Access rules define the scope of server processes connected to Application Protection in automatic access mode. You can configure three types of policies: blacklist, whitelist, and automatic full access. This topic describes the configuration logic, priority, and operational instructions for each rule. These rules are suitable for security O&M scenarios that require fine-grained control over the protection scope and a reduction in false positives.
Blacklist and whitelist rules
How rules take effect
- Blacklists and whitelists apply only to the automatic access mode and do not affect the manual access mode.
- Blacklists have a higher priority than whitelists. If a process matches the conditions for both a blacklist and a whitelist, Application Protection does not connect it.
- Blacklists and whitelists take effect immediately if they are configured before a process is connected. If they are configured after a process is connected, the rules take effect after the process restarts or during the next automatic access. Deleting a blacklist rule takes effect immediately.
Use cases
| List type | Description | Use case | Process types |
| --- | --- | --- | --- |
| Blacklist | | | |
| Whitelist | | Protect only critical processes to follow the principle of least privilege. | |
Add a blacklist or whitelist
The following steps describe how to add a blacklist. The steps to add a whitelist are similar.
1. Log on to the Security Center console.
2. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
3. On the Application Configurations tab, click Management Settings in the upper-right corner.
4. In the Management Settings panel, on the Manage Access Rule tab, click the Blacklist tab, and then click Add Blacklist.
5. In the Add Blacklist dialog box, configure the following parameters and click OK.
   - Rule Name: Enter a name for the blacklist rule.
   - Rule Switch: The rule is enabled by default.
   - Effective Application Type: Select the application language to which the blacklist applies: Java or PHP.
   - Match Condition: Select a condition to match for the blacklist rule. Valid values:
     - cmdline: Matches processes to exclude based on their command-line parameters. The supported match operators are: contains, does not contain, contains one of multiple values, and does not contain any of the values.
     - Environment Variables: Matches processes to exclude based on the environment variables they access. The only supported match operator is equals.
     - -D parameter: Matches processes to exclude based on the system properties set at Java program startup. The only supported match operator is equals. Note: This option is available only when Effective Application Type is set to Java.
     - Container Name: Matches processes to exclude based on the name of the container to which they belong. The supported match operators are: contains, does not contain, contains one of multiple values, and does not contain any of the values. Note: This option is available only when Effective Application Type is set to PHP.

     Click Add Condition to add multiple match conditions. The logical relationship between conditions is AND, meaning a process must meet all conditions to match the rule.

     Examples:
     - To exclude processes whose startup parameters contain the string tomcat:
       - For Condition, select cmdline.
       - For Match Mode, select Include.
       - For Content to Match, enter tomcat.
     - To exclude processes whose startup parameters do not contain the strings apache or test:
       - For Condition, select cmdline.
       - For Match Mode, select Does Not Contain Any Value.
       - For Content to Match, enter apache,test.
   - Match Mode: Select a match operator for the rule.
   - Match Field: Enter the field to match. Note: This parameter is required only when Match Condition is set to Environment Variables or -D parameter.
   - Content to Match: Enter the content to match.
   - Destination Application Groups: Select the application groups to which this blacklist rule applies. The application type of the selected groups must match the type specified for Effective Application Type.
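The following Python model is an added example and is not Alibaba Cloud's code or the console's internal implementation. It encodes only the matching semantics the parameters above describe: the four string operators for cmdline and Container Name, the equals operator with a Match Field for Environment Variables and -D parameter, AND across the conditions of one rule, rules scoped to an application type, and blacklist precedence over whitelist. The rule and process records, the sample rules and processes, the reading of Match Field as the variable or property name with Content to Match as its value, and the assumption that a non-empty whitelist means only whitelisted processes are connected are all constructed for this example.

```python
"""Added example: a model of Application Protection access-rule matching.

Not Alibaba Cloud's code. Encodes only the documented semantics; the data
shapes, sample rules, and whitelist interpretation are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Condition:
    kind: str                          # "cmdline" | "env" | "dparam" | "container"
    mode: str                          # match operator, see _string_match / "equals"
    content: str                       # comma-separated for the multi-value operators
    match_field: Optional[str] = None  # variable / property name for env and dparam (assumed)


@dataclass
class Rule:
    name: str
    app_type: str                      # "Java" | "PHP" (Effective Application Type)
    conditions: List[Condition]
    enabled: bool = True               # Rule Switch


@dataclass
class Process:
    app_type: str
    cmdline: str
    env: Dict[str, str] = field(default_factory=dict)
    dparams: Dict[str, str] = field(default_factory=dict)  # -Dkey=value set at startup
    container: str = ""


def _values(content: str) -> List[str]:
    return [v.strip() for v in content.split(",") if v.strip()]


def _string_match(mode: str, haystack: str, content: str) -> bool:
    # The four operators the documentation lists for cmdline and Container Name.
    if mode == "contains":
        return content in haystack
    if mode == "does not contain":
        return content not in haystack
    if mode == "contains one of multiple values":
        return any(v in haystack for v in _values(content))
    if mode == "does not contain any of the values":
        return not any(v in haystack for v in _values(content))
    raise ValueError(f"unsupported match mode: {mode}")


def condition_matches(cond: Condition, proc: Process) -> bool:
    if cond.kind == "cmdline":
        return _string_match(cond.mode, proc.cmdline, cond.content)
    if cond.kind == "container":
        return _string_match(cond.mode, proc.container, cond.content)
    if cond.kind in ("env", "dparam"):
        # Only "equals" is supported, and Match Field is required.
        if cond.mode != "equals" or not cond.match_field:
            raise ValueError("env/-D conditions require mode 'equals' and a match field")
        table = proc.env if cond.kind == "env" else proc.dparams
        return table.get(cond.match_field) == cond.content
    raise ValueError(f"unsupported condition kind: {cond.kind}")


def rule_matches(rule: Rule, proc: Process) -> bool:
    if not rule.enabled or rule.app_type != proc.app_type:
        return False
    # AND: the process must satisfy every condition in the rule.
    return all(condition_matches(c, proc) for c in rule.conditions)


def should_connect(proc: Process, blacklist: List[Rule], whitelist: List[Rule]) -> bool:
    # Blacklist wins: a blacklisted process is never connected, even if it
    # also matches a whitelist rule.
    if any(rule_matches(r, proc) for r in blacklist):
        return False
    # Assumption: when whitelist rules exist, only matching processes connect.
    if whitelist:
        return any(rule_matches(r, proc) for r in whitelist)
    return True


def demo() -> Dict[str, bool]:
    """Constructed sample rules and processes; returns the connect decision per process."""
    blacklist = [
        Rule("exclude-test-tools", "Java",
             [Condition("cmdline", "contains one of multiple values", "apache,test")]),
        Rule("exclude-dev-profile", "Java",
             [Condition("dparam", "equals", "dev", match_field="spring.profiles.active")]),
        Rule("exclude-staging-containers", "PHP",
             [Condition("container", "contains", "staging")]),
    ]
    whitelist = [
        Rule("critical-java", "Java", [Condition("cmdline", "contains", "order-service")]),
        Rule("web-pool", "PHP", [Condition("container", "contains", "web")]),
    ]
    procs = {
        "order-service": Process("Java", "java -jar order-service.jar"),
        "order-service-test": Process("Java", "java -jar order-service-test.jar"),
        "dev-order-service": Process("Java", "java -Dspring.profiles.active=dev -jar order-service.jar",
                                     dparams={"spring.profiles.active": "dev"}),
        "batch-job": Process("Java", "java -jar batch-job.jar"),
        "php-fpm": Process("PHP", "php-fpm: pool www", container="web-1"),
        "php-staging": Process("PHP", "php-fpm: pool www", container="web-staging-1"),
    }
    return {name: should_connect(p, blacklist, whitelist) for name, p in procs.items()}


if __name__ == "__main__":
    for name, connected in demo().items():
        print(f"{name}: {'connect' if connected else 'skip'}")
```

In the sample, order-service-test matches both the whitelist (it contains order-service) and the blacklist (it contains test), and is skipped because the blacklist takes priority; php-staging is skipped for the same reason even though its container name also satisfies the PHP whitelist rule.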
Edit or delete a blacklist or whitelist
1. Log on to the Security Center console.
2. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
3. On the Application Configurations tab, click Management Settings in the upper-right corner.
4. In the Management Settings panel, on the Manage Access Rule tab, go to the Blacklist or Application Access Whitelist sub-tab. Find the rule you want to manage and click Edit or Delete in the Actions column.

Note: You can delete a rule only if no application group is using it. Before deleting a rule, you must first remove it from all associated application groups.
Automatic full access (Java processes only)
Supported scenarios
When you enable pay-as-you-go for Application Protection, if you do not configure custom on-demand binding, the system, by default, adds the Java processes in all your assets to Application Protection for management and uses the Slow Access method.
If you have enabled Application Protection but no processes are connected, a dialog box appears with two options: Automatic Full Access and Custom Access. If you select Automatic Full Access, the system uses the Slow Access method by default. You can click Configure Now to change the access method to Fast Access, Regular Access, or Slow Access.
Access methods
| Access method | Description |
| --- | --- |
| Fast Access | Suitable for environments with a small number of processes and low requirements for application stability. Installation time is short. |
| Regular Access | Suitable for environments with a moderate number of processes and low requirements for application stability. Installation time is average. |
| Slow Access | Suitable for environments with a large number of processes and high requirements for application stability. Installation time is long. |
Stop automatic full access
After you enable Automatic Full Access, you can stop the process at any time. Go to the Application Analysis tab under . Then, click Stop Accessing in the access status prompt.
After you stop the process, you cannot initiate automatic full access again. Application Protection will not connect servers with an access status of Queuing. Servers with an access status of In Progress will continue the installation.
After stopping the process, you can click View Details in the prompt to check the connection status of the Java processes on your assets.