All Products
Search
Document Center

Security Center:Use the application protection feature

Last Updated:May 28, 2024

The application protection feature can monitor processes on which the runtime application self-protection (RASP) agent is installed and prevent malicious behaviors and threats in real time to ensure the continuous and stable running of applications. This topic describes how to add an application to the application protection feature.

Description of the RASP agent

Supported applications

The application protection feature detects attacks by using the RASP agent that is installed for applications. The application protection feature protects only Java processes that meet the following conditions. (You can install the RASP agent only on those Java processes.)

  • Java Development Kit (JDK): The JDK version is JDK 6 or later. JDK 13 and JDK 14 are not supported.

  • Middleware: The RASP agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.

  • Operating system: The Linux 64-bit or Windows 64-bit operating systems are used.

Resource usage thresholds

When the resource usage of a server, container, or Java virtual machine (JVM) exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This helps ensure that the application protection feature runs as expected. This limit does not apply to the manual access method. The following list describes the related thresholds:

  • The CPU usage of a host or a container exceeds 98%, or the remaining memory is less than 200 MB.

  • The remaining JVM heap memory is less than 150 MB, or the metadata space is less than 5 MB.

Prerequisites

  • The Security Center agent on your server is online.

    To check whether the Security Center agent on your server is online, perform the following steps: Go to the Assets > Host page. Click the Servers tab. Find your server and view the icons in the Agent column. The image..png icon indicates that the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.

  • The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

Step 1: Check which applications can be added to the application protection feature

The application protection feature is available only for Java applications in the Running state. Only users of Security Center Enterprise and Ultimate can enable and use the asset fingerprints feature and view the applications that can be added to the application protection feature. An application that can be added is considered a qualified application.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Process tab of the Host page, find the processes for which java is displayed in the Process Name column.

    Important

    When an application is added to the feature, the quota for application protection is deducted by one. The number of processes dynamically changes. The number displayed in the search result in the left side of the tab is the number of processes that are initiated during vulnerability scan. You can estimate the quota that you need to purchase for application protection based on the number of processes.

    image.png

Step 2: Purchase a quota for application protection

You can use the application protection feature only if you have a sufficient quota. When you purchase Security Center, select the required edition and the quota for application protection. For more information, see Purchase Security Center.

Note

The quota for application protection that is provided by the free trial of Security Center is 10, and the quota is free of charge. If you have not purchased Security Center, you can apply for a free trial of Security Center. For more information, see Apply for a 7-day free trial of Security Center.

Step 3: Add applications for protection

The application protection feature protects web service processes by application group. Before you can use the application protection feature, you must create an application group, add the application processes that you want to protect to an application group, and configure a unified protection policy for the application group.

Create an application group

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the page that appears, click the Application Configurations tab. Then, click Create Application Group.

  4. In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.

    We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete the preceding step, the application group is created.

Use the automatic access or manual access method

Access methods

The application protection feature supports the automatic access and manual access methods. The following table describes the methods.

Method

Description

Scenario

Automatic access for servers and containers (recommended)

The automatic access method allows you to add servers to add all qualified applications on the servers for protection. After you add a server to the application protection feature, the feature uses JVM Attach capabilities to identify and add the qualified Java processes on the server or a container when the applications corresponding to the processes are running. This way, the applications are protected.

If you use the automatic access method, the system dynamically loads and unloads the application protection capabilities when the applications are running. This ensures business continuity without the need to restart the processes.

If a server is not added to an application group by using the automatic access method, you can use the automatic access method to add the server.

Note

If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can disable the application protection feature for the server, remove the server from the current application group, and then use the automatic access method to add the server to the new application group.

Manual access for servers

The manual access method allows you to add a single application for protection. You must manually add an application to the application protection feature and restart the application.

  • If the WebSphere framework is used for your application, you must use the manual access method.

  • If specific processes on your server are automatically added to an application group and you want to add other processes that are not protected on the server to a different application group, you can use this method.

  • If you want to add a server to multiple application groups, you must use the manual access method.

Manual access for containers

Automatic access

Important
  • The first time you add applications to the application protection feature, we recommend that you perform the operation during off-peak hours.

  • A server can be automatically added to only one application group. If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.

  • You can use the automatic access method for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.

  1. On the Automatic Access tab of the Automatic/Manual Access page, click Select Asset for Application Protection.

  2. In the Select Asset dialog box, select the assets that you want to add and click OK.

    After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 100 servers at a time.

    Note

    After you select a server, the OK button changes to Synchronizing, which indicates that Security Center is loading the server to the list of selected servers.

  3. Perform the following operations based on the number of servers that you want to add:

    • If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.

      自动接入控制台截图

    • If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.

      You can select up to 100 servers at a time.

    After you turn on the switch in the Application Protection column for a server or select multiple servers and click Batch Enable Protection, Security Center automatically identifies and adds the Java processes on the selected servers to application protection. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds the processes at a time.

    After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column

    • Not Added: The application protection feature is disabled for the server.

    • Failed: All processes on the server failed to be added to the application protection feature.

    • Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.

    • All Added: All qualified processes on the server are added to the application protection feature or no qualified processes exist on the server.

      Note

      When All Added is displayed in the Protection Status column and no qualified processes exist on the server or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty. Subsequently, if a qualified process runs on the server, the process is automatically added.

    You can click Details in the Actions column to view the status of the added Java processes.

    接入详情

Manual access for servers

On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Host Access Guide tab to install the RASP agent and then restart your applications. Click Next.

Before you restart your applications, you must complete related deployment based on the runtime environment of the applications. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {appId} with the application ID that is displayed on the Host Access Guide tab when you configure the parameters. The following figure shows the position of an application ID. 应用ID位置

Runtime environment

Parameter setting

Tomcat on Linux

Add the following configurations to the {Tomcat installation directory}/bin/setenv.sh file:

export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"

If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory.

Tomcat on Windows

Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file:

set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar" 

If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory.

Jetty

Add the following configurations to the {JETTY_HOME}/start.ini configuration file:

--exec -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

Spring Boot

Add the -javaagent parameter to the startup command for the Spring Boot process.

java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

For example, the following command is the original startup command of the Spring Boot process:

java -jar app.jar

Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command:

java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar

JBoss or WildFly

  • Standalone Mode

    Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment:

    JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
  • Domain Mode

    Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content:

    <jvm-options>
       <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/>
    </jvm-options>

Liberty

Go to the <Liberty installation directory>/${server.config.dir} directory. The default directory is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. When you create or modify the jvm.options file, add the following content to the file:

-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar

Resin

  • Resin3

    Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content:

    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
  • Resin4

    Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <jvm-arg-line> tag in the <server-default> tag and add the following content:

    <jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

Manual access for containers

On the Manual Access tab of the Automatic/Manual Access page, follow the instructions on the Add Container tab to install the RASP agent and then restart your applications. Click Next.

Before you restart a container, you must complete related deployment based on the runtime environment of the container. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab when you configure the parameters.

Runtime environment

Parameter setting

SpringBoot

To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications.

Startup command before the change:

CMD ["java","-jar","/app.jar"]

Startup command after the change:

CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]

Tomcat

  • To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile:

    ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
  • To install the RASP agent when the container is being started, add the following parameter to the startup command:

    docker --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"

For example, the original startup command of a container is docker -itd --name=test -P image name. Before you start the container to install the RASP agent, you must change the startup command to docker -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image name.

Weblogic

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

Configure a protection policy

In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.

Important

The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Add alerts to a whitelist.

Parameter

Description

Application Group Name

The name of the application group. You cannot change the name in this step.

Protection Mode

The protection mode of the application group. Valid values:

  • Monitor: monitors your applications to detect attacks but does not block attacks. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitor.

  • Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Block.

  • Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.

Protection Policy Group

The default protection policy group. Default value: Normal Running Group. You can select another protection policy group from the drop-down list. For more information about protection policy groups, see Use the application protection feature.

Check Type

The check types supported by the selected protection policy group.

Step 4: Check whether the application is added to the application protection feature

If the process identifier (PID) of an application process is displayed in the authorized instance list of the application group, the application is added to the application protection group. To view the protected applications, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.

  2. In the panel that appears, view the applications that are added to the application protection feature.

    If the PID of the application process that you want to protect is displayed in the application list, the application is protected.

    image.png

Step 5: Manage protection policy groups

To meet the security requirements in different business scenarios, the application protection feature manages the attack detection policies in the following pre-defined protection policy groups at different levels: Business First Group, Normal Running Group, and Protection First Group.

The detection modes of all policies in the pre-defined protection policy groups are the same. For example, the detection mode of all policies in Business First Group is loose. You can use the pre-defined protection policy groups or create a protection policy group based on your business requirements.

Detection mode description

To balance the false positive rate and security protection effect in different business scenarios, the application protection feature provides the following detection modes: loose, standard, and strict. The loose, standard, and strict modes are listed in ascending order based on the false positive rate and security protection effect.

  • Loose: Security Center detects only threats of known attack characteristics with a low false positive rate.

  • Standard: Security Center detects threats of common attack characteristics and provides generalization reasoning capabilities. This is the default mode and is suitable for routine O&M.

  • Strict: Security Center identifies more attacks that are difficult to detect. False positives may be generated.

Create a protection policy group

  1. On the Application Configurations tab of the Application Protection page, click Protection Policy Group Management.

  2. Click Create Protection Policy Group.

  3. In the Create Protection Policy Group panel, enter a name and description for the protection policy group and click Select to the right of Threat Type.

    In the Select Threat Type panel, select the type of the threat that you want to detect, configure the Detection Mode parameter, and then click OK.

    For example, if a large number of false positives for SQL injections are generated in existing alerts, you can change the detection mode for SQL injections to Loose.

  4. Click OK.

References

Manage the quota for application protection

  • View the remaining quota for application protection

    When an application instance is protected, the quota for application protection is deducted by one. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for application protection, you can view the remaining quota on the Application Configurations tab of the Application Protection page.

    image.png

    If the remaining quota is insufficient or exhausted, take note of the following items:

    • If the automatic access method is used, servers cannot be automatically added to the application protection feature.

      Note

      If the quota for application protection is exhausted when the automatic access method is used to add applications, the applications can be added but the status of the excess application instances is unauthorized.

    • If the quota for application protection is exhausted, you can manually add applications to the application protection feature but the status of the application instances is unauthorized. The unauthorized application instances are not protected.

    If the quota for application protection is insufficient, we recommend that you follow the instructions in this topic to increase the quota.

  • Increase the quota for application protection

    If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, perform the following steps: Go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.

Modify the protection policies of an application group

To modify the protection policies of an application group, perform the following steps:

  1. On the Application Configurations tab of the Application Protection page, find the application group whose protection policies you want to modify and click Protection Policy in the Actions column.

  2. In the Protection Policy panel, select a protection policy group from the Protection Policy Group drop-down list.

    Parameter

    Description

    Protection Policy

    Application Group Name

    The application group name. You cannot modify the name.

    Protection Mode

    The protection mode of the application group. Valid values:

    • Monitor: monitors your applications to detect attacks but does not block attacks. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitor.

    • Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Block.

    • Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.

    Protection Policy Group

    You can select a protection policy group from the drop-down list. For more information, see Use the application protection feature.

    Check Type

    The check types supported by the selected protection policy group.

    Detection Policy

    Weakness Detection

    Specifies whether to enable the weakness detection feature for the current application group. For more information, see Detect application weaknesses.

    In-memory Webshell Detection

    Specifies whether to enable the in-memory webshell detection feature for the current application group.

    Common Settings

    Detection Timeout Period

    The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value.

    Method to Obtain Source IP Address

    • The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses. The standard request headers include X-Real-IP, True-Client-IP, and X-Forwarded-For.

    • If you select Enter Custom Header, the system preferentially obtains source IP addresses based on the values of custom headers. If the system cannot obtain source IP addresses based on the values of custom headers, the value Default takes effect.

  3. Click OK.

Disable the application protection feature

Disable the application protection feature for an application

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.

  • Automatic Access: On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.

    Important

    If you no longer need to protect a server, you can remove the server after you turn off the switch in the Application Protection column.

    On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.

  • Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.

Disable the application protection feature for an application group

To disable the application protection feature for all applications in an application group, you can perform the following steps: On the Application Configurations tab of the Application Protection page, find the application group that you want to manage, click Protection Policy in the Actions column, change the value of the Protection Mode parameter to Disable, and click OK.

Deletes an application group

Important

After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.

Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.

On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

View the version of the RASP agent

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Added Instance column. If the image.png icon is displayed to the right of the RASP Version column of an application instance, a new version of the RASP agent is available. We recommend that you restart the application to automatically upgrade the RASP agent. image.png

The following list describes the status of an application instance:

  • Online and authorized: The application instance is protected by the application protection feature.

  • Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for application protection is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.

  • Offline: The application instance is not added to the application protection feature.

References