Constraints and Limitations

Server Protection Restrictions

HSS can protect:

Elastic Cloud Server (ECS)
On-premises data center (IDC)

Container Protection Restrictions

HSS can only protect CCE clusters. The restrictions on CCE cluster protection are as follows:

Supported container runtime: Docker and Containerd
Supported cluster editions: CCE standard and Turbo editions
Node resource requirements: at least 50 MiB memory and 200m CPU available
Resource usage restriction: When a cluster is connected to HSS, HSS will create a namespace in the cluster.

OS Restrictions

Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.

For details about the OS restrictions of HSS, see:

Note

CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
The meanings of the symbols in the table are as follows:
- √: supported
- ×: not supported

Table 1 HSS restrictions on Windows (x86)
OS	Agent	System Vulnerability Scan
Windows Server 2012 R2 Standard 64-bit English (40 GB)	√	√
Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)	√	√
Windows Server 2012 R2 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2016 Standard 64-bit English (40 GB)	√	√
Windows Server 2016 Standard 64-bit Chinese (40 GB)	√	√
Windows Server 2016 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2016 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2019 Datacenter 64-bit English (40 GB)	√	√
Windows Server 2019 Datacenter 64-bit Chinese (40 GB)	√	√
Windows Server 2022 Datacenter 64-bit English (40 GB)	√	×
Windows Server 2022 Datacenter 64-bit Chinese (40 GB)	√	×

Table 2 HSS restrictions on Linux (x86)
OS	Agent	System Vulnerability Scan
CentOS 7.4 (64-bit)	√	√
CentOS 7.5 (64-bit)	√	√
CentOS 7.6 (64-bit)	√	√
CentOS 7.7 (64-bit)	√	√
CentOS 7.8 (64-bit)	√	√
CentOS 7.9 (64-bit)	√	√
CentOS 8.1 (64-bit)	√	×
CentOS 8.2 (64-bit)	√	×
CentOS 8 (64-bit)	√	×
CentOS 9 (64-bit)	√	×
Debian 9 (64-bit)	√	√
Debian 10 (64-bit)	√	√
Debian 11.0.0 (64-bit)	√	√
Debian 11.1.0 (64-bit)	√	√
Debian 12.0.0 (64-bit)	√	×
EulerOS 2.2 (64-bit)	√	√
EulerOS 2.3 (64-bit)	√	√
EulerOS 2.5 (64-bit)	√	√
EulerOS 2.7 (64-bit)	√	×
EulerOS 2.9 (64-bit)	√	√
EulerOS 2.10 (64-bit)	√	√
EulerOS 2.11 (64-bit)	√	√
EulerOS 2.12 (64-bit)	√	√
Fedora 28 (64-bit)	√	×
Fedora 31 (64-bit)	√	×
Fedora 32 (64-bit)	√	×
Fedora 33 (64-bit)	√	×
Fedora 34 (64-bit)	√	×
Ubuntu 16.04 (64-bit)	√	√
Ubuntu 18.04 (64-bit)	√	√
Ubuntu 20.04 (64-bit)	√	√
Ubuntu 22.04 (64-bit)	√	√
Ubuntu 24.04 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Red Hat 7.4 (64-bit)	√	×
Red Hat 7.6 (64-bit)	√	×
Red Hat 8.0 (64-bit)	√	×
Red Hat 8.7 (64-bit)	√	×
OpenEuler 20.03 LTS (64-bit)	√	√
OpenEuler 20.03 LTS SP4 (64-bit)	√	×
OpenEuler 22.03 LTS SP3 (64-bit)	√	×
OpenEuler 22.03 LTS (64-bit)	√	×
OpenEuler 22.03 LTS SP4 (64-bit)	√	×
AlmaLinux 8.4 (64-bit)	√	√
AlmaLinux 9.0 (64-bit)	√	×
Rocky Linux 8.4 (64-bit)	√	×
Rocky Linux 8.5 (64-bit)	√	×
Rocky Linux 9.0 (64-bit)	√	×
HCE 1.1 (64-bit)	√	√
HCE 2.0 (64-bit)	√	√
SUSE 12 SP5 (64-bit)	√	√
SUSE 15 (64-bit)	√	×
SUSE 15 SP1 (64-bit)	√	√
SUSE 15 SP2 (64-bit)	√	√
SUSE 15 SP3 (64-bit)	√	×
SUSE 15.5 (64-bit)	√	×
SUSE 15 SP6 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Kylin V10 (64-bit)	√	√
Kylin V10 SP3 (64-bit)	√	×
UnionTech OS 1050u2e	√ NOTE: Currently, file escape detection is not supported.	√

Table 3 HSS restrictions on Linux (Arm)
OS	Agent	System Vulnerability Scan
CentOS 7.4 (64-bit)	√	√
CentOS 7.5 (64-bit)	√	√
CentOS 7.6 (64-bit)	√	√
CentOS 7.7 (64-bit)	√	√
CentOS 7.8 (64-bit)	√	√
CentOS 7.9 (64-bit)	√	√
CentOS 8.0 (64-bit)	√	×
CentOS 8.1 (64-bit)	√	×
CentOS 8.2 (64-bit)	√	×
CentOS 9 (64-bit)	√	×
EulerOS 2.8 (64-bit)	√	√
EulerOS 2.9 (64-bit)	√	√
EulerOS 2.10 (64-bit)	√	√
EulerOS 2.11 (64-bit)	√	√
EulerOS 2.12 (64-bit)	√	√
Fedora 29 (64-bit)	√	×
Ubuntu 18.04 (64-bit)	√	×
Ubuntu 20.04 (64-bit)	√	√
Ubuntu 22.04 (64-bit)	√	√
Ubuntu 24.04 (64-bit)	√ NOTE: Currently, brute-force attack detection is not supported.	×
Kylin V7 (64-bit)	√	×
Kylin V10 (64-bit)	√	√
Kylin V10 SP3 (64-bit)	√	×
HCE 2.0 (64-bit)	√	√
UnionTech OS V20 (64-bit)	√	√ NOTE: Only UnionTech OS V20 server editions E and D support system vulnerability scan.
UnionTech OS V20 1050e (64-bit)	√	√
UnionTech OS V20 1060e (64-bit)	√	√
OpenEuler 22.03 LTS (64-bit)	√	×

Agent Restrictions

If third-party security software is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
- Linux system files:
  - /etc/hosts.deny
  - /etc/hosts.allow
  - /etc/rc.local
  - /etc/ssh/sshd_config
  - /etc/pam.d/sshd
  - /etc/docker/daemon.json
  - /etc/sysctl.conf
  - /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
  - /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
- Linux system configurations: iptables rules
- Windows system configurations:
  - Firewall rules
  - System login event audit policy and the configuration of login security layer and authentication mode
  - Windows Remote Management trusted server list

Restrictions on Brute-force Attack Defense

Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS.

If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.

Parent topic: Introduction

Предыдущая статья

HSS Permissions Management

Следующая статья

Related Services

Была ли эта статья полезна?

Поддержка Юридические документы