
Application Recognition Service

User Guide

Issue 02

Date 2017-06-09

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://e.huawei.com

Issue 02 (2017-06-09) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Contents

1 Introduction
1.1 Concepts
1.1.1 ARS
1.1.2 Local Processes
1.1.3 Process Status
1.2 Application Scenarios
1.3 Functions
1.4 Accessing and Using ARS
1.4.1 How to Access ARS
1.4.2 How to Use ARS
1.4.3 Related Services

2 Management
2.1 Installing an ARS Agent
2.2 Viewing ARS Information
2.3 Enabling ARS
2.4 Configuring Policies
2.5 Managing Local Processes
2.5.1 Querying Local Processes
2.5.2 Managing Local Process Statuses
2.5.3 Managing the Historical Records of Local Processes
2.6 Disabling ARS
2.7 Uninstalling an ARS Agent

3 FAQs
3.1 What Are Local Processes?
3.2 What Are Hash Values of Local Processes?

A Change History


1 Introduction

1.1 Concepts

1.1.1 ARS

Application Recognition Service (ARS) is an intelligent process management service that helps ensure the security of Elastic Cloud Servers (ECSs). ARS monitors the running of programs based on a customizable whitelist mechanism.

1.1.2 Local Processes

Local processes are all programs that are running on ECSs.

1.1.3 Process Status

ARS uses a set of rules to determine whether the status of a process is Unknown, Trusted, or Untrusted.

1.2 Application Scenarios

ARS provides the process status management function for ECSs on which ARS clients are installed. ARS monitors local processes and records malware, such as Trojan horses and brute force software, to ensure ECS security.

1.3 Functions

ARS allows you to:

- Enable/Disable ARS and configure ARS policies.

  You can use the ARS management console to enable or disable ARS for an ECS and configure periodical checks on local processes.

- Manage local processes.

  You can use the ARS management console to change the current statuses of local processes. You can also delete historical records and change the historical statuses of local processes.

1.4 Accessing and Using ARS

1.4.1 How to Access ARS

You can use the management console to access ARS. If you have registered a public cloud account, log in to the management console and choose Security > Application Recognition Service on the homepage.

1.4.2 How to Use ARS

You can view information about local processes, such as their statuses, file hash values, and start time, on an ARS-enabled ECS. This enables you to identify risky processes on an ECS in a timely manner.

In addition, you can change processes' statuses based on their states of security.

1.4.3 Related Services

ECS

ARS manages processes for ECSs on which ARS clients are installed.

CTS

Cloud Trace Service (CTS) provides you with a history of ARS operations. After enabling CTS, you can view all generated traces to review and audit performed ARS operations. For details, see the Cloud Trace Service User Guide.

Table 1-1 ARS operations that CTS supports

| Operation | Resource Type | Trace Name |
|---|---|---|
| Configuring policies | ars | setConfigArs |
| Setting process statuses | ars | setProcessArs |
| Managing historical records of processes | ars | operateHistoryInfoArs |


2 Management

2.1 Installing an ARS Agent

Scenario

Before using ARS on an ECS, you must install an ARS agent. This section describes how to download and install an ARS agent on an ECS.

Prerequisites

- You have obtained a login account and password for the management console.

- Agent Status of the ECS is Unregistered.

Downloading an ARS Agent

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 Check Agent Status of the ECS. If its Agent Status is Unregistered, you must download and install an ARS agent.

Figure 2-1 Agent status

Step 4 Click Download an ARS client above the ECS list and select the agent version that corresponds to the OS of the ECS. After reading the ARS application scenarios, select I have read and understand Application scenarios of Application Recognition Service, and click OK.


Figure 2-2 Downloading an ARS agent

Step 5 After the agent installation package is downloaded, upload it to the ECS. An elastic IP address (EIP) must have already been bound to this ECS.

To use ARS, you need to bind an EIP to your ECS; otherwise, you cannot upload the agent installation program to the ECS.

----End

Installing an ARS Agent

You must log in to an ECS before you can install an ARS agent on it. To log in to an ECS, click its name, and then click Remote Login in the displayed ECS management console.

Step 1 Log in to the ECS and run the su - root command to switch to user root.

Step 2 Run the following command to switch to the directory containing the installation package:

cd directory containing the installation package

Step 3 Run one of the following commands to run the installation script:

- For an .rpm installation package, run the rpm -ivh name of the installation package command.

- For a .deb installation package, run the dpkg -i name of the installation package command.

For example, if the name of the installation package is hostguard-0.0.1-x86_64.rpm, run the following command:

rpm -ivh hostguard-0.0.1-x86_64.rpm

If information similar to the following is displayed, the ARS agent has been successfully installed:

Preparing... ########################## [100%]
1:hostguard ########################## [100%]
Hostguard is running.
Hostguard installed.

NOTE

- The agent installation path is /usr/local/hostguard.

- After the agent is successfully installed, the Agent service automatically starts.


Step 4 Run the following command to check the Agent service running status:

service hostguard status

If information similar to the following is displayed, the Agent service is running properly:

Hostguard is running

----End

2.2 Viewing ARS Information

Scenario

This section describes how to view general ARS information about ECSs, including ECS names, ECS statuses, agent statuses, and ARS statuses.

Prerequisites

You have obtained a login account and password for the management console.

Procedure

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 View general ARS information about ECSs.

NOTE

You can filter query results by selecting a status from the All ECS statuses drop-down list and entering a keyword for ECS name.

Figure 2-3 ECS list

Table 2-1 Parameter description

| Parameter | Description |
|---|---|
| ECS Name | Displays ECS names. |
| ECS Status | Displays the current status of an ECS. An ECS may be in any of the following statuses: Running; Creating; Faulty; Turned off. |
| Agent Status | Displays the current status of an agent. An agent may be in any of the following statuses: Unregistered (the agent has not been installed or successfully started); Online (the agent is running properly); Offline (the agent has been successfully installed but communication with the ECS has failed); Stopped (the ECS has been shut down). |
| ARS Status | Displays the status of ARS, including: ARS is enabled; ARS is disabled; ARS is unavailable. |

----End

2.3 Enabling ARS

Scenario

This section describes how to enable ARS for one or multiple ECSs.

Prerequisites

- You have obtained a login account and password for the management console.

- Agent Status of each ECS is Online and its ARS Status is .

Procedure

- Enabling ARS for one ECS

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the ECS for which you want to enable ARS, click to set Recognition Status to .


Figure 2-4 Enabling ARS for one ECS

Step 4 In the dialog box that is displayed, click OK.

----End

- Enabling ARS for multiple ECSs

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 Select the ECSs for which you want to enable ARS and click Enable ARS.

Figure 2-5 Enabling ARS for multiple ECSs

Step 4 In the dialog box that is displayed, click OK.

----End

2.4 Configuring Policies

Scenario

This section describes how to configure periodical process checks for one or multiple ECSs. If periodical process check is not enabled, you can click on the View local processes page to manually refresh the process information on an ECS.

Prerequisites

- You have obtained a login account and password for the management console.

- ARS Status of each ECS is .

Procedure

- Configuring periodical process check for one ECS

Step 1 Log in to the management console.


Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the ECS for which you want to configure policies, click Configure Policy in the Operation column.

Figure 2-6 Configuring a policy for one ECS

Step 4 In the dialog box that is displayed, set Periodic Process Check to Enable and specify Interval as required.

Step 5 Click OK.

----End

- Configuring periodical process check for multiple ECSs

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 Select the ECSs for which you want to configure policies, and click Configure Policy.

Figure 2-7 Configuring policies for multiple ECSs

Step 4 In the dialog box that is displayed, set Periodic Process Check to Enable and specify Interval as required.

Step 5 Click OK.

----End

2.5 Managing Local Processes

2.5.1 Querying Local Processes

Scenario

This section describes how to view information about local processes on an ECS, including their process statuses, process file paths, execution permissions, usernames, process file hash values, and start time.


Prerequisites

- You have obtained a login account and password for the management console.

- ARS Status of each ECS is .

Procedure

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 View information about local processes on the ECS. Table 2-2 describes the parameters.

NOTE

- You can click in the upper right corner to manually refresh information about the local processes.

- You can select a status from All process statuses to filter local processes.

Figure 2-8 Local process list

Table 2-2 Parameter description

| Parameter | Description |
|---|---|
| Process Status | Displays the current status of a process. |
| Process File Path | Displays the file path of a process. |
| Execution Permission | Displays the execution permissions of the process file. |
| Username | Displays the user who last executed the process. |
| Process File Hash Value | Displays the current hash value of the process file. |
| Start Time | Displays the most recent time that the process started. |


----End
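To cross-check the console's local process list from the ECS itself, the following added example (not part of ARS and not Huawei's code) collects the same fields for each running process and labels it from a local trust list by file hash. It assumes Linux /proc, GNU stat, procps ps, SHA-256 as the hash (the guide does not name the algorithm ARS uses), and a hypothetical trust list file with one "<Trusted|Untrusted> <sha256>" pair per line.

```shell
#!/bin/sh
# Added example, not part of ARS. Run as root on the ECS so that every
# process's /proc entry is readable.
# Assumptions: Linux /proc, GNU stat, procps ps, SHA-256 as the hash, and a
# hypothetical trust list with one "<Trusted|Untrusted> <sha256>" per line.

# classify_hash HASH LISTFILE: print Trusted, Untrusted or Unknown.
# A missing list, or a hash that is not listed, yields Unknown.
classify_hash() (
    # Appending "" forces a string comparison even for all-digit values.
    status=$(awk -v h="$1" '($2 "") == (h "") { print $1; exit }' "$2" 2>/dev/null) || status=
    case $status in
        Trusted|Untrusted) echo "$status" ;;
        *) echo "Unknown" ;;
    esac
)

# describe_pid PID LISTFILE: print one tab-separated row for the process:
# status, file path, execution permission, user name, file hash, start time.
# Prints nothing for kernel threads and for processes that have exited.
describe_pid() (
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || exit 0
    # Hash through /proc/PID/exe so the bytes hashed are those of the running
    # image, even if the file at that path was replaced or deleted since start.
    hash=$(sha256sum "/proc/$1/exe" 2>/dev/null | cut -d' ' -f1) || exit 0
    [ -n "$hash" ] || exit 0
    perm=$(stat -L -c '%A' "/proc/$1/exe" 2>/dev/null) || perm='?'
    user=$(stat -c '%U' "/proc/$1" 2>/dev/null) || user='?'
    start=$(ps -o lstart= -p "$1" 2>/dev/null) || start='?'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(classify_hash "$hash" "$2")" "$exe" "$perm" "$user" "$hash" "$start"
)

# inventory LISTFILE: one row per running process.
inventory() (
    for dir in /proc/[0-9]*; do
        describe_pid "${dir#/proc/}" "$1"
    done
)

# Usage: sh ars_crosscheck.sh /path/to/trustlist   (file names are hypothetical)
if [ "$#" -gt 0 ]; then
    inventory "$1"
fi
```

A hash that differs from the console's Process File Hash Value for the same path may only reflect a different hash algorithm, since the guide does not say which one ARS uses.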

2.5.2 Managing Local Process Statuses

Scenario

This section describes how to change statuses of local processes.

Prerequisites

- You have obtained a login account and password for the management console.

- ARS Status of each ECS is .

Procedure

- Changing the status of one process

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 In the row containing the process for which you want to change the status, click the desired status in the Operation column.

NOTE

The status of a process may be Trusted, Unknown, or Untrusted. You can switch a process from its current status to either of the other two statuses. For example, you can change a Trusted process to an Unknown or Untrusted one.

Figure 2-9 Changing the status of one process

Step 5 In the dialog box that is displayed, click OK.

----End

- Changing the statuses of multiple processes

Step 1 Log in to the management console.


Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 Change the statuses of multiple processes.

NOTE

The status of a process may be Trusted, Unknown, or Untrusted. You can switch a process from its current status to either of the other two statuses. For example, you can change a Trusted process to an Unknown or Untrusted one.

| If... | Then... |
|---|---|
| You want to change the statuses of multiple processes to Trusted | 1. Select the desired processes. 2. Click Set to Trusted above the process list. |
| You want to change the statuses of multiple processes to Untrusted | 1. Select the desired processes. 2. Click Set to Untrusted above the process list. |
| You want to change the statuses of multiple processes to Unknown | 1. Select the desired processes. 2. Click Set to Unknown above the process list. |

Figure 2-10 shows how to change the statuses of multiple processes to Trusted.

Figure 2-10 Changing the statuses of multiple processes to Trusted

Step 5 In the dialog box that is displayed, click OK.

----End

2.5.3 Managing the Historical Records of Local Processes

Scenario

This section describes how to query and delete the historical records of local processes or change their historical statuses.

Prerequisites

- You have obtained a login account and password for the management console.

- ARS Status of each ECS is .


Procedure

- Querying the historical records of a local process

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 In the row containing the process to be queried, click to display its historical records.

NOTE

A maximum of 10 historical records can be displayed.

Figure 2-11 Querying historical records

----End

- Managing one historical record

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 In the row containing the target process, click to display its historical records.

Step 5 Manage a historical record by deleting it or changing its historical status.

Figure 2-12 Managing one historical record


Step 6 In the dialog box that is displayed, click OK.

----End

- Deleting multiple historical records

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 In the row containing the desired ECS, click View local processes in the Operation column to open the local process list.

Step 4 Select the historical records to be deleted.

Step 5 Click Delete above the list of historical records.

Figure 2-13 Deleting multiple historical records

Step 6 In the dialog box that is displayed, click OK.

----End

2.6 Disabling ARS

Scenario

This section describes how to disable ARS for one or multiple ECSs.

Prerequisites

- You have obtained a login account and password for the management console.

- ARS Status of each ECS is .

Procedure

- Disabling ARS for one ECS

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.


Step 3 In the row containing the ECS for which you want to disable ARS, click to set Recognition Status to .

Figure 2-14 Disabling ARS for one ECS

Step 4 In the dialog box that is displayed, click OK.

----End

- Disabling ARS for multiple ECSs

Step 1 Log in to the management console.

Step 2 Choose Security > Application Recognition Service to navigate to the ECS List page.

Step 3 Select the ECSs for which you want to disable ARS, and click Disable ARS.

Figure 2-15 Disabling ARS for multiple ECSs

Step 4 In the dialog box that is displayed, click OK.

----End

2.7 Uninstalling an ARS Agent

Procedure

Step 1 Log in to the ECS from which you want to uninstall the ARS agent and run the su - root command to switch to user root.

Step 2 Run one of the following commands under any directory to uninstall the ARS agent:

- For an .rpm installation package, run the rpm -e --nodeps hostguard command.

- For a .deb installation package, run the dpkg -P hostguard command.

If information similar to the following is displayed, the ARS agent has been successfully uninstalled:

Stopping Hostguard...
Hostguard stopped
Hostguard uninstalled.

----End


3 FAQs

3.1 What Are Local Processes?

Local processes are all programs that are running on ECSs.

3.2 What Are Hash Values of Local Processes?

A hash value uniquely identifies the historical status of a process.


A Change History

| Released On | Description |
|---|---|
| 2017-06-09 | This is the second official release. Changed ARS description. |
| 2017-03-30 | This is the first official release. |
