Use the application protection feature - Security Center

The application protection feature can monitor processes on which the runtime application self-protection (RASP) agent is installed and prevent malicious behaviors and threats in real time to ensure the continuous and stable running of applications. This topic describes how to add Java and PHP applications to the application protection feature.

RASP agent

Limits

The application protection feature, which detects attacks by using the RASP agent installed for applications, supports Java and PHP processes that meet specific conditions. The RASP agent can only be installed in processes that fulfill the following criteria:

Java processes
- JDK support range: Supports JDK 6 and above, excluding JDK 13 and 14, and versions below JDK 8 update 40 (1.8.0_40).
- Middleware support range: No specific requirements for middleware types and versions, including Tomcat, SpringBoot, Jboss, WildFly, Jetty, Resin, Weblogic, Websphere, Liberty, Netty, GlassFish, domestic middleware, etc.
- Operating system support: Linux (64-bit) and Windows (64-bit).
PHP processes
- PHP version support range: Versions 7.0 to 8.3, supporting both ts and non-ts versions.
- SAPI (Server Application Programming Interface) support range: PHP-FPM (FastCGI Process Manager) and Apache PHP module.
- Operating system support: Only Linux x86 architecture (64-bit).
- System library dependencies: glibc 2.14 and above, libstdc++ 3.4.19 and above.

Automatic access resource usage threshold

When the resource usage of a server, container, or Java virtual machine (JVM) exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This helps ensure that the application protection feature runs as expected. This limit does not apply to the manual access method. The following list describes the related thresholds:

The CPU usage of a server or a container exceeds 98%, or the remaining memory is less than 200 MB.
The remaining JVM heap memory is less than 150 MB, or the metadata space is less than 5 MB.

Prerequisites

The Security Center agent on your server is online.
To check whether the Security Center agent on your server is online, perform the following steps: Go to the Assets > Host page. Click the Servers tab. Find your server and view the icons in the Agent column. The icon indicates that the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.
The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

1. Check the applications that can be added to the application protection feature

Application protection supports Java and PHP applications that are running. Before purchasing application protection licenses, you can follow these steps to view the number and details of accessible applications:

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
In the Protection Statistics section, click Immediate Scan.
After you click Immediate Scan, the Security Center agent collects information about the processes on your assets.
Note
The Security Center agent can collect the information only once per day in the Basic, Value-added Plan, Anti-virus, or Advanced edition of Security Center.
View the number of application processes on your assets. You can click the number to view the list of application processes. The list provides the server information, process name, process identifier (PID), and startup parameters of each qualified application process.
Important
- When an application process is added to the application protection feature, the quota for the feature is deducted by one. The number of processes dynamically changes. Only the processes that are running during the scan are counted. You can estimate the quota that you need to purchase for the application protection feature based on the number of processes.
- Scan data is saved and displayed for up to 7 days. Data older than 7 days is automatically cleared. New scans overwrite existing data.

2. Purchase quota for application protection

You can use the application protection feature only if you have a sufficient quota. When you purchase Security Center, select the required edition and the quota for the application protection feature. For more information, see Purchase Security Center.

Note

The Security Center free trial supports 10 application protection quotas for free. If you have not purchased Security Center, you can apply for a free trial. For more information, see Apply for a 7-day free trial of Security Center.
When adding PHP processes, one master process (i.e., central process) will consume one quota.

3. Add applications to the feature

The application protection feature protects web service processes by application group. Before you can use the application protection feature, you must create an application group, add the application processes that you want to protect to an application group, and configure a unified protection policy for the application group.

3.1 Create an application group

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
On the page that appears, click the Application Configurations tab. Then, click Create Application Group.
In the Create Application Group page, enter the name of the application group to be created, select application language as Java or PHP, add remarks, then click Next.
We recommend that you enter a name based on the processes that you want to protect. The application group name cannot be duplicated. The application language cannot be modified after selection.
After you complete the preceding step, the application group is created.

3.2 Automatic access or manual access

Access methods

The application protection feature supports the automatic access and manual access methods. The following table describes the methods.

Method	Description	Scenario

Method

Description

Scenario

Automatic access for servers and containers (only supports Java applications)

The automatic access method allows you to add servers to add all qualified applications on the servers for protection. After you add a server to the application protection feature, the feature uses JVM Attach capabilities to identify and add the qualified Java processes that are listening on ports on the server or a container. This way, the applications are protected.

If you use the automatic access method, the system dynamically loads and unloads the application protection capabilities when the applications are running. This ensures business continuity without the need to restart the processes.

If a server is not added to an application group by using the automatic access method, you can use the automatic access method to add the server.

Note

If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can disable the application protection feature for the server, remove the server from the current application group, and then use the automatic access method to add the server to the new application group.

Manual access

The manual access method allows you to add a single application for protection. You must manually add an application to the application protection feature and restart the application.

You use PHP applications.
If the WebSphere framework is used for your Java application, you must use the manual access method.
If specific processes on your server are automatically added to an application group and you want to add other processes that are not protected on the server to a different application group, you can use this method.
If you want to add a server to multiple application groups, you must use the manual access method.
If your Java process is not listening on a port, you can use the manual access method.

Automatic access (Java applications)

Important

The first time you add applications to the application protection feature, we recommend that you perform the operation during off-peak hours. We also recommend that you use the canary release policy to add applications in batches and observe the metrics. If you use the automatic access method to add application processes, RASP inserts monitoring or protection code to trace the application processes. In this case, CPU resources are highly utilized for approximately 30 seconds due to the impact of deoptimization. The average duration of high CPU utilization is 10 to 20 seconds. For large applications, the impact may last for several minutes. After the applications are added, the CPU utilization is automatically decreased.
A server can be automatically added to only one application group. If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.
You can use the automatic access method for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.
The automatic access method is supported for Java processes that are listening on ports. If the Java processes are not listening on ports, you must use the manual access method.

On the Automatic Access tab of the Automatic/Manual Access page, click Select Asset for Application Protection.
In the Select Asset panel, select the assets you want to add, and click OK.
After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 50 servers at a time.
Perform the following operations based on the number of servers that you want to add:
- If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.
- If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.
  You can select up to 50 servers at a time.
After you turn on the switch in the Application Protection column for a server or select multiple servers and click Batch Enable Protection, Security Center automatically identifies and adds the Java processes on the selected servers to application protection. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds the processes at a time.
After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column:
- Not Added: The application protection feature is disabled for the server.
- Failed: All processes on the server failed to be added to the application protection feature.
- Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.
- All Added: All qualified processes on the server are added to the application protection feature or no qualified processes exist on the server.
- Note
  When All Added is displayed in the Protection Status column and no qualified processes exist on the server or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty. Subsequently, if a qualified process runs on the server, the process is automatically added.
You can click Details in the Actions column to view the status of the added Java processes.
Note
If you configure an application access whitelist for the application group, the processes that do not match the whitelist rules are skipped.

Manual access (Java applications)

You can follow the steps below to manually add Java applications that run on servers or on containers to the application protection feature. The following list describes the methods that you can use to manually add applications that run on containers to the application protection feature:

Manual access for containers (point-and-click push): If you confirm the applications and servers you want to add, you can use this method to directly push the installation package of the RASP agent.
Manual access for containers (package download and installation): If you want another user to help install the RASP agent, you can use this method to download the installation package and distribute the package to the user for installation.

Manual access for servers

Manual access for containers (point-and-click push)

Manual access for containers (package download and installation)

In the Access Management panel, click the Manual Access tab. On the Host Access Guide tab, click Point-and-click Push.
In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent and click OK.

Configure the JVM parameters for the servers based on the runtime environment of the applications. You can configure the JVM parameters based on the information in the Security Center console or in the following table.

When you configure the parameters based on the following table, replace {appId} in the code with the application ID that is displayed on the Host Access Guide tab. The following figure shows the position of an application ID. 应用ID位置

Runtime environment	Parameter setting
Tomcat on Linux	Add the following configurations to the {Tomcat installation directory}/bin/setenv.sh file: `export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"` If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory.
Tomcat on Windows	Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file: `set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar"` If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory.
Jetty	Add the following configurations to the {JETTY_HOME}/start.ini configuration file: `--exec -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar`
Spring Boot	Add the -javaagent parameter to the startup command for the Spring Boot process. `java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar` For example, the following command is the original startup command of the Spring Boot process: `java -jar app.jar` Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command: `java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar` Important Make sure that the -javaagent parameter is placed before the -jar parameter.
JBoss or WildFly	Standalone Mode Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment: `JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"` Domain Mode Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content: `<jvm-options> <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/> </jvm-options>`
Liberty	Go to the <Liberty installation directory>/${server.config.dir} directory. The default directory is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. When you create or modify the jvm.options file, add the following content to the file: `-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar`
Resin	Resin3 Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content: `<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>` Resin4 Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <jvm-arg-line> tag in the <server-default> tag and add the following content: `<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>`

Restart the applications that you want to add to the application protection feature on your on-premises device.
The application protection feature takes effect immediately after the applications are restarted. On the Application Configurations page, you can view the servers that are added to the application group.

In the Access Management panel, click the Manual Access tab. On the Add Container tab, click Point-and-click Push.
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent and click OK.

Start the RASP agent.

Method 1: Add parameters to the Dockerfile.

Go to the directory in which the Dockerfile resides and create a directory named rasp.
```
cd <Directory of the Dockerfile>
mkdir rasp
```
Copy the RASP files that are pushed to the server to the rasp directory.
You can obtain the application group ID on the Add Container tab in the Security Center console.
```
cp -r /usr/local/aegis/rasp/apps/<Application group ID>/* ./rasp
```
Modify the Dockerfile and package the downloaded installation package into the container image. Then, add the required content to the Dockerfile.
```
COPY rasp /rasp/
```
Important
You must grant specific users the read and execute permissions on the /rasp/ directory and the files in the /rasp/ directory.

Modify the JVM startup parameters in the Dockerfile and add javaagent:/rasp/rasp.jar to the Dockerfile.

The following table describes the parameter settings in different runtime environments. You must replace {manager.key} in the code with the value of Dmanager.key that is displayed on the Add Container tab.

Runtime environment	Parameter setting
SpringBoot	To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications. Startup command before the change: `CMD ["java","-jar","/app.jar"]` Startup command after the change: `CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]`
Tomcat	To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile: `ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` To install the RASP agent when the container is being started, add the following parameter to the startup command: `docker --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` For example, the original startup command of a container is `docker -itd --name=test -P image name`. Before you start the container to install the RASP agent, you must change the startup command to `docker -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image name`.
Weblogic

Recreate an image and start the container.

Method 2: Mount volumes to the container.
1. When you create a container, mount the installation directory of the RASP agent of the server to the specified directory of the container.
```
docker run -itd --privileged=true -v /usr/local/aegis/rasp/apps/<Application group ID>:/rasp/ Image ID
```
2. Run the following command to access the container:
```
docker exec -it <Container ID> /bin/bash
```
3. Add the following JVM parameter to the startup script of the server to start the RASP agent:
  You must configure the parameter based on your business environment. You must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab.
```
-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}
```

In the Access Management panel, click the Manual Access tab. On the Add Container tab, select Custom Installation from the drop-down list in the Download and Install RASP Agent step.
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
In the drop-down list, select Do Not Access Proxy or Self-managed Proxy Cluster to determine whether to add the server on which you want to install the RASP agent to the Security Center by using the proxy access feature.
If you select Self-managed Proxy Cluster, you must select a proxy cluster that you want to use to add the server to Security Center. For more information, see Add servers to Security Center by using the proxy access feature.
Click Download to the right of the installation package of the RASP agent to download the package.

Start the RASP agent.

Method 1: Add parameters to the Dockerfile.

Go to the directory of the Dockerfile.
```
cd <Directory of the Dockerfile>
```
Upload the downloaded installation package of the RASP agent to the directory of the Dockerfile. Then, decompress the package to the directory.
```
unzip <Name of the installation package> -d .
```
Note
After the installation package is decompressed, a directory named rasp is generated.
Modify the Dockerfile and package the downloaded installation package into the container image. Then, add the required content to the Dockerfile.
```
COPY rasp /rasp/
```
Important
You must grant specific users the read and execute permissions on the /rasp/ directory and the files in the /rasp/ directory.

Modify the JVM startup parameters in the Dockerfile and add javaagent:/rasp/rasp.jar to the Dockerfile.

Runtime environment	Parameter setting
SpringBoot	To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications. Startup command before the change: `CMD ["java","-jar","/app.jar"]` Startup command after the change: `CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]`
Tomcat	To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile: `ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` To install the RASP agent when the container is being started, add the following parameter to the startup command: `docker --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` For example, the original startup command of a container is `docker -itd --name=test -P image name`. Before you start the container to install the RASP agent, you must change the startup command to `docker -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image name`.
Weblogic

Recreate an image and start the container.

Method 2: Mount volumes to the container.
1. Upload the downloaded installation package of the RASP agent to the specified directory on the server and decompress the package.
  You must replace user.path with the directory that you use.
```
unzip  zhh-php1-China.zip -d /<user.path>/
```
2. When you create a container, mount the installation directory of the RASP agent of the server to the specified directory of the container.
```
docker run -itd  -v /<user.path>/rasp:/rasp/ Image ID 
```
3. Run the following command to access the container:
```
docker exec -it <Container ID> /bin/bash
```
4. Add the following JVM parameter to the startup script of the server to start the RASP agent:
  You must configure the parameter based on your business environment. You must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab.
```
-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}
```

Manual access (PHP applications)

Follow these steps to manually add PHP applications run on servers or on containers to the application protection feature. Choose between quick push and installation and custom installation as follows:

Quick push and installation: When you have clearly defined the applications and servers you want to add, you can use this method to push the installation package of the RASP agent.
Custom installation: If you want another user to help install the RASP agent, you can use this method to download the installation package and distribute the package to the user for installation.

Access to servers (quick push and installation)

Access to servers (custom installation)

Access to containers (quick push and installation)

Access to containers (custom installation)

In the Manual Access tab, under the Host Access Guide sub-tab, select PHP Version and Quick Push and Installation, and click Point-and-click Push.
Note
Ensure the PHP version matches that of your PHP applications. Otherwise, the RASP agent will fail to load.
In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent, and click Confirm.
In the Push Record sub-tab, wait for the corresponding server status to change to Pushed.
On the Host Access Guide sub-tab, refer to the console or the following steps to modify the php.ini configuration file in the servers based on the runtime environment of the application.
1. Execute the following command to open the php.ini file.
  Note
  - The editor used in the current step is nano.
  - The php.ini file is usually located in /etc/php/7.0/fpm/php.ini or /etc/php/7.0/apache2/php.ini. Please modify the path in the following command based on your specific environment.
```
sudo nano /etc/php/7.0/fpm/php.ini
```
  or
```
sudo nano /etc/php/7.0/apache2/php.ini
```
2. Add the following content at the end of the php.ini file or under the appropriate [Extensions] section.
  You need to use the application ID displayed on the Host Access Guide tab in the console to replace {appId} in the table below. The location of the application ID is shown in the following figure:
```
[alirasp]
extension=/usr/local/aegis/rasp/apps/{appId}/php-7.0/alirasp.so
alirasp.root_dir=/usr/local/aegis/rasp/apps/{appId}/php-7.0
```
3. Save and close the php.ini file.
  If you are using the nano editor, you can save by pressing Ctrl + X, then press Y to confirm saving, and press Enter to exit.
Restart your application. After the restart, the RASP agent can take effect immediately.
Note
The following commands are for reference only. The servers that need restarting will depend on those installed in your actual environment.
- Nginx server restart command
```
sudo systemctl restart nginx
```
- Apache server restart command
```
 sudo systemctl restart apache2
```
  or
```
sudo systemctl restart httpd
```

In the Manual Access tab, under the Host Access Guide sub-tab, select PHP Version and Custom Installation, and click Download on the right side of the RASP installation package.
Note
Ensure the PHP version matches that of your PHP applications. Otherwise, the RASP agent will fail to load.
Upload the downloaded RASP installation package to the server and execute the following command to unzip the installation package.
user.path is the storage path of the RASP installation package on the server.
```
unzip <Installation package name> -d <user.path>
```
Refer to the console or the following steps to modify the php.ini configuration file in the server based on the application runtime environment.
1. Execute the following command to open the php.ini file.
  Note
  - The editor currently in use is nano.
  - The php.ini file is typically found at /etc/php/7.0/fpm/php.ini or /etc/php/7.0/apache2/php.ini. You should modify the path in the subsequent command to suit your particular environment.
```
sudo nano /etc/php/7.0/fpm/php.ini
```
  or
```
sudo nano /etc/php/7.0/apache2/php.ini
```
2. Add the following content to the end of the php.ini file, or under the appropriate [Extensions] section.
  Substitute <user.path> in the code below with the path to the directory where the installation package has been extracted.
```
[alirasp]
extension=<user.path>/alirasp.so
alirasp.root_dir=<user.path>
```
  Note
  Ensure that the extracted directory, its parent directory, and all contained files have read and execute permissions for the PHP worker start user.
3. Save and close the php.ini file.
  When using the nano editor, save your changes by pressing Ctrl + X, confirm with Y, and press Enter to exit.
Restart your application. After the restart, the RASP agent can take effect immediately.
Note
The following commands are for reference only. The servers that need restarting will depend on those installed in your actual environment.
- Nginx server restart command
```
sudo systemctl restart nginx
```
- Apache server restart command
```
 sudo systemctl restart apache2
```
  or
```
sudo systemctl restart httpd
```

On the Manual Access tab, under the Add Container sub-tab, select the PHP Version and Quick Push and Installation, then click Point-and-click Push.
Note
Ensure the PHP version matches that of your PHP applications. Otherwise, the RASP agent will fail to load.
In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent and click OK.
In the Push Record sub-tab, wait until the server status updates to Pushed.
On the Add Container sub-tab, follow the console instructions or the steps below to install the agent:
- Method 1: Add parameters to the Dockerfile.
  1. Navigate to the directory containing the Dockerfile and create a rasp directory with the following command:
```
cd <Directory where Dockerfile is located>
mkdir rasp
```
  2. Execute the following command to copy the RASP files that have been pushed to the server into the newly created rasp directory.
    You can find the application group ID from the Add Container tab in the Security Center console.
```
cp -r /usr/local/aegis/rasp/apps/<Application Group ID>/php-7.0/* ./rasp
```
  3. Add the following content to the Dockerfile to include the RASP installation package in the container image:
```
COPY rasp /rasp/
```
    Note
    Ensure the specified user has read and execute permissions for the /rasp/ directory and its files.
  4. In the Dockerfile, update the PHP php.ini configuration to include the RASP extension, as shown below:
```
[alirasp]
extension=/rasp/alirasp.so
alirasp.root_dir=/rasp
```
  5. Rebuild the image and launch the container.
- Method 2: Mount volumes to the container.
  1. When creating the container, mount the rasp directory from the server to the specified directory in the container using the command below:
```
docker run -itd --privileged=true -v /usr/local/aegis/rasp/apps/<Application Group ID>/php-7.0:/rasp/ image ID
```
  2. In the Dockerfile, update the PHP php.ini configuration to include the RASP extension, as shown below:
```
[alirasp]
extension=/rasp/alirasp.so
alirasp.root_dir=/rasp
```
  3. Rebuild the image and start the container.

On the Manual Access tab, under the Add Container sub-tab, select the PHP Version and Custom Installation, click Download on the right side of the RASP installation package.
Note
Ensure the PHP version matches that of your PHP applications. Otherwise, the RASP agent will fail to load.
In the Add Container section, follow the console instructions or the steps below to install the agent based on your application runtime environment.
- Method 1: Add parameters to the Dockerfile.
  1. Navigate to the directory containing the Dockerfile.
```
cd <directory where Dockerfile is located>
```
  2. Upload the RASP installation package to the same directory and extract it using the command below.
```
unzip <installation package name> -d.
```
    Note
    Extracting the package will create a directory named 'rasp'.
  3. Add the following content to your Dockerfile to include the RASP installation package in the container image:
```
COPY rasp /rasp/
```
    Note
    Assign read and execute permissions to the specified user for the /rasp/ directory and its files.
  4. Update the php.ini configuration in the Dockerfile and include the RASP extension as shown below:
```
[alirasp]
extension=/rasp/alirasp.so
alirasp.root_dir=/rasp
```
  5. Rebuild the image and launch the container.
- Method 2: Mount volumes to the container.
  1. Upload the RASP installation package to the server and unzip it using the command below.
    The 'user.path' represents the storage path for the RASP installation package.
```
unzip <installation package name> -d <user.path>
```
  2. When creating the container, mount rasp directory of the server to the designated directory within the container using the following command:
```
docker run -itd  -v /{user.path}/rasp:/rasp/ image ID
```
  3. Modify the php.ini configuration in the Dockerfile to add the RASP extension as below:
```
[alirasp]
extension=/rasp/alirasp.so
alirasp.root_dir=/rasp
```
  4. Rebuild the image and start the container.

3.3 Configure a protection policy

In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.

Important

The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Add alerts to a whitelist.

Category	Parameter	Description

Category	Parameter	Description
Protection Policy	Application Group Name	The name of the application group. You cannot change the name in this step.
	Protection Status	Select whether to enable or disable protection for the current application group. Protection is enabled by default.
	Protection Mode	The protection mode of the application group. Valid values: Monitor: monitors your applications to detect attacks but does not block attacks. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitor. Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Block. Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.
	Protection Policy Group	The default protection policy group is Normal Running Group. You can select a different protection policy group from the drop-down list. For more information about protection policy groups, see 5. Manage protection policy groups.
	Threat Type	The check types supported by the selected protection policy group.
Detection Policy	Weakness Detection	Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses. Note PHP applications do not support this feature.
Detection Policy	In-memory Webshell Detection	Specifies whether to enable the in-memory webshell detection feature for the current application group. For more information, see Use the in-memory webshell prevention feature. Note PHP applications do not support this feature.
Common Settings	Detection Timeout Period	The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value.
	Method to Obtain Source IP Address	The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses in the sequence of X-Real-IP, True-Client-IP, and X-Forwarded-For. If the value of X-Real-IP is unavailable, the system uses the value of True-Client-IP. If the values of X-Real-IP and True-Client-IP are unavailable, the system uses the value of X-Forwarded-For. If you select Enter Custom Header, the system preferentially obtains source IP addresses based on custom headers. If you configure multiple custom headers, the system obtains the source IP addresses in the listed sequence. If the system cannot obtain source IP addresses based on the custom headers, the default method takes effect. Note You can specify up to five custom headers.
	Runtime Circuit Breaking Settings	This feature is only effective for Java applications. After the runtime circuit breaking feature is enabled, the RASP agent automatically stops providing real-time protection, in-memory webshell detection (Java applications only), and weakness detection (Java applications only) when the CPU utilization or memory usage of a server or process exceeds the threshold. When the resource usage falls below the configured thresholds, RASP automatically continues to provide the capabilities. This feature ensures that your workloads can run stably during peak hours and is disabled by default. If your applications are performance-sensitive, such as computational applications, you can enable this feature. Java applications CPU Utilization in Server or Container Exceeds: You can set the parameter to a value that ranges from 10% to 99%. We recommend that you set the parameter to 95%. JVM Heap Memory Usage Exceeds: You can set the parameter to a value that ranges from 5% to 99%. We recommend that you set the parameter to 98%. JVM Heap Remaining Memory Falls Short: You can set the parameter to a value that ranges from 10 to 99,999 MB. We recommend that you set the parameter to 100 MB. Important The circuit breaking feature is supported only for the RASP agent V0.8.8 or later. The RASP agent that runs a version earlier than V0.8.8 can be automatically upgraded to the latest version after you restart the application process. Instances in the Circuit Breaking state still consume the quota for the application protection feature. PHP applications CPU Utilization in Server or Container Exceeds: You can set the parameter to a value that ranges from 10% to 99%. We recommend that you set the parameter to 95%. Memory Usage in Server or Container Exceeds: You can set the parameter to a value that ranges from 5% to 99%. We recommend that you set the parameter to 98%. Remaining Memory in Server or Container Falls Short: You can set the parameter to a value that ranges from 10 to 99,999 MB. We recommend that you set the parameter to 100 MB.

3.4 Configure an application access whitelist (Java application)

If your business applications are sensitive and you do not want to add the applications to the application protection feature or you want to add specific processes to the application protection feature in a canary release, you can configure an application access whitelist and configure rules to define the processes to be added to the application protection feature. Only processes that match the whitelist rules are added to the application protection feature. If you do not configure whitelist rules, all processes that run on the server asset are automatically added to the application protection feature. Take note of the following items:

The whitelist takes effect only if the version of the RASP agent is 0.9.4 or later.
If you configure a whitelist before server assets are added to the application protection feature, the whitelist takes effect when the server assets are automatically added to the application protection feature. If you configure a whitelist after server assets are added to the application protection feature, the whitelist takes effect after the processes that are added to the application protection feature are restarted. If specific processes fail or are skipped, the whitelist takes effect after the processes are automatically added to the application protection feature.

The following section describes how to configure an application access whitelist. If you do not need to configure an application access whitelist, skip the steps.

On the Automatic Access tab in the Create Application Group panel, click Application Access Whitelist.
On the Application Access Whitelist tab of the Whitelists page, click Create Whitelist.

In the Create Whitelist panel, configure the following parameters and click OK.

Parameter	Description

Parameter	Description
Rule Name	The name of the whitelist rule.
Whitelist Mode	The whitelist mode that is used by the whitelist rule. Valid values: cmdline: uses command line parameters match the processes that need to be added to the whitelist. The following matching methods are supported: Contain Contains One of Multiple Values Does Not Contain Does Not Contain Any Value Environment Variables : uses the variables of the environments that the processes want to access to match the processes that need to be added to the application protection feature. The supported matching method is Equal To. -D parameter : uses the system properties that you configure to start a Java program to match the processes that need to be added to the application protection feature. The supported matching method is Equal To. Sample configurations: Add only tomcat-related processes. Set the Whitelist Mode parameter to cmdline. Set the Match Mode parameter to Contain. Set the Content to Match parameter to tomcat. Add non-apache or non-test processes. Set the Whitelist Mode parameter to cmdline. Set the Match Mode parameter to Does Not Contain Any Value. Set the Content to Match parameter to apache,test.
Match Mode	The match mode of the rule.
Match Field	The match field of the rule. Note This parameter is required only if you set the Whitelist Mode parameter to Environment Variables or -D parameter .
Content to Match	The content to be matched.
Destination Application Groups	The application group to which you want to apply the whitelist rule.

4. Verify the application access status

Java application

If the PID of an application process is displayed in the authorized instance list of the application group, the application is added to the application protection group. To view the protected applications, perform the following steps:

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.
On the panel that appears, view the applications that are added to the application protection feature.
If the PID of the application process that you want to protect is displayed in the application list, the application is protected.

PHP application

Method 1: View in the console.
On the Application Configurations tab of the Application Protection page, click Add Instances, and review the Instance Details panel for information about the corresponding PHP instance.
Method 2: Execute command.
Launch the terminal and run the following command. If the output includes alirasp, this confirms that RASP is successfully loaded.
```
php -m|grep alirasp
```
Method 3: Check on the phpinfo() page.
1. Create a PHP file on the server (e.g., info.php) with the following command:
```
 <?php
   phpinfo();
   ?>
```
2. Place this file in the root directory of the web server, such as /var/www/html/.
3. Navigate to the page (for example, http://your-server-ip/info.php) and search for alirasp in the output. The presence of alirasp extension signifies that RASP has been successfully loaded.

5. Manage protection policy groups

To meet the security requirements in different business scenarios, the application protection feature manages the attack detection policies in the following pre-defined protection policy groups at different levels: Business First Group, Normal Running Group, and Protection First Group.

The detection modes of all policies in the pre-defined protection policy groups are the same. For example, the detection mode of all policies in Business First Group is loose. You can use the pre-defined protection policy groups or create a protection policy group based on your business requirements.

Detection mode description

To balance the false positive rate and security protection effectiveness in different business scenarios, the application protection feature provides the following detection modes: loose, standard, and strict. The loose, standard, and strict modes are listed in ascending order based on the false positive rate and security protection effectiveness.

Loose: Security Center detects only threats of known attack characteristics with a low false positive rate.
Standard: Security Center detects threats of common attack characteristics and provides generalization reasoning capabilities. This is the default mode and is suitable for routine O&M.
Strict: Security Center identifies more attacks that are difficult to detect. False positives may be generated.

Create a protection policy group

On the Application Configurations tab of the Application Protection page, click Protection Policy Group Management.
Click Create Protection Policy Group.
In the Create Protection Policy Group panel, input the group name, select the application language, and choose Threat Type to the right of Select for configuration.
In the Select Threat Type panel, select the type of the threat that you want to detect, configure the Detection Mode parameter, and then click OK.
For example, if a large number of false positives for SQL injections are generated in existing alerts, you can change the detection mode for SQL injections to Loose.
Click OK.

What to do next

Manage the quota for the application protection feature

View the remaining quota for the application protection feature
When an application instance is protected, the quota for the application protection feature is deducted by one. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for the application protection feature, you can view the remaining quota on the Application Configurations tab of the Application Protection page.
If the remaining quota is insufficient or exhausted, take note of the following items:
- If the automatic access method is used, servers cannot be automatically added to the application protection feature.
  Note
  If the quota for the application protection feature is exhausted when the automatic access method is used to add applications, the applications can be added but the status of the excess application instances is unauthorized.
- If the quota for the application protection feature is exhausted, you can manually add applications to the application protection feature but the status of the application instances is unauthorized. The unauthorized application instances are not protected.
If the quota for the application protection feature is insufficient, we recommend that you follow the instructions in this topic to increase the quota.
Increase the quota for the application protection feature
If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, perform the following steps: Go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.

Modify the protection policies of an application group

To modify the protection policies of an application group, perform the following steps:

On the Application Configurations tab of the Application Protection page, find the application group whose protection policies you want to modify and click Protection Policy in the Actions column.
In the Protection Policy panel, select a protection policy group from the Protection Policy Group drop-down list.
Click OK.

Disable the application protection feature

Disable the application protection feature for Java applications

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.

Automatic Access (The Security Center agent is online): On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.
Important
If you no longer need to protect a server, you can remove the server after you turn off the switch in the Application Protection column.
On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.
Automatic Access (The Security Center agent is offline): If the Security Center agent is offline, the RASP agent cannot be automatically uninstalled in the console. In this case, you must perform the following steps to manually uninstall the RASP agent.
1. Open the terminal or CLI on the server and run the crontab -e command.
2. In the list of scheduled tasks, remove tasks related to application protection. The following sample code shows an application protection task:
```
* * * * * bash -c /usr/local/aegis/rasp/apps/664dd403cd24364f9e******/attach/runJavaFinder.sh http://update-vpc.aegis.aliyuncs.com/rasp/plugin/v1/error/report aa97bdc587ac7ab37028506359****** 6901ad53-a454-4681-afdb-c894d2******
```
3. Save the cron scheduled tasks and exit.
  - If you use the vi or vim editor, press Esc to ensure that you are in normal mode, enter :wq, and then press Enter to save the settings and exit.
  - If you use the nano editor, press Ctrl+O to save the changes and press Ctrl+X to exit.
4. Restart the process during off-peak hours.
Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.

Disable the application protection feature for PHP applications

To uninstall the RASP agent from the target application, remove the ini configuration added during the setup process as outlined in the access guide. The specific content to be deleted is:
```
[alirasp]

extension=/alirasp.so

alirasp.root_dir=
```
Restart the application to disable RASP agent.
Note
The following commands are for reference only. The servers that need restarting will depend on those installed in your actual environment.
- Nginx server restart command
```
sudo systemctl restart nginx
```
- Apache server restart command
```
 sudo systemctl restart apache2
```
  or
```
sudo systemctl restart httpd
```

Disable the application protection feature for an application group

To disable the application protection feature for all applications in an application group, you can perform the following steps: On the Application Configurations tab of the Application Protection page, find the application group that you want to manage, toggle in the Protection Status column to disable protection.

Delete an application group

Important

After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.

Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.

On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column.

View the version of the RASP agent

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Add Instances column. If the icon is displayed to the right of the RASP Version column of an application instance, a new version of the RASP agent is available. We recommend that you restart the application to automatically upgrade the RASP agent.

View instance status

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Add Instances column.

The following list describes the status of an application instance:

Authorized: The application instance is protected by the application protection feature.
Unauthorized: The application instance is added to the application protection feature but is not protected because the quota for the application protection feature is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.
Authorized (Circuit Breaking): Runtime Circuit Breaking Settings is enabled for the application group to which this instance belongs. When the resource usage of this instance reaches the threshold for circuit breaking, this instance is not protected by the application protection. Instances in this state still consume the quota for the application protection feature. When the resource usage of this instance drops below all circuit breaking thresholds, application protection resumes, and the instance status changes to "Online - Authorized."

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)