +

    Bait File

    +

    After bait protection is enabled, the system deploys bait files in protected directories and key directories (unless otherwise specified by users). A bait file occupies only a few resources and does not affect your server performance.

    +

    If ransomware prevention is enabled, this function is enabled by default.

    +
    NOTE:

    Currently, Linux servers support dynamic generation and deployment of bait files. Windows servers support only static deployment of bait files.

    +
    +

    Enabled

    +

    Bait File Directories

    +

    Protected directories (excluding subdirectories).

    +

    Separate multiple directories with semicolons (;). You can configure up to 20 directories.

    +

    This parameter is mandatory for Linux servers and optional for Windows servers.

    +

    Linux: /etc/lesuo

    +

    Windows: C:\Test

    +

    Excluded Directory (Optional)

    +

    Directories where bait files are not deployed.

    +

    Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.

    +

    Linux: /test

    +

    Windows: C:\ProData

    +

    Protected File Type

    +

    Types of files to be protected.

    +

    More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups.

    +

    This parameter is mandatory for Linux servers only.

    +

    Select all

    +
    +
    +
    +

  5. Click Next and select servers. You can search for a server by its name or by filtering.

    Figure 2 Selecting servers
    +

  6. Click OK to enable ransomware protection and create the policy.
  7. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Policies tab and check the new policy.
+
+

Modifying a Policy

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Policies tab.
  3. Click Edit in the Operation column of a policy. Edit the policy configurations and associated servers. For more information, see Table 2.

    The following uses a Linux server as an example. On the Protected Servers tab, you can also click the name of the policy associated with the server to edit the policy. +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Protection policy parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Policy

    +

    Policy name

    +

    test

    +

    Action

    +

    Indicates how an event is handled.

    +
    • Report alarm and isolate
    • Report alarm
    +

    Report alarm and isolate

    +

    Bait File

    +

    After bait protection is enabled, the system deploys bait files in protected directories and key directories (unless otherwise specified by users). A bait file occupies only a few resources and does not affect your server performance.

    +

    If ransomware prevention is enabled, this function is enabled by default.

    +
    NOTE:

    Currently, Linux servers support dynamic generation and deployment of bait files. Windows servers support only static deployment of bait files.

    +
    +

    Enabled

    +

    Bait File Directories

    +

    Protected directories (excluding subdirectories).

    +

    Separate multiple directories with semicolons (;). You can configure up to 20 directories.

    +

    This parameter is mandatory for Linux servers and optional for Windows servers.

    +

    Linux: /etc/lesuo

    +

    Windows: C:\Test

    +

    Excluded Directory (Optional)

    +

    Directories where bait files are not deployed.

    +

    Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.

    +

    Linux: /test

    +

    Windows: C:\ProData

    +

    Protected File Type

    +

    Types of files to be protected.

    +

    More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups.

    +

    This parameter is mandatory for Linux servers only.

    +

    Select all

    +
    +
    +
    +

  4. Confirm the policy information and click OK.
+
+

Deleting a Policy

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Policies tab.
  3. Click Delete in the Operation column of the target policy.

    After a policy is deleted, the associated servers are no longer protected. Before deleting a policy, you are advised to bind its associated servers to other policies.

    +
    +

  4. Confirm the policy information and click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0350.html b/docs/hss/umn/hss_01_0350.html
new file mode 100644
index 00000000..c2ebda4f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0350.html
@@ -0,0 +1,14 @@
+
+
+

Disabling Ransomware Prevention

+

Scenario

You can disable ransomware protection as needed. After protection is disabled, your server may be intruded by ransomware. Exercise caution when performing this operation.

+
+

Disabling Ransomware Prevention

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > Ransomware Prevention. Click the Protected Servers tab.
  4. Click More > Disable Protection in the Operation column of the target server.
  5. Confirm the information and click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0359.html b/docs/hss/umn/hss_01_0359.html
new file mode 100644
index 00000000..54049f1c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0359.html
@@ -0,0 +1,16 @@
+
+
+

Viewing File Integrity Management

+

Check the files in the Linux OS, applications, and other components to detect tampering.

+

Constraints

Only premium, WTP, and container editions support file integrity-related operations.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > File Integrity Monitoring. On the displayed file management page, select an enterprise project and check its servers and modified files.

    Figure 1 Checking file integrity
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0360.html b/docs/hss/umn/hss_01_0360.html
new file mode 100644
index 00000000..641a5f04
--- /dev/null
+++ b/docs/hss/umn/hss_01_0360.html
@@ -0,0 +1,20 @@
+
+
+

File Integrity Monitoring

+

You can check the statistics and details about file changes on your servers, including affected servers, file types, paths, and content.

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0361.html b/docs/hss/umn/hss_01_0361.html
new file mode 100644
index 00000000..7a177570
--- /dev/null
+++ b/docs/hss/umn/hss_01_0361.html
@@ -0,0 +1,71 @@
+
+
+

Checking Change Details

+

Constraints

Only premium, WTP, and container editions support file integrity-related operations.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > File Integrity Monitoring. The Server tab will be displayed.
  4. Click the server name to go to the server change details page.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameters about file changes

    Parameter

    +

    Description

    +

    Example Value

    +

    File Name

    +

    Name of a modified file.

    +

    du

    +

    Path

    +

    Path of a modified file.

    +

    -

    +

    Change Description

    +

    Description of the change.

    +

    To view the change details, hover the cursor over the change content.

    +

    SHA2560ba0c4b5e48e55a6 is changed to 4f6079f5b37d1513.

    +

    Type

    +

    Type of a modified file. Its value can be:

    +
    • File
    +

    File

    +

    Action

    +

    How a file was modified.

    +
    • Create
    • Modify
    • Delete
    +

    Modify

    +

    Last Modified

    +

    The last time when a file was modified.

    +

    -

    +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0362.html b/docs/hss/umn/hss_01_0362.html
new file mode 100644
index 00000000..a897b220
--- /dev/null
+++ b/docs/hss/umn/hss_01_0362.html
@@ -0,0 +1,14 @@
+
+
+

Checking Modified Files

+

Constraints

Only premium, WTP, and container editions support file integrity-related operations.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Prevention > File Integrity Monitoring. Click the Monitored Files tab. For details about parameters, see Table 1 in Checking Change Details.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0367.html b/docs/hss/umn/hss_01_0367.html
new file mode 100644
index 00000000..091a33ef
--- /dev/null
+++ b/docs/hss/umn/hss_01_0367.html
@@ -0,0 +1,19 @@
+
+
+

Whitelist Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0368.html b/docs/hss/umn/hss_01_0368.html
new file mode 100644
index 00000000..5e0310fa
--- /dev/null
+++ b/docs/hss/umn/hss_01_0368.html
@@ -0,0 +1,57 @@
+
+
+

Creating a Policy Group

+

For premium and container editions, you can copy a policy group and customize it as required to meet server security requirements in different application scenarios.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation tree on the left, choose Security Operation > Policies. On the displayed page, Policy group parameters describes the fields.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 1 Policy group parameters

    Parameter

    +

    Description

    +

    Policy Group

    +

    Name of a policy group The preset policy group names are as follows:

    +
    • tenant_linux_container_default_policy_group: preset Linux policy of the container edition. You can copy this policy group and create a new one based on it.
    • tenant_linux_enterprise_default_policy_group is the default Linux policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_windows_enterprise_default_policy_group: preset Windows policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
    • tenant_linux_premium_default_policy_group: preset Linux policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
    • tenant_windows_premium_default_policy_group: preset Windows policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
    +

    ID

    +

    Unique ID of a policy group

    +

    Description

    +

    Description of a policy group

    +

    Supported Version

    +

    HSS edition supported by a policy group.

    +

    Associated Servers

    +

    To view details about the servers associated with a policy group, click the number in the Servers column of the group.

    +
    +
    +

  4. Select a premium or container edition policy group and click Copy in the Operation column of the policy group.

    Figure 1 Copying a policy group
    +

  5. In the dialog box displayed, enter a policy group name and description, and click OK.

    • The name of a policy group must be unique, or the group will fail to be created.
    • The policy group name and its description can contain only letters, digits, underscores (_), hyphens (-), and spaces, and cannot start or end with a space.
    +
    +

  6. Click OK.

    After a policy group is created, you can configure rules for each policy in the policy group. For details, see Configuring Policies.

    +

+
+

Follow-up Procedure

After creating a policy group and configuring policies, you can apply the new policy group to servers. For details, see Deploying a Policy.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0373.html b/docs/hss/umn/hss_01_0373.html
new file mode 100644
index 00000000..3847abb7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0373.html
@@ -0,0 +1,13 @@
+
+
+

Installation & Configuration

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0374.html b/docs/hss/umn/hss_01_0374.html
new file mode 100644
index 00000000..dbc7caf6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0374.html
@@ -0,0 +1,16 @@
+
+
+

Viewing Agent Status

+

You can sort servers, check whether the agent is installed on them, and can install or uninstall the agent. On the console, you can find the agent installation instructions and the link to the agent package.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing agent management
    +

  4. Click Offline to check the servers where the agent is not installed or is offline. Click Online to check the servers where the agent is online.
  5. Click Installation Guide to check the guide for installing the agent.
  6. Click Agent Version Information to view the latest version, earlier versions, and changes of the agent.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0376.html b/docs/hss/umn/hss_01_0376.html
new file mode 100644
index 00000000..2e9c1ffe
--- /dev/null
+++ b/docs/hss/umn/hss_01_0376.html
@@ -0,0 +1,99 @@
+
+
+

Uninstalling an Agent

+

If you no longer need to use HSS, uninstall the agent by following the instructions provided in this section. If the agent is uninstalled, HSS will stop protecting your servers and detecting risks.

+

Uninstalling the Agent from a Single Server in One-Click

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing agent management
    +

  4. Click Online to view the list of servers where the agent has been installed. For details, see Table 1.

    +

    + + + + + + + + + + + + + + + + +
    Table 1 Online agent parameters

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    EIP or private IP address of a server

    +

    OS

    +

    Server OS. Its value can be:

    +
    • Linux
    • Windows
    +

    Agent Status

    +

    Agent status of a server. Its value can be:

    +
    • Online
    +
    +
    +

  5. Click Uninstall Agent in the Operation column of a server. In the dialog box that is displayed, confirm the uninstallation information and click OK.
+
+

Uninstalling the Agent from Multiple Servers in One-Click

  1. Log in to the management console.
  2. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 2 Viewing agent management
    +

  3. Click Online to view the list of servers where the agent has been installed. For details, see Table 2.

    +

    + + + + + + + + + + + + + + + + +
    Table 2 Online agent parameters

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    EIP or private IP address of a server

    +

    OS

    +

    Server OS. Its value can be:

    +
    • Linux
    • Windows
    +

    Agent Status

    +

    Agent status of a server. Its value can be:

    +
    • Online
    +
    +
    +

  4. Select the target servers whose agent you want to uninstall.

    If you check the box before Server Name/ID, all servers on the page will be selected.

    +
    +
    Figure 3 Selecting all servers whose agent needs to be uninstalled.
    +

  5. Click Uninstall Agent above the server list. In the dialog box displayed, confirm the servers from which you want to uninstall the agent and click OK.
+
+

Manually Uninstalling the Agent from a Linux Server

  1. Remotely log in to the Linux server where the agent is to be uninstalled.

    • You can log in to the ECS management console and click Remote Login in the ECS list.
    • If your server has an EIP bound, you can also use a remote management tool, such as Xftp, SecureFX, WinSCP, PuTTY, or Xshell, to log in to the server and install the agent on the server as user root.
    +

  2. If the agent has been installed, run the following command to uninstall it:

    Do not run the uninstallation command in the /usr/local/hostguard/ directory. You can run the uninstallation command in any other directory.

    +
    +
    • For EulerOS, CentOS, and Red Hat, or other OSs that support RPM installation, run the rpm -e hostguard; command.
    • For Ubuntu, Debian, and other OSs that support DEB installation, run the dpkg -P hostguard; command.
    +

  3. Verify the uninstallation. If the /usr/local/hostguard/ directory is not found on the Linux server, the agent has been uninstalled.
+
+

Manually Uninstalling the Agent from a Windows Server

  1. Remotely log in to the Windows server where the agent is to be uninstalled.

    • You can log in to the ECS management console and click Remote Login in the ECS list.
    • If an EIP has been bound to the server, you can use Windows Remote Desktop Connection or a third-party remote management tool, such as mstsc or RDP, to log in to the server and install the agent on the server as an administrator.
    +

  2. Go to C:\Program File\HostGuard on the Windows server.
  1. Double-click the unins000.exe file to uninstall the agent.
  2. In the HostGuard Uninstall dialog box, click Yes to delete HostGuard and all its components.
  3. (Optional) Restart the server.

    • If you have enabled WTP, you need to restart the server after uninstalling the agent. In the HostGuard Uninstall dialog box, click Yes to restart the server.
    • If you have not enabled WTP, you do not need to restart the server. In the HostGuard Uninstall dialog box, click No to skip server restart.
    +

  4. If the C:\Program Files\HostGuard directory does not exist on the Windows server, the agent has been uninstalled.
+

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0377.html b/docs/hss/umn/hss_01_0377.html
new file mode 100644
index 00000000..3522914a
--- /dev/null
+++ b/docs/hss/umn/hss_01_0377.html
@@ -0,0 +1,17 @@
+ + +

Enabling Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0381.html b/docs/hss/umn/hss_01_0381.html
new file mode 100644
index 00000000..ad982d5f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0381.html
@@ -0,0 +1,32 @@
+ + +

Servers Importance Management

+

By default, HSS considers all servers as general assets. You can configure the asset importance levels of servers and manage servers accordingly.

+
Assets are classified into the following types: +
+

Checking Asset Importance

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Server list
    +

  2. In the lower part of the tab page, check the asset importance. You can click Important, General, or Test to view servers by importance level.
+
+

Specifying Asset Importance

  1. Log in to the management console and go to the HSS page.
  1. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 2 Server list
    +

  2. Configure asset importance.

    • Configuring a server
      • Method 1: Select a server and configure its asset importance.
        1. Select a server and click Configure Asset Importance.
          Figure 3 Selecting a single server
          +

          +
        2. In the dialog box that is displayed, select an asset importance level.
        3. Confirm the information and click OK.
        +
      • Method 2: Click the configuration button in the Operation column.
        1. In the Operation column of a server, choose More > Configure Asset Importance.
          Figure 4 Selecting a single server
          +
        2. In the dialog box that is displayed, select an asset importance level.
        3. Confirm the information and click OK.
        +
      +
    • Configuring servers in batches
      1. Select multiple servers and click Configure Asset Importance.
        Figure 5 Selecting servers
        +
      2. In the dialog box that is displayed, select an asset importance level.
      3. Confirm the information and click OK.
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0383.html b/docs/hss/umn/hss_01_0383.html
new file mode 100644
index 00000000..5bfccbb8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0383.html
@@ -0,0 +1,157 @@
+ + +

Viewing Server Asset Fingerprints

+

HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can centrally check server asset information and detect risky assets in a timely manner based on the server fingerprints. This section describes how to view collected server asset fingerprints on the console.

+

Prerequisite

HSS enterprise edition, premium edition, WTP edition, or container edition has been enabled for the server.

+
+

Viewing Asset Information of All Servers

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Asset Management > Server Fingerprints to view all server assets.

    Delete risky assets in a timely manner. You are advised to handle the ports as follows:

    +
    • If HSS detects open high-risk ports or unused ports, check whether they are really used by your services.
    • If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
    +

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

    +
    +
    Figure 1 Viewing server asset information
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Asset fingerprints

    Item

    +

    Description

    +

    Supported OS

    +

    Automatic Detection Period

    +

    Account Information

    +

    Check and manage all accounts on your servers to keep them secure.

    +

    You can check real-time and historical account information to find suspicious accounts.

    +
    • Real-time account information includes the account name, number of servers, server name/IP address, login permission, root permission, user group, user directory, shell started by the user, and the last scan time.
    • Historical account change records include the server name/IP address, change status, login permission, root permission, user group, user directory, shell started by the user, and the last scan time.
    +

    Linux and Windows

    +

    Automatic check every hour

    +

    Open Ports

    +

    Check open ports on your servers, including risky and unknown ports.

    +

    You can easily identify high-risk ports by checking local ports, protocol types, server names, IP addresses, statuses, PIDs, and program files.

    +
    • Manually disabling high-risk ports

      If dangerous or unnecessary ports are found enabled, check whether they are mandatory for services, and disable them if they are not. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary.

      +

      It is recommended that you handle the ports at the Dangerous risk level promptly and handle the ports at the Unknown risk level based on the actual service conditions.

      +
    • Ignore risks: If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
    +

    Linux and Windows

    +

    Automated check every 30 seconds

    +

    Processes

    +

    Check processes on your servers and find abnormal processes.

    +

    You can easily identify abnormal processes based process paths, server names, IP addresses, startup parameters, startup time, users who run the processes, file permissions, PIDs, and file hashes.

    +

    If a suspicious process has not been detected in the last 30 days, its information will be automatically deleted from the process list.

    +

    Linux and Windows

    +

    Automatic check every hour

    +

    Installed Software

    +

    Check and manage all software installed on your containers, and identify insecure versions.

    +

    You can check real-time and historical software information to determine whether the software is risky.

    +
    • Real-time software information includes the software name, number of servers, server names, IP addresses, software versions, software update time, and the last scan time.
    • Historical software change records include the server names, IP addresses, change statuses, software versions, software update time, and the last scan time.
    +

    Linux and Windows

    +

    Automatic check every day

    +

    Auto-startup

    +

    Check for auto-startup items and quickly locate Trojans.

    +
    • Real-time information about auto-started items includes their names, types (auto-started service, startup folder, pre-loaded dynamic library, Run registry key, or scheduled task), number of servers, server names, IP addresses, paths, file hashes, users, and the last scan time.
    • The historical change records of auto-started items include server names, IP addresses, change statuses, paths, file hashes, users, and the last scan time.
    +

    Linux and Windows

    +

    Automatic check every hour

    +

    Websites

    +

    You can check statistics about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, certificate information (to be provided later), and key processes of websites.

    +

    Linux

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Frameworks

    +

    You can check statistics about frameworks used for web content presentation, including their versions, paths, and associated processes.

    +

    Linux

    +

    Once a week (04:10 a.m. every Monday)

    +

    Middleware

    +

    You can check information about servers, versions, paths, and processes associated with middleware.

    +

    Linux and Windows

    +

    Once a week (04:10 a.m. every Monday)

    +

    Kernel Module

    +

    You can check information about all the program module files running in kernels, including associated servers, version numbers, module descriptions, driver file paths, file permissions, and file hashes.

    +

    Linux

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Services

    +

    You can check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software.

    +

    Linux

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Applications

    +

    You can check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software.

    +

    Linux and Windows (only Tomcat is supported)

    +

    Once a week (04:10 a.m. every Monday)

    +

    Databases

    +

    You can check details about software that provides data storage, including versions, paths, configuration files, and associated processes of all software.

    +

    Linux and Windows (only MySQL is supported)

    +

    Once a week (04:10 a.m. every Monday)

    +
    +
    +

+
+

Viewing Asset Information of a Single Server

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

  4. Click the name of the target server. On the server details page that is displayed, choose Asset Fingerprints > Servers.
  5. Click a fingerprint in the fingerprint list to view its asset information. For more information, see Table 1.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0384.html b/docs/hss/umn/hss_01_0384.html
new file mode 100644
index 00000000..a7ca6a07
--- /dev/null
+++ b/docs/hss/umn/hss_01_0384.html
@@ -0,0 +1,26 @@
+ + +

Viewing the Operation History of Server Assets

+

HSS proactively records the changes on account information, software information, and auto-started items. You can check the change details according to different dimensions and time ranges.

+

Prerequisite

HSS enterprise edition, premium edition, WTP edition, or container edition has been enabled for the server.

+
+

Checking Change Records

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Asset Management > Server Fingerprints and click Operation History. On the displayed Operation History page, select a dimension and time period to view the change history of accounts, software, and auto-started items.
+
+

Managing Account Information

Account changes are recorded.
  • Action: The Action column records the operations. Its value can be Create (newly found in the latest check), Delete (found in earlier checks but missing in the latest check), and Modify (changes on account information, such as account names, administrator rights, and user groups, are detected).
  • Last Scan Time: The last scan time indicates the time of the latest scan performed for servers in a period.
+
+

You can check the information about and changes on all accounts here. If you find unnecessary or super-privileged accounts (such as root) that are not mandatory for services, delete them or modify their permissions to prevent exploits.

+
+

Managing Software

Operations made to accounts are recorded.
  • Action: Create and Delete.
  • Last Scan Time: The last scan time records the time when the changes were detected, not the time they were made.
+
+

You can check the information about and changes on all software, upgrade software, and delete software that is unnecessary, suspicious, or in old version.

+
+

Auto-started Items

Trojans usually intrude servers by creating auto-started services, scheduled tasks, preloaded dynamic libraries, run registry keys, or startup folders. The auto-startup check function collects information about all auto-started items, including their names, types, and number of affected servers, making it easy for you to locate suspicious auto-started items.

+

You can check the servers, IP addresses, changes, paths, file hashes, users, and last scan time of auto-startup items.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0385.html b/docs/hss/umn/hss_01_0385.html
new file mode 100644
index 00000000..8c60f97e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0385.html
@@ -0,0 +1,12 @@
+ + +

Security Configurations

+

You can add common login locations, common IP addresses, and whitelist IP addresses, and enable malicious program isolation and killing to enhance server security.

+

For details, see Common Security Configuration.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0387.html b/docs/hss/umn/hss_01_0387.html
new file mode 100644
index 00000000..a5ef9583
--- /dev/null
+++ b/docs/hss/umn/hss_01_0387.html
@@ -0,0 +1,15 @@
+ + +

Asset Management

+

You can count all your assets and check their statistics, including the agent status, protection status, quota, account, port, process, software, and auto-started items.

+

Constraints

Servers that are not protected by HSS do not support the asset overview function.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Asset Management > Assets. Check your assets and their statistics.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0388.html b/docs/hss/umn/hss_01_0388.html
new file mode 100644
index 00000000..f8b5f79c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0388.html
@@ -0,0 +1,21 @@
+ + +

Application Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0389.html b/docs/hss/umn/hss_01_0389.html
new file mode 100644
index 00000000..741f5d60
--- /dev/null
+++ b/docs/hss/umn/hss_01_0389.html
@@ -0,0 +1,126 @@
+ + +

Viewing Application Protection

+

To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.

+

Technical Principles

Probes (monitoring and protection code) are added to the checkpoints (key functions) of applications through dynamic code injection. The probes identify attacks based on predefined rules, data passing through the checkpoints, and contexts (application logic, configurations, data, and event flows).

+
+

Prerequisites

You have enabled HSS premium, WTP, or container edition.

+
+

Constraints

+
+

Viewing Protection Settings

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Application Protection. Click the Protected Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing protection settings
    +

  4. Click the Protection Servers tab and check the server list. The server parameters are as follows.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    Private IP address and EIP of the server

    +

    OS

    +

    Server OS

    +

    Server Group

    +

    Group that the server belongs to

    +

    Policy

    +

    Detection policies bound to the target server.

    +

    Protection Status

    +

    Agent status of a server.

    +
    • Protected: The agent is online.
    • Unprotected: The agent is offline.
    +

    Microservice Protection

    +

    Microservice protection status. Its value can be:

    +
    • Effective: The microservice protection is enabled successfully.
    • Installing: The microservice RASP protection software is being installed and protection is disabled.
    • Installed but not configured: The microservice RASP protection software is successfully installed, but microservice startup parameters are not configured and protection is disabled.
    • Installation failed: The microservice RASP protection software fails to be installed.
    +

    RASP Protection.

    +

    RASP protection status. Its value can be:

    +

    If the following information is displayed next to , protection is not enabled. Check whether there are operations that are not handled by referring to Enabling Application Protection.

    +
    • Installing: The microservice RASP protection software is being installed and protection is disabled.
    • Installed but not configured: The microservice RASP protection software is successfully installed, but microservice startup parameters are not configured and protection is disabled.
    • Installation failed: The microservice RASP protection software fails to be installed.
    +

    Detected Attacks

    +

    Number of attacks detected by RASP.

    +
    +
    +

+
+

Viewing Events

  1. Log in to the management console and go to the HSS page.
  2. Choose Prevention > Application Protection and click the Events tab. For details about the parameters, see Table 2.

    Figure 2 Viewing protection events
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Event parameters

    Parameter

    +

    Description

    +

    Severity

    +

    Alarm severity. You can search for servers by alarm severities.

    +
    • Critical
    • High
    • Medium
    • Low
    +

    Server Name

    +

    Server that triggers an alarm

    +

    Alarm Name

    +

    Alarm name

    +

    Alarm Time

    +

    Time when an alarm is reported

    +

    Attack Source IP Address

    +

    IP address of the server that triggers the alarm

    +

    Attack Source URL

    +

    URL of the server that triggers the alarm

    +
    +
    +
    +

  3. You can click an alarm name to view the attack information (such as the request information and attack source IP address) and extended information (such as detection rule ID and description), and troubleshoot the problem accordingly.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0390.html b/docs/hss/umn/hss_01_0390.html
new file mode 100644
index 00000000..68f53cb8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0390.html
@@ -0,0 +1,23 @@
+ + +

Enabling Application Protection

+

Prerequisites

You have enabled HSS premium, WTP, or container edition.

+
+

Constraints

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Application Protection. Click the Protected Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing protection settings
    +

  4. Click Add Server. Select servers in the dialog box that is displayed.

    You can select a default security policy or create a security policy.

    +
    +

    +
    Figure 2 Selecting the target server and policy
    +

  5. Click Add and Enable Protection.
  6. On the Protected Servers tab, click the status in the RASP Protection column.
  7. Check the RASP software installation progress. Wait until the message "Installation completed." is displayed.
  8. Log in to the server, go to the Spring Boot startup path, and copy the parameters from the Configure Startup Parameters step to the command box.
  9. Restart the microservice to apply the protection settings.
  10. On the Protected Servers tab, check the protection status in the Microservice Protection column. If the status is Active, the protection has been enabled.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0392.html b/docs/hss/umn/hss_01_0392.html
new file mode 100644
index 00000000..50b871e2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0392.html
@@ -0,0 +1,18 @@
+ + +

Disabling Application Protection

+

This section describes how to disable application protection.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Application Protection. Click the Protected Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing protection settings
    +

  4. Toggle off the switch in the RASP Protection column or click Disable Protection in the Operation column.
  5. In the dialog box that is displayed, confirm the server information and click OK.

    After RASP is disabled for a server, the server will be removed from the Protected Servers tab. For details about how to enable protection, see Enabling Application Protection.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0393.html b/docs/hss/umn/hss_01_0393.html
new file mode 100644
index 00000000..48e4e98e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0393.html
@@ -0,0 +1,26 @@
+ + +

Managing Manual Baseline Check Policies

+

This section describes how to modify a created manual baseline check policy.

+

Editing a Manual Baseline Check Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Prediction > Baseline Checks.

    Figure 1 Baseline check overview
    +

  1. Click Policies in the upper right corner of the page.

    Figure 2 Baseline policies
    +

  2. Click Edit in the Operation column of a policy. On the policy details page that is displayed, configure the policy name and check items.

    If you select Linux for OS, you can select any checks included in Baseline and edit rules. This function is not supported for Windows servers.

    +
    +
    Figure 3 Editing a baseline check policy
    +

  3. Confirm the configuration, click Next, and select servers.
  4. Confirm the information and click OK. You can view the updated policy in the policy list.
+
+

Deleting a Manual Baseline Check Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Prediction > Baseline Checks.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 4 Baseline check overview
    +

  4. Click Policies in the upper right corner of the page.

    Figure 5 Baseline policies
    +

  5. Click Delete in the Operation column of a policy. In the dialog box that is displayed, confirm the information and click OK.

    Only user-defined policies can be deleted. Default policies default_linux_security_check_policy and default_windows_security_check_policy cannot be deleted.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0394.html b/docs/hss/umn/hss_01_0394.html
new file mode 100644
index 00000000..1ba730c1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0394.html
@@ -0,0 +1,21 @@
+ + +

What Can I Do If the Agent Status Is Still "Not installed" After Installation?

+

Precautions

On a server, you only need to install the agent once.

+

After the installation, you are advised to restart the servers before enabling HSS and binding quotas.

+
+

Possible Cause

Now both the HSS (New) and HSS (Old) consoles are in use. The agent and protection statuses of a server can be properly displayed on only one of the consoles.

+

For example, if you have installed the agent on server A on the old console and try installing it again on the new console, a message will be displayed indicating the installation has succeeded, but the installation status on the new console will still be Not installed.

+
+

Solution

Use only one console. Do not switch between the old and new consoles.

+

You can upgrade the agent to use HSS (New). The upgrade is free of charge and does not affect services.

+

HSS (New) added application protection capabilities, which are not available in the old version. You are advised to use the new version.

+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0395.html b/docs/hss/umn/hss_01_0395.html
new file mode 100644
index 00000000..55a81b94
--- /dev/null
+++ b/docs/hss/umn/hss_01_0395.html
@@ -0,0 +1,17 @@
+ + +

Disabling Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0396.html b/docs/hss/umn/hss_01_0396.html
new file mode 100644
index 00000000..d1832ddd
--- /dev/null
+++ b/docs/hss/umn/hss_01_0396.html
@@ -0,0 +1,48 @@
+ + +

Enterprise/Premium Edition

+

The professional, enterprise, and premium editions provides different levels of protection for your servers. You can apply for and enable them as needed.

+

Check Frequency

HSS performs a full scan in the early morning every day.

+

After you enable server protection, you can view scan results after the automatic scan in the next early morning, or perform a manual scan immediately.

+
+

Prerequisite

The agent has been installed on the servers to be protected, the agent status is Online, and the protection status is Unprotected.

+
+

Constraints

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.
  4. Enable protection for one or multiple servers.

    Figure 1 Enabling protection
    +
    • Enabling protection for a server
      Click Enable in the Operation column of a server. In the dialog box that is displayed, confirm the server information.
      Figure 2 Confirming the protection information about a server
      + +
      + + + + + + + + + +
      Table 1 Protection parameters

      Parameter

      +

      Description

      +

      Example Value

      +

      Edition

      +

      Select the enterprise or premium edition.

      +
      • Enterprise edition: It provides support for the DJCP MLPS certification. Main features include asset fingerprint management, vulnerability management, malicious program detection, web shell detection, and abnormal process behavior detection.
      • Premium edition: It helps you with the DJCP MLPS certification and provides advanced features, including application protection, ransomware prevention, high-risk command detection, privilege escalation detection, and abnormal shell detection.
      +

      Enterprise

      +
      +
      +
      +
    • Enabling protection in batches
      Select multiple servers and click Enable above the server list. In the dialog box that is displayed, confirm the server information. Table 1 lists the parameters.
      Figure 3 Confirm information about multiple servers
      +
      +
    +

  5. Confirm the information and click OK. If the protection status of the target servers is Protected, the protection has been enabled.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0397.html b/docs/hss/umn/hss_01_0397.html
new file mode 100644
index 00000000..aa2105ec
--- /dev/null
+++ b/docs/hss/umn/hss_01_0397.html
@@ -0,0 +1,29 @@
+ + +

Server Management

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0398.html b/docs/hss/umn/hss_01_0398.html
new file mode 100644
index 00000000..bc4418d8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0398.html
@@ -0,0 +1,27 @@
+ + +

Enabling Container Security Protection

+

You can enable the container security edition for your containers.

+

To enable protection for a container node, you need to allocate a quota to the node. If the protection is disabled or the node is deleted, the quota can be allocated to another node.

+

Check Frequency

HSS performs a full check in the early morning every day.

+

After you enable server protection, you can view scan results after the automatic scan at 04:10 in the next morning.

+
+

Prerequisite

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    Figure 1 Accessing the container node management page
    +

  4. Enable protection for one or multiple servers.

    • Enabling protection for a server
      1. In the Operation column of a server, click Enable Protection.
      2. In the dialog box that is displayed, confirm the information.

        A container security quota protects one cluster node.

        +
        +
      3. Confirm the information and click OK. If the Protection Status in the container list changes to Protected, it indicates the protection has been enabled.
      +
    • Enabling protection in batches
      1. In the node list, select servers, and click Enable Protection above the list.
      2. In the dialog box that is displayed, confirm the information.

        A container security quota protects one cluster node.

        +
        +
      3. Confirm the information and click OK. If the Protection Status in the container list changes to Protected, it indicates the protection has been enabled.
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0399.html b/docs/hss/umn/hss_01_0399.html
new file mode 100644
index 00000000..55487ff1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0399.html
@@ -0,0 +1,26 @@
+ + +

Disabling the Enterprise/Premium Edition

+

You can disable protection for a server. A quota that has been unbound from a server can be bound to another one.

+

Precautions

Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

+
+

Disabling Protection

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.
  2. Disable protection for one or multiple servers.

    • Disabling protection for a server
      1. Click Disable in the Operation column of a server.
        Figure 1 Disabling protection for a server
        +
      2. In the dialog box that is displayed, confirm the information and click OK.
        Figure 2 Confirming information about a single server
        +
      3. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    • Disabling protection in batches
      1. Select multiple servers and click Disable above the server list.
        Figure 3 Disabling protection in batches
        +
      2. In the dialog box that is displayed, confirm the information and click OK.
        Figure 4 Confirming information about multiple servers
        +
      3. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0400.html b/docs/hss/umn/hss_01_0400.html
new file mode 100644
index 00000000..58cc4bc3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0400.html
@@ -0,0 +1,22 @@
+ + +

Disabling WTP

+

You can disable the WTP edition for a server. A quota that has been unbound from a server can be bound to another one.

+

Precautions

Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  1. In the navigation pane, choose Protection > Web Tamper Protection. On the Web Tamper Protection page, click the Servers tab.

    Figure 1 Entering the page for protected directory settings
    +

  2. Click Disable in the Operation column of a server.

    The WTP edition cannot be disabled for servers in batches.

    +
    +
    +

  3. In the dialog box that is displayed, confirm the information and click OK.

    Figure 2 Confirming information about disabling WTP
    +

  4. Choose Asset Management > Servers & Quota and click the Servers tab. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

    Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0401.html b/docs/hss/umn/hss_01_0401.html
new file mode 100644
index 00000000..703e9aae
--- /dev/null
+++ b/docs/hss/umn/hss_01_0401.html
@@ -0,0 +1,25 @@
+ + +

Disabling Protection for Container Edition

+

You can disable the container edition for a server. A quota that has been unbound from a server can be bound to another one.

+

Before You Start

Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Accessing the container node management page
    +

  4. Disable protection for one or multiple servers.

    • Disabling protection for a server
      1. In the node list, click Disable Protection in the Operation column of a server.
      2. In the dialog box that is displayed, confirm the information and click OK.
      3. Choose Asset Management > Containers & Quota and click the Container Nodes tab. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    • Disabling protection in batches
      1. In the node list, select servers, and click Disable Protection above the list.
      2. In the dialog box that is displayed, confirm the information and click OK.
      3. Choose Asset Management > Containers & Quota and click the Container Nodes tab. Check the protection status in the server list. If it is Unprotected, the protection has been disabled.

        Disabling protection does not affect services, but will increase security risks. You are advised to keep your servers protected.

        +
        +
      +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0404.html b/docs/hss/umn/hss_01_0404.html
new file mode 100644
index 00000000..3e8fd8fe
--- /dev/null
+++ b/docs/hss/umn/hss_01_0404.html
@@ -0,0 +1,15 @@
+ + +

Ransomware Protection

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0405.html b/docs/hss/umn/hss_01_0405.html
new file mode 100644
index 00000000..c0769aa2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0405.html
@@ -0,0 +1,11 @@
+ + +

What Are the Differences Between Ransomware Protection Backup and Cloud Backup?

+

The backup mechanism of ransomware protection inherits that of CBR (Cloud Backup and Restoration). Backup files of ransomware protection can be centrally managed and viewed in CBR.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0409.html b/docs/hss/umn/hss_01_0409.html
new file mode 100644
index 00000000..ebfec15b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0409.html
@@ -0,0 +1,33 @@
+ + +

What Do I Do If the Upgrade Fails?

+

About the Upgrade

+
+

Possible Causes

After the automatic upgrade is complete, it takes 5 to 10 minutes for the agent status to be refreshed.

+
+

Possible causes for abnormal agent statuses are as follows:

+
  1. Access to port 10180 is restricted. The agent upgrade requires accessed to port 10180.
  2. The available memory of the server is insufficient. The agent upgrade occupies certain memory. If the available memory is less than 300 MB, the upgrade will be affected.
+
+

Locating and Fixing the Problem

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0410.html b/docs/hss/umn/hss_01_0410.html
new file mode 100644
index 00000000..a9ec8a3b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0410.html
@@ -0,0 +1,13 @@
+ + +

Server Security Dashboard

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0412.html b/docs/hss/umn/hss_01_0412.html
new file mode 100644
index 00000000..8c3f52e8
--- /dev/null
+++ b/docs/hss/umn/hss_01_0412.html
@@ -0,0 +1,71 @@
+ + +

Vulnerability Scan

+

HSS can scan for Linux, Windows, Web-CMS, and application vulnerabilities. Automatic, scheduled (vulnerability policy configuration), and manual scans are supported.

+ +

This section describes how to manually scan for vulnerabilities and configure a scheduled scan policy.

+

Constraints

+
+

Manual Vulnerability Scan

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. Click Scan in the upper right corner of the Vulnerabilities page.
  4. In the Scan for Vulnerability dialog box displayed, select the vulnerability type and scope to be scanned. For more information, see Table 2.

    +

    + + + + + + + + + + +
    Table 2 Parameters for manual scan vulnerabilities

    Parameter

    +

    Description

    +

    Type

    +

    Select one or more types of vulnerabilities to be scanned. Possible values are as follows:

    +
    • Linux
    • Windows
    • Web-CMS
    • Application
    +

    Scan

    +

    Select the servers to be scanned. Possible values are as follows:

    +
    • All servers
    • Selected servers

      You can select a server group or search for the target server by server name, ID, EIP, or private IP address.

      +
    +
    NOTE:

    The following servers cannot be selected for vulnerability scan:

    +
    • Servers that are not in the Running state
    • Servers whose agent status is Offline
    +
    +
    +
    +

  5. Click OK.
  6. Click Manage Task in the upper right corner of the Vulnerabilities page. On the Manage Task slide-out panel displayed, click the Scan Tasks tab to view the status and scan result of the vulnerability scan task.

    Click the number next to the red figure in the Scan Result column to view information about the servers that fail to be scanned.

    +

    You can also choose Asset Management > Servers & Quota and scan a single server for vulnerabilities on the Servers tab. The procedure is as follows:

    +
    1. Click a server name.
    2. Choose Vulnerabilities.
    3. Choose the vulnerability type to be scanned and click Scan.
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0413.html b/docs/hss/umn/hss_01_0413.html
new file mode 100644
index 00000000..160e6f8c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0413.html
@@ -0,0 +1,163 @@
+ + +

Handling Server Alarms

+

The Events page displays the alarms generated in the last 30 days.

+

The status of a handled alarm changes from Unhandled to Handled.

+

Limitations and Constraints

+
+

Procedure

This section describes how you should handle alarms to enhance server security.

+

Do not fully rely on alarm handling to defend against attacks, because not every issue can be detected in a timely manner. You are advised to take more measures to prevent threats, such as checking for and fixing vulnerabilities and unsafe settings.

+
+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Server alarms
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Alarm statistics

    Parameter

    +

    Description

    +

    Enterprise Project

    +

    Select an enterprise project and view alarm details by enterprise project.

    +

    Time range

    +

    You can select a fixed time period or customize a time period to filter alarms. Only alarms generated within 30 days can be queried.

    +

    The options are as follows:

    +
    • Last 24 hours
    • Last 3 days
    • Last 7 days
    • Last 30 days
    • Custom
    +

    Server Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms.

    +

    Blocked IP Addresses

    +

    Number of blocked IP addresses. You can click the number to check blocked IP address list.

    +

    The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time.

    +

    If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.

    +
    NOTICE:
    • After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address.
    • A maximum of 10,000 IP addresses can be blocked for each type of software.

      If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp.

      +

      If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.

      +
    +
    +

    Isolated Files

    +

    HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them.

    +

    You can recover isolated files. For details, see Managing Isolated Files.

    +

    Container Alarms

    +

    Affected Servers

    +

    Number of servers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all alarms to be handled are displayed.

    +

    Handled Alarms

    +

    Number of handled alarms

    +

    Threats

    +

    Displays the statistics on alarms by severity.

    +
    • Critical
    • High
    • Medium
    • Low
    +

    Top 5 Events

    +

    Displays the top 5 alarm types and their quantities.

    +
    +
    +

  4. Handle alarms.

    Alarms are displayed on the Server Alarms page. Here you can check up to 30 days of historical alarms.

    +

    Check and handle alarms as needed. The status of a handled alarm changes from Unhandled to Handled. HSS will no longer collect its statistics or display them on the Dashboard page.

    +
    +
    • Handling all alarms
      1. Select all of the alarms and click Handle All.

        Ensure that you have selected the minimum alarm event type. Otherwise, the Handle All button is unavailable.

        +
        +
      2. In the dialog box that is displayed, select a handling method, confirm the information, and click OK. For more information, see Table 2.

        An alarm in the Handled state cannot be batch handled.

        +
        +
      +
    • Handling alarms in batches
      1. Select an event type, select multiple alarms, and click Batch Handle.
      2. In the dialog box that is displayed, select a handling method, confirm the information, and click OK. For more information, see Table 2.
      +
    • Handling a single alarm
      1. Select an event type and click Handle in the Operation column of an alarm.
      2. In the dialog box that is displayed, select a handling method, confirm the information, and click OK. For more information, see Table 2.
      +
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 2 Alarm handling methods

    Action

    +

    Description

    +

    Ignore

    +

    Ignore the current alarm. Any new alarms of the same type will still be reported by HSS.

    +

    Isolate and kill

    +

    If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

    +

    You can click Isolated Files on the upper right corner to check the files. For details, see Managing Isolated Files.

    +

    For details about events that can be isolated and killed, see Server Alarms.

    +
    NOTE:

    When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any).

    +
    +

    Mark as handled

    +

    Mark the event as handled. You can add remarks for the event to record more details.

    +

    Add to Login Whitelist

    +

    Add false alarmed items of the Brute-force attack and Abnormal login types to the Login Whitelist.

    +

    HSS will no longer report alarm on the Login Whitelist. A whitelisted login event will not trigger alarms.

    +

    The following alarm events can be added to the Login Whitelist:

    +
    • Brute-force attacks
    • Abnormal logins
    +

    Add to alarm whitelist

    +

    Add false alarmed items to the login whitelist.

    +

    HSS will no longer report alarm on the whitelisted items. A whitelisted alarm will not trigger alarms.

    +

    For details about events that can be isolated and killed, see Server Alarms.

    +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0414.html b/docs/hss/umn/hss_01_0414.html
new file mode 100644
index 00000000..37a99ab7
--- /dev/null
+++ b/docs/hss/umn/hss_01_0414.html
@@ -0,0 +1,73 @@
+ + +

Handling Container Alarms

+

HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of containers with alarms, handled alarms, and unhandled alarms.

+

The Events page displays the alarms generated in the last 30 days.

+

The status of a handled alarm changes from Unhandled to Handled.

+

Constraints

Servers that are not protected by HSS do not support operations related to alarms and events.

+
+

Procedure

This section describes how you should handle alarms to enhance server security.

+

Do not fully rely on alarm handling to defend against attacks, because not every issue can be detected in a timely manner. You are advised to take more measures to prevent threats, such as checking for and fixing vulnerabilities and unsafe settings.

+
+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Alarms, and click Container Alarms.

    Figure 1 Viewing container alarms
    + +
    + + + + + + + + + + + + + +
    Table 1 Alarm statistics

    Alarm Event

    +

    Description

    +

    Containers with Alarms

    +

    Number of containers for which alarms are generated.

    +

    Alarms to be Handled

    +

    Number of alarms to be handled.

    +

    By default, all unhandled alarms are displayed on the Events page.

    +

    Handled Alarms

    +

    Number of handled alarms.

    +
    +
    +

  4. Handle alarms.

    Alarms are displayed on the Container Alarms page. Here you can check up to 30 days of historical alarms.

    +

    Check and handle alarms as needed. The status of a handled alarm changes from Unhandled to Handled. HSS will no longer collect its statistics.

    +
    +
    • Handling selected alarms in batches
      1. Select an event type, select multiple alarms, and click Batch Handle.
      2. In the dialog box that is displayed, select a handling method, confirm the information, and click OK. For more information, see Table 2.
      +
    • Handling a single alarm
      1. Select an event type, and click Handle in the Operation column of an alarm.
      2. In the dialog box that is displayed, select a handling method, confirm the information, and click OK. For more information, see Table 2.
      +
    + +
    + + + + + + + + + + +
    Table 2 Handling alarm events

    Action

    +

    Description

    +

    Ignore

    +

    Ignore the current alarm. Any new alarms of the same type will still be reported by HSS.

    +

    Mark as handled

    +

    Mark the event as handled. You can add remarks for the event to record more details.

    +
    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0417.html b/docs/hss/umn/hss_01_0417.html
new file mode 100644
index 00000000..a84584f0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0417.html
@@ -0,0 +1,45 @@
+ + +

Change History

+
+
+ + + + + + + + + + + + + + + + + + + +

Released On

+

Description

+

2024-05-20

+

This is the fifth official release.

+

Modified:

+
  • The time range of server security alarms can be customized.
  • Optimized the use of "bait file" in ransomware protection.
+

2024-03-25

+

This is the fourth official release.

+
  • Added section "System User Whitelist".
  • Optimized section "Server Fingerprints" and "Container Fingerprints". Updated navigation and screenshots.
  • Optimized section "Specifications of Different Editions". Updated content about asset fingerprints and container intrusion detection.
  • Optimized section "Vulnerability Management".
  • Deleted "How Does Container Security Process Logs?" FAQ
+

2023-12-20

+

This issue is the third official release.

+

Deleted descriptions about the basic edition.

+

2023-12-07

+

This issue is the second official release.

+
  • Added the function description of the basic edition.
  • Added the operation of enabling the backup function with ransomware protection.
  • Added the description of the file integrity function.
  • Added the parameter description of the default baseline library.
  • Added operations for configuring alarm notification.
  • Deleted sections related to plug-in management.
+

2023-09-30

+

This issue is the first official release.

+
+
+
+
diff --git a/docs/hss/umn/hss_01_0418.html b/docs/hss/umn/hss_01_0418.html
new file mode 100644
index 00000000..e20cd0ad
--- /dev/null
+++ b/docs/hss/umn/hss_01_0418.html
@@ -0,0 +1,53 @@
+ + +

What Do I Do If HSS Frequently Reports Brute-force Alarms?

+

An alarm indicates that an attack was detected. It does not mean your cloud servers have been intruded. If you receive an alarm, handle it and take countermeasures in a timely manner.

+

Possible Causes

No access control is configured for the ports used for remotely connecting to your servers. As a result, viruses on the network frequently attacked your ports.

+
+

Solution

Take any of the following measures.

+ +
+

How Does HSS Intercept Brute Force Attacks?

HSS can detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.

+

By default, HSS will block an IP address if it has five or more brute-force attack attempts detected within 30 seconds, or 15 or more brute-force attack attempts detected within 3600 seconds.

+

If you have enabled , you can configure a login security policy to specify the brute force cracking determination mode and blocking duration.

+

To view the IP addresses blocked by HSS, choose Detection > Alarms and click the value above Blocked IP Addresses.

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0426.html b/docs/hss/umn/hss_01_0426.html
new file mode 100644
index 00000000..4907a624
--- /dev/null
+++ b/docs/hss/umn/hss_01_0426.html
@@ -0,0 +1,25 @@
+ + +

Security Configurations

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0427.html b/docs/hss/umn/hss_01_0427.html
new file mode 100644
index 00000000..a0eb47c0
--- /dev/null
+++ b/docs/hss/umn/hss_01_0427.html
@@ -0,0 +1,16 @@
+ + +

How Often Does HSS Detect, Isolate, and Kill Malicious Programs?

+

Detection period: real-time detection

+

Isolation and killing period:

+ +
  1. HSS can detect, isolate and kill malicious programs (by cloud scan) and abnormal process behaviors. For more information, see Editions.
  2. HSS isolation and killing can be automatically or manually performed.
    • For more information about automatic isolation and killing, see "Isolating and Killing Malicious Programs" in "Security Configuration".
    • For more information about manual isolation and killing, see "Isolating and Killing Files" in "Managing Isolated Files".
    +
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0429.html b/docs/hss/umn/hss_01_0429.html
new file mode 100644
index 00000000..6649ee4b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0429.html
@@ -0,0 +1,12 @@
+ + +

What Do I Do If an IP Address Is Blocked by HSS?

+

Check whether the blocked IP address is a malicious IP address or a normal one.

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0430.html b/docs/hss/umn/hss_01_0430.html
new file mode 100644
index 00000000..7f3a29a2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0430.html
@@ -0,0 +1,12 @@
+ + +

How Do I Defend Against Ransomware Attacks?

+

Generally, ransomware is spread through Trojan implantation, emails, files, vulnerabilities, bundles, and storage media.

+

To defend against ransomware intrusions, prevent brute-force attacks and handle HSS alarms in a timely manner.

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0436.html b/docs/hss/umn/hss_01_0436.html
new file mode 100644
index 00000000..24e9f1b4
--- /dev/null
+++ b/docs/hss/umn/hss_01_0436.html
@@ -0,0 +1,20 @@
+ + +

What Can I Do If I Cannot Remotely Log In to a Server via SSH?

+

Symptoms

You can log in to a server via the console but not via SSH.

+
+

Possible Causes

+
+

Solution

  1. Check whether your login IP address was blocked because it was regarded as a source of brute-force attacks.

    • If yes, perform the following steps:
      1. Log in to the console.
      2. In the navigation pane, choose Detection > Alarms.
      3. Select the Server Alarms tab. Click the View Details in the Blocked IP Addresses area. The Blocked IP Addresses page is displayed.
      4. Select the target attack source IP address and click Unblock above the list to unblock the IP address.
      +
    • If your login IP address was not blocked for this reason, go to 2.
    +

  2. Check whether your login IP address is blocked because it is not whitelisted and the SSH login IP whitelist is enabled.

    • If your login IP address was not blocked for this reason, add the IP address to the SSH login IP address whitelist.
    • If your login IP address was not blocked for this reason, contact technical support.
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0437.html b/docs/hss/umn/hss_01_0437.html
new file mode 100644
index 00000000..43360010
--- /dev/null
+++ b/docs/hss/umn/hss_01_0437.html
@@ -0,0 +1,20 @@
+ + +

How Do I Use 2FA?

+

This FAQ shows you how to use 2FA.

+

Logging In and Passing 2FA Authentication

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0439.html b/docs/hss/umn/hss_01_0439.html
new file mode 100644
index 00000000..e386ddc2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0439.html
@@ -0,0 +1,26 @@
+ + +

Why Can't I Receive a Verification Code After 2FA Is Enabled?

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0440.html b/docs/hss/umn/hss_01_0440.html
new file mode 100644
index 00000000..2f44b15a
--- /dev/null
+++ b/docs/hss/umn/hss_01_0440.html
@@ -0,0 +1,26 @@
+ + +

Why Does My Login Fail After I Enable 2FA?

+

The login failed probably because file configurations or the login mode was incorrect.

+

Correcting File Configurations

Check whether the configuration file is correct.

+
+

Configuration file path: /etc/ssh/sshd_config

+

Configuration items:

+

PermitEmptyPasswords no

+

UsePAM yes

+

ChallengeResponseAuthentication yes

+

If you use the root account for login,the following configuration item is required:

+

PermitRootLogin yes

+
+

Correcting the Login Mode

If you attempted to log in in either of the following ways, your login would fail.

+
+ +

Failure cause: 2FA is implemented through a built-in module, which cannot be displayed if you log in in the preceding ways. As a result, the login authentication fails.

+

Solution: Perform login authentication by referring to How Do I Use 2FA?

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0441.html b/docs/hss/umn/hss_01_0441.html
new file mode 100644
index 00000000..434cde20
--- /dev/null
+++ b/docs/hss/umn/hss_01_0441.html
@@ -0,0 +1,16 @@
+ + +

How Do I Add a Mobile Phone Number or Email Address for Receiving 2FA Verification Notifications?

+

You can set your mobile phone number only if you have selected SMS/Email for Method. Set your mobile phone number in the SMN topic you choose.

+

In the SMN Topic drop-down list, only the SMN topics with confirmed subscriptions are displayed.

+ +
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0459.html b/docs/hss/umn/hss_01_0459.html
new file mode 100644
index 00000000..c13af3e5
--- /dev/null
+++ b/docs/hss/umn/hss_01_0459.html
@@ -0,0 +1,222 @@
+ + +

Managing Application Protection Policies

+

You can add, edit, and delete application protection policies, and select and configure detection rules for the policies.

+

Constraints

+
+

Adding a Protection Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Application Protection and click Protection Policies. For details about the parameters, see Table 1.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing the protection policies
    + +
    + + + + + + + + + + + + + +
    Table 1 Protection policy parameters

    Parameter

    +

    Description

    +

    Policy Name

    +

    Protection policy name

    +

    Detection Rule

    +

    Detection rules supported by a policy.

    +

    Associated Servers

    +

    Number of servers bound to a policy.

    +
    +
    +

  4. Click Add Policy. In the dialog box that is displayed, enter the policy name, select the rules to be detected, and configure details about some detection rules. For details about the parameters, see Table 2.

    Figure 2 Adding a protection policy
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 2 Application protection policy parameters

    Parameter

    +

    Description

    +

    Policy Name

    +

    User-defined policy name

    +

    Enabled

    +

    Whether to enable a detection rule for the current policy. You can select detection rules to enable them as required.

    +

    Detection Rule ID

    +

    ID of a detection rule

    +

    Action

    +

    Protection action of a detection rule.

    +
    • Detect: Detects objects based on the target rule and reports alarms for detected risk events.
    • Detect and block: Detects objects based on the target rule, reports alarms for detected risk events, and directly blocks or intercepts detected risk items.
      NOTICE:

      Blocking or interception may interrupt services. Exercise caution when enabling this function

      +
      +
    +

    Description

    +

    Description about the detected object and behavior of the target protection policy.

    +
    +
    +

  5. Click Configure in the Operation column of a detection rule to modify the rule content. Table 3 describes the supported detection rules.

    +

    + + + + + + + + + + + + + + + + + + + + + +
    Table 3 Detection rules that can be configured only

    Rule

    +

    Description

    +

    Example

    +

    XXE

    +

    User-defined XXE blacklist protocol

    +

    .xml;.dtd;

    +

    XSS

    +

    User-defined XSS shielding rules

    +

    xml;doctype;xmlns;import;entity

    +

    WebShellUpload

    +

    User-defined suffix of files in the blacklist.

    +

    .jspx;.jsp;.jar;.phtml;.asp;.php;.ascx;.ashx;.cer

    +

    FileDirAccess

    +

    User-defined path of files in the blacklist.

    +

    /etc/passwd;/etc/shadow;/etc/gshadow;

    +
    +
    +

  6. Confirm the configured policy and selected detection rules, and click OK. You can check whether the rule is added on the Protection Policy tab page.
+
+

Editing a Protection Policy

  1. Log in to the management console and go to the HSS page.
  2. Choose Prevention > Application Protection and click Protection Policies. For details about the parameters, see Table 4.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 3 Viewing the protection policies
    + +
    + + + + + + + + + + + + + +
    Table 4 Protection policy parameters

    Parameter

    +

    Description

    +

    Policy Name

    +

    Protection policy name

    +

    Detection Rule

    +

    Detection rules supported by a policy.

    +

    Associated Servers

    +

    Number of servers bound to a policy.

    +
    +
    +

  3. Click Edit in the Operation column of a policy to configure the policy name, supported detection rules, and rule content.

    +

    + + + + + + + + + + + + + + + + + + + +
    Table 5 Application protection policy parameters

    Parameter

    +

    Description

    +

    Policy Name

    +

    User-defined policy name

    +

    Enabled

    +

    Whether to enable a detection rule for the current policy. You can select detection rules to enable them as required.

    +

    Detection Rule ID

    +

    ID of a detection rule

    +

    Action

    +

    Protection action of a detection rule.

    +
    • Detect: Detects objects based on the target rule and reports alarms for detected risk events.
    • Detect and block: Detects objects based on the target rule, reports alarms for detected risk events, and directly blocks or intercepts detected risk items.
      NOTICE:

      Blocking or interception may interrupt services. Exercise caution when enabling this function

      +
      +
    +

    Description

    +

    Description about the detected object and behavior of the target protection policy.

    +
    +
    +

  4. Confirm the configured rule and selected detection items and click OK. You can check whether the target policy is modified on the Protection Policy tab page.
+
+

Deleting a Policy

  1. Log in to the management console and go to the HSS page.
  2. Choose Prevention > Application Protection and click Protection Policies. For details about the parameters, see Table 6.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 4 Viewing the protection policies
    + +
    + + + + + + + + + + + + + +
    Table 6 Protection policy parameters

    Parameter

    +

    Description

    +

    Policy Name

    +

    Protection policy name

    +

    Detection Rule

    +

    Detection rules supported by a policy.

    +

    Associated Servers

    +

    Number of servers bound to a policy.

    +
    +
    +

  3. Click Delete in the Operation column of the target policy. In the dialog box that is displayed, confirm the policy information and click OK.

    If the policy to be deleted is associated with a server, bind the server to another protection policy first. Otherwise, the Delete button of the target policy is hidden.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0462.html b/docs/hss/umn/hss_01_0462.html
new file mode 100644
index 00000000..4a188045
--- /dev/null
+++ b/docs/hss/umn/hss_01_0462.html
@@ -0,0 +1,88 @@
+
+
+

Upgrading the Agent

+

HSS keeps improving its service capabilities, including but not limited to new features and defect fixes. Please upgrade your agent to the latest version in a timely manner to enjoy better service.

+

Upgrading the Agent on a Single Server

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing agent management
    +

  4. Click Online to view the list of servers where the agent has been installed. For details, see Table 1.

    +

    + + + + + + + + + + + + + + + + +
    Table 1 Online agent parameters

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    EIP or private IP address of a server

    +

    OS

    +

    Server OS. Its value can be:

    +
    • Linux
    • Windows
    +

    Agent status

    +

    Agent status of a server. Its value can be:

    +
    • Online
    +
    +
    +

  5. Click Upgrade in the Operation column of the target server. In the dialog box displayed, confirm the upgrade details and click OK.
  6. After the upgrade completes, check the agent version. If the latest version agent is used, the upgrade is successful.
+
+

Upgrading the Agent on Multiple Servers

  1. Log in to the management console.
  2. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 2 Viewing agent management
    +

  3. Click Online to view the list of servers where the agent has been installed. For details, see Table 2.

    +

    + + + + + + + + + + + + + + + + +
    Table 2 Online agent parameters

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    EIP or private IP address of a server

    +

    OS

    +

    Server OS. Its value can be:

    +
    • Linux
    • Windows
    +

    Agent status

    +

    Agent status of a server. Its value can be:

    +
    • Online
    +
    +
    +

  4. Select the target servers whose agent you want to upgrade.

    • If you check the box before Server Name/ID, all servers on the page will be selected.
    • If you check the box before Select all, all servers you have will be selected.
    +
    +
    Figure 3 Selecting all servers whose agent needs to be upgraded
    +

  5. Click Upgrade Agent above the server list. In the dialog box displayed, confirm server information and click OK.
  6. After the upgrade completes, check the agent version. If the latest version agent is used, the upgrade is successful.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0463.html b/docs/hss/umn/hss_01_0463.html
new file mode 100644
index 00000000..2050b83e
--- /dev/null
+++ b/docs/hss/umn/hss_01_0463.html
@@ -0,0 +1,19 @@
+
+
+

Server Fingerprints

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0464.html b/docs/hss/umn/hss_01_0464.html
new file mode 100644
index 00000000..3ff3b692
--- /dev/null
+++ b/docs/hss/umn/hss_01_0464.html
@@ -0,0 +1,17 @@
+
+
+

Container Fingerprints

+
+
+ + + +
+
diff --git a/docs/hss/umn/hss_01_0465.html b/docs/hss/umn/hss_01_0465.html
new file mode 100644
index 00000000..303bd3eb
--- /dev/null
+++ b/docs/hss/umn/hss_01_0465.html
@@ -0,0 +1,123 @@
+
+
+

Viewing Container Asset Fingerprints

+

HSS can collect container asset fingerprints, including container accounts, ports, and processes. You can centrally check container asset information and detect risky assets in a timely manner based on the container fingerprints. This section describes how to view collected container asset information.

+

Constraints

+
+

Viewing Asset Fingerprints Data of All Containers

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Asset Management > Container Fingerprints > Asset Fingerprints. On the Asset Fingerprints page that is displayed, view the fingerprint data of all containers.

    If you find risky assets after counting, remove them in a timely manner. You are advised to handle the ports as follows:

    +
    • If HSS detects open high-risk ports or unused ports, check whether they are really used by your services. If they are not, disable them. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary.
    • If a detected high-risk port is actually a normal port used for services, you can ignore it. Ignored alarms will neither be recorded as unsafe items and nor trigger alarms.
    +

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

    +
    +
    Figure 1 Viewing container assets
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Container asset fingerprints

    Item

    +

    Description

    +

    Automatic Detection Period

    +

    Account Information

    +

    Check and manage all accounts on your containers to keep them secure.

    +

    Real-time account information includes the account name, number of servers, server name, IP address, login permission, root permission, user group, user directory, shell started by the user, container name, container ID, and the last scan time.

    +

    Automatic check every hour

    +

    Open Ports

    +

    Check open ports on your containers, including risky and unknown ports.

    +

    You can easily find high-risk ports on containers by checking local ports, protocol types, server names, IP addresses, statuses, PIDs, and program files.

    +
    • Manually disabling high-risk ports

      If dangerous or unnecessary ports are found enabled, check whether they are mandatory for services, and disable them if they are not. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary.

      +

      It is recommended that you handle the ports with the Dangerous risk level promptly and handle the ports with the Unknown risk level based on the actual service conditions.

      +
    • Ignore risks: If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
    +

    Automated check every 30 seconds

    +

    Processes

    +

    Check processes on your containers and find abnormal processes.

    +

    You can easily identify abnormal processes on your containers based process paths, server names, IP addresses, startup parameters, startup time, users who run the processes, file permissions, PIDs, and file hashes.

    +

    If a suspicious process has not been detected in the last 30 days, its information will be automatically deleted from the process list.

    +

    Automatic check every hour

    +

    Installed Software

    +

    Check and manage all software installed on your containers, and identify insecure versions.

    +

    You can check real-time and historical software information to determine whether the software is risky.

    +
    • Real-time software information includes the software name, number of servers, server names, IP addresses, software versions, software update time, and the last scan time.
    • Historical software change records include the server names, IP addresses, change statuses, software versions, software update time, and the last scan time.
    +

    Automatic check every day

    +

    Auto-startup

    +

    Check for auto-started items and quickly locate Trojans.

    +

    Real-time information about auto-started items includes their names, types (auto-started service, startup folder, pre-loaded dynamic library, Run registry key, or scheduled task), number of servers, server names, IP addresses, paths, file hashes, users, container name, container ID, and the last scan time.

    +

    Automatic check every hour

    +

    Websites

    +

    You can check statistics about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, certificate information (to be provided later), and key processes of websites.

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Framework

    +

    You can check statistics about frameworks used for web content presentation, including their versions, paths, and associated processes.

    +

    Once a week (04:10 a.m. every Monday)

    +

    Middleware

    +

    You can also check information about servers, versions, paths, and processes associated with middleware.

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Services

    +

    You can check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software.

    +

    Once a week (04:10 a.m. every Monday)

    +

    Web Applications

    +

    You can check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software.

    +

    Once a week (04:10 a.m. every Monday)

    +

    Databases

    +

    You can check details about software that provides data storage, including versions, paths, configuration files, and associated processes of all software.

    +

    Once a week (04:10 a.m. every Monday)

    +
    +
    +

+
+

Viewing Asset Fingerprint Data of a Single Container

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

  4. Click the name of the target server. On the server details page that is displayed, click the Asset Fingerprints > Containers tab.
  5. Click a fingerprint in the fingerprint list to view its asset information. For more information, see Table 1.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0466.html b/docs/hss/umn/hss_01_0466.html
new file mode 100644
index 00000000..37390243
--- /dev/null
+++ b/docs/hss/umn/hss_01_0466.html
@@ -0,0 +1,30 @@
+
+
+

Adding a Privileged Process

+

If WTP is enabled, the content in the protected directories is read-only. To allow certain processes to modify files in the directories, add them to the privileged process list.

+

Only the modification made by privileged processes can take effect. Modifications made by other processes will be automatically rolled back.

+

Exercise caution when adding privileged processes. Do not let untrustworthy processes access your protected directories.

+

Constraints

+
+

Prerequisites

The Protection Status of the server must be Protected. To view the status, choose Prevention > Web Tamper Protection. Click the Servers tab.

+
+

Adding a Privileged Process

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection, click Configure Protection.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Entering the page for protected directory settings
    +

  4. Click Privileged Process Settings and then Settings.

    Figure 2 Setting a privileged process
    +

  5. On the Privileged Process Settings page, click Add Privileged Process.

    Figure 3 Adding a Privileged Process
    +

  6. In the Add Privileged Process dialog box, enter the path of the privileged process.

    The process file path must contain the process name and extension, for example, C:/Path/Software.type. If the process has no extension, ensure the process name is unique.

    +

  7. Click OK.
+
+

Related Operations

Modifying or deleting existing privileged processes

+

In the Operation column of a process file path, click Edit to modify the privileged processes or click Delete to delete it if it is unnecessary.

+
  • After you edit or delete the process file path, the privileged process cannot modify the files in the protected directory. To avoid impact on services, exercise caution when performing these operations.
  • Unnecessary privileged processes should be deleted in a timely manner as they may be exploited by attackers.
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0472.html b/docs/hss/umn/hss_01_0472.html
new file mode 100644
index 00000000..f3cf5d57
--- /dev/null
+++ b/docs/hss/umn/hss_01_0472.html
@@ -0,0 +1,34 @@
+
+
+

How Do I Disable the SELinux Firewall?

+

Security-Enhanced Linux (SELinux) is a kernel module and security subsystem of Linux.

+

SELinux minimizes the resources that can be accessed by service processes in the system (the principle of least privilege).

+

Closure Description

+
+

Scenario

To use the two-factor authentication function of HSS, you need to permanently disable the SELinux firewall.

+
+

Procedure

  1. Remotely log in to the destination server.

    You can log in to the ECS management console and click Remote Login in the ECS list.

    +

    If your server has an EIP bound, you can also use a remote management tool, such as PuTTY or Xshell, to log in to the server and install the agent on the server as user root.

    + +

  2. Run the shutdown command in the command window.

    • Temporarily disable SELinux
      Run the following command in the CLI to temporarily disable SELinux:
      setenforce 0
      +

      After the system is restarted, the SELinux will be enabled again.

      +
      +
      +
    • Permanently disable SELinux
      1. Run the following command in the directory window to edit the config file of SELinux:
        vi /etc/selinux/config
        +
      2. Locate SELINUX=enforcing, press i to enter the editing mode, and change the parameter to SELINUX=disabled.
        Figure 1 Editing the SELinux status
        +
      3. After the modification, press Esc and run the following command to save the file and exit:
        :wq
        +
      +
    +

  3. Run the permanent shutdown command, save the settings, and exit. Run the following command to restart the server immediately:

    shutdown -r now
    +

    The permanent shutdown command takes effect only after the server is restarted.

    +
    +

  4. After the restart, run the following command to verify that SELinux is disabled:

    getenforce
    +

+
+
+
+ +
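Review bot: The title and the Scenario sentence call SELinux a "firewall", while the page's own introduction describes it as a kernel security subsystem that confines service processes; `How Do I Disable SELinux?` and "you need to permanently disable SELinux" would be accurate. Steps 2 and 3 say "Run the shutdown command" and "Run the permanent shutdown command", which reads as powering off the server, although the commands shown are `setenforce 0` and an edit of `/etc/selinux/config`. Since `SELINUX=disabled` removes mandatory access control for every process on the host, the page should state that trade-off next to the two-factor authentication requirement so operators can record it as an accepted risk. Step 4 should also give the expected `getenforce` output (`Disabled`; after `setenforce 0` alone it prints `Permissive`) so the result can be verified.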
+
diff --git a/docs/hss/umn/hss_01_0477.html b/docs/hss/umn/hss_01_0477.html
new file mode 100644
index 00000000..f0676326
--- /dev/null
+++ b/docs/hss/umn/hss_01_0477.html
@@ -0,0 +1,155 @@
+
+
+

Collecting Server Asset Fingerprints

+

HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can centrally check server asset information and detect risky assets in a timely manner based on the server fingerprints. This section describes server asset fingerprints and their collection method.

+

Prerequisite

HSS enterprise edition, premium edition, WTP edition, or container edition has been enabled for the server.

+
+

Server Asset Fingerprint Collection Items

Table 1 lists the collection items of server asset fingerprints. Each asset fingerprint is automatically collected periodically. If you are using HSS premium edition or later, you can customize the asset fingerprint collection period. For details, see Asset Discovery.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Asset fingerprints

Item

+

Description

+

Supported OS

+

Automatic Detection Period

+

Account Information

+

Check and manage all accounts on your servers to keep them secure.

+

You can check real-time and historical account information to find suspicious accounts.

+
  • Real-time account information includes the account name, number of servers, server name/IP address, login permission, root permission, user group, user directory, shell started by the user, and the last scan time.
  • Historical account change records include the server name/IP address, change status, login permission, root permission, user group, user directory, shell started by the user, and the last scan time.
+

Linux and Windows

+

Automatic check every hour

+

Open Ports

+

Check open ports on your servers, including risky and unknown ports.

+

You can easily identify high-risk ports by checking local ports, protocol types, server names, IP addresses, statuses, PIDs, and program files.

+
  • Manually disabling high-risk ports

    If dangerous or unnecessary ports are found enabled, check whether they are mandatory for services, and disable them if they are not. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary.

    +

    It is recommended that you handle the ports at the Dangerous risk level promptly and handle the ports at the Unknown risk level based on the actual service conditions.

    +
  • Ignore risks: If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
+

Linux and Windows

+

Automated check every 30 seconds

+

Processes

+

Check processes on your servers and find abnormal processes.

+

You can easily identify abnormal processes based process paths, server names, IP addresses, startup parameters, startup time, users who run the processes, file permissions, PIDs, and file hashes.

+

If a suspicious process has not been detected in the last 30 days, its information will be automatically deleted from the process list.

+

Linux and Windows

+

Automatic check every hour

+

Installed Software

+

Check and manage all software installed on your containers, and identify insecure versions.

+

You can check real-time and historical software information to determine whether the software is risky.

+
  • Real-time software information includes the software name, number of servers, server names, IP addresses, software versions, software update time, and the last scan time.
  • Historical software change records include the server names, IP addresses, change statuses, software versions, software update time, and the last scan time.
+

Linux and Windows

+

Automatic check every day

+

Auto-startup

+

Check for auto-startup items and quickly locate Trojans.

+
  • Real-time information about auto-started items includes their names, types (auto-started service, startup folder, pre-loaded dynamic library, Run registry key, or scheduled task), number of servers, server names, IP addresses, paths, file hashes, users, and the last scan time.
  • The historical change records of auto-started items include server names, IP addresses, change statuses, paths, file hashes, users, and the last scan time.
+

Linux and Windows

+

Automatic check every hour

+

Websites

+

You can check statistics about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, certificate information (to be provided later), and key processes of websites.

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Web Frameworks

+

You can check statistics about frameworks used for web content presentation, including their versions, paths, and associated processes.

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Middleware

+

You can check information about servers, versions, paths, and processes associated with middleware.

+

Linux and Windows

+

Once a week (04:10 a.m. every Monday)

+

Kernel Module

+

You can check information about all the program module files running in kernels, including associated servers, version numbers, module descriptions, driver file paths, file permissions, and file hashes.

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Web Services

+

You can check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software.

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Web Applications

+

You can check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software.

+

Linux and Windows (only Tomcat is supported)

+

Once a week (04:10 a.m. every Monday)

+

Databases

+

You can check details about software that provides data storage, including versions, paths, configuration files, and associated processes of all software.

+

Linux and Windows (only MySQL is supported)

+

Once a week (04:10 a.m. every Monday)

+
+
+
+

Collecting the Latest Asset Fingerprints of a Single Server

If you want to obtain the latest data of assets such as web applications, web services, web frameworks, websites, middleware, kernel modules, and databases, in real time, you can manually collect fingerprint information.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

  4. Click the name of the target server. On the server details page that is displayed, choose Asset Fingerprints > Servers.
  5. Click a fingerprint in the fingerprint list, and click Discover Assets on the upper area of the list on the right.

    Currently, only the information about web applications, web services, web frameworks, websites, middleware, kernel modules, and databases can be manually collected and updated in real time. Information about other types is automatically collected and updated every day.

    +
    +

  6. After the automatic execution is complete, the last scan time is updated and the latest server asset information is displayed.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0478.html b/docs/hss/umn/hss_01_0478.html
new file mode 100644
index 00000000..e05986f6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0478.html
@@ -0,0 +1,119 @@
+
+
+

Collecting Container Asset Fingerprints

+

HSS can collect container asset fingerprints, including container accounts, ports, and processes. You can centrally check container asset information and detect risky assets in a timely manner based on the container fingerprints. This section describes how to collect container asset fingerprints.

+

Prerequisite

HSS container edition has been enabled for the server.

+
+

Container Asset Fingerprint Collection Items

Table 1 lists the collection items of container asset fingerprints. The fingerprint items are automatically collected periodically. You can customize the asset fingerprint collection period. For details, see Asset Discovery.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Container asset fingerprints

Item

+

Description

+

Automatic Detection Period

+

Account Information

+

Check and manage all accounts on your containers to keep them secure.

+

Real-time account information includes the account name, number of servers, server name, IP address, login permission, root permission, user group, user directory, shell started by the user, container name, container ID, and the last scan time.

+

Automatic check every hour

+

Open Ports

+

Check open ports on your containers, including risky and unknown ports.

+

You can easily find high-risk ports on containers by checking local ports, protocol types, server names, IP addresses, statuses, PIDs, and program files.

+
  • Manually disabling high-risk ports

    If dangerous or unnecessary ports are found enabled, check whether they are mandatory for services, and disable them if they are not. For dangerous ports, you are advised to further check their program files, and delete or isolate their source files if necessary.

    +

    It is recommended that you handle the ports with the Dangerous risk level promptly and handle the ports with the Unknown risk level based on the actual service conditions.

    +
  • Ignore risks: If a detected high-risk port is actually a normal port used for services, you can ignore it. The port will no longer be regarded risky or generate alarms.
+

Automated check every 30 seconds

+

Processes

+

Check processes on your containers and find abnormal processes.

+

You can easily identify abnormal processes on your containers based process paths, server names, IP addresses, startup parameters, startup time, users who run the processes, file permissions, PIDs, and file hashes.

+

If a suspicious process has not been detected in the last 30 days, its information will be automatically deleted from the process list.

+

Automatic check every hour

+

Installed Software

+

Check and manage all software installed on your containers, and identify insecure versions.

+

You can check real-time and historical software information to determine whether the software is risky.

+
  • Real-time software information includes the software name, number of servers, server names, IP addresses, software versions, software update time, and the last scan time.
  • Historical software change records include the server names, IP addresses, change statuses, software versions, software update time, and the last scan time.
+

Automatic check every day

+

Auto-startup

+

Check for auto-started items and quickly locate Trojans.

+

Real-time information about auto-started items includes their names, types (auto-started service, startup folder, pre-loaded dynamic library, Run registry key, or scheduled task), number of servers, server names, IP addresses, paths, file hashes, users, container name, container ID, and the last scan time.

+

Automatic check every hour

+

Websites

+

You can check statistics about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, certificate information (to be provided later), and key processes of websites.

+

Once a week (04:10 a.m. every Monday)

+

Web Framework

+

You can check statistics about frameworks used for web content presentation, including their versions, paths, and associated processes.

+

Once a week (04:10 a.m. every Monday)

+

Middleware

+

You can also check information about servers, versions, paths, and processes associated with middleware.

+

Once a week (04:10 a.m. every Monday)

+

Web Services

+

You can check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software.

+

Once a week (04:10 a.m. every Monday)

+

Web Applications

+

You can check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software.

+

Once a week (04:10 a.m. every Monday)

+

Databases

+

You can check details about software that provides data storage, including versions, paths, configuration files, and associated processes of all software.

+

Once a week (04:10 a.m. every Monday)

+
+
+
+

Collecting the Latest Asset Fingerprints of a Single Container

If you want to view the latest data of assets such as web applications, web services, web frameworks, websites, middleware, and databases in real time, you can manually collect the fingerprint information.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.
  4. Click the name of the target server. On the server details page that is displayed, choose Asset Fingerprints > Containers.
  5. Click a fingerprint in the fingerprint list, and click Discover Assets on the upper area of the list on the right.

    Currently, only Web Applications, Web Services, Web Frameworks, Websites, Middleware, and Databases support real-time manual collection and update. Information about other types is automatically collected and updated every day.

    +
    +

  6. After the automatic execution is complete, the last scan time is updated and the latest container asset information is displayed.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0496.html b/docs/hss/umn/hss_01_0496.html
new file mode 100644
index 00000000..c8e0757f
--- /dev/null
+++ b/docs/hss/umn/hss_01_0496.html
@@ -0,0 +1,23 @@
+ + +

Managing the System User Whitelist

+

HSS generates risky account alarms when non-root users are added to the root user group. You can add the trusted non-root users to the system user whitelist. HSS does not generate risky account alarms for users in the system user whitelist.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection > Whitelists. The Whitelists page is displayed.
  4. (Optional) In the upper left corner of the Whitelists page, select the enterprise project to which the server belongs or All projects for Enterprise Project.

    If you have not enabled the enterprise project function, skip this step.

    +

  5. Click the System User Whitelist tab and click Add.

    Figure 1 Configuring the system user whitelist
    +

    +

  6. In the Add to System User Whitelist dialog box, enter the server ID, system username, and remarks.
  7. Click OK.
+
+

Related Operations

Modifying a System User Whitelist

+
  1. (Optional) In the upper left corner of the Whitelists page, select the enterprise project to which the server belongs or All projects for Enterprise Project.

    If you have not enabled the enterprise project function, skip this step.

    +

  2. In the row of the target system user whitelist, click Modify in the Operation column.
  3. In the Modify System User Whitelist dialog box, modify the information and click OK.
+

Deleting a System User Whitelist

+
  1. In the row of the target system user whitelist, click Delete in the Operation column.

    You can also select multiple system user whitelists and click Delete in the upper left corner of the system user whitelist list.

    +

  2. In the dialog box displayed, click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0503.html b/docs/hss/umn/hss_01_0503.html
new file mode 100644
index 00000000..328113e3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0503.html
@@ -0,0 +1,15 @@
+ + +

Viewing Vulnerability Handling History

+

For vulnerabilities that have been handled, you can refer to this section to view the vulnerability handling history (handler and handling time).

+

Viewing the Handling History of a Vulnerability

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. In the list of handled vulnerabilities, click a vulnerability name. The vulnerability details slide-out panel is displayed.

    Figure 1 Selecting Handled from the drop-down list
    +

  4. Click the Handling History tab to view the handling history of the vulnerability.

    Figure 2 Handling history
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0509.html b/docs/hss/umn/hss_01_0509.html
new file mode 100644
index 00000000..1ed98a86
--- /dev/null
+++ b/docs/hss/umn/hss_01_0509.html
@@ -0,0 +1,64 @@
+ + +

Managing the Vulnerability Whitelist

+

If you evaluate that some vulnerabilities do not affect your services and do not want to view the vulnerabilities in the vulnerability list, you can whitelist the vulnerabilities. After they are whitelisted, the vulnerabilities will be ignored in the vulnerability list and no alarms will be reported. The vulnerabilities will not be scanned and the vulnerability information will not be displayed when the next vulnerability scan task is executed.

+

This section describes how to whitelist a vulnerability, modify a vulnerability whitelist rule, and remove a vulnerability whitelist rule from the vulnerability whitelist.

+

Whitelisting Vulnerabilities

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.

    • Whitelisting all servers that are affected by a vulnerability

      HSS will ignore the vulnerability when scanning for vulnerabilities on all servers.

      +
      1. In the Operation column of the row containing the target vulnerability, click More and select Add to Whitelist.

        You can also select multiple vulnerabilities and click Add to Whitelist above the vulnerability list.

        +
        Figure 1 Whitelisting all servers that are affected by a vulnerability
        +
      2. In the dialog box displayed, click OK.
      +
    • Whitelisting one or more servers that are affected by a vulnerability

      HSS will ignore the vulnerability when scanning for vulnerabilities on these servers.

      +
      1. Click a target vulnerability name.
      2. On the slide-out panel displayed, click the Affected tab.
      3. In the Operation column of the row containing the target server, click More and select Add to Whitelist.

        You can also select multiple servers and click Add to Whitelist above the server list.

        +
        Figure 2 Whitelisting a single server that is affected by a vulnerability
        +
      4. In the dialog box displayed, click OK.
      +
    • Whitelisting vulnerabilities using whitelist rules
      1. In the upper right corner of the Vulnerabilities page, click Configure Policy. The Configure Policy slide-out panel is displayed.
      2. In the Vulnerability Whitelist area, click Add Rule.
      3. Configure a whitelist rule according to Table 1.
        Figure 3 Configuring a whitelist rule
        + +
        + + + + + + + + + + + + + + + + +
        Table 1 Vulnerability whitelist rule parameters

        Parameter

        +

        Description

        +

        Type

        +

        Select the type of vulnerabilities to be whitelisted. Possible values are as follows:

        +
        • Linux Vulnerabilities
        • Windows Vulnerabilities
        • Web-CMS Vulnerabilities
        • Application Vulnerabilities
        +

        Vulnerability

        +

        Select one or more vulnerabilities to be whitelisted.

        +

        Rule Scope

        +

        Select the servers affected by the vulnerabilities. Possible values are as follows:

        +
        • All servers

          HSS will ignore the vulnerability when scanning for vulnerabilities on all servers.

          +
        • Selected servers

          Select one or more target servers. HSS will ignore the vulnerabilities when scanning for vulnerabilities on these servers.

          +

          You can search for a target server by server name, ID, EIP, or private IP address.

          +
        +

        Remarks (Optional)

        +

        Enter the remarks.

        +
        +
        +
      4. Click OK.
      +
    +

+
+

Editing a Vulnerability Whitelist

  1. Log in to the management console.
  1. In the navigation pane, choose Prediction > Vulnerabilities.
  2. In the upper right corner of the Vulnerabilities page, click Configure Policy. The Configure Policy slide-out panel is displayed.
  3. In the row containing the desired vulnerability whitelist rule, click Edit in the Operation column.
  4. On the editing page, modify the information and click OK.
+
+

Removing a Vulnerability Whitelist Rule from the Vulnerability Whitelist

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. In the upper right corner of the Vulnerabilities page, click Configure Policy. The Configure Policy slide-out panel is displayed.
  4. In the row containing the desired vulnerability whitelist rule, click Delete in the Operation column.
  5. In the dialog box displayed, confirm the information and click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0512.html b/docs/hss/umn/hss_01_0512.html
new file mode 100644
index 00000000..65467617
--- /dev/null
+++ b/docs/hss/umn/hss_01_0512.html
@@ -0,0 +1,15 @@
+ + +

What Do I Do If My Remote Server Port Is Not Updated in Brute-force Attack Records?

+

Symptom

The remote port of a server has been changed, but the brute-force attack records still displays the old port.

+
+

Solution

The remote port configuration is synchronized to HSS through the agent. If the remote port is changed, perform the following operations to restart the agent:

+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0546.html b/docs/hss/umn/hss_01_0546.html
new file mode 100644
index 00000000..41906c02
--- /dev/null
+++ b/docs/hss/umn/hss_01_0546.html
@@ -0,0 +1,74 @@
+ + +

Risk Statistics

+

On the dashboard page of the HSS console, you can learn the security status and risks of all your servers and containers in real time, including the risk index, risk trend, top 5 event types, and service quota.

+

If you have enabled the enterprise project function, you can select your enterprise project from the Enterprise project drop-down list to check server risk overview of the project. If you select All projects, the risk overview of servers in all the projects in this region is displayed.

+
+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Dashboard.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +

+

Asset Risk Index (Last 24 Hours)

Figure 1 Asset risk index (last 24 hours)
+

You can check the risks in protected servers and containers in the last 24 Hours.

+

To handle the risks, click Handle Now. The Risks pane will be displayed on the right. You can handle risks by referring to the corresponding guidance. You can handle the following types of risks:

+ +

To check your asset security, click Scan.

+
+

Protection Status (Last 24 Hours)

Figure 2 Protection Status
+

You can check the numbers of protected and unprotected servers and nodes.

+

To enable protection for a server, click Enable Protection.

+
+

Risks (Latest 24 Hours)

Figure 3 Risks
+

You can check the number of server asset risks, server vulnerabilities, server baselines, and container risks, and their comparison with the previous day.

+
+

Risk Statistics

Figure 4 Risk trend
+

You can check the risk trend in the last 24 hours, last 3 days, last 7 days, and last 30 days.

+ +
+ + + + + + + + + + + + + + + + +
Table 1 Risk statistics

Category

+

Event

+

Asset risks

+
  • Accounts
  • Open ports
  • Processes
  • Installed software
  • Auto-started items
  • Web applications
  • Web services
  • Web frameworks
  • Websites
  • Middleware
  • Databases
  • Kernel modules
+

Server vulnerabilities

+
  • Linux vulnerabilities
  • Windows vulnerabilities
  • Web-CMS vulnerabilities
  • Application vulnerabilities
+

Server baseline risks

+
  • Password complexity policy check
  • Common weak password check
  • Unsafe configuration check
+

Container risks

+
  • Local image vulnerabilities
  • Private image vulnerabilities
  • Malicious files in images
  • Image baseline
+
+
+
+

Intrusions (Last 24 Hours)

Figure 5 Intrusions (last 24 hours)
+

You can check the total number of intrusions detected on servers and containers, and the severities of the intrusions.

+

These intrusion statistics are updated at 00:00 every day.

+
+

Top 5 Events

Figure 6 Top 5 events
+

For servers protected by the enterprise, premium, or container security edition, you can check the top five types of intrusion events detected in the last 24 hours, last 3 days, last 7 days, or last 30 days; and the number of each type of events.

+

If no data is displayed due to connection problems, fix your network and click to retrieve data again.

+
+

Real-time Alarms

You can check real-time alarms.

+

Check the latest five unhandled intrusion events in the last 24 hours, including their severities, alarm names, occurrence time, and statuses.

+ +
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0553.html b/docs/hss/umn/hss_01_0553.html
new file mode 100644
index 00000000..cc5cd12c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0553.html
@@ -0,0 +1,17 @@
+ + +

Security Report

+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0554.html b/docs/hss/umn/hss_01_0554.html
new file mode 100644
index 00000000..38625c34
--- /dev/null
+++ b/docs/hss/umn/hss_01_0554.html
@@ -0,0 +1,56 @@
+ + +

Checking a Security Report

+

You can subscribe to daily, weekly, monthly, and custom reports. The reports show your server security trends and key security events and risks.

+
  • If you have enabled the enterprise project function, you can select your enterprise project from the Enterprise project drop-down list and subscribe to the security report of the project. You can also select All projects and subscribe to the security report of servers in all the projects in this region.
  • After you subscribe to a report, it will be available for review and download the next day.
+
+

Constraints

The enterprise, premium, WTP, or container edition is enabled.

+
+

Security Report Overview

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 1 Checking a security report
    +

  4. Click Download to go to the preview page. You can check the information of the target report and download or send it.
+
+

Checking Report History

The report history stores the report sending details.

+
  1. In the upper right corner of the security report overview page, click Report History to check the report sending records.
  2. Check the report history on the displayed page, as shown in the following picture. For more information, see Table 1.

    Figure 2 Report sending details
    + +
    + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Report Name

    +

    Name of a sent report.

    +

    Statistical Period

    +

    Statistical period of a sent report.

    +

    Report Type

    +

    Statistical period type of a sent report.

    +
    • Weekly Reports
    • Monthly Reports
    • Daily Reports
    • Custom Reports
    +

    Sent

    +

    Time when the report is sent.

    +
    +
    +

  3. Click Download in the Operation column to check historical reports. You can also preview and download the reports.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0555.html b/docs/hss/umn/hss_01_0555.html
new file mode 100644
index 00000000..ec2fcf26
--- /dev/null
+++ b/docs/hss/umn/hss_01_0555.html
@@ -0,0 +1,22 @@
+ + +

Subscribing to a Security Report

+

This section provides guidance for you to quickly subscribe to weekly or monthly security reports using preset templates on the console. For details about how to customize a security report, see Creating a Security Report.

+

Constraints

The enterprise, premium, WTP, or container edition is enabled.

+
+

Precaution

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 1 Checking a security report
    +

  4. You can subscribe to monthly or weekly security reports. For details about how to edit a report, see Editing a Report.

    Figure 2 Enabling security reports
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0556.html b/docs/hss/umn/hss_01_0556.html
new file mode 100644
index 00000000..a5a1e5c1
--- /dev/null
+++ b/docs/hss/umn/hss_01_0556.html
@@ -0,0 +1,67 @@
+ + +

Creating a Security Report

+

If the type and content of the existing report template cannot meet your requirements, you can customize a report.

+

Constraints

The enterprise, premium, WTP, or container edition is enabled.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 1 Checking a security report
    +

  4. Create a report.

    • Create a monthly or weekly security report based on templates.
      • Click Copy in the weekly or monthly report card to access the basic information configuration page.
        Figure 2 Creating a report based on a template
        +
      +
    • You can also customize the report period.
      • Click Create Report to access the basic information configuration page.
        Figure 3 Customizing a report
        +
      +
    +

  5. Edit basic information of a report. For more information, see Table 1.

    Figure 4 Editing basic information of a report
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Report Name

    +

    Default report name

    +

    ecs security report

    +

    Report Type

    +

    Statistical period type of a report:

    +
    • Daily: 00:00 to 24:00 every day
    • Weekly Reports: 00:00 on Monday to 24:00 on Sunday
    • Monthly Reports: 00:00 on the first day to 24:00 on the last day of each month
    • Custom: custom statistical period, which ranges from one day to three months
    • All types of reports will be sent to the recipients the day after it is generated.
    +

    Monthly Reports

    +

    Schedule Delivery

    +

    Time when a report is automatically sent

    +

    -

    +

    Send Report To

    +

    Security report recipients.

    +
    • Recipients specified in SMN topic: If you use SMN topic settings, you can create a topic and specify recipients for HSS.
    • No need to send to email: The report is not sent to the specified email address.
    +

    Recipients specified in SMN topic

    +
    +
    +

  6. After confirming that the information is correct, click Next in the lower right corner of the page to configure the report.
  7. Select the report items to be generated in the left pane. You can preview the report items in the right pane. After confirming the report items, click Save, and enable security report subscription.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0557.html b/docs/hss/umn/hss_01_0557.html
new file mode 100644
index 00000000..eff8cc4b
--- /dev/null
+++ b/docs/hss/umn/hss_01_0557.html
@@ -0,0 +1,76 @@
+ + +

Managing Security Reports

+

This section describes how to modify, cancel, or disable a subscribed report.

+

Constraints

The enterprise, premium, WTP, or container edition is enabled.

+
+

Editing a Report

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 1 Checking a security report
    +

  4. Click Edit in the lower right corner of the target report.

    Figure 2 Editing a report
    +

  5. Edit basic information of a report. For more information, see Table 1.

    Figure 3 Editing basic information of a report
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Report Name

    +

    Default report name.

    +

    default monthly security report

    +

    Report Type

    +

    Name of the statistical period type of a report, which cannot be edited.

    +

    Monthly Reports

    +

    Schedule Delivery

    +

    Time when a report is automatically sent.

    +

    -

    +

    Send Report To

    +

    Mode to send the generated security reports:

    +
    • Recipients specified in SMN topic: If you use SMN topic settings, you can create a topic and specify recipients for HSS.
    • No need to send to email: The report is not sent to the specified email address.
    +

    Recipients specified in SMN topic

    +
    +
    +

  6. Confirm the information and click Next in the lower right corner of the page to configure the report.
  7. Select or deselect the report items in the pane on the left. You can preview the report items on the right. After confirming the report items, click Save. The report is changed successfully.
+
+

Unsubscribing from a Report

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 4 Checking a security report
    +

  3. Toggle off the target report ().
+
+

Deleting a Report

Default security report templates default monthly security report and default weekly security report cannot be deleted.

+
+
  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane on the left, choose Reports. The security report overview page is displayed.

    You can use default security report templates directly, which are default monthly security report and default weekly security report.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    +
    Figure 5 Checking a security report
    +

  3. Click Delete in the lower right corner of the target report.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0558.html b/docs/hss/umn/hss_01_0558.html
new file mode 100644
index 00000000..7a00ed12
--- /dev/null
+++ b/docs/hss/umn/hss_01_0558.html
@@ -0,0 +1,18 @@
+ + +

Free Scan on Unprotected Servers

+

Servers that are not protected by HSS are scanned for free. A security report on their vulnerabilities, unsafe passwords, and asset risks will be generated.

+

If you need to perform baseline check, application protection, web tamper protection, ransomware protection, intrusion detection, policy management, file integrity detection, and isolation and killing, you can enable HSS.

+

Free Scan

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Dashboard and click the Free Health Check tab. Check the statistics of assets that are not protected.

    Only unprotected servers are displayed on this page.

    +
    +

  4. In the Operation column of a server, click View Report to view the health check report online.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0570.html b/docs/hss/umn/hss_01_0570.html
new file mode 100644
index 00000000..43c0dcc2
--- /dev/null
+++ b/docs/hss/umn/hss_01_0570.html
@@ -0,0 +1,48 @@
+ + +

Installing an Agent

+

Install the agent on a server. Only then can the server be protected by HSS.

+

Installing an Agent on a Server

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration. Click the Agents tab.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

    +
    +
    Figure 1 Viewing agent management
    +

  4. Click Offline to check the servers where the agent is not installed or is offline. Table 1 describes the parameters.

    +

    + + + + + + + + + + + + + + + + +
    Table 1 Offline agent parameters

    Parameter

    +

    Description

    +

    Server Name/ID

    +

    Server name and ID

    +

    IP Address

    +

    EIP or private IP address of a server

    +

    OS

    +

    Server OS. Its value can be:

    +
    • Linux
    • Windows
    +

    Agent Status

    +

    Agent status of a server. Its value can be:

    +
    • Offline
    • Not installed
    • Installation failed
    +
    +
    +

  5. Click View Cause in the Operation column of a server to check why an agent is offline.
  6. Click Install Agent in the Operation column. Download the agent package suitable for your server architecture and OS. For details about how to install the agent on a Linux server, see Installing an Agent on Linux. For details about how to install the agent on a Windows server, see Installing the Agent for Windows.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0571.html b/docs/hss/umn/hss_01_0571.html
new file mode 100644
index 00000000..4bb8d7c6
--- /dev/null
+++ b/docs/hss/umn/hss_01_0571.html
@@ -0,0 +1,34 @@
+ + +

Installing an Agent on Linux

+

To enable workload protection for cloud servers, install the agent first.

+

This topic describes how to install the agent on a server running Linux.

+

CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.

+
+

Default Installation Path

The agent installation path on servers running the Linux OS cannot be customized. The default path is:

+

/usr/local/hostguard/

+
+

Prerequisites

+
+

Installation Precautions

+ +
+

Installing an Agent Using Commands

This procedure involves logging in to the server and running commands. It takes 3 to 5 minutes for the console to update the agent status after agent installation.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane, choose Installation & Configuration.
  4. Click the Agents tab. Click Offline. In the Operation column of a server, click Install Agent.

    Figure 1 Installing an Agent
    +

  5. In the displayed dialog box, copy the command suitable for your system architecture and OS.
  6. Remotely log in to the server where the agent is to be installed.

    • You can log in to the ECS management console and click Remote Login in the ECS list.
    • If your server has an EIP bound, you can also use a remote management tool, such as Xftp, SecureFX, WinSCP, PuTTY, or Xshell, to log in to the server and install the agent on the server as user root.
    +

  7. Paste the copied installation command and run it as user root to install the agent on the server.

    If information similar to the following is displayed, the agent is successfully installed:

    +
    Preparing...                  ########################## [100%]
    +1:hostguard                   ########################## [100%]
    +Hostguard is running.
    +Hostguard installed.
    +

  8. Run the service hostguard status command to check the running status of the agent.

    If the following information is displayed, the agent is running properly:

    +
    Hostguard is running
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0573.html b/docs/hss/umn/hss_01_0573.html
new file mode 100644
index 00000000..4fbf01bd
--- /dev/null
+++ b/docs/hss/umn/hss_01_0573.html
@@ -0,0 +1,16 @@
+ + +

Exporting the Server List

+

This section describes how to export the server protection list to your local PC.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation pane on the left, choose Asset Management > Servers & Quota.
  4. In the upper right corner of the server list, click Export to export the server list details.

    The details of up to 1,000 servers can be exported at a time.

    +
    +
    Figure 1 Exporting the server list
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0574.html b/docs/hss/umn/hss_01_0574.html
new file mode 100644
index 00000000..9baaa6ec
--- /dev/null
+++ b/docs/hss/umn/hss_01_0574.html
@@ -0,0 +1,23 @@
+ + +

Exporting the vulnerability list

+

You can refer to this section to export the vulnerability list.

+

Prerequisite

+
+

Exporting the Vulnerability List (Vulnerability View)

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. Click Export above the vulnerability list to export the vulnerability list.

    Up to 30,000 vulnerability records can be exported at a time.

    +

  4. View the export status in the upper part of the Vulnerabilities page. After the export is successful, obtain the exported information from the default file download address on the local host.

    Do not close the browser page during the export. Otherwise, the export task will be interrupted.

    +
    +

+
+

Exporting the Vulnerability List (Server View)

  1. Log in to the management console.
  2. In the navigation pane, choose Prediction > Vulnerabilities.
  3. In the upper right corner of the Vulnerabilities page, click the Server view tab.
  4. Click Export above the vulnerability list to export the vulnerability list.

    Up to 30,000 vulnerability records can be exported at a time.

    +

  5. View the export status in the upper part of the Vulnerabilities page. After the export is successful, obtain the exported information from the default file download address on the local host.

    Do not close the browser page during the export. Otherwise, the export task will be interrupted.

    +
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0576.html b/docs/hss/umn/hss_01_0576.html
new file mode 100644
index 00000000..ba058a77
--- /dev/null
+++ b/docs/hss/umn/hss_01_0576.html
@@ -0,0 +1,18 @@
+ + +

Viewing WTP Reports

+

Once WTP is enabled, HSS will comprehensively check protected directories you specified. You can check records about detected tampering attacks.

+

Constraints

Only the servers that are protected by the HSS WTP edition support the operations described in this section.

+
+

Prerequisites

Agent Status of the server is Online, and its WTP Status is Enabled.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. Choose Prevention > Web Tamper Protection and click the Servers tab. Click View Report in the Operation column of a server. Click More > View Report in the Operation column of a server.

    Figure 1 Viewing a protection report
    +

  4. View details on the report page.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0590.html b/docs/hss/umn/hss_01_0590.html
new file mode 100644
index 00000000..139fa558
--- /dev/null
+++ b/docs/hss/umn/hss_01_0590.html
@@ -0,0 +1,1717 @@
+
+
+

Editions and Features

+

HSS comes in the enterprise, premium, Web Tamper Protection (WTP), and container editions, providing asset management, vulnerability management, baseline check, intrusion detection, ransomware protection, web tamper protection, and container image security functions. For details about the features of the editions, see Edition Details.

+

Features

HSS provides asset management, baseline check, ransomware prevention, and intrusion detection features, enhancing server security in all aspects. For details about the features of different editions, see Edition Details.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 HSS functions and features

Feature

+

Description

+

Asset management

+

Provide centralized asset overview, asset fingerprint management, server management, and container management. You can check your asset running status, asset fingerprints, and asset types; and manage assets by server or container.

+

Vulnerability management

+

Detect vulnerabilities and risks in Linux, Windows, Web content management systems (Web-CMS), and applications.

+

Baseline check

+

Scan for unsafe settings, weak passwords, and password complexity policies in server OS and key software.

+

A security practice baseline can be used for scans. You can customize baseline sub-items used in scan.

+

You can repair and verify the detected risks.

+

Container image security

+

Scan the images that are running or displayed in your image list, and provide suggestions on how to fix vulnerabilities and malicious files.

+

Application protection

+

Protect running applications. You simply need to add probes to applications, without having to modify application files.

+

Currently, only Linux servers are supported, and only Java applications can be connected.

+

Web page tampering prevention

+

Detect and prevent tampering of files in specified directories, including web pages, documents, and images, and quickly restore them using valid backup files.

+

Ransomware prevention

+

Detect known ransomware and support user-defined ransomware backup and restoration policies.

+

File integrity monitoring

+

Check the files in the Linux OS, applications, and other components to detect tampering.

+

Intrusion detection

+

Identify and prevent intrusion to servers, discover risks in real time, detect and kill malicious programs, and identify web shells and other threats.

+

Container intrusion detection

+

Scan running containers for malicious programs including miners and ransomware; detect non-compliant security policies, file tampering, and container escape; and provide suggestions.

+

Whitelist management

+

To reduce false alarms, import events to and export events from the whitelist. Whitelisted events will not trigger alarms.

+

Policy management

+

You can group policies and servers to batch apply policies to servers, easily adapting to your business scenarios.

+

Security report

+

Check weekly or monthly server security trend, key security events, and risks.

+

Security configuration

+

Configure common login locations, common login IP addresses, the SSH login IP address whitelist, and automatic isolation and killing of malicious programs.

+
+
+
+

Recommended Editions

+
+

Edition Details

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2 Editions

Function

+

Item

+

Description

+

Enterprise

+

Premium

+

WTP

+

Container

+

Supported OS

+

Check Frequency

+

Assets

+

Collect statistics on asset status and usage of all servers.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Servers & Quota

+

Manage all server assets, including their protection status, quotas, and policy allocation.

+

+

+

+

+

Linux and Windows

+

Note: Only Linux agents can be installed in batches.

+

-

+

Containers & Quota

+

Manage container nodes and container images.

+

×

+

×

+

×

+

+

Linux

+

-

+

Asset Fingerprints

+

Account

+

Check and manage server accounts all in one place.

+

+

+

+

+

Linux and Windows

+

Automatic check every hour

+

Open ports

+

Check open ports all in one place and identify high-risk and unknown ports.

+

+

+

+

+

Linux and Windows

+

Automated check every 30 seconds

+

Processes

+

Check running applications all in one place and identify malicious applications.

+

+

+

+

+

Linux and Windows

+

Automatic check every hour

+

Installed software

+

Check and manage server software all in one place and identify insecure versions.

+

+

+

+

+

Linux and Windows

+

Automatic check every day

+

Auto-startup

+

Check auto-startup entries and collect statistics on entry changes in a timely manner.

+

+

+

+

+

Linux and Windows

+

Automatic check every hour

+

Web applications

+

Check details about software used for web content push and release, including versions, paths, configuration files, and associated processes of all software.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Web services

+

Check details about the software used for web content access, including versions, paths, configuration files, and associated processes of all software.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Web framework

+

Check statistics about frameworks used for web content presentation, including their versions, paths, and associated processes.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Websites

+

You can check statistics about web directories and sites that can be accessed from the Internet. You can view the directories and permissions, access paths, external ports, and key processes of websites.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Middleware

+

Check information about servers, versions, paths, and processes associated with middleware.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Databases

+

Check details about software that provides data storage, including versions, paths, configuration files, and associated processes of all software.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Kernel module

+

Check information about all the program module files running in kernels, including associated servers, version numbers, module descriptions, driver file paths, file permissions, and file hashes.

+

+

+

+

+

Linux

+

Once a week (04:10 a.m. every Monday)

+

Vulnerability Management

+

Linux vulnerability detection

+

Based on the vulnerability database, check and handle vulnerabilities in the software (such as kernel, OpenSSL, vim, glibc) you obtained from official Linux sources and have not compiled.

+

+

+

+

+

Linux

+
  • Automatic scan (reporting based on the software asset collection period)
  • Scheduled scan (once a week by default)
  • Manual scan
+

Windows vulnerability detection

+

Detect vulnerabilities in Windows OS based on the official patch releases of Microsoft.

+

+

+

+

+

Windows

+
  • Automatic scan (reporting based on the software asset collection period)
  • Scheduled scan (once a week by default)
  • Manual scan
+

Web-CMS vulnerability detection

+

Scan for Web-CMS vulnerabilities in web directories and files.

+

+

+

+

+

Linux and Windows

+
  • Automatic scan (reporting based on the software asset collection period)
  • Scheduled scan (once a week by default)
  • Manual scan
+

Application vulnerability detection

+

Detect vulnerabilities in JAR packages, ELF files, and other files of open source software, such as Log4j and spring-core.

+

+

+

+

+

Linux

+
  • Once a week (05:00 a.m. every Monday)
  • Manual scan
+

Unsafe settings check

+

Password policy check

+

Check password complexity policies and modify them based on suggestions provided by HSS to improve password security.

+

+

+

+

+

Linux

+
  • Automatic check in the early morning every day
  • Manual scan
+

Weak password check

+

Change weak passwords to stronger ones based on HSS scan results and suggestions.

+

+

+

+

+

Linux

+
  • Automatic check in the early morning every day
  • Manual scan
+

Unsafe configurations

+

Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS.

+

+

+

+

+

Linux and Windows

+
  • Automatic check in the early morning every day
  • Manual scan
+

Container image security

+

Container image vulnerability management

+

Detect and manage vulnerabilities in local images and private image repositories based on a vulnerability database, and handle critical vulnerabilities in a timely manner.

+

×

+

×

+

×

+

+

Linux

+
  • Automatic check in the early morning every day
  • Manual scan
+

Malicious image file detection

+

Scan images for malicious files (such as Trojans, worms, viruses, and adware) and identify risks.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Image baseline check

+

Check for insecure configurations based on 18 types of container baselines.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Application protection

+

SQL injection

+

Detect and defend against SQL injection attacks, and check web applications for related vulnerabilities.

+

×

+

+

+

+

Linux

+

Real-time check

+

OS command injection

+

Detect and defend against remote OS command injection attacks and check web applications for related vulnerabilities.

+

×

+

+

+

+

Linux

+

Real-time check

+

XSS

+

Detect and defend against stored cross-site scripting (XSS) injection attacks.

+

×

+

+

+

+

Linux

+

Real-time check

+

Log4jRCE vulnerability

+

Detect and defend against remote code execution.

+

×

+

+

+

+

Linux

+

Real-time check

+

Web shell upload

+

Detect and defend against attacks that upload dangerous files, change file names, or change file name extension types; and check web applications for related vulnerabilities.

+

×

+

+

+

+

Linux

+

Real-time check

+

XXE attack

+

Detect and defend against XML External Entity Injection (XXE) attacks, and check web applications for related vulnerabilities.

+

×

+

+

+

+

Linux

+

Real-time check

+

Deserialization input

+

Detect deserialization attacks that exploit unsafe classes.

+

×

+

+

+

+

Linux

+

Real-time check

+

File directory traversal

+

Check whether sensitive directories or files are accessed.

+

×

+

+

+

+

Linux

+

Real-time check

+

Struts2 OGNL

+

Detect OGNL code execution.

+

×

+

+

+

+

Linux

+

Real-time check

+

Command execution using JSP

+

Detect command execution using JSP.

+

×

+

+

+

+

Linux

+

Real-time check

+

File deletion using JSP

+

Detects file deletion using JSP.

+

×

+

+

+

+

Linux

+

Real-time check

+

Database connection exception

+

Detect authentication and communication exceptions thrown by database connections.

+

×

+

+

+

+

Linux

+

Real-time check

+

0-day vulnerability

+

Check whether the stack hash of a command is in the whitelist of the web application.

+

×

+

+

+

+

Linux

+

Real-time check

+

SecurityManager permission exception

+

Detect exceptions thrown by SecurityManager.

+

×

+

+

+

+

Linux

+

Real-time check

+

Web page tampering prevention

+

Static WTP

+

Protect the static web page files on your website servers from malicious modification.

+

×

+

×

+

+

×

+

Linux and Windows

+

Real-time check

+

Dynamic WTP

+

Protect the dynamic web page files in your website databases from malicious modification.

+

×

+

×

+

+

×

+

Linux

+

Real-time check

+

Ransomware prevention

+

Ransomware prevention

+

Help you identify and detect known ransomware attacks and restore services using ransomware backups.

+

×

+

+

+

+

Linux and Windows

+

Real-time check

+

File integrity monitoring

+

File Integrity

+

Check the files in the Linux OS, applications, and other components to detect tampering.

+

×

+

+

+

+

Linux

+

Real-time check

+

Intrusion detection

+

Malicious program

+

Check and handle detected malicious programs all in one place, including web shells, Trojan, mining software, worms, and viruses.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Virus

+

Check servers in real time and report alarms for viruses detected on servers.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Trojan

+

Detect programs that are hidden in normal programs and have special functions such as damaging and deleting files, sending passwords, and recording keyboards. If a program is detected, an alarm is reported immediately.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Botnet

+

Detect whether zombie programs that have been spread exist in servers and report alarms immediately after detecting them.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Web shell

+

Detect web shell attacks in the server system in real time and report alarms immediately after detecting them.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Rootkit

+

Detect server assets and report alarms for suspicious kernel modules, files, and folders.

+

+

+

+

+

Linux

+

Real-time check

+

Ransomware

+

Check ransomware embedded in media such as web pages, software, emails, and storage media.

+

Ransomware is used to encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion.

+

×

+

+

+

+

Linux and Windows

+

Real-time check

+

Hacker tool

+

Check whether non-standard tool used to control the server exist and report alarms immediately after detecting them.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Web shell

+

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

+
  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warning on trusted files.
  • You can use the manual detection function to scan for web shells on servers.
+

+

+

+

+

Linux and Windows

+

Real-time check

+

Mining

+

Detect whether mining software exists on servers in real time and report alarms for the detected software.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Remote code execution

+

Check whether the server is remotely called in real time and report an alarm immediately once remote code execution is detected.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Reverse shell

+

Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.

+

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

+

+

+

+

+

Linux

+

Real-time check

+

File privilege escalation

+

Check the file privilege escalations in your system.

+

+

+

+

+

Linux

+

Real-time check

+

Process privilege escalation

+
The following process privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities
+
+

+

+

+

+

Linux

+

Real-time check

+

Change in critical file

+

Receive alarms when critical system files are modified.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

File/Directory change

+

System files and directories are monitored. If a file or directory is modified, an alarm is generated, indicating that the file or directory may be tampered with.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Abnormal process behavior

+

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

+

Send alarms on unauthorized process operations and intrusions.

+

The following abnormal process behavior can be detected:

+
  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections
+

+

+

+

+

Linux and Windows

+

Real-time check

+

High-risk command execution

+

Receive real-time alarms on high-risk commands.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Abnormal shell

+

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

+

+

+

+

+

Linux

+

Real-time check

+

Suspicious crontab task

+

Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.

+

You can get notified immediately when abnormal automatic auto-start items are detected and quickly locate Trojans.

+

×

+

+

+

+

Linux and Windows

+

Real-time check

+

Windows defender protection disabled

+

Detect the preparations for ransomware encryption: Disable the Windows defender real-time protection function through the registry. Once the function is disabled, an alarm is reported immediately.

+

+

+

+

+

Windows

+

Real-time check

+

Backup deletion

+

Detect the preparations for ransomware encryption: Delete backup files or files in the Backup folder. Once backup deletion is detected, an alarm is reported immediately.

+

+

+

+

+

Windows

+

Real-time check

+

Suspicious registry operation

+

Detect operations such as disabling the system firewall through the registry and using the ransomware Stop to modify the registry and write specific strings in the registry. An alarm is reported immediately when such operations are detected.

+

+

+

+

+

Windows

+

Real-time check

+

Brute-force attack defense

+

Check for brute-force attack attempts and successful brute-force attacks.

+
  • Your accounts are protected from brute-force attacks. HSS will block the attacking hosts when detecting such attacks.
  • Trigger an alarm if a user logs in to the server by a brute-force attack.
+

+

+

+

+

Linux and Windows

+

Real-time check

+

Abnormal login

+

Check and handle remote logins.

+

If a user's login location is not any common login location you set, an alarm will be triggered.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Invalid account

+

Scan accounts on servers and list suspicious accounts in a timely manner.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

User account added

+

Detect the commands used to create hidden accounts. Hidden accounts cannot be found in the user interaction interface or be queried by commands.

+

+

+

+

+

Windows

+

Real-time check

+

Password theft

+

Detect the abnormal obtaining of hash value of system accounts and passwords on servers and report alarms.

+

+

+

+

+

Windows

+

Real-time check

+

Port scan

+

Detect scanning or sniffing on specified ports and report alarms.

+

×

+

+

+

+

Linux

+

Real-time check

+

Host scan

+

Detect the network scan activities based on server rules (including ICMP, ARP, and nbtscan) and report alarms.

+

×

+

+

+

+

Linux

+

Real-time check

+

Container intrusion detection

+

Vulnerability escape

+

An escape alarm is reported if a container process behavior that matches the behavior of known vulnerabilities is detected.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

File escape

+

An alarm is reported if a container process is found accessing a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Abnormal container process

+
  • Malicious container program

    Monitor container process behavior and process file fingerprints. An alarm is reported if it detects a process whose behavior characteristics match those of a predefined malicious program.

    +
  • Abnormal process

    An alarm is reported if a process not in the whitelist is running in the container.

    +
+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Abnormal container startup

+

The service monitors container startups and reports an alarm if it detects that a container with too many permissions is started.

+

Container check items include:

+
  • Privileged container startup (privileged:true)
  • Too many container capabilities (capability:[xxx])
  • Seccomp not enabled (seccomp=unconfined)
  • Container privilege escalation (no-new-privileges:false)
  • High-risk directory mapping (mounts:[...])
+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

High-risk system call

+

You can run tasks in kernels by Linux system calls. The container edition reports an alarm if it detects a high-risk call.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Container image blocking

+

If a container contains insecure images specified in the suspicious image behavior policy, before the container is started, an alarm will be generated and the insecure images will be blocked.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Sensitive file access

+

The service monitors the container image files associated with file protection policies, and reports an alarm if the files are modified.

+

×

+

×

+

×

+

+

Linux

+

Real-time check

+

Whitelist management

+

Alarm whitelist

+

You can add an alarm to the whitelist when handling it.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Login Whitelist

+

Some alarms can be added to the alarm whitelist.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Policy management

+

Querying and editing rule configurations

+

You can define and issue different detection policies for different servers or server groups, implementing refined security operations.

+
  • Check the policy group list.
  • Create a policy group based on default and existing policy groups.
  • Define a policy.
  • Edit or delete a policy.
  • Modify or disable policies in a group.
  • Apply policies to servers in batches on the Servers & Quota page.
+

√ (Only the default enterprise policy group is supported.)

+

+

+

+

Linux and Windows

+

Real-time check

+

Security report

+

Server security report

+

Check weekly or monthly server security trend, key security events, and risks.

+

+

+

+

+

Linux and Windows

+

-

+

Security configuration

+

Agent management

+

You can view the agent status of all servers and upgrade, uninstall, and install agents.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Common login location

+

For each server, you can configure the locations where users usually log in from. The service will generate alarms on logins originated from locations other than the configured common login locations. A server can be added to multiple login locations.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Common login IP address

+

For each server, you can configure the IP addresses where users usually log in from. The service will generate alarms on logins originated from IP addresses other than the configured common IP addresses.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

Configuring an SSH login IP address whitelist

+

The SSH login whitelist controls SSH access to servers to prevent account cracking.

+

After you configure the whitelist, SSH logins will be allowed only from whitelisted IP addresses.

+

+

+

+

+

Linux

+

Real-time check

+

Malicious program isolation and removal

+

HSS automatically isolates and kills identified malicious programs, such as web shells, Trojans, and worms, removing security risks.

+

+

+

+

+

Linux and Windows

+

Real-time check

+

2FA

+

Prevent brute-force attacks by using password and SMS/email authentication.

+

+

+

+

+

Linux and Windows

+

-

+

Alarm configuration

+

After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers, containers, and web pages.

+

+

+

+

+

Linux and Windows

+

-

+
+
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0596.html b/docs/hss/umn/hss_01_0596.html
new file mode 100644
index 00000000..3582183c
--- /dev/null
+++ b/docs/hss/umn/hss_01_0596.html
@@ -0,0 +1,16 @@
+
+
+

Deleting a Policy Group

+

Preset policy groups cannot be deleted. You can delete custom policy groups of premium edition and container edition.

+

Constraints

After a policy group is deleted, the Policy Group column of the servers that were associated with the group will be blank. You need to deploy a policy group for a server again by referring to Deploying a Policy.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
  3. In the navigation tree on the left, choose Security Operations > Policies
  1. Click Delete in the Operation column of the target policy.

    You can also select multiple policies and click Delete in the upper left corner of the policy list to delete multiple policy groups in batches.

    +

  2. Click OK.
+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0597.html b/docs/hss/umn/hss_01_0597.html
new file mode 100644
index 00000000..9b549a85
--- /dev/null
+++ b/docs/hss/umn/hss_01_0597.html
@@ -0,0 +1,16 @@
+
+
+

Exporting the Baseline Check Report

+

This section describes how to export a baseline check report.

+

Constraints

Only enterprise edition, premium edition, web tamper protection edition, and container edition are supported.

+
+

Procedure

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Prediction > Baseline Checks.
  3. Click the Unsafe Configurations or Common Weak Password Detection tab and click in the upper right corner of the list to download the filtered risk alarms.

    • On the Unsafe Configurations page, you can click the image in the corresponding column to search for and download alarms based on risk level and type.
    • On the Common Weak Password Detection tab, enter the server name, IP address, or account name in the upper right corner of the list, and click to search for and download the target content.
    • A maximum of 5,000 risk check reports can be downloaded at a time from the Unsafe Configurations and Common Weak Password Detection pages.
    +

+
+
+
+ +
+
diff --git a/docs/hss/umn/hss_01_0603.html b/docs/hss/umn/hss_01_0603.html
new file mode 100644
index 00000000..a0cf10d3
--- /dev/null
+++ b/docs/hss/umn/hss_01_0603.html
@@ -0,0 +1,25 @@
+
+
+

Querying Real-Time Traces

+

Scenarios

After you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. CTS stores operation records generated in the last seven days.

+

This section describes how to query and export operation records of the last seven days on the CTS console.

+ +
+

Viewing Real-Time Traces in the Trace List

  1. Log in to the management console.
  2. Click in the upper left corner and choose Management & Deployment > Cloud Trace Service. The CTS console is displayed.
  3. Choose Trace List in the navigation pane on the left.
  4. Set filters to search for your desired traces, as shown in Figure 1. The following filters are available:
    Figure 1 Filters
    +
    • Trace Type, Trace Source, Resource Type, and Search By: Select a filter from the drop-down list.
      • If you select Resource ID for Search By, specify a resource ID.
      • If you select Trace name for Search By, specify a trace name.
      • If you select Resource name for Search By, specify a resource name.
      +
    • Operator: Select a user.
    • Trace Status: Select All trace statuses, Normal, Warning, or Incident.
    • Time range: You can query traces generated during any time range in the last seven days.
    • Click Export to export all traces in the query result as a CSV file. The file can contain up to 5000 records.
    +
    +
  5. Click Query.
  6. On the Trace List page, you can also export and refresh the trace list.
    • Click Export to export all traces in the query result as a CSV file. The file can contain up to 5000 records.
    • Click to view the latest information about traces.
    +
  7. Click on the left of a trace to expand its details.

    +

    +

    +
  8. Click View Trace in the Operation column. The trace details are displayed.

    +
  9. For details about key fields in the trace structure, see section "Trace References" > "Trace Structure" and section "Trace References" > "Example Traces" in the CTS User Guide.
+
+
+
+ +
+
diff --git a/docs/hss/umn/public_sys-resources/caution_3.0-en-us.png b/docs/hss/umn/public_sys-resources/caution_3.0-en-us.png
new file mode 100644
index 00000000..60f60762
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/caution_3.0-en-us.png differ
diff --git a/docs/hss/umn/public_sys-resources/danger_3.0-en-us.png b/docs/hss/umn/public_sys-resources/danger_3.0-en-us.png
new file mode 100644
index 00000000..47a9c723
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/danger_3.0-en-us.png differ
diff --git a/docs/hss/umn/public_sys-resources/delta.gif b/docs/hss/umn/public_sys-resources/delta.gif
new file mode 100644
index 00000000..0d1b1f67
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/delta.gif differ
diff --git a/docs/hss/umn/public_sys-resources/deltaend.gif b/docs/hss/umn/public_sys-resources/deltaend.gif
new file mode 100644
index 00000000..cc7da0fc
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/deltaend.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-arrowdn.gif b/docs/hss/umn/public_sys-resources/icon-arrowdn.gif
new file mode 100644
index 00000000..37942803
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-arrowdn.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-arrowrt.gif b/docs/hss/umn/public_sys-resources/icon-arrowrt.gif
new file mode 100644
index 00000000..6aaaa11c
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-arrowrt.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-caution.gif b/docs/hss/umn/public_sys-resources/icon-caution.gif
new file mode 100644
index 00000000..079c79b2
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-caution.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-danger.gif b/docs/hss/umn/public_sys-resources/icon-danger.gif
new file mode 100644
index 00000000..079c79b2
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-danger.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-huawei.gif b/docs/hss/umn/public_sys-resources/icon-huawei.gif
new file mode 100644
index 00000000..a31d60f8
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-huawei.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-note.gif b/docs/hss/umn/public_sys-resources/icon-note.gif
new file mode 100644
index 00000000..31be2b03
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-note.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-notice.gif b/docs/hss/umn/public_sys-resources/icon-notice.gif
new file mode 100644
index 00000000..40907065
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-notice.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-tip.gif b/docs/hss/umn/public_sys-resources/icon-tip.gif
new file mode 100644
index 00000000..c47bae05
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-tip.gif differ
diff --git a/docs/hss/umn/public_sys-resources/icon-warning.gif b/docs/hss/umn/public_sys-resources/icon-warning.gif
new file mode 100644
index 00000000..079c79b2
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/icon-warning.gif differ
diff --git a/docs/hss/umn/public_sys-resources/note_3.0-en-us.png b/docs/hss/umn/public_sys-resources/note_3.0-en-us.png
new file mode 100644
index 00000000..57a0e1f5
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/note_3.0-en-us.png differ
diff --git a/docs/hss/umn/public_sys-resources/notice_3.0-en-us.png b/docs/hss/umn/public_sys-resources/notice_3.0-en-us.png
new file mode 100644
index 00000000..fa4b6499
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/notice_3.0-en-us.png differ
diff --git a/docs/hss/umn/public_sys-resources/warning_3.0-en-us.png b/docs/hss/umn/public_sys-resources/warning_3.0-en-us.png
new file mode 100644
index 00000000..def5c356
Binary files /dev/null and b/docs/hss/umn/public_sys-resources/warning_3.0-en-us.png differ