By integrating the RASP (Runtime Application Self-Protection) agent, application protection can safeguard against malicious activities and security threats in real time, ensuring uninterrupted and stable application performance. This document describes the initial steps for integrating Java and PHP applications with application protection.
RASP agent description
Protection limitations
Application protection detects and defends against attacks by installing the RASP agent in applications. The RASP agent can be installed only in Java or PHP business processes that meet the following conditions:
- Java processes
  - JDK support range: JDK 6 and later, excluding JDK 13 and 14, and excluding JDK 8 versions earlier than 1.8.0_40.
  - Middleware support range: No specific requirements for middleware type or version. Supported middleware includes Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, WebLogic, WebSphere, Liberty, Netty, GlassFish, domestic middleware, and others.
  - Operating system support: Linux (64-bit) and Windows (64-bit).
- PHP processes
  - PHP version support range: 7.0 to 8.3; both thread-safe (ts) and non-thread-safe (non-ts) builds are supported.
  - SAPI (Server Application Programming Interface) support range: PHP-FPM (FastCGI Process Manager) and the Apache PHP module.
  - Operating system support: Linux x86 (64-bit) only.
  - System library dependencies: glibc 2.14 or later and libstdc++ 3.4.19 or later.
Resource usage thresholds for automatic access
To keep application protection from disturbing normal operation, automatic access pauses installation of the RASP agent when a host, container, or JVM exceeds certain resource usage thresholds. Manual access is not subject to these limits. Agent installation is halted when any of the following applies:
- Host or container CPU usage is above 98%, or remaining memory is below 200 MB.
- JVM heap memory is below 150 MB, or metaspace is below 5 MB.
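A pre-flight check that encodes the JDK support range and the automatic-access pause thresholds listed above, as an added example that is not part of the Security Center documentation. The threshold values and the JDK exclusions are the documented ones; the version strings and resource figures fed to it at the bottom are constructed sample inputs, and how you obtain the live figures (for instance from `java -version` and the JVM's own memory metrics) is left to the caller.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): pre-flight check
# against the documented RASP support range and automatic-access thresholds.

# jdk_supported MAJOR UPDATE -> 0 if the JDK is inside the documented range.
# MAJOR is 6, 7, 8, 11, 17, ...; UPDATE is the 8uNN update number (0 if none).
jdk_supported() {
    major=$1
    update=${2:-0}
    [ "$major" -ge 6 ] || return 1                              # JDK 5 and older
    [ "$major" -ne 13 ] && [ "$major" -ne 14 ] || return 1      # excluded majors
    if [ "$major" -eq 8 ] && [ "$update" -lt 40 ]; then         # 1.8.0_40 is the floor
        return 1
    fi
    return 0
}

# jdk_from_version_string "1.8.0_31" or "17.0.2" -> prints "MAJOR UPDATE"
jdk_from_version_string() {
    v=$1
    case "$v" in
        1.*) major=$(printf '%s' "$v" | cut -d. -f2)
             update=$(printf '%s' "$v" | sed -n 's/.*_\([0-9]*\).*/\1/p') ;;
        *)   major=$(printf '%s' "$v" | cut -d. -f1)
             update=0 ;;
    esac
    printf '%s %s\n' "$major" "${update:-0}"
}

# auto_access_allowed CPU_PCT FREE_MEM_MB HEAP_MB METASPACE_MB
# -> 0 when none of the documented pause thresholds is hit.
auto_access_allowed() {
    cpu=$1; free_mb=$2; heap_mb=$3; meta_mb=$4
    [ "$cpu" -le 98 ]      || return 1   # host/container CPU above 98%
    [ "$free_mb" -ge 200 ] || return 1   # remaining memory below 200 MB
    [ "$heap_mb" -ge 150 ] || return 1   # JVM heap below 150 MB
    [ "$meta_mb" -ge 5 ]   || return 1   # JVM metaspace below 5 MB
    return 0
}

# Constructed demonstration values (not real hosts):
for ver in 1.6.0_45 1.8.0_31 1.8.0_292 13.0.1 17.0.2; do
    set -- $(jdk_from_version_string "$ver")
    if jdk_supported "$1" "$2"; then
        echo "JDK $ver: supported"
    else
        echo "JDK $ver: not supported"
    fi
done
if auto_access_allowed 50 1024 512 64; then
    echo "resource check: automatic access would proceed"
fi
```

Run the JDK check before enabling a server for automatic access, and the resource check when an agent shows as Installing for longer than expected: a host sitting above the CPU or memory thresholds is the documented reason for a paused installation.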
Prerequisites
- The Security Center client on the server where the application is to be accessed must be online.
  You can check whether the client is online from the status icon on the Servers tab of the Host page, under Assets. The online status icon signifies that the client is online. If the client is offline, see client offline troubleshooting for assistance.
- If you use the application protection feature as a RAM user, make sure that the RAM user is granted the AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies. For detailed instructions on granting permissions, see Authorize RAM Users.
1. View which applications can be accessed
Application protection is available for running Java and PHP applications. Before purchasing application protection quotas, you can follow these steps to view the number and details of accessible applications.
- Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are located: China or Outside China.
- In the left-side navigation pane, select .
- In the Protection Statistics area, click Immediate Scan.
  After you click Immediate Scan, the Security Center client collects information about the processes running on your assets.
  Note: The Basic, Value-added Service, Anti-virus, and Advanced editions support only one immediate scan per day.
- View the number of application processes on your assets. Click the number to view the list of application processes. The list shows the server, process name, PID, and startup parameters of each accessible application process.
  Important:
  - Protecting one application process consumes one application protection quota. The number of processes is dynamic and reflects the status at the time of the scan; estimate the number of quotas you need from this number.
  - If you have scanned before, the system displays scan data from the past seven days. Data older than seven days is cleared. After a new scan, the latest data overwrites the existing data.
2. Purchase application protection quotas
To integrate applications into application protection, you must first acquire application protection quotas. When you purchase Security Center, choose the edition you need and the appropriate number of application protection quotas. For detailed instructions, see Purchase Security Center.
- The Security Center free trial includes 10 complimentary application protection quotas. If you have not yet purchased Security Center, you can sign up for a free trial. For eligibility criteria and instructions, see Activate 7-day Free Trial.
- When PHP processes are accessed, each master process consumes one quota.
3. Access application protection
Application protection enforces policies by application group, securing the web service processes within the group. You must first create an application group, integrate application processes into it, and then configure a unified protection policy for the group's business processes.
3.1 Create an application group
- Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are located: China or Outside China.
- In the left-side navigation pane, select .
- On the Application Configurations tab, click Create Application Group.
- In the Create Application Group wizard, enter a name for the new application group, choose the application language (Java or PHP), add remarks if needed, and then click Next.
  We recommend naming the application group after the web service processes it will protect. The name must be unique, and the application language cannot be changed after it is selected.
After you complete this step, an application group is created in Security Center.
3.2 Automatic access or manual access
Access method description
RASP supports both automatic and manual access methods. Choose the appropriate method based on the following table.
Access Method | Description | Scenarios
Automatic access for hosts and containers (Java applications only) | Access is server-based. After a server is accessed, application protection uses the JVM Attach mechanism to automatically identify and integrate Java processes with listening ports (including those in containers) on the server at runtime. The application protection feature is dynamically loaded and unloaded at runtime without restarting processes, which ensures business continuity. | Servers that have not been automatically added to other groups can use automatic access. Note: If some server processes have been automatically added to a specific group and you need to re-add them to another group, first disable protection for that server, remove it from the current group, and then enable automatic access in the new group.
Manual access | Access is application-based and requires manual deployment and an application restart. |
Automatic access (Java applications)
- It is recommended to avoid peak business hours for the first automatic access, to access servers in batches with a canary release policy, and to monitor business metrics. During access, RASP inserts monitoring or protection code into processes, which may temporarily increase CPU usage for about 30 seconds (10-20 seconds on average). For large applications, the impact may last a few minutes. After access completes, normal operation resumes automatically.
- A host can be automatically added to only one group; it cannot be added to multiple groups at the same time. When you access servers, only 64-bit hosts that are not already added to other groups can be selected.
- Hosts added by manual access can also enable automatic access. When you uninstall the RASP agent from such servers, application protection automatically adds the servers again.
- Automatic access adds only Java applications with listening ports. Java applications without listening ports must be added manually.

- On the Automatic/Manual Access wizard page, on the Automatic Access tab, click Select Asset for Application Protection.
- In the Select Asset panel, choose the assets you want to access, and then click OK.
  After you select a host, application protection automatically identifies the Java service processes (including those in containers) on the host and integrates them into protection without restarting them. You can select up to 50 servers at a time.
- Depending on the number of servers to be accessed, do one of the following:
  - To access a single server, turn on the switch in the Application Protection column for that server. After the RASP agent is installed, click Next.
  - To access multiple servers, select them, click Batch Protection, and then click Next.
    You can select up to 50 servers at a time for batch protection.
  After you turn on Application Protection for a single server, or select multiple servers and click Batch Protection, Security Center automatically detects the Java processes on the server and adds them to protection (shown as the Installing status). Integration may take about 10 minutes, depending on your network environment. If multiple Java processes are running on the server, Security Center adds them to protection at the same time.
  After access succeeds, the Application Protection switch shows On. You can check the access status of application instances in the Protection Status column. The Protection Status values are:
  - Not Added: The application protection switch on the server is turned off.
  - Failed: None of the protected applications on the server could establish a connection.
  - Partial Added: Some protected applications on the server were accessed successfully, while others were not.
  - All Added: Either all Java applications on the server that can be protected are integrated into application protection, or the server has no accessible processes.
  Note: When the access status is All Added, the access details list is empty if the server has no accessible processes or if its business processes fall outside the supported range. If an accessible process later appears on the server, it is automatically added to application protection.
  In the Actions column, click Details to view the status of the integrated Java processes.
  Note: If you have configured an access whitelist for the application group, processes that do not match the whitelist rules are skipped.
Manual access (Java applications)
Follow these steps to manually integrate Java applications on hosts or containers into application protection. For containers, choose the manual access method as follows:
- Manual access for containers (point-and-click push): Use this method to push the installation package directly when the servers and application scope are clearly defined.
- Manual access for containers (custom download and installation): If you need others to install the RASP agent, use this method to download the installation package and distribute it for installation and deployment.
Manual access for hosts
- On the Manual Access tab, in the Host Access Guide section, click Point-and-click Push.
- In the Push RASP Agent dialog box, select the server where the agent will be deployed, and click Confirm.
- Refer to the console or the following table to add JVM parameters to the application server according to the type of application runtime environment.
  In the table below, replace {appId} with your application ID, which you can find on the Host Access Guide tab in the console, as illustrated in the figure below.
  Runtime Environment / Parameter Configuration Description:
  Tomcat (Linux)
    Add the following line to the <Tomcat installation directory>/bin/setenv.sh file. If the <Tomcat installation directory>/bin/ directory does not contain setenv.sh, create the file there.
    export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
  Tomcat (Windows)
    Add the following line to the <Tomcat installation directory>\bin\setenv.bat file. If the <Tomcat installation directory>\bin\ directory does not contain setenv.bat, create the file there.
    set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar"
  Jetty
    Add the following two lines to the {JETTY_HOME}/start.ini configuration file.
    --exec
    -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
  Spring Boot
    Add the -javaagent parameter to the startup command of the Spring Boot process:
    java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
    For example, if the original startup command of the Spring Boot process is
    java -jar app.jar
    the startup command with the RASP agent installed is
    java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar
    Important: The -javaagent parameter must always be placed before the -jar parameter.
  JBoss or WildFly
    Standalone mode: Open the <JBoss installation directory>/bin/standalone.sh file and add the following line below "# Display our environment":
    JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
    Domain mode: Open the <JBoss installation directory>/domain/configuration/domain.xml file, find the <server-groups> tag, and add the following content to the <jvm> tag of the <server-group> in which the RASP agent needs to be installed:
    <jvm-options>
        <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/>
    </jvm-options>
  Liberty
    Create or modify the jvm.options file in the <Liberty installation directory>/${server.config.dir} path (default path: /opt/ibm/wlp/usr/servers/defaultServer/jvm.options) and add the following line to the file:
    -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
  Resin
    Resin 3: Open the <Resin installation directory>/conf/resin.conf file, find the <server-default> tag, and add the following <jvm-arg> element:
    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
    Resin 4: Open the <Resin installation directory>/conf/cluster-default.xml file, find the <server-default> tag, and add the following content to the <jvm-arg-line> tag:
    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
- Restart the applications to be added.
  After the application restarts, RASP protection becomes active immediately. You can view the Access Instances list in the application group on the Application Configuration page.
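The Tomcat (Linux) row of the table above, as an added example that is not part of the Security Center documentation: a small helper that appends the documented CATALINA_OPTS line to setenv.sh exactly once, checks that the pushed rasp.jar is actually present before you restart, and after the restart verifies from /proc that the running JVM carries the -javaagent flag. The /usr/local/aegis/rasp/apps/{appId}/rasp.jar layout is the one the table documents; the setenv.sh path, application ID and PID are supplied by the caller, and the values used in the test are constructed.

```shell
#!/bin/sh
# Added example (not the Security Center documentation's own tooling):
# idempotent setenv.sh edit for the Tomcat (Linux) row, plus two checks.

# rasp_jar_path APP_ID -> location of the pushed agent jar for that application
rasp_jar_path() { printf '/usr/local/aegis/rasp/apps/%s/rasp.jar\n' "$1"; }

# agent_jar_present APP_ID -> 0 if the push completed and the jar is readable
agent_jar_present() { [ -r "$(rasp_jar_path "$1")" ]; }

# add_agent_to_setenv SETENV_FILE APP_ID [JAR]
# Creates setenv.sh if it is missing (as the table says) and appends the
# export line unless the jar is already referenced, so repeated runs do not
# stack -javaagent options on CATALINA_OPTS.
add_agent_to_setenv() {
    setenv=$1; app_id=$2; jar=${3:-$(rasp_jar_path "$app_id")}
    [ -f "$setenv" ] || printf '#!/bin/sh\n' > "$setenv"
    if grep -qF -- "-javaagent:$jar" "$setenv"; then
        return 0
    fi
    printf 'export CATALINA_OPTS="$CATALINA_OPTS -javaagent:%s"\n' "$jar" >> "$setenv"
}

# agent_line_count SETENV_FILE JAR -> how many lines reference the agent jar
agent_line_count() { grep -cF -- "-javaagent:$2" "$1"; }

# jvm_has_agent PID JAR -> 0 if the live JVM was started with the agent.
# /proc/PID/cmdline is NUL-separated, so translate it before grepping.
jvm_has_agent() {
    tr '\0' '\n' < "/proc/$1/cmdline" 2>/dev/null | grep -qF -- "-javaagent:$2"
}
```

Typical use on a host: `agent_jar_present <appId> && add_agent_to_setenv /opt/tomcat/bin/setenv.sh <appId>`, restart Tomcat, then `jvm_has_agent "$(pgrep -f catalina)" "$(rasp_jar_path <appId>)"` to confirm the restarted JVM really loaded the agent rather than an old process still running without it.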
Manual access for containers (point-and-click push installation)
- On the Manual Access tab, on the Container Access Guide sub-tab, click Point-and-click Push.
  You can also click the Push Record tab and then Push RASP Agent to start installing the RASP agent on the host or container where the application resides.
- In the Push RASP Agent dialog box, select the server where the agent will be deployed, and click Confirm.
- Start the RASP agent.
  - Method 1: Write to Dockerfile
    - Go to the directory where the Dockerfile is located and create a rasp directory:
      cd <Dockerfile directory>
      mkdir rasp
    - Copy the RASP files pushed to the server into the newly created rasp directory. You can find the application group ID on the Container Access Guide tab in the Security Center console.
      cp -r /usr/local/aegis/rasp/apps/<application group ID>/* ./rasp
    - Modify the Dockerfile to package the rasp directory into the container image by adding the following line:
      COPY rasp /rasp/
      Important: You must grant the relevant users read and execute permissions on the /rasp/ directory and the files in it.
    - Modify the JVM startup parameters in the Dockerfile to add -javaagent:/rasp/rasp.jar.
      In the table below, replace {manager.key} with the -Dmanager.key value shown on the Container Access Guide tab.
      Runtime Environment / Parameter Configuration Description:
      SpringBoot
        Install the RASP agent when packaging the image and modify the startup parameters in the Dockerfile. The application startup command changes as follows:
        Before modification:
        CMD ["java","-jar","/app.jar"]
        After modification:
        CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]
      Tomcat
        To install the RASP agent when packaging the image, add the following line to the Dockerfile:
        ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        To install the RASP agent when starting the container, add the following parameter to the docker run command:
        --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        For example, if your container start command is
        docker run -itd --name=test -P image_name
        change it to
        docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image_name
      Weblogic
    - Rebuild the image and start the container.
  - Method 2: Data volume mount
    - When creating the container, mount the rasp directory on the server to the specified directory in the container:
      docker run -itd --privileged=true -v /usr/local/aegis/rasp/apps/<application group ID>:/rasp/ image_id
    - Access the container:
      docker exec -it <container_id> /bin/bash
    - Add the following JVM parameters to the startup script of the application server to start the RASP agent. Adjust them to your business environment, and replace {manager.key} with the -Dmanager.key value found on the Container Access Guide tab.
      -javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}
Manual access for containers (custom download and installation)
- On the Manual Access tab, in the Container Access Guide section, choose Custom Download And Installation from the drop-down list under Download And Install RASP Agent.
  You can also click the Push Record tab and then Push RASP Agent to deploy and install the RASP agent on the host or container where the application resides.
- In the drop-down list, select No Proxy Access or Self-built Proxy Cluster, depending on whether the server that needs the RASP agent reaches Security Center through a proxy.
  If you choose Self-built Proxy Cluster, select the proxy cluster that the server uses for access. For details on proxy access, see Proxy Access.
- Click Download to the right of the RASP installation package to obtain the necessary files.
- Start the RASP agent.
  - Method 1: Write to Dockerfile
    - Go to the directory where the Dockerfile is located:
      cd <Dockerfile directory>
    - Upload the downloaded RASP installation package to the directory where the Dockerfile is located, and unzip it into that directory:
      unzip <installation package name> -d .
      Note: After the installation package is decompressed, a directory named rasp is created.
    - Modify the Dockerfile to package the rasp directory into the container image by adding the following line:
      COPY rasp /rasp/
      Important: You must grant the relevant users read and execute permissions on the /rasp/ directory and the files in it.
    - Modify the JVM startup parameters in the Dockerfile to add -javaagent:/rasp/rasp.jar.
      In the table below, replace {manager.key} with the -Dmanager.key value shown on the Container Access Guide tab.
      Runtime Environment / Parameter Configuration Description:
      SpringBoot
        Install the RASP agent when packaging the image and modify the startup parameters in the Dockerfile. The application startup command changes as follows:
        Before modification:
        CMD ["java","-jar","/app.jar"]
        After modification:
        CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]
      Tomcat
        To install the RASP agent when packaging the image, add the following line to the Dockerfile:
        ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        To install the RASP agent when starting the container, add the following parameter to the docker run command:
        --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        For example, if your container start command is
        docker run -itd --name=test -P image_name
        change it to
        docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image_name
      Weblogic
    - Rebuild the image and start the container.
  - Method 2: Data volume mount
    - Upload the downloaded RASP installation package to the chosen directory on the server and decompress it. Replace <user.path> with the correct path for your environment.
      unzip zhh-php1-China.zip -d /<user.path>/
    - When creating the container, mount the rasp directory on the server to the specified directory in the container:
      docker run -itd -v /<user.path>/rasp:/rasp/ image_id
    - Access the container:
      docker exec -it <container_id> /bin/bash
    - Add the following JVM parameters to the startup script of the application server to start the RASP agent. Adjust them to your business environment, and replace {manager.key} with the -Dmanager.key value found on the Container Access Guide tab.
      -javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}
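The Dockerfile edits described under Method 1 (write to Dockerfile) in both Java container procedures above, as an added example that is not part of the Security Center documentation: a helper that inserts the COPY rasp /rasp/ line, satisfies the Important note on read and execute permissions with a chmod in the image, and rewrites an exec-form SpringBoot CMD into the documented -javaagent form, plus the ENV JAVA_OPTS line for Tomcat images. The manager key is whatever the Container Access Guide tab shows; the key and the Dockerfiles used in the test are constructed placeholders, and granting permissions with chmod -R a+rX is one way of meeting the note, not the documentation's prescribed command.

```shell
#!/bin/sh
# Added example (not the Security Center documentation's own tooling):
# apply the documented Dockerfile changes for Method 1 idempotently.

RASP_AGENT='-javaagent:/rasp/rasp.jar'

# rasp_java_opts MANAGER_KEY -> the JAVA_OPTS value from the Tomcat row
rasp_java_opts() { printf '%s -Dmanager.key=%s\n' "$RASP_AGENT" "$1"; }

# patch_springboot_dockerfile DOCKERFILE MANAGER_KEY
# Turns  CMD ["java","-jar","/app.jar"]  into the documented "after" form and
# adds the COPY line in front of it. A Dockerfile that already loads
# /rasp/rasp.jar is left untouched so the agent is never added twice.
patch_springboot_dockerfile() {
    df=$1; key=$2
    if grep -qF -- "$RASP_AGENT" "$df"; then return 0; fi
    tmp=$(mktemp)
    awk -v agent="$RASP_AGENT" -v key="$key" '
        /^CMD \["java",/ {
            # package the agent and give the runtime user read + execute/traverse
            print "COPY rasp /rasp/"
            print "RUN chmod -R a+rX /rasp/"
            # "CMD [\"java\"," is 12 characters; keep everything after it
            print "CMD [\"java\",\"" agent "\",\"-Dmanager.key=" key "\"," substr($0, 13)
            next
        }
        { print }
    ' "$df" > "$tmp" && cat "$tmp" > "$df"
    rm -f "$tmp"
}

# patch_tomcat_dockerfile DOCKERFILE MANAGER_KEY
# Appends the COPY line and the documented ENV JAVA_OPTS line (Tomcat row).
patch_tomcat_dockerfile() {
    df=$1; key=$2
    if grep -qF -- "$RASP_AGENT" "$df"; then return 0; fi
    {
        printf 'COPY rasp /rasp/\n'
        printf 'RUN chmod -R a+rX /rasp/\n'
        printf 'ENV JAVA_OPTS="%s"\n' "$(rasp_java_opts "$key")"
    } >> "$df"
}

# cmd_line DOCKERFILE -> the CMD line, for checking the result
cmd_line() { grep '^CMD ' "$1"; }
```

Run it from the directory that holds the Dockerfile and the rasp directory, e.g. `patch_springboot_dockerfile Dockerfile "<manager.key from the console>"`, then rebuild the image as the procedure says. Because both functions bail out when the agent is already referenced, rerunning them after a failed build or a second push is safe.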
Manual access (PHP applications)
To manually integrate PHP applications on hosts or containers into application protection, follow these steps. Choose point-and-click push installation or custom download and installation:
- Point-and-click push installation: Use this method to quickly push the installation package when the servers and application scope are clearly defined.
- Custom download and installation: If the installation requires assistance from others, download the installation package and provide it to the relevant personnel for installation and deployment.
Access hosts (point-and-click push installation)
- On the Manual Access tab, on the Host Access Guide sub-tab, select your application's PHP Version and the Quick Push and Installation option, and then click Point-and-click Push.
  Note: The selected PHP version must match the version actually used by your business; otherwise the RASP agent fails to load.
- In the Push RASP Agent dialog box, select the server where the agent will be deployed, and click Confirm.
- On the Push Record sub-tab, wait until the status of the server changes to Pushed.
- On the Host Access Guide sub-tab, follow the console or the steps below to update the php.ini configuration file on the application server according to the type of application runtime environment.
  - Open the php.ini file with the following command.
    Note: The editor used here is nano. The php.ini file is typically located at /etc/php/7.0/fpm/php.ini or /etc/php/7.0/apache2/php.ini; change the path in the command to suit your environment.
    sudo nano /etc/php/7.0/fpm/php.ini
    or
    sudo nano /etc/php/7.0/apache2/php.ini
  - Add the following content to the end of the php.ini file, or place it in the relevant [Extensions] section. Replace {appId} with the application ID found on the Host Access Guide tab in the console, as shown in the figure that follows.
    [alirasp]
    extension=/usr/local/aegis/rasp/apps/{appId}/php-7.0/alirasp.so
    alirasp.root_dir=/usr/local/aegis/rasp/apps/{appId}/php-7.0
  - Save the php.ini file and close it. In nano, press Ctrl + X, then Y to confirm the save, and then Enter to exit.
- Restart your application for RASP to take effect immediately.
  Note: The following commands are for reference only; restart the services that are actually installed in your environment.
  Nginx service restart command:
  sudo systemctl restart nginx
  Apache service restart command:
  sudo systemctl restart apache2
  or
  systemctl restart httpd
Access hosts (custom download and installation)
- On the Manual Access tab, in the Host Access Guide section, select your application's PHP Version and the Custom Installation option. Then click Download on the right to obtain the RASP installation package.
  Note: The selected PHP version must match the version actually used by your business; otherwise the RASP agent fails to load.
- Upload the RASP installation package to the server and unzip it with the following command. <user.path> is the directory on the server where the RASP installation package is stored.
  unzip <installation package name> -d <user.path>
- Refer to the console or the steps below to update the php.ini configuration file on the application server according to the type of application runtime environment.
  - Open the php.ini file with the following command.
    Note: The editor used here is nano. The php.ini file is typically located at /etc/php/7.0/fpm/php.ini or /etc/php/7.0/apache2/php.ini; change the path in the command to suit your environment.
    sudo nano /etc/php/7.0/fpm/php.ini
    or
    sudo nano /etc/php/7.0/apache2/php.ini
  - Add the following content to the end of the php.ini file, or include it in the relevant [Extensions] section. Replace <user.path> with the directory where the installation package was unzipped.
    [alirasp]
    extension=<user.path>/alirasp.so
    alirasp.root_dir=<user.path>
    Note: Verify that the user the PHP workers start as has read and enter (execute) permissions on the decompressed directory, its parent directories, and the files inside it.
  - Save and close the php.ini file. In nano, press Ctrl + X, then Y to confirm the save, and then Enter to exit.
- Restart your application for RASP to take effect immediately.
  Note: The following commands are for reference only; restart the services that are actually installed in your environment.
  Nginx service restart command:
  sudo systemctl restart nginx
  Apache service restart command:
  sudo systemctl restart apache2
  or
  systemctl restart httpd
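The php.ini edit from both host procedures above (the pushed app directory for point-and-click push, <user.path> for custom installation) together with the permission note, as an added example that is not part of the Security Center documentation: add_alirasp_to_ini writes the documented [alirasp] block exactly once and keeps a backup, ini_has_alirasp is the read-back check, and worker_can_enter_path implements the "read and enter" requirement by walking every directory from the extension directory up to / and checking the execute bit for the permission class that applies to the PHP worker user. The app ID, php.ini contents and directories used in the test are constructed; the /usr/local/aegis/rasp/apps/{appId}/php-<version> layout is the documented one.

```shell
#!/bin/sh
# Added example (not the Security Center documentation's own tooling):
# php.ini editing and the permission check for the alirasp extension.

# alirasp_block EXT_DIR -> the three php.ini lines for the given directory
alirasp_block() {
    printf '[alirasp]\nextension=%s/alirasp.so\nalirasp.root_dir=%s\n' "$1" "$1"
}

# pushed_ext_dir APP_ID PHP_VERSION -> directory used by point-and-click push
pushed_ext_dir() { printf '/usr/local/aegis/rasp/apps/%s/php-%s\n' "$1" "$2"; }

# add_alirasp_to_ini PHP_INI EXT_DIR  (idempotent; keeps PHP_INI.bak)
add_alirasp_to_ini() {
    ini=$1; dir=$2
    if grep -q '^\[alirasp\]' "$ini"; then return 0; fi   # already configured
    cp "$ini" "$ini.bak"                                   # so the change can be reverted
    alirasp_block "$dir" >> "$ini"
}

# ini_has_alirasp PHP_INI -> 0 when both extension= and alirasp.root_dir= are set
ini_has_alirasp() {
    grep -q '^extension=.*alirasp\.so' "$1" && grep -q '^alirasp\.root_dir=' "$1"
}

# mode_has PATH WHO BIT -> 0 if the ls -l mode string grants BIT (r, w or x)
# to class WHO (u = owner, g = group, o = others). Positions 2-4 are the
# owner bits, 5-7 group, 8-10 others; s/t in an x position are executable.
mode_has() {
    case "$2" in u) base=2 ;; g) base=5 ;; o) base=8 ;; *) return 2 ;; esac
    case "$3" in r) off=0 ;; w) off=1 ;; x) off=2 ;; *) return 2 ;; esac
    c=$(ls -ld "$1" | cut -c$((base + off)))
    case "$c" in
        r|w|x|s|t) return 0 ;;
        *) return 1 ;;
    esac
}

# worker_can_enter_path PATH WHO -> 0 if PATH's directory and every ancestor
# up to / grant execute (enter) to WHO. For a worker such as www-data that
# owns none of the directories, WHO is normally o.
worker_can_enter_path() {
    if [ -d "$1" ]; then
        p=$(cd "$1" 2>/dev/null && pwd)
    else
        p=$(cd "$(dirname "$1")" 2>/dev/null && pwd)
    fi
    [ -n "$p" ] || return 1
    while :; do
        mode_has "$p" "$2" x || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# worker_can_read_ext EXT_DIR WHO -> 0 if alirasp.so is reachable and readable
worker_can_read_ext() {
    worker_can_enter_path "$1" "$2" && mode_has "$1/alirasp.so" "$2" r
}
```

On a real host: `add_alirasp_to_ini /etc/php/7.0/fpm/php.ini "$(pushed_ext_dir <appId> 7.0)"` for the push procedure, or with `<user.path>` for the custom one, followed by `worker_can_read_ext <dir> o` before the restart. A failing traversal check on a parent directory (for example a home directory with mode 700 chosen as <user.path>) is the usual reason the extension silently does not load after the restart.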
Access containers (point-and-click push installation)
- On the Manual Access tab, in the Container Access Guide section, select your application's PHP Version and the Quick Push and Installation option, and then click Point-and-click Push.
  Note: The selected PHP version must match the version actually used by your business; otherwise the RASP agent fails to load.
- In the Push RASP Agent dialog box, select the server where the agent will be deployed, and click Confirm.
- On the Push Record sub-tab, wait until the status of the server changes to Pushed.
- On the Container Access Guide sub-tab, follow the console instructions or the steps below to deploy the agent.
  - Method 1: Write to Dockerfile
    Go to the directory that contains the Dockerfile and create a rasp directory:
    cd <Dockerfile directory>
    mkdir rasp
    Copy the RASP files pushed to the server into the rasp directory. You can find the application group ID on the Container Access Guide tab in the Security Center console.
    cp -r /usr/local/aegis/rasp/apps/<application group ID>/php-7.0/* ./rasp
    Modify the Dockerfile to include the rasp directory in the container image by adding the following line:
    COPY rasp /rasp/
    Note: You must grant the relevant users read and execute permissions on the /rasp/ directory and its files.
    Update the php.ini configuration in the Dockerfile to load the RASP extension:
    [alirasp]
    extension=/rasp/alirasp.so
    alirasp.root_dir=/rasp
    Rebuild the image and start the container.
  - Method 2: Data volume mount
    When creating the container, mount the rasp directory on the server to the specified directory in the container:
    docker run -itd --privileged=true -v /usr/local/aegis/rasp/apps/<application group ID>/php-7.0:/rasp/ <image ID>
    In the Dockerfile, update the php.ini configuration to load the RASP extension:
    [alirasp]
    extension=/rasp/alirasp.so
    alirasp.root_dir=/rasp
    Rebuild the image and start the container.
Access containers (custom download and installation)
- On the Manual Access tab, on the Container Access Guide sub-tab, select your application's PHP Version and the Custom Installation option. Then click Download on the right to obtain the RASP installation package.
  Note: The selected PHP version must match the version actually used by your business; otherwise the RASP agent fails to load.
- On the Container Access Guide sub-tab, follow the console or the steps below to deploy the agent according to the type of application runtime environment.
  - Method 1: Write to Dockerfile
    Go to the directory that contains the Dockerfile:
    cd <Dockerfile directory>
    Upload the RASP installation package to the Dockerfile directory and unzip it there:
    unzip <installation package name> -d .
    Note: After the installation package is decompressed, a directory named rasp is created.
    Modify the Dockerfile to include the rasp directory in the container image by adding the following line:
    COPY rasp /rasp/
    Note: You must grant the relevant users read and execute permissions on the /rasp/ directory and its files.
    In the Dockerfile, update the php.ini configuration to load the RASP extension:
    [alirasp]
    extension=/rasp/alirasp.so
    alirasp.root_dir=/rasp
    Rebuild the image and start the container.
  - Method 2: Data volume mount
    Upload the RASP installation package to the server and unzip it with the following command. <user.path> is the directory on the server where the RASP installation package is stored.
    unzip <installation package name> -d <user.path>
    When creating the container, mount the rasp directory on the server to the specified directory in the container:
    docker run -itd -v /<user.path>/rasp:/rasp/ <image ID>
    In the Dockerfile, update the php.ini configuration to load the RASP extension:
    [alirasp]
    extension=/rasp/alirasp.so
    alirasp.root_dir=/rasp
    Rebuild the image and start the container.
3.3 Set protection policies
On the Configure Protection Mode After No False Alerts Generated wizard page, configure the protection policies and click OK.
The default protection mode is Monitor. We recommend running in Monitor mode for 2-5 days. If no false alerts are generated during this time, you can switch to Block mode. If false alerts occur, configure whitelist rules so that those false positives are no longer detected. For detailed instructions, see Add Alerts to Whitelist.
Category | Configuration Item | Description
Protection Policy | Application Group Name | Displays the name of the application group. It cannot be modified here.
Protection Policy | Protection Mode | Select the protection mode for the application group. Options:
Protection Policy | Protection Policy Group | The default protection policy group is Normal Running Group. You can select other protection policy groups from the drop-down list. For more information about protection policy groups, see 5. Manage Protection Policy Groups.
Protection Policy | Threat Type | Displays the detection types supported by the selected protection policy group.
Detection Policy | Weakness Detection | Select whether to enable weakness detection for the current application group. For more information, see Discover Application Weaknesses. Note: PHP applications do not support this feature.
Detection Policy | In-memory Webshell Detection | Select whether to enable in-memory web shell detection for the current application group. For more information, see In-memory Web Shell Prevention. Note: PHP applications do not support this feature.
Common Settings | Detection Timeout Period | The maximum time allowed for attack detection, from 1 to 60,000 milliseconds; the default is 300 milliseconds. If detection exceeds this time, the original business logic continues to execute even though the detection logic has not completed. Keep the default value unless you have a specific reason to change it.
Common Settings | Method to Obtain Source IP Address |
Common Settings | Runtime Circuit Breaking Settings | After you enable this feature, when the resource usage of the server or process exceeds any of the configured CPU or memory circuit breaking values, RASP automatically stops real-time protection, in-memory web shell detection (Java applications only), and weakness detection (Java applications only). When the resource usage of the server or process falls below all configured circuit breaking values, RASP automatically resumes protection. This feature keeps your workloads stable during peak hours and is disabled by default. If your applications are performance-sensitive, such as computational applications, you can enable it. The configuration description is as follows:
3.4 Configure automatic access whitelist (Java applications)
If you require heightened security for your business and prefer not to include it in application protection, or if you want to conduct a canary release for certain business processes, you can establish an access whitelist. By setting whitelist rules, you can specify which processes should be incorporated into application protection. Only those processes that conform to the whitelist rules will be included. Without any configured whitelist rules, all processes on the asset will be automatically included.
The access whitelist has the following constraints:
- It applies only to RASP agent versions 0.9.4 and above.
- When an access whitelist is set up before the host asset is integrated, it takes effect during automatic integration. If the whitelist is configured after integration, already integrated processes are affected only after the application is restarted. For processes that were not integrated or were omitted, the whitelist is applied during the next automatic integration.
To configure an access whitelist, follow these steps. If no whitelist is needed, skip this step.
- On the Create Application Group panel, under the Automatic Access tab, click Application Access Whitelist.
- On the Whitelists page, under the Application Access Whitelist tab, click Create Whitelist.
- On the Create Whitelist panel, set the following parameters and then click OK.
Configuration items:
Rule Name: Enter the name of the access whitelist rule.
Whitelist Mode: Select the whitelist mode used by the whitelist rule. Options:
- cmdline: Matches the processes to be integrated based on command-line parameters. Supported match modes: Contains, Contains One of Multiple Values, Does Not Contain, Does Not Contain Any Value.
- Environment Variables: Matches the processes to be integrated based on the environment variables of the process. Supported match mode: Equal To.
- -D parameter: Matches the processes to be integrated based on the system properties set when the Java program is started. Supported match mode: Equal To.
Configuration examples:
- Integrate only tomcat-related processes: set Whitelist Mode to cmdline, Match Mode to Contains, and Content to Match to tomcat.
- Integrate non-apache and non-test processes: set Whitelist Mode to cmdline, Match Mode to Does Not Contain Any Value, and Content to Match to apache,test.
Match Mode: Select the matching method for the rule.
Matching Field: Enter the matching field for the rule. Note: This parameter is required only when Whitelist Mode is Environment Variables or -D parameter.
Content to Match: Enter the matching content for the rule.
Destination Application Groups: Select the application groups for which the access whitelist rule takes effect.
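The matching semantics of the three whitelist modes above, as an added Python example that is not the RASP agent's own code: the Process and WhitelistRule types, the mode keys cmdline/env/dparam, and the assumption that several rules combine with OR are mine.

```python
"""Added example (not Alibaba Cloud's agent code): evaluate the three access
whitelist modes above against hypothetical process descriptors."""
from dataclasses import dataclass, field


@dataclass
class Process:
    cmdline: str                              # full JVM command line
    env: dict = field(default_factory=dict)   # process environment variables


@dataclass
class WhitelistRule:
    mode: str              # "cmdline", "env" (Environment Variables) or "dparam" (-D parameter)
    match_mode: str        # match mode name exactly as shown in the console
    content: str           # Content to Match; comma-separated for multi-value modes
    match_field: str = ""  # Matching Field: env var name or -D property name


def system_properties(cmdline: str) -> dict:
    """Collect -Dkey=value system properties from a Java command line."""
    props = {}
    for tok in cmdline.split():
        if tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props


def rule_matches(rule: WhitelistRule, proc: Process) -> bool:
    """True when the process satisfies the rule (assumed matching semantics)."""
    if rule.mode == "cmdline":
        values = [v.strip() for v in rule.content.split(",") if v.strip()]
        hit = any(v in proc.cmdline for v in values)
        if rule.match_mode in ("Contains", "Contains One of Multiple Values"):
            return hit
        if rule.match_mode in ("Does Not Contain", "Does Not Contain Any Value"):
            return not hit
        raise ValueError(f"unsupported cmdline match mode: {rule.match_mode}")
    if rule.mode == "env":
        return proc.env.get(rule.match_field) == rule.content
    if rule.mode == "dparam":
        return system_properties(proc.cmdline).get(rule.match_field) == rule.content
    raise ValueError(f"unknown whitelist mode: {rule.mode}")


def should_integrate(rules: list, proc: Process) -> bool:
    """No rules: integrate everything; otherwise at least one rule must match (assumed OR)."""
    return not rules or any(rule_matches(r, proc) for r in rules)
```

Substring matching cuts both ways: a Tomcat command line that names org.apache.catalina classes contains "apache", so the second example rule above (Does Not Contain Any Value: apache,test) excludes Tomcat too.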
4. Verify application access status
Java applications
If the PID of the application process appears in the authorized instance list of the application group, the application has been integrated into application protection. Follow these steps to view the list of integrated applications:
- On the Application Protection page, under the Application Configurations tab, click the number listed in the Online Instances column for the desired application group.
- In the instance details panel, review the list of integrated applications. If the PID of the application process on the target server is listed, the application is successfully integrated into application protection.
PHP applications
- Method 1: View in the console. In the Security Center console, navigate to the Application Protection page. Under the Application Configuration tab, click Access Instances. On the Instance Details panel, verify that information about the relevant PHP instance is present.
- Method 2: Verify via the command line. Open the server terminal and execute the command below. If the output includes alirasp, RASP has been loaded successfully.
php -m | grep alirasp
- Method 3: Verify using the phpinfo() page.
  - Create a PHP file on the server, such as info.php, containing the following content:
<?php phpinfo(); ?>
  - Place the file in the web server's root directory, such as /var/www/html/.
  - Access the page (for example, http://your-server-ip/info.php) and search the output for alirasp. If the alirasp extension information is present, RASP has been loaded successfully. Remove info.php once you have checked, because phpinfo() output discloses the server's configuration.
5. Manage protection policy groups
The application protection feature caters to varying security needs across different business scenarios by managing attack detection policies within predefined protection policy groups. These groups include the Business First Group (default loose rule group), Normal Running Group (default standard rule group), and Protection First Group (default strict rule group).
All policies within these predefined groups share the same detection modes. For instance, policies in the Business First Group are set to a loose detection mode. You can either utilize these predefined groups or create a custom protection policy group to align with your specific business requirements.
Detection mode description
To strike a balance between minimizing false positives and maximizing security protection effectiveness, the application protection feature offers three detection modes: loose, standard, and strict. These modes are organized in ascending order of false positive rate and security protection effectiveness.
Loose: Targets only well-known attack patterns, ensuring a low rate of false positives.
Standard (default): Detects common attack patterns and provides generalized reasoning capabilities, making it suitable for everyday operations and maintenance.
Strict: Capable of identifying a broader range of sophisticated attacks, which may result in more false positives.
Create a protection policy group
- On the Application Protection page, under the Application Configurations tab, click Protection Policy Group Management.
- Click Create Protection Policy Group.
- In the Create Protection Policy Group panel, enter the name of the protection policy group, select the application's language, and click Select next to Threat Type to set up the detection types.
- In the Select Threat Type panel, choose the required detection types and configure the Detection Mode, then click OK.
For instance, if SQL injection currently produces numerous false positive alerts, you can set the detection mode of the SQL injection check item to Loose.
- Click OK.
Related operations
Quota management
- View the remaining quota for application protection
Each protected application process instance consumes one quota. Make sure you have enough remaining quota when using the application protection feature. You can check your available quota on the Application Protection page under the Application Configurations tab, including after purchasing additional quotas.
If the remaining quota is zero:
- During automatic access, host assets cannot be selected for access. Note: If the quota is depleted during automatic access, application processes integrate normally, but any additional instances are unauthorized and unprotected.
- For manual access, application processes integrate normally, but the instance status is unauthorized and unprotected.
If the quota is insufficient, increase your application protection quota as described below.
- Increase the quota for application protection
If you need to protect more application instances than your remaining quota allows, navigate to the Application Protection page, select the Application Configurations tab, click Remaining Quota on the right, and then click Upgrade to purchase additional application protection quotas.
Modify the protection policies of an application group
Follow these steps to modify the protection policies of an application group:
- On the Application Protection page, under the Application Configurations tab, click Protection Policy in the operation column for the desired application group.
- In the Protection Policy panel, choose the desired Protection Policy Group from the drop-down list to activate it.
- Click OK.
Disable application protection
Disable protection for a single application (Java applications)
On the Application Protection page, navigate to the Application Configurations tab. Click Access Management in the operation column for the desired application group. In the Access Management panel, uninstall the RASP agent according to your application's connection type:
- Automatic access (Security Center client online): On the Automatic Access tab, select the servers from which you want to uninstall instances, and click Batch Disable Protection. Alternatively, turn off the switch in the Application Protection column to remove the RASP agent from the server.
Important: If you no longer require protection for a specific server, ensure that the Application Protection switch is turned off before you delete the server. On the Automatic Access tab, click Delete in the operation column next to the desired server, or select multiple servers and click Batch Delete, to remove them from the application group.
- Automatic access (Security Center client offline): If the Security Center client is offline, manually uninstall the RASP agent by following these steps:
  - In the server's terminal or command-line interface, run crontab -e.
  - Remove the application protection-related tasks from the scheduled task list. The task looks like the following:
* * * * * bash -c /usr/local/aegis/rasp/apps/664dd403cd24364f9e******/attach/runJavaFinder.sh http://update-vpc.aegis.aliyuncs.com/rasp/plugin/v1/error/report aa97bdc587ac7ab37028506359****** 6901ad53-a454-4681-afdb-c894d2******
  - Save and exit the cron file. In vi or vim, press Esc to switch to normal mode, then type :wq and press Enter to save and exit. In nano, press Ctrl+O to save and Ctrl+X to exit.
  - Restart the process during off-peak hours.
- Manual access: To uninstall the RASP agent for the target application, delete the JVM parameters specified in the access guide and restart the application to remove the application protection integration.
Disable protection for a single application (PHP applications)
- To uninstall the RASP agent for the target PHP application, remove the ini configuration added during setup:
[alirasp]
extension=/alirasp.so
alirasp.root_dir=
- Restart your application to disable RASP protection.
Note: The following commands are for reference only; restart the services that are actually installed in your environment.
Nginx service restart command:
sudo systemctl restart nginx
Apache service restart command:
sudo systemctl restart apache2
or
systemctl restart httpd
Disable protection for an application group
When you need to disable protection for all applications within a group, navigate to the Application Protection page, select the Application Configurations tab, click on Protection Policy in the operation column for the desired group, set the protection mode to Disable, and then click OK.
Delete an application group
Deleting an application group will invalidate protection for all instances within it. Confirm that you no longer require any RASP agents in the group before proceeding with deletion.
Before you can delete an application group, ensure that it has no authorized instances, or that the Application Protection feature is disabled for all servers with automatic access.
On the Application Protection page, under the Application Configurations tab, you can click Delete in the operation column next to the desired application group.
View agent version
On the Application Protection page, under the Application Configurations tab, click the number in the Add Instances column corresponding to the desired application group to see a list of integrated instances. If the RASP Version column next to the application instance shows an icon, this signifies that a newer version of the agent is available. To update the agent version automatically, it is advisable to restart the application.
View instance status
On the Application Protection page, under the Application Configurations tab, you can click the number in the Add Instances column corresponding to the desired application group to see a list of integrated instances.
The statuses of instances are as follows:
- Authorized: The instance is protected normally.
- Unauthorized: The instance has been integrated successfully but is not protected because the application protection quota is insufficient. Click Remaining Quota on the right and then click Upgrade to purchase additional application protection quotas.
- Authorized (Circuit Breaking): The application group to which the instance belongs has Runtime Circuit Breaking Configuration enabled, the instance's resource usage has met the circuit breaking conditions, and application protection has stopped protecting the instance. Instances in this state still occupy quota. When the instance's resource usage drops below all circuit breaking thresholds, application protection resumes and the instance status changes back to Authorized.