Security Center:Use the application protection feature

Updated: Sep 12, 2024

The application protection feature can monitor processes on which the runtime application self-protection (RASP) agent is installed and prevent malicious behaviors and threats in real time to ensure the continuous and stable running of applications. This topic describes how to add an application to the application protection feature.

Description of the RASP agent

Supported applications

The application protection feature detects attacks by using the RASP agent that is installed for applications. The application protection feature protects only Java processes that meet the following conditions. (You can install the RASP agent only on those Java processes.)

  • Java Development Kit (JDK): The JDK version is JDK 6 or later. JDK 13 and JDK 14 are not supported.

  • Middleware: The RASP agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.

  • Operating system: The Linux 64-bit or Windows 64-bit operating systems are used.

Resource usage thresholds

When the resource usage of a server, container, or Java virtual machine (JVM) exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This helps ensure that the application protection feature runs as expected. This limit does not apply to the manual access method. The following list describes the related thresholds:

  • The CPU usage of a host or a container exceeds 98%, or the remaining memory is less than 200 MB.

  • The remaining JVM heap memory is less than 150 MB, or the metadata space is less than 5 MB.

Prerequisites

  • The Security Center agent on your server is online.

    To check whether the Security Center agent on your server is online, perform the following steps: Go to the Assets > Host page. Click the Servers tab. Find your server and view the icon in the Agent column. An online icon indicates that the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.

  • The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

Step 1: Check which applications can be added to the application protection feature

The application protection feature is available only for Java applications in the Running state. Before you purchase a quota for the application protection feature, you can perform the following operations to view the number and details of qualified applications. An application that can be added is considered a qualified application.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. In the Protection Statistics section, click Immediate Scan.

    After you click Immediate Scan, the Security Center agent collects information about the processes on your assets.

    Note

    The Security Center agent can collect the information only once per day in the Basic, Value-added Plan, Anti-virus, or Advanced edition of Security Center.

  4. View the number of application processes on your assets. You can click the number to view the list of application processes. The list provides the server information, process name, process identifier (PID), and startup parameters of each qualified application process.

    Important

    When an application is added to the application protection feature, the quota for the feature is deducted by one. The number of processes dynamically changes. The number displayed in the scan result is the number of processes that are running when the scan begins. You can estimate the quota that you need to purchase for the application protection feature based on the number of processes.


Step 2: Purchase a quota for the application protection feature

You can use the application protection feature only if you have a sufficient quota. When you purchase Security Center, select the required edition and the quota for the application protection feature. For more information, see Purchase Security Center.

Note

The quota for the application protection feature that is provided by the free trial of Security Center is 10, and the quota is free of charge. If you have not purchased Security Center, you can apply for a free trial of Security Center. For more information, see Apply for a 7-day free trial of Security Center.

Step 3: Add applications for protection

The application protection feature protects web service processes by application group. Before you can use the application protection feature, you must create an application group, add the application processes that you want to protect to an application group, and configure a unified protection policy for the application group.

Create an application group

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the page that appears, click the Application Configurations tab. Then, click Create Application Group.

  4. In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.

    We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete the preceding step, the application group is created.

Use the automatic access or manual access method

Access methods

The application protection feature supports the automatic access and manual access methods. The following table describes the methods.

Method: Automatic access for servers and containers (recommended)

Description: The automatic access method allows you to add servers so that all qualified applications on those servers are protected. After you add a server to the application protection feature, the feature uses JVM Attach capabilities to identify and add the qualified Java processes that are listening on ports on the server or a container. This way, the applications are protected.

If you use the automatic access method, the system dynamically loads and unloads the application protection capabilities while the applications are running. This ensures business continuity without the need to restart the processes.

Scenario: If a server is not added to an application group by using the automatic access method, you can use the automatic access method to add the server.

Note

If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can disable the application protection feature for the server, remove the server from the current application group, and then use the automatic access method to add the server to the new application group.

Method: Manual access for servers

Description: The manual access method allows you to add a single application for protection. You must manually add an application to the application protection feature and restart the application.

Scenario:

  • If the WebSphere framework is used for your application, you must use the manual access method.

  • If specific processes on your server are automatically added to an application group and you want to add other processes that are not protected on the server to a different application group, you can use this method.

  • If you want to add a server to multiple application groups, you must use the manual access method.

  • If your Java process is not listening on a port, you can use the manual access method.

Method: Manual access for containers

Automatic access

Important

  • The first time you add applications to the application protection feature, we recommend that you perform the operation during off-peak hours.

  • A server can be automatically added to only one application group. If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.

  • You can use the automatic access method for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.

  • The automatic access method is supported for Java processes that are listening on ports. If the Java processes are not listening on ports, you must use the manual access method.

  1. On the Automatic Access tab of the Automatic/Manual Access page, click Select Asset for Application Protection.

  2. In the Select Asset dialog box, select the assets that you want to add and click OK.

    After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 50 servers at a time.

  3. Perform the following operations based on the number of servers that you want to add:

    • If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.


    • If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.

      You can select up to 50 servers at a time.

    After you turn on the switch in the Application Protection column for a server, or select multiple servers and click Batch Enable Protection, Security Center automatically identifies the Java processes on the selected servers and adds them to application protection. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds all of the processes at once.

    After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column:

    • Not Added: The application protection feature is disabled for the server.

    • Failed: All processes on the server failed to be added to the application protection feature.

    • Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.

    • All Added: All qualified processes on the server are added to the application protection feature or no qualified processes exist on the server.

      Note

      When All Added is displayed in the Protection Status column and no qualified processes exist on the server or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty. Subsequently, if a qualified process runs on the server, the process is automatically added.

    You can click Details in the Actions column to view the status of the added Java processes.


Manual access for servers

On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Host Access Guide tab to install the RASP agent and then restart your applications. Click Next.

Before you restart your applications, you must complete the deployment based on the runtime environment of the applications. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {appId} with the application ID that is displayed on the Host Access Guide tab when you configure the parameters. The following figure shows the position of an application ID.


Tomcat on Linux

Add the following configurations to the <Tomcat installation directory>/bin/setenv.sh file:

export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"

If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory.

Tomcat on Windows

Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file:

set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar" 

If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory.

Jetty

Add the following configurations to the {JETTY_HOME}/start.ini configuration file:

--exec -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

Spring Boot

Add the -javaagent parameter to the startup command for the Spring Boot process.

java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

For example, the following command is the original startup command of the Spring Boot process:

java -jar app.jar

Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command:

java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar

Important

Make sure that the -javaagent parameter is placed before the -jar parameter.

JBoss or WildFly

  • Standalone Mode

    Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment:

    JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
  • Domain Mode

    Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content:

    <jvm-options>
       <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/>
    </jvm-options>

Liberty

Go to the <Liberty installation directory>/${server.config.dir} directory and create or modify the jvm.options file. The default path of the file is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. Add the following content to the file:

-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

Resin

  • Resin3

    Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content:

    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
  • Resin4

    Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <jvm-arg-line> tag in the <server-default> tag and add the following content:

    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
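As an added example (not part of this topic and not Security Center's own tooling), the following POSIX shell script automates the Tomcat on Linux and Spring Boot rows above: it appends the CATALINA_OPTS export to setenv.sh without duplicating it on repeated runs, and checks that a Spring Boot command line places -javaagent before -jar. APP_ID is a constructed placeholder and the function names are assumptions; the agent path layout is the one shown on this page.

```shell
#!/bin/sh
# Added example (not Security Center's own tooling). It assumes the agent path
# layout shown on this page, /usr/local/aegis/rasp/apps/{appId}/rasp.jar.
# APP_ID is a constructed placeholder: use the application ID from the
# Host Access Guide tab.

RASP_AGENT_DIR=/usr/local/aegis/rasp/apps
APP_ID=EXAMPLE_APP_ID_PLACEHOLDER

# rasp_javaagent_arg APP_ID -> prints the -javaagent argument for that application
rasp_javaagent_arg() {
    printf '%s' "-javaagent:$RASP_AGENT_DIR/$1/rasp.jar"
}

# add_rasp_to_setenv SETENV_FILE APP_ID
# Appends the CATALINA_OPTS export from the Tomcat on Linux row to
# <Tomcat installation directory>/bin/setenv.sh, creating the file if it does
# not exist. Idempotent: a second run for the same APP_ID changes nothing.
add_rasp_to_setenv() {
    setenv_file=$1
    agent_arg=$(rasp_javaagent_arg "$2")
    if [ -f "$setenv_file" ] && grep -qF -- "$agent_arg" "$setenv_file"; then
        return 0
    fi
    # $CATALINA_OPTS stays literal so that Tomcat expands it at startup
    printf 'export CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$agent_arg" >> "$setenv_file"
}

# count_rasp_agents FILE -> number of lines in FILE that load a rasp.jar agent
count_rasp_agents() {
    if [ -f "$1" ]; then
        grep -c -- '-javaagent:.*rasp\.jar' "$1" || true
    else
        echo 0
    fi
}

# javaagent_before_jar CMDLINE
# Returns 0 only when CMDLINE contains both -javaagent and -jar and -javaagent
# comes first (the ordering the Spring Boot row requires); returns 1 otherwise.
javaagent_before_jar() {
    cmdline=$1
    set -- $cmdline   # intentional word splitting; paths without spaces assumed
    agent_pos=0; jar_pos=0; i=0
    for word in "$@"; do
        i=$((i + 1))
        case $word in
            -javaagent:*) if [ "$agent_pos" -eq 0 ]; then agent_pos=$i; fi ;;
            -jar)         if [ "$jar_pos" -eq 0 ]; then jar_pos=$i; fi ;;
        esac
    done
    if [ "$agent_pos" -gt 0 ] && [ "$jar_pos" -gt 0 ] && [ "$agent_pos" -lt "$jar_pos" ]; then
        return 0
    fi
    return 1
}

# Demo on a scratch copy (run: sh this_script.sh --demo); no real Tomcat is touched.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    add_rasp_to_setenv "$tmp/setenv.sh" "$APP_ID"
    add_rasp_to_setenv "$tmp/setenv.sh" "$APP_ID"   # no-op on the second run
    echo "rasp.jar lines in setenv.sh: $(count_rasp_agents "$tmp/setenv.sh")"
    cat "$tmp/setenv.sh"
    rm -rf "$tmp"
fi
```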

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

Manual access for containers

On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Add Container tab to install the RASP agent and then restart your applications. Click Next.

Before you restart a container, you must complete the deployment based on the runtime environment of the container. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {manager.key} with the value of -Dmanager.key that is displayed on the Add Container tab when you configure the parameters.


Spring Boot

To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications.

Startup command before the change:

CMD ["java","-jar","/app.jar"]

Startup command after the change:

CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]

Tomcat

  • To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile:

    ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
  • To install the RASP agent when the container is being started, add the following parameter to the docker run command:

    --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"

For example, if the original startup command of a container is docker run -itd --name=test -P <image name>, change the startup command to docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P <image name> before you start the container, so that the RASP agent is installed.

Weblogic

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

Configure a protection policy

In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.

Important

The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Add alerts to a whitelist.

The following parameters are grouped by category.

Category: Protection Policy

Application Group Name

The name of the application group. You cannot change the name in this step.

Protection Mode

The protection mode of the application group. Valid values:

  • Monitor: monitors your applications to detect attacks but does not block attacks. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitor.

  • Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Block.

  • Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.

Protection Policy Group

The default protection policy group is Normal Running Group. You can select a different protection policy group from the drop-down list. For more information about protection policy groups, see Step 5: Manage protection policy groups.

Threat Type

The check types supported by the selected protection policy group.

Category: Detection Policy

Weakness Detection

Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses.

In-memory Webshell Detection

Specifies whether to enable the in-memory webshell detection feature for the current application group. For more information, see Use the in-memory webshell prevention feature.

Category: Common Settings

Detection Timeout Period

The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value.

Method to Obtain Source IP Address

The method to obtain source IP addresses. Valid values:

  • Default: the system obtains source IP addresses from the standard request headers that record source IP addresses: X-Real-IP, True-Client-IP, and X-Forwarded-For, checked in that order. If X-Real-IP is unavailable, True-Client-IP is used. If neither X-Real-IP nor True-Client-IP is available, the system falls back to X-Forwarded-For.

  • Enter Custom Header: the system preferentially obtains source IP addresses from the values of the custom headers. When multiple custom headers are set, the system checks them in the listed order. If no custom header yields a source IP address, the Default behavior takes effect.

Note

You can set a maximum of five values of custom headers.
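To make the fallback order concrete, here is an added shell example (not Security Center's implementation) that resolves a source IP address from constructed request header lines: custom headers first, then X-Real-IP, True-Client-IP, and X-Forwarded-For, as described above. The custom header names in the test data and the choice of the left-most X-Forwarded-For entry are assumptions.

```shell
#!/bin/sh
# Added example (not Security Center's code). Headers are read from stdin as
# "Name: value" lines, a constructed, simplified input; real request parsing is
# left to the server. Any of these headers can be written by the sender, so the
# value is only as trustworthy as the proxy in front of the application that
# overwrites them.

# header_value NAME  (headers on stdin)
# Prints the value of the first header whose name matches NAME, case-insensitively.
header_value() {
    awk -v want="$1" '
        index($0, ":") > 0 {
            name = substr($0, 1, index($0, ":") - 1)
            if (tolower(name) == tolower(want)) {
                value = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", value)
                sub(/[ \t\r]+$/, "", value)
                print value
                exit
            }
        }'
}

# resolve_source_ip CUSTOM_HEADERS  (headers on stdin)
# CUSTOM_HEADERS is a comma-separated list in priority order (the page allows
# at most five); an empty string means the Default setting. Custom headers are
# tried first, then the documented fallback X-Real-IP, True-Client-IP,
# X-Forwarded-For. Prints the resolved address; returns 1 when no header matches.
resolve_source_ip() {
    headers=$(cat)
    custom=$(printf '%s' "$1" | tr ',' ' ')
    for name in $custom X-Real-IP True-Client-IP X-Forwarded-For; do
        value=$(printf '%s\n' "$headers" | header_value "$name")
        if [ -n "$value" ]; then
            # Assumption: for a comma-separated X-Forwarded-For chain, keep the
            # left-most entry (the client address recorded by the first proxy).
            printf '%s\n' "$value" | cut -d, -f1 | sed 's/[[:space:]]//g'
            return 0
        fi
    done
    return 1
}
```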

Runtime Circuit Breaking Settings

After the runtime circuit breaking feature is enabled, the RASP agent will automatically stop its real-time protection capabilities, in-memory webshell detection, and weakness detection when the resource usage of a server or process exceeds the configured threshold for either CPU or memory. When the resource usage falls below all configured thresholds, RASP will automatically resume its protective feature.

This feature ensures that your business can operate stably during peak hours and is disabled by default. If your application is performance-sensitive, particularly in computational tasks, you may want to enable this feature. Here are the configuration details:

  • CPU Utilization in Server or Container Exceeds: You can set CPU Utilization to a value that ranges from 10% to 99%, with a recommended configuration of 95%.

  • JVM Heap Memory Usage Exceeds: You can set the JVM Heap Memory Usage to a value that ranges from 5% to 99%, with a recommended configuration of 98%.

  • JVM Heap Remaining Memory Falls Short: You can set the JVM Heap Remaining Memory to a value that ranges from 10 to 99,999 MB, with a recommended configuration of 100 MB.

Important

  • The circuit breaking feature is only supported in the RASP agent V0.8.8 and later. Versions earlier than V0.8.8 can be automatically upgraded to the latest version after you restart the application process.

  • Instances in the Circuit Breaking state still consume the quota for the application protection feature.

Step 4: Check whether the application is added to the application protection feature

If the PID of an application process is displayed in the authorized instance list of the application group, the application is added to the application protection feature. To view the protected applications, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.

  2. In the panel that appears, view the applications that are added to the application protection feature.

    If the PID of the application process that you want to protect is displayed in the application list, the application is protected.


Step 5: Manage protection policy groups

To meet the security requirements in different business scenarios, the application protection feature manages the attack detection policies in the following pre-defined protection policy groups at different levels: Business First Group, Normal Running Group, and Protection First Group.

The detection modes of all policies in the pre-defined protection policy groups are the same. For example, the detection mode of all policies in Business First Group is loose. You can use the pre-defined protection policy groups or create a protection policy group based on your business requirements.

Detection mode description

To balance the false positive rate and security protection effectiveness in different business scenarios, the application protection feature provides the following detection modes: loose, standard, and strict. The loose, standard, and strict modes are listed in ascending order based on the false positive rate and security protection effectiveness.

  • Loose: Security Center detects only threats of known attack characteristics with a low false positive rate.

  • Standard: Security Center detects threats of common attack characteristics and provides generalization reasoning capabilities. This is the default mode and is suitable for routine O&M.

  • Strict: Security Center identifies more attacks that are difficult to detect. False positives may be generated.

Create a protection policy group

  1. On the Application Configurations tab of the Application Protection page, click Protection Policy Group Management.

  2. Click Create Protection Policy Group.

  3. In the Create Protection Policy Group panel, enter a name and description for the protection policy group and click Select to the right of Threat Type.

    In the Select Threat Type panel, select the type of the threat that you want to detect, configure the Detection Mode parameter, and then click OK.

    For example, if a large number of false positives for SQL injections are generated in existing alerts, you can change the detection mode for SQL injections to Loose.

  4. Click OK.

What to do next

Manage the quota for the application protection feature

  • View the remaining quota for the application protection feature

    When an application instance is protected, the quota for the application protection feature is deducted by one. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for the application protection feature, you can view the remaining quota on the Application Configurations tab of the Application Protection page.


    If the remaining quota is insufficient or exhausted, take note of the following items:

    • If the automatic access method is used, servers cannot be automatically added to the application protection feature.

      Note

      If the quota for the application protection feature is exhausted when the automatic access method is used to add applications, the applications can be added but the status of the excess application instances is unauthorized.

    • If the quota for the application protection feature is exhausted, you can manually add applications to the application protection feature but the status of the application instances is unauthorized. The unauthorized application instances are not protected.

    If the quota for the application protection feature is insufficient, we recommend that you follow the instructions in this topic to increase the quota.

  • Increase the quota for the application protection feature

    If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, perform the following steps: Go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.

Modify the protection policies of an application group

To modify the protection policies of an application group, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group whose protection policies you want to modify and click Protection Policy in the Actions column.

  2. In the Protection Policy panel, select a protection policy group from the Protection Policy Group drop-down list.

  3. Click OK.

Disable the application protection feature

Disable the application protection feature for an application

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.

  • Automatic Access (The Security Center agent is online): On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.

    Important

    If you no longer need to protect a server, you can remove the server after you turn off the switch in the Application Protection column.

    On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.

  • Automatic Access (The Security Center agent is offline): When the Security Center agent is offline, the RASP agent cannot be uninstalled automatically through the console. You can perform the following steps to manually uninstall the RASP agent.

    1. Open the terminal or command-line interface on the server and run the crontab -e command.

    2. In the list of scheduled tasks, remove the tasks that are related to application protection. The application protection task looks like the following line:

      * * * * * bash -c /usr/local/aegis/rasp/apps/664dd403cd24364f9e******/attach/runJavaFinder.sh http://update-vpc.aegis.aliyuncs.com/rasp/plugin/v1/error/report aa97bdc587ac7ab37028506359****** 6901ad53-a454-4681-afdb-c894d2******

    3. Save the cron scheduled tasks and exit.

      • If you are using the vi or vim editor, press Esc to make sure that you are in normal mode, enter :wq, and then press Enter to save and exit.

      • If you are using the nano editor, press Ctrl+O to save changes, and press Ctrl+X to exit.

    4. Restart the process during off-peak hours.

  • Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.

Disable the application protection feature for an application group

To disable the application protection feature for all applications in an application group, you can perform the following steps: On the Application Configurations tab of the Application Protection page, find the application group that you want to manage, click Protection Policy in the Actions column, change the value of the Protection Mode parameter to Disable, and click OK.

Delete an application group

Important

After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.

Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.

On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

View the version of the RASP agent

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Add Instances column. If an upgrade icon is displayed to the right of the RASP Version column of an application instance, a new version of the RASP agent is available. We recommend that you restart the application to automatically upgrade the RASP agent.

View the state of the application instance

On the Application Configurations tab of the Application Protection page, click the number in the Add Instances column of the target application group to check the list of instances added to the application protection feature.

The following list describes the status of an application instance:

  • Online and authorized: The application instance is protected by the application protection feature.

  • Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for the application protection feature is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.

  • Offline: The application instance is not added to the application protection feature.

  • Online Circuit Breaking Feature: Runtime Circuit Breaking Settings has been enabled for the application group where this instance resides. When the resource usage of this instance reaches the threshold for circuit breaking, application protection for this instance is disabled. Instances in this state still consume the quota for the application protection feature. When the resource usage of this instance drops below all circuit breaking thresholds, application protection resumes, and the instance status changes to "Online - Authorized."

