Policy Management Overview

What Is a Policy Group?

HSS comes in multiple editions, including enterprise, premium, WTP, and container editions. They each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to servers to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection.

You can create custom policy groups for HSS premium and container editions. If you have multiple servers protected by the premium or container edition but have different protection requirements for them, you can create custom policy groups for different servers and deploy different policy groups. For details, see Creating a Custom Policy Group.

What Policies Does a Policy Group Contain?

Policy groups vary by edition, as shown in Table 1. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. For details, see Configuring Policies.

Table 1 Policies

Columns: Function Type | Policy | Action | Supported OS | Enterprise Edition | Premium Edition | WTP Edition | Container Edition (Y: included in that edition's policy group; x: not included)

Function type: Assets

  Policy: Asset discovery
  Action: Scan and display all software in one place, including software name, path, and major applications, helping you identify abnormal assets.
  Supported OS: Linux and Windows
  Enterprise: x | Premium: Y | WTP: Y | Container: Y

Function type: Baseline Inspection

  Policy: Weak password detection
  Action: Change weak passwords to stronger ones based on HSS scan results and suggestions.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Container information collection
  Action: Collect information about all containers on a server, including ports and directories, and report alarms for risky information.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Configuration check
  Action: Check the unsafe Tomcat, Nginx, and SSH login configurations found by HSS.
  Supported OS: Linux and Windows
  Enterprise: x | Premium: Y | WTP: Y | Container: Y

Function type: Intrusions

  Policy: AV detection
  Action: Check server assets and report, isolate, and kill the detected viruses.
    The generated alarms are displayed under Intrusion Detection > Alarms > Server Alarms > Event Types > Malware.
    After AV detection is enabled, the CPU usage does not exceed 40% of a single vCPU. The actual CPU usage depends on the server status.
  Supported OS: Windows
  Enterprise: Y | Premium: Y | WTP: Y | Container: x

  Policy: Cluster intrusion detection
  Action: Detect container high-privilege changes, creation in key information, and virus intrusion.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Container escape
  Action: Check for and generate alarms on container escapes.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Container information module
  Action: You can configure a trusted container whitelist based on the container name, organization name to which the image belongs, and namespace. HSS does not detect or generate alarms for whitelisted containers.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Web shell detection
  Action: Scan web directories on servers for web shells.
  Supported OS: Linux and Windows
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Container file monitoring
  Action: Detect file access that violates security policies, so that security O&M personnel can check whether hackers are intruding and tampering with sensitive files.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Container process whitelist
  Action: Check for process startups that violate security policies.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Suspicious image behaviors
  Action: Configure the blacklist and whitelist and customize permissions to ignore abnormal behaviors or report alarms.
  Supported OS: Linux
  Enterprise: x | Premium: x | WTP: x | Container: Y

  Policy: Fileless attack detection
  Action: Scan for process injection, dynamic library injection, and memory file process behavior in user assets.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: HIPS detection
  Action: Check registries, files, and processes, and report alarms for operations such as abnormal changes.
  Supported OS: Windows
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: File protection
  Action: Check the files in the Linux OS, applications, and other components to detect tampering.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Login security check
  Action: Detect brute-force attacks on SSH, FTP, and MySQL accounts.
    If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address will be blocked.
    By default, suspicious SSH attackers are blocked for 12 hours. Other types of suspicious attackers are blocked for 24 hours. You can check whether the IP address is trustworthy based on its attack type and how many times it has been blocked. You can manually unblock the IP addresses you trust.
  Supported OS: Linux and Windows
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Malicious file detection
  Action:
    • Reverse shell: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.
    • Abnormal shell: Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Port scan detection
  Action: Detect scanning or sniffing on specified ports and report alarms.
  Supported OS: Linux
  Enterprise: x | Premium: Y | WTP: Y | Container: Y

  Policy: Abnormal process behaviors
  Action: All the running processes on all your servers are monitored for you. You can create a process whitelist to ignore alarms on trusted processes, and can receive alarms on unauthorized process behavior and intrusions.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Root privilege escalation
  Action: Detect root privilege escalation for files in the current system.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Real-time process
  Action: Monitor the executed commands in real time and generate alarms if high-risk commands are detected.
  Supported OS: Linux and Windows
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

  Policy: Rootkit detection
  Action: Detect server assets and report alarms for suspicious kernel modules, files, and folders.
  Supported OS: Linux
  Enterprise: Y | Premium: Y | WTP: Y | Container: Y

Function type: Self-protection

  Policy: Self-protection
  Action: Protect HSS files, processes, and software from malicious programs, which may uninstall HSS agents, tamper with HSS files, or stop HSS processes.
    • Self-protection depends on antivirus detection, HIPS detection, and ransomware protection. It takes effect only when more than one of the three functions is enabled.
    • Enabling the self-protection policy has the following impacts:
      • The HSS agent cannot be uninstalled on the control panel of a server, but can be uninstalled on the HSS console.
      • HSS processes cannot be terminated.
      • In the agent installation path C:\Program Files\HostGuard, you can only access the log and data directories (and the upgrade directory, if your agent has been upgraded).
  Supported OS: Windows
  Enterprise: x | Premium: Y | WTP: Y | Container: x