Security Center:Use the application protection feature

Updated: Dec 03, 2024

The application protection feature can monitor processes on which the runtime application self-protection (RASP) agent is installed and prevent malicious behaviors and threats in real time to ensure the continuous and stable running of applications. This topic describes how to add an application to the application protection feature.

RASP agent

Supported applications

The application protection feature detects attacks by using the RASP agent that is installed into each protected application. The RASP agent can be installed only on Java processes that meet all of the following conditions, so only those processes can be protected:

  • Java Development Kit (JDK): The JDK version is JDK 6 or later. JDK 13 and JDK 14 are not supported.

  • Middleware: The RASP agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.

  • Operating system: The Linux 64-bit or Windows 64-bit operating systems are used.

Resource usage thresholds

When the resource usage of a server, container, or Java virtual machine (JVM) exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This prevents the agent from being loaded into an already overloaded application. This limit does not apply to the manual access method. The thresholds are as follows:

  • The CPU usage of the server or container exceeds 98%, or the remaining server or container memory is less than 200 MB.

  • The remaining JVM heap memory is less than 150 MB, or the remaining JVM metadata space (Metaspace) is less than 5 MB.

Application access whitelist

An application access whitelist defines the server processes that are automatically added to the application protection feature. After you configure an application access whitelist for an application group, only processes that match the rule are protected by the application protection feature. Take note of the following items:

  • The whitelist takes effect only if the version of the RASP agent is 0.9.4 or later.

  • If you configure a whitelist before server assets are added to the application protection feature, the whitelist takes effect when the assets are automatically added. If you configure a whitelist after server assets are added, it takes effect for the processes that are already added only after those processes are restarted; for processes that failed or were skipped, it takes effect when they are next automatically added.

Prerequisites

  • The Security Center agent on your server is online.

    To check whether the Security Center agent on your server is online, go to the Assets > Host page, click the Servers tab, find your server, and check the icon in the Agent column, which shows whether the agent is online. If the Security Center agent is offline, see Troubleshoot why the Security Center agent is offline.

  • The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

1: Check the applications that can be added to the application protection feature

The application protection feature is available only for Java applications in the Running state. Before you purchase a quota for the application protection feature, you can perform the following operations to view the number and details of qualified applications. An application that can be added is considered a qualified application.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. In the Protection Statistics section, click Immediate Scan.

    After you click Immediate Scan, the Security Center agent collects information about the processes on your assets.

    Note

    The Security Center agent can collect the information only once per day in the Basic, Value-added Plan, Anti-virus, or Advanced edition of Security Center.

  4. View the number of application processes on your assets. You can click the number to view the list of application processes. The list provides the server information, process name, process identifier (PID), and startup parameters of each qualified application process.

    Important

    When an application is added to the application protection feature, the quota for the feature is deducted by one. The number of processes dynamically changes. Only the processes that are running during the scan are counted. You can estimate the quota that you need to purchase for the application protection feature based on the number of processes.


2: Purchase a quota for the application protection feature

You can use the application protection feature only if you have a sufficient quota. When you purchase Security Center, select the required edition and the quota for the application protection feature. For more information, see Purchase Security Center.

Note

The quota for the application protection feature that is provided by the free trial of Security Center is 10, and the quota is free of charge. If you have not purchased Security Center, you can apply for a free trial of Security Center. For more information, see Apply for a 7-day free trial of Security Center.

3: Add applications to the application protection feature

The application protection feature protects web service processes by application group. Before you can use the application protection feature, you must create an application group, add the application processes that you want to protect to an application group, and configure a unified protection policy for the application group.

3.1 Create an application group

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the page that appears, click the Application Configurations tab. Then, click Create Application Group.

  4. In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.

    We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete the preceding step, the application group is created.

3.2 Use the automatic access or manual access method

Access methods

The application protection feature supports the automatic access and manual access methods.

Automatic access for servers and containers (recommended)

  • Description: You add servers, and all qualified applications on those servers are protected. After a server is added, the feature uses the JVM Attach mechanism to identify the qualified Java processes that are listening on ports on the server or in a container on the server and loads the agent into them. The protection capabilities are loaded and unloaded dynamically while the applications run, so business continuity is preserved and the processes do not need to be restarted.

  • Scenario: Servers that have not yet been added to an application group by using the automatic access method.

  Note

  If the processes on a server were automatically added to an application group and you want to move them to a different application group, disable the application protection feature for the server, remove the server from the current application group, and then use the automatic access method to add the server to the new application group.

Manual access

  • Description: You add a single application at a time. You must configure the RASP agent for the application and then restart the application.

  • Scenarios:

    • The application runs on WebSphere. WebSphere applications must use the manual access method.

    • Some processes on the server were automatically added to an application group and you want to add the remaining, unprotected processes on that server to a different application group.

    • You want to add a server to multiple application groups.

    • The Java process is not listening on a port.

Automatic access

Important
  • The first time you add applications to the application protection feature, we recommend that you do so during off-peak hours, add applications in batches as a canary release, and observe the metrics. When application processes are added by using the automatic access method, RASP instruments the running processes by inserting monitoring or protection code. The JIT-compiled code of the affected methods is deoptimized and recompiled, so CPU utilization rises for a short time: typically 10 to 20 seconds, approximately 30 seconds at most, and up to several minutes for large applications. CPU utilization returns to normal after the applications are added.

  • A server can be automatically added to only one application group. If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.

  • You can also switch a server that was added by using the manual access method to the automatic access method: after you uninstall the manually installed RASP agent from the server, the server is automatically added to the application protection feature.

  • The automatic access method is supported for Java processes that are listening on ports. If the Java processes are not listening on ports, you must use the manual access method.

  1. On the Automatic Access tab of the Automatic/Manual Access page, click Select Asset for Application Protection.

  2. In the Select Asset dialog box, select the assets that you want to add and click OK.

    After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 50 servers at a time.

  3. Perform the following operations based on the number of servers that you want to add:

    • If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.


    • If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.

      You can select up to 50 servers at a time.

    After you turn on the switch in the Application Protection column for a server or select multiple servers and click Batch Enable Protection, Security Center automatically identifies the Java processes on the selected servers and adds them to application protection. During this process, Installing is displayed in the Application Protection column. This process may take approximately 10 minutes, depending on your network environment. If multiple Java processes are running on a server, all of them are added in the same operation.

    After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The Protection Status column can show the following values:

    • Not Added: The application protection feature is disabled for the server.

    • Failed: All processes on the server failed to be added to the application protection feature.

    • Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.

    • All Added: All qualified processes on the server are added to the application protection feature or no qualified processes exist on the server.

      Note

      When All Added is displayed in the Protection Status column and no qualified processes exist on the server or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty. Subsequently, if a qualified process runs on the server, the process is automatically added.

    You can click Details in the Actions column to view the status of the added Java processes.

    Note

    If you configure an application access whitelist for the application group, the processes that do not match the whitelist rules are skipped.


Manual access

You can perform the following steps to manually add applications that run on servers or on containers to the application protection feature. The following list describes the methods that you can use to manually add applications that run on containers to the application protection feature.

  • Manual access for containers (point-and-click push): If you have already determined which applications and servers to add, you can use this method to push the installation package of the RASP agent directly to the servers.

  • Manual access for containers (package download and installation): If you want another user to help install the RASP agent, you can use this method to download the installation package and distribute the package to the user for installation.

Manual access for servers

  1. In the Access Management panel, click the Manual Access tab. On the Host Access Guide tab, click Point-and-click Push.

  2. In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent and click OK.

  3. Configure the JVM parameters for the servers based on the runtime environment of the applications. You can configure the JVM parameters based on the information in the Security Center console or in the following table.

    When you configure the parameters based on the following table, replace {appId} in the code with the application ID that is displayed on the Host Access Guide tab. The following figure shows the position of an application ID. [Figure: location of the application ID]

    Parameter setting by runtime environment:
    Tomcat on Linux

    Add the following configuration to the <Tomcat installation directory>/bin/setenv.sh file:

    export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"

    If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh file, create it there. catalina.sh sources setenv.sh on every start, so the agent is loaded on the next restart.

    Tomcat on Windows

    Add the following configuration to the <Tomcat installation directory>\bin\setenv.bat file:

    set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar"

    If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat file, create it there.

    Jetty

    Add the following two lines to the {JETTY_HOME}/start.ini file. Each line of start.ini is one argument; --exec makes Jetty fork a new JVM so that JVM options such as -javaagent take effect:

    --exec
    -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

    Spring Boot

    Add the -javaagent parameter to the startup command for the Spring Boot process.

    java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

    For example, the following command is the original startup command of the Spring Boot process:

    java -jar app.jar

    Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command:

    java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar
    Important

    Make sure that the -javaagent parameter is placed before the -jar parameter.

    JBoss or WildFly

    • Standalone Mode

      Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment:

      JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
    • Domain Mode

      Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content:

      <jvm-options>
         <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/>
      </jvm-options>

    Liberty

    Create or modify the jvm.options file in the server configuration directory ${server.config.dir} of your Liberty installation. By default, the file is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. Add the following line to the file:

    -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

    Resin

    • Resin3

      Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content:

      <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
    • Resin4

      Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <server-default> tag and add the following content next to the existing <jvm-arg-line> entry:

      <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
  4. Restart the applications that you want to add to the application protection feature on the server.

    The application protection feature takes effect as soon as the applications have restarted with the agent loaded. On the Application Configurations page, you can view the servers that are added to the application group.
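The following Python script, added here as an example and not part of Alibaba Cloud's documentation or agent, checks a Linux Java start command for the mistake the Important note above warns about (an option placed after -jar becomes a program argument, so the JVM never loads the agent), verifies that the appId in the agent path is the one expected, and shows how to insert the option safely. It assumes the agent path layout /usr/local/aegis/rasp/apps/{appId}/rasp.jar from the table above; the application IDs and command lines it is exercised with are constructed, and Windows paths are not handled.

```python
"""Check and fix the placement of the RASP -javaagent option in a Java start command.

Added example for this page, not Alibaba Cloud's code. Assumes the Linux agent
path layout /usr/local/aegis/rasp/apps/{appId}/rasp.jar; app IDs and command
lines used below are constructed. Windows paths are not handled.
"""
import re
import shlex

# Agent jar path on Linux servers; appId is the application ID shown on the
# Host Access Guide tab.
AGENT_RE = re.compile(
    r"^-javaagent:/usr/local/aegis/rasp/apps/(?P<app_id>[^/]+)/rasp\.jar(=.*)?$"
)

# JVM options whose value is a separate argument; that value must not be
# mistaken for the main class when locating the end of the option list.
_VALUE_OPTS = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}


def _options_end(argv):
    """Index of the first argument that is not a JVM option: -jar or the main class."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-jar":
            return i
        if arg in _VALUE_OPTS:
            i += 2
            continue
        if arg.startswith("-"):
            i += 1
            continue
        return i
    return len(argv)


def check_startup_command(cmdline, expected_app_id):
    """Verdict on one command line. The agent must be present, carry the
    expected appId, and sit before -jar (or the main class); anything after
    that point is passed to the application, not to the JVM."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "java":
        return {"ok": False, "reason": "not a java command"}
    hits = [(i, m) for i, m in ((i, AGENT_RE.match(a)) for i, a in enumerate(argv)) if m]
    if not hits:
        return {"ok": False, "reason": "no RASP -javaagent option"}
    idx, match = hits[0]
    if match.group("app_id") != expected_app_id:
        return {"ok": False, "reason": "appId mismatch: " + match.group("app_id")}
    if idx >= _options_end(argv):
        return {"ok": False, "reason": "-javaagent placed after -jar or the main class"}
    return {"ok": True, "reason": "agent loads before application code"}


def add_agent(cmdline, app_id):
    """Insert the agent option directly after the java executable, which is
    always before -jar; the command is returned unchanged if the agent is
    already present."""
    argv = shlex.split(cmdline)
    if any(AGENT_RE.match(a) for a in argv):
        return cmdline
    agent = "-javaagent:/usr/local/aegis/rasp/apps/%s/rasp.jar" % app_id
    return shlex.join([argv[0], agent] + argv[1:])


if __name__ == "__main__":
    # "example-app-id" stands in for a real application ID from the console.
    fixed = add_agent("java -jar app.jar", "example-app-id")
    print(fixed)
    print(check_startup_command(fixed, "example-app-id"))
```

Run the check against the startup parameters the Immediate Scan lists for each process after you restart it; a process that still reports "no RASP -javaagent option" or "placed after -jar" has not been instrumented, whatever the console shows.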

Manual access for containers (point-and-click push)

  1. In the Access Management panel, click the Manual Access tab. On the Add Container tab, click Point-and-click Push.

    You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

  2. In the Push RASP Agent dialog box, select the servers on which you want to install the RASP agent and click OK.

  3. Start the RASP agent.

    • Method 1: Add parameters to the Dockerfile.

      1. Go to the directory in which the Dockerfile resides and create a directory named rasp.

        cd <Directory of the Dockerfile>
        mkdir rasp
      2. Copy the RASP files that are pushed to the server to the rasp directory.

        You can obtain the application group ID on the Add Container tab in the Security Center console.

        cp -r /usr/local/aegis/rasp/apps/<Application group ID>/* ./rasp
      3. Modify the Dockerfile so that the rasp directory is packaged into the container image. Add the following instruction to the Dockerfile:

        COPY rasp /rasp/
        Important

        The user that runs the Java process in the container must have read and execute permissions on the /rasp/ directory and the files in it. Otherwise, the JVM cannot load rasp.jar.

      4. Modify the JVM startup parameters in the Dockerfile so that the JVM is started with -javaagent:/rasp/rasp.jar.

        The following list describes the parameter settings in different runtime environments. Replace {manager.key} in the code with the value of -Dmanager.key that is displayed on the Add Container tab.

        Runtime environment

        Parameter setting

        SpringBoot

        To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications.

        Startup command before the change:

        CMD ["java","-jar","/app.jar"]

        Startup command after the change:

        CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]

        Tomcat

        • To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile:

          ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        • To install the RASP agent when the container is started, add the following parameter to the docker run command:

          --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"

        For example, if the original startup command of a container is docker run -itd --name=test -P <image name>, change it to docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P <image name> before you start the container.

        Weblogic

      5. Recreate an image and start the container.

    • Method 2: Mount volumes to the container.

      1. When you create the container, mount the RASP agent directory of the server into the container at /rasp/. The --privileged=true flag in the sample is not needed for a bind mount; omit it unless your environment requires it for other reasons.

        docker run -itd --privileged=true -v /usr/local/aegis/rasp/apps/<Application group ID>:/rasp/ <Image ID>
      2. Run the following command to access the container:

        docker exec -it <Container ID> /bin/bash
      3. Add the following JVM parameter to the startup script of the application in the container and restart the application to start the RASP agent:

        Configure the parameter based on your business environment. Replace {manager.key} with the value of -Dmanager.key that is displayed on the Add Container tab.

        -javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}

Manual access for containers (package download and installation)

  1. In the Access Management panel, click the Manual Access tab. On the Add Container tab, select Custom Installation from the drop-down list in the Download and Install RASP Agent step.

    You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.


  2. In the drop-down list, select Do Not Access Proxy or Self-managed Proxy Cluster to determine whether to add the server on which you want to install the RASP agent to the Security Center by using the proxy access feature.

    If you select Self-managed Proxy Cluster, you must select a proxy cluster that you want to use to add the server to Security Center. For more information, see Add servers to Security Center by using the proxy access feature.

  3. Click Download to the right of the installation package of the RASP agent to download the package.

  4. Start the RASP agent.

    • Method 1: Add parameters to the Dockerfile.

      1. Go to the directory of the Dockerfile.

        cd <Directory of the Dockerfile>
      2. Upload the downloaded installation package of the RASP agent to the directory of the Dockerfile. Then, decompress the package to the directory.

        unzip <Name of the installation package> -d .
        Note

        After the installation package is decompressed, a directory named rasp is generated.

      3. Modify the Dockerfile so that the decompressed rasp directory is packaged into the container image. Add the following instruction to the Dockerfile:

        COPY rasp /rasp/
        Important

        The user that runs the Java process in the container must have read and execute permissions on the /rasp/ directory and the files in it. Otherwise, the JVM cannot load rasp.jar.

      4. Modify the JVM startup parameters in the Dockerfile so that the JVM is started with -javaagent:/rasp/rasp.jar.

        The following list describes the parameter settings in different runtime environments. Replace {manager.key} in the code with the value of -Dmanager.key that is displayed on the Add Container tab.

        Runtime environment

        Parameter setting

        SpringBoot

        To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications.

        Startup command before the change:

        CMD ["java","-jar","/app.jar"]

        Startup command after the change:

        CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]

        Tomcat

        • To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile:

          ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
        • To install the RASP agent when the container is started, add the following parameter to the docker run command:

          --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"

        For example, if the original startup command of a container is docker run -itd --name=test -P <image name>, change it to docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P <image name> before you start the container.

        Weblogic

      5. Recreate an image and start the container.

    • Method 2: Mount volumes to the container.

      1. Upload the downloaded installation package of the RASP agent to a directory of your choice on the server and decompress it there. Replace <user.path> with that directory.

        unzip <Name of the installation package> -d /<user.path>/
      2. When you create the container, mount the decompressed rasp directory into the container at /rasp/.

        docker run -itd -v /<user.path>/rasp:/rasp/ <Image ID>
      3. Run the following command to access the container:

        docker exec -it <Container ID> /bin/bash
      4. Add the following JVM parameter to the startup script of the server to start the RASP agent:

        You must configure the parameter based on your business environment. You must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab.

        -javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}

3.3 Configure a protection policy

In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.

Important

The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Add alerts to a whitelist.

Protection Policy

  • Application Group Name: The name of the application group. You cannot change the name in this step.

  • Protection Mode: The protection mode of the application group. Valid values:

    • Monitor: monitors your applications to detect attacks but does not block them. If an attack is detected, an alert is generated with Handling Method set to Monitor.

    • Block: monitors your applications, blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated with Handling Method set to Block.

    • Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.

  • Protection Policy Group: The default protection policy group is Normal Running Group. You can select a different protection policy group from the drop-down list. For more information about protection policy groups, see 5: Manage protection policy groups.

  • Threat Type: The check types supported by the selected protection policy group.

Detection Policy

  • Weakness Detection: Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses.

  • In-memory Webshell Detection: Specifies whether to enable the in-memory webshell detection feature for the current application group. For more information, see Use the in-memory webshell prevention feature.

Common Settings

  • Detection Timeout Period: The maximum time that attack detection may take for a request. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. When the period elapses, the original business logic continues even if detection has not completed. We recommend that you keep the default value.

  • Method to Obtain Source IP Address: The method that is used to determine the source IP address of a request.

    • Default: the system reads the standard request headers that record source IP addresses in the sequence X-Real-IP, True-Client-IP, X-Forwarded-For and uses the first of them that has a value. If X-Real-IP is unavailable, True-Client-IP is used; if both are unavailable, X-Forwarded-For is used.

    • Enter Custom Header: the system reads the custom headers first. If you configure multiple custom headers, they are read in the listed sequence. If none of the custom headers yields a source IP address, the Default method is used. You can specify up to five custom headers.

    Note

    These headers are set by whatever sits in front of the application. If requests can reach the application without passing through a proxy that you control and that overwrites these headers, a client can supply any value it likes, so prefer a custom header that only your own load balancer sets.

  • Runtime Circuit Breaking Settings: After the runtime circuit breaking feature is enabled, the RASP agent automatically stops providing real-time protection, in-memory webshell detection, and weakness detection when the CPU utilization or memory usage of a server or process exceeds the configured thresholds. When resource usage falls below the thresholds, RASP automatically resumes these capabilities.

    This feature is disabled by default and helps your workloads run stably during peak hours. If your applications are performance-sensitive, such as computational applications, you can enable it.

    • CPU Utilization in Server or Container Exceeds: 10% to 99%. Recommended value: 95%.

    • JVM Heap Memory Usage Exceeds: 5% to 99%. Recommended value: 98%.

    • JVM Heap Remaining Memory Falls Short: 10 to 99,999 MB. Recommended value: 100 MB.

Important
  • The circuit breaking feature is supported only for the RASP agent V0.8.8 or later. The RASP agent that runs a version earlier than V0.8.8 can be automatically upgraded to the latest version after you restart the application process.

  • Instances in the Circuit Breaking state still consume the quota for the application protection feature.
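To make the Method to Obtain Source IP Address setting concrete, here is a Python model of the resolution order it describes (custom headers in the listed order, then X-Real-IP, True-Client-IP, X-Forwarded-For, then the TCP peer address), added here as an example and not the agent's own code. It also shows the check a practitioner should add in front of such logic: these headers are attacker-controllable unless a proxy you operate overwrites them, so only honour them when the request arrived from a trusted proxy. IP-format validation and using the leftmost entry of a comma-separated X-Forwarded-For value are assumptions of this example, not behaviour the page states; the addresses are constructed from documentation ranges.

```python
"""Source IP resolution in the order the Default and Enter Custom Header settings
describe. Added example, not the RASP agent's code. Header and address values
are constructed (RFC 5737 ranges); validating the IP format and taking the
leftmost X-Forwarded-For entry are assumptions of this example."""
import ipaddress

# Standard headers, in the order the Default method consults them.
DEFAULT_ORDER = ("X-Real-IP", "True-Client-IP", "X-Forwarded-For")
MAX_CUSTOM_HEADERS = 5


def _client_entry(value):
    """First (leftmost) entry of a header value if it is a valid IP, else None.
    X-Forwarded-For is 'client, proxy1, proxy2'; the leftmost entry is the
    claimed client."""
    first = value.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def resolve_source_ip(headers, remote_addr, custom_headers=()):
    """Custom headers first, in the listed order, then the Default sequence,
    then the TCP peer address. Returns (ip, name of the source used)."""
    if len(custom_headers) > MAX_CUSTOM_HEADERS:
        raise ValueError("at most %d custom headers" % MAX_CUSTOM_HEADERS)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in tuple(custom_headers) + DEFAULT_ORDER:
        value = lowered.get(name.lower())
        if value:
            ip = _client_entry(value)
            if ip:
                return ip, name
    return remote_addr, "remote_addr"


def resolve_source_ip_trusted(headers, remote_addr, trusted_proxies, custom_headers=()):
    """Honour forwarding headers only when the request came from a proxy you
    control; any other peer can put an arbitrary value in X-Forwarded-For."""
    if remote_addr not in trusted_proxies:
        return remote_addr, "remote_addr (headers ignored: untrusted peer)"
    return resolve_source_ip(headers, remote_addr, custom_headers)


if __name__ == "__main__":
    # Constructed request: the client claims 203.0.113.5 via a proxy at 10.0.0.2.
    hdrs = {"X-Forwarded-For": "203.0.113.5, 10.0.0.2"}
    print(resolve_source_ip(hdrs, "10.0.0.2"))
    print(resolve_source_ip_trusted(hdrs, "203.0.113.200", {"10.0.0.2"}))
```

When you choose Enter Custom Header, pick the header that your own load balancer sets and overwrites on every request; alerts keyed on a spoofable header point investigators at the wrong source.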

3.4 Configure an application access whitelist

If your business applications are sensitive and you do not want to add the applications to the application protection feature or you want to add specific processes to the application protection feature in a canary release, you can configure an application access whitelist and configure rules to define the processes to be added to the application protection feature. Only processes that match the whitelist rules are added to the application protection feature. If you do not configure whitelist rules, all processes that run on the server asset are automatically added to the application protection feature. The following section describes how to configure an application access whitelist. If you do not need to configure an application access whitelist, skip the steps.

  1. On the Automatic Access tab in the Create Application Group panel, click Application Access Whitelist.

  2. On the Application Access Whitelist tab of the Whitelists page, click Create Whitelist.

  3. In the Create Whitelist panel, configure the following parameters and click OK.

    • Rule Name: The name of the whitelist rule.

    • Whitelist Mode: The whitelist mode that is used by the whitelist rule. Valid values:

      • cmdline: uses command-line parameters to match the processes that need to be added to the whitelist. The following matching methods are supported:

        • Contain

        • Contains One of Multiple Values

        • Does Not Contain

        • Does Not Contain Any Value

      • Environment Variables: uses the environment variables of the processes to match the processes that need to be added to the application protection feature. The supported matching method is Equal To.

      • -D parameter: uses the system properties (-D options) that are specified when the Java program is started to match the processes that need to be added to the application protection feature. The supported matching method is Equal To.

      Sample configurations:

      • Add only tomcat-related processes.

        • Set the Whitelist Mode parameter to cmdline.

        • Set the Match Mode parameter to Contain.

        • Set the Content to Match parameter to tomcat.

      • Add non-apache or non-test processes.

        • Set the Whitelist Mode parameter to cmdline.

        • Set the Match Mode parameter to Does Not Contain Any Value.

        • Set the Content to Match parameter to apache,test.

    • Match Mode: The match mode of the rule.

    • Match Field: The field of the rule to be matched.

      Note

      This parameter is required only if you set the Whitelist Mode parameter to Environment Variables or -D parameter.

    • Content to Match: The content to be matched.

    • Destination Application Groups: The application group to which you want to apply the whitelist rule.
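The following Python script is an added example, not Security Center code, that models the whitelist matching semantics described above: the four cmdline match modes, and Equal To matching on environment variables and on -D system properties. The process records, rule dictionaries and the key names whitelist_mode, match_mode, match_field and content are constructed for this example and are not console API fields. It generalizes the two sample configurations by evaluating every supported mode against the same set of processes.

```python
# Added example (not Security Center code): whitelist rule matching as
# described in the Application Access Whitelist documentation.
# Process records and rule dictionaries below are constructed for illustration.
from dataclasses import dataclass, field
import shlex


@dataclass
class Process:
    pid: int
    cmdline: str
    env: dict = field(default_factory=dict)  # environment variables of the process


def d_params(cmdline: str) -> dict:
    """Extract -Dkey=value JVM system properties from a command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and len(tok) > 2:
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props


def matches(rule: dict, proc: Process) -> bool:
    """Return True if the process satisfies the whitelist rule."""
    mode, match_mode, content = rule["whitelist_mode"], rule["match_mode"], rule["content"]
    if mode == "cmdline":
        # Multi-value match modes take a comma-separated list of values.
        values = [v.strip() for v in content.split(",") if v.strip()]
        if match_mode == "Contain":
            return content in proc.cmdline
        if match_mode == "Contains One of Multiple Values":
            return any(v in proc.cmdline for v in values)
        if match_mode == "Does Not Contain":
            return content not in proc.cmdline
        if match_mode == "Does Not Contain Any Value":
            return not any(v in proc.cmdline for v in values)
        raise ValueError(f"unsupported cmdline match mode: {match_mode}")
    # Environment Variables and -D parameter support only Equal To on a named field.
    if match_mode != "Equal To":
        raise ValueError(f"{mode} supports only Equal To, got {match_mode}")
    if mode == "Environment Variables":
        source = proc.env
    elif mode == "-D parameter":
        source = d_params(proc.cmdline)
    else:
        raise ValueError(f"unsupported whitelist mode: {mode}")
    return source.get(rule["match_field"]) == content


def select_processes(rule: dict, procs: list) -> list:
    """PIDs that would be added to the application protection feature under the rule."""
    return [p.pid for p in procs if matches(rule, p)]


# Constructed sample processes (hypothetical command lines and environments).
SAMPLE_PROCESSES = [
    Process(1001, "java -Dapp.env=prod -jar /opt/tomcat/bin/bootstrap.jar", {"APP_ROLE": "web"}),
    Process(1002, "java -Dapp.env=test -jar /srv/apache-kafka/app.jar", {"APP_ROLE": "batch"}),
    Process(1003, "java -Dapp.env=staging -jar /srv/payments/app.jar", {"APP_ROLE": "web"}),
]

# The two sample configurations from the documentation, plus one rule per remaining mode.
RULE_TOMCAT_ONLY = {"whitelist_mode": "cmdline", "match_mode": "Contain",
                    "match_field": None, "content": "tomcat"}
RULE_NON_APACHE_OR_TEST = {"whitelist_mode": "cmdline", "match_mode": "Does Not Contain Any Value",
                           "match_field": None, "content": "apache,test"}
RULE_ENV_WEB = {"whitelist_mode": "Environment Variables", "match_mode": "Equal To",
                "match_field": "APP_ROLE", "content": "web"}
RULE_DPARAM_PROD = {"whitelist_mode": "-D parameter", "match_mode": "Equal To",
                    "match_field": "app.env", "content": "prod"}

if __name__ == "__main__":
    for name, rule in [("tomcat only", RULE_TOMCAT_ONLY), ("non-apache/non-test", RULE_NON_APACHE_OR_TEST),
                       ("APP_ROLE=web", RULE_ENV_WEB), ("-Dapp.env=prod", RULE_DPARAM_PROD)]:
        print(f"{name}: {select_processes(rule, SAMPLE_PROCESSES)}")
```

Running the script shows that the tomcat rule selects only PID 1001, while the non-apache/non-test rule excludes PID 1002 because its command line contains both values; a process is excluded by Does Not Contain Any Value as soon as any one of the comma-separated values appears in its command line.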

4: Check whether the application is added to the application protection feature

If the PID of an application process is displayed in the authorized instance list of the application group, the application is added to the application protection feature. To view the protected applications, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.

  2. On the panel that appears, view the applications that are added to the application protection feature.

    If the PID of the application process that you want to protect is displayed in the application list, the application is protected.


5: Manage protection policy groups

To meet the security requirements in different business scenarios, the application protection feature manages the attack detection policies in the following pre-defined protection policy groups at different levels: Business First Group, Normal Running Group, and Protection First Group.

The detection modes of all policies in the pre-defined protection policy groups are the same. For example, the detection mode of all policies in Business First Group is loose. You can use the pre-defined protection policy groups or create a protection policy group based on your business requirements.

Detection mode description

To balance the false positive rate and security protection effectiveness in different business scenarios, the application protection feature provides the following detection modes: loose, standard, and strict. The loose, standard, and strict modes are listed in ascending order based on the false positive rate and security protection effectiveness.

  • Loose: Security Center detects only threats of known attack characteristics with a low false positive rate.

  • Standard: Security Center detects threats of common attack characteristics and provides generalization reasoning capabilities. This is the default mode and is suitable for routine O&M.

  • Strict: Security Center identifies more attacks that are difficult to detect. False positives may be generated.


Create a protection policy group

  1. On the Application Configurations tab of the Application Protection page, click Protection Policy Group Management.

  2. Click Create Protection Policy Group.

  3. In the Create Protection Policy Group panel, enter a name and description for the protection policy group and click Select to the right of Threat Type.

    In the Select Threat Type panel, select the type of the threat that you want to detect, configure the Detection Mode parameter, and then click OK.

    For example, if a large number of false positives for SQL injections are generated in existing alerts, you can change the detection mode for SQL injections to Loose.


  4. Click OK.

What to do next

Manage the quota for the application protection feature

  • View the remaining quota for the application protection feature

    When an application instance is protected, the quota for the application protection feature is deducted by one. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for the application protection feature, you can view the remaining quota on the Application Configurations tab of the Application Protection page.


    If the remaining quota is insufficient or exhausted, take note of the following items:

    • If the automatic access method is used, servers cannot be automatically added to the application protection feature.

      Note

      If the quota for the application protection feature is exhausted when the automatic access method is used to add applications, the applications can be added but the status of the excess application instances is unauthorized.

    • If the quota for the application protection feature is exhausted, you can manually add applications to the application protection feature but the status of the application instances is unauthorized. The unauthorized application instances are not protected.

    If the quota for the application protection feature is insufficient, we recommend that you follow the instructions in this topic to increase the quota.

  • Increase the quota for the application protection feature

    If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, perform the following steps: Go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.

Modify the protection policies of an application group

To modify the protection policies of an application group, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group whose protection policies you want to modify and click Protection Policy in the Actions column.

  2. In the Protection Policy panel, select a protection policy group from the Protection Policy Group drop-down list.

  3. Click OK.

Disable the application protection feature

Disable the application protection feature for an application

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.

  • Automatic Access (The Security Center agent is online): On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.

    Important

    If you no longer need to protect a server, you can remove the server after you turn off the switch in the Application Protection column.

    On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.

  • Automatic Access (The Security Center agent is offline): If the Security Center agent is offline, the RASP agent cannot be automatically uninstalled in the console. In this case, you must perform the following steps to manually uninstall the RASP agent.

    1. Open the terminal or CLI on the server and run the crontab -e command.

    2. In the list of scheduled tasks, remove tasks related to application protection. The following sample code shows an application protection task:

      * * * * * bash -c /usr/local/aegis/rasp/apps/664dd403cd24364f9e******/attach/runJavaFinder.sh http://update-vpc.aegis.aliyuncs.com/rasp/plugin/v1/error/report aa97bdc587ac7ab37028506359****** 6901ad53-a454-4681-afdb-c894d2******
    3. Save the cron scheduled tasks and exit.

      • If you use the vi or vim editor, press Esc to ensure that you are in normal mode, enter :wq, and then press Enter to save the settings and exit.

      • If you use the nano editor, press Ctrl+O to save the changes and press Ctrl+X to exit.

    4. Restart the process during off-peak hours.

  • Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.

Disable the application protection feature for an application group

To disable the application protection feature for all applications in an application group, you can perform the following steps: On the Application Configurations tab of the Application Protection page, find the application group that you want to manage, click Protection Policy in the Actions column, change the value of the Protection Mode parameter to Disable, and click OK.

Delete an application group

Important

After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.

Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.

On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column.

View the version of the RASP agent

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Add Instances column. If an upgrade icon is displayed to the right of the RASP Version column of an application instance, a new version of the RASP agent is available. We recommend that you restart the application to automatically upgrade the RASP agent.

View the state of the application instance

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Add Instances column.

The following list describes the status of an application instance:

  • Online and authorized: The application instance is protected by the application protection feature.

  • Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for the application protection feature is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.

  • Offline: The application instance is not added to the application protection feature.

  • Online Circuit Breaking Feature: Runtime Circuit Breaking Settings is enabled for the application group to which the instance belongs. When the resource usage of the instance reaches a circuit breaking threshold, the instance is not protected by the application protection feature. Instances in this state still consume the quota for the application protection feature. When the resource usage of the instance drops below all circuit breaking thresholds, application protection resumes and the instance status changes to Online and authorized.


References