Enabling Application & API Protection for .NET

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

You can monitor application security for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

Enabling Application & API Protection

Get started

  1. Update your Datadog .NET library to at least version 2.2.0 (at least version 2.16.0 for Software Composition Analysis detection features) for your target operating system architecture.

    To check that your service’s language and framework versions are supported for Application & API Protection capabilities, see Compatibility.

  2. Enable Application & API Protection by setting the environment variables. For security-only use without APM tracing, set both DD_APPSEC_ENABLED=true and DD_APM_TRACING_ENABLED=false. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start up script:

    $target=[System.EnvironmentVariableTarget]::Process
[System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target)
[System.Environment]::SetEnvironmentVariable("DD_APM_TRACING_ENABLED","false",$target)

    Or one of the following methods, depending on where your application runs:

      In a Windows console:

      rem Set environment variables
SET CORECLR_ENABLE_PROFILING=1
SET CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8}
SET DD_APPSEC_ENABLED=true
SET DD_APM_TRACING_ENABLED=false

rem Start application
dotnet.exe example.dll

      Run the following PowerShell command as administrator to configure the necessary environment variables in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and restart IIS.

      $target=[System.EnvironmentVariableTarget]::Machine
[System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target)
[System.Environment]::SetEnvironmentVariable("DD_APM_TRACING_ENABLED","false",$target)
net stop was /y
net start w3svc

      Or, for IIS services exclusively, on WAS and W3SVC with Powershell as an administrator, run:

      $appsecPart = "DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false"
[string[]] $defaultvariable = @("CORECLR_ENABLE_PROFILING=1", "CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8}", $appsecPart)

function Add-AppSec {

    param (
        $path
    )
    $v = (Get-ItemProperty -Path $path).Environment
    If ($v -eq $null) {
        Set-ItemProperty -Path $path -Name "Environment" -Value $defaultvariable
    }
    ElseIf (-not ($v -match $appsecPart)) {
        $v += " " + $appsecPart;
        Set-ItemProperty -Path $path -Name "Environment" -Value $v
    }
}
Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\WAS\"
Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\W3SVC\"

net stop was /y
net start w3svc

      Or, to avoid editing registry keys, edit the application settings in the web.config file of your application:

      <configuration>
  <appSettings>
        <add key="DD_APPSEC_ENABLED" value="true"/>
        <add key="DD_APM_TRACING_ENABLED" value="false"/>
  </appSettings>
</configuration>

      This can also be done at the IIS application pools level in the applicationHost.config file, usually in C:\Windows\System32\inetsrv\config\:

      <system.applicationHost>

    <applicationPools>
        <add name="DefaultAppPool">
            <environmentVariables>
                <add name="DD_APPSEC_ENABLED" value="true" />
                <add name="DD_APM_TRACING_ENABLED" value="false" />
            </environmentVariables>
            (...)

      Add the following to your application configuration:

      DD_APPSEC_ENABLED=true
DD_APM_TRACING_ENABLED=false

      Update your configuration container for APM by adding the following arguments in your docker run command:

      docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]

      Add the following environment variable values to your container Dockerfile:

      ENV DD_APPSEC_ENABLED=true
ENV DD_APM_TRACING_ENABLED=false

      Update your deployment configuration file for APM and add the Application & API Protection environment variables:

      spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"
            - name: DD_APM_TRACING_ENABLED
              value: "false"

      Update your ECS task definition JSON file, by adding these in the environment section:

      "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  },
  {
    "name": "DD_APM_TRACING_ENABLED",
    "value": "false"
  }
]

      Add the following lines to your container Dockerfile:

      ENV DD_APPSEC_ENABLED=true
ENV DD_APM_TRACING_ENABLED=false

    • Restart the application using a full stop and start.

      この構成が完了すると、ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。

    • Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。

      for ((i=1;i<=250;i++)); 
      do
      # Target existing service’s routes
      curl https://your-application-url/existing-route -A dd-test-scanner-log;
      # Target non existing service’s routes
      curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
      done

      : dd-test-scanner-log の値は、最新のリリースでサポートされています。

      アプリケーションを有効にして実行すると、数分後に Application Signals Explorer に脅威情報が表示されVulnerability Explorer に脆弱性情報が表示されます**。

    Further Reading

    お役に立つドキュメント、リンクや記事:

    Adding user information to tracesDOCUMENTATION more more .NET Datadog library source codeSOURCE CODE more more OOTB App & API Protection RulesDOCUMENTATION more more Troubleshooting App & API ProtectionDOCUMENTATION more more
    PREVIEWING: deforest/consolidated-security-nav-branch