NOTE:

Follow the steps in this section if VSP-Host is configured

VSP HOST PROFILE TEMPLATE CREATION


 

To create a template profile for containers, follow the steps below:

  1. Navigate to Manage > Host > Host Protection in the left navigation pane

  2. Click TEMPLATE

  3. Provide the following information

    1. Name – Name of the profile

    2. Library Monitoring – Select the box to enable Library Monitoring

    3. Auto Allowlist – Select the box to auto-allowlist files with the reputation “SAFE”

    4. Auto Allowlist Unknown files from Reference Host Scan – Auto allowlist files with reputation "UNKNOWN"

    5. Auto Allowlist Unknown files from Reference Host Scans and Incidents – Auto allowlist files with reputation "UNKNOWN" and source "INCIDENTS"

    6. Allow New Publisher/Package – Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      1. When enabled, the publisher/package is automatically added to the allowlist with the source as "SCAN". When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, the Publishers/Packages are listed in the respective lists only when they are accessed, with the source as "Incident" and without any incidents reported in CMS

      2. When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, incidents are reported only when the Publishers/Packages are accessed, and the Publishers/Packages are listed in the respective lists with the source as "Incident"

      3. The user can modify the allowlist as required at any point. The modified list is published to the Probe

    7. Default Monitoring Mode – Select the monitoring mode as Protect or Detect. This is applicable for all hosts except the reference host used to create the allowlist. Ensure that the monitoring mode is explicitly set for the reference host once the host scan is complete and the allowlist is published. For subsequent hosts associated with the profile, the default Mode is applied automatically

    8. App Control Policy Name – Select the appropriate App Control policy from the drop-down list. This is an optional field. Select None from the drop-down if no profile needs to be configured

    9. Protection Profile Name – Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant for that OS are populated. This is an optional field. Select None from the drop-down if no profile needs to be configured

    10. Exclusions for Allowlist – This is the list of directories that need to be excluded from process and library monitoring. Processes and libraries launched from these directories are not reported as incidents. Add each directory individually and press the Return key. Normal regex syntax can be used. This is a local list applicable only to the profile being created

 

NOTE:

The mounted folders are auto-excluded during the initial system scan

 

  NOTE:

  Follow the workflow below to generate a Process Profile:

  1. Create a pod template process profile with the required settings. The created template is used for all new VSP-protected pods/containers that come up

  2. Run the application container through VSP VDT and CD tools to enable VSP protection for a given application container

  3. Launch the VSP-protected pod/container

  4. When the VSP controller is launched, it will first register with VSP CMS automatically by sending information about the VSP-protected application containers

  5. A process profile will be generated automatically using the pod template as a reference

    1. Applications that share the same pod name (in K8s) OR replicas of the same container are automatically assigned to the same process profile

  6. When the VSP Host Monitoring Module (HMM) is started, it automatically downloads the application container's allowlist generated during the VSP VDT phase

  7. VSP HMM uses the application container's allowlist and the process profile settings to determine any unknown processes/libraries

  4. Click SAVE
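
A pre-check for the Exclusions for Allowlist field described above, as an added example that is not part of the product or its documentation: it compiles each candidate regex and reports any that also match directories that should stay monitored. The canary paths, sample patterns, function name and unanchored (search) matching are assumptions; the page does not state how VSP anchors patterns.

```python
import re

# Constructed canary paths: directories that should stay monitored.
# An exclusion regex that matches any of them is broader than intended.
CANARY_DIRS = [
    "/tmp", "/var/tmp", "/dev/shm",   # world-writable locations
    "/usr/bin", "/usr/lib",           # core system binaries and libraries
    "/tmp/opt/app/bin",               # application path recreated under /tmp
]

def audit_exclusions(patterns, canaries=CANARY_DIRS):
    """Return (broad, invalid).

    broad:   {pattern: [canary dirs it matches]}
    invalid: {pattern: regex compile error}

    Assumption: unanchored (search) matching against the directory path,
    the most permissive reading of "normal regex syntax".
    """
    broad, invalid = {}, {}
    for pat in patterns:
        try:
            rx = re.compile(pat)
        except re.error as exc:
            invalid[pat] = str(exc)
            continue
        hits = [d for d in canaries if rx.search(d)]
        if hits:
            broad[pat] = hits
    return broad, invalid

# Constructed sample exclusion list, not taken from any real profile.
SAMPLE = [
    r"^/opt/backup/agent$",   # narrow: exactly one directory
    r"/opt/app/.*",           # unanchored: also matches /tmp/opt/app/bin
    r".*tmp.*",               # swallows every path containing "tmp"
    r"^/usr/(bin|lib)",       # excludes core system directories
    r"^/data/[",              # typo: unterminated character set
]

if __name__ == "__main__":
    broad, invalid = audit_exclusions(SAMPLE)
    for pat, hits in broad.items():
        print(f"TOO BROAD {pat!r}: matches {', '.join(hits)}")
    for pat, err in invalid.items():
        print(f"INVALID   {pat!r}: {err}")
```

Replace the canary list with the directories that matter on your own hosts before reviewing a profile's exclusions.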


 
