You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

Enabling Application & API Protection

Get started

  1. Update your Gemfile to include the Datadog library:

    gem 'datadog', '~> 2.0' # Use 'ddtrace' if you're using v1.x
    

    To check that your service’s language and framework versions are supported for Application & API Protection capabilities, see Compatibility.

    For more information about upgrading to v2 from a dd-trace 1.x version, see the Ruby tracer upgrade guide.

  2. Enable Application & API Protection by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read the Ruby tracer documentation for more details.

    You can enable Application & API Protection either in your code:

    For Rails, enable the APM tracer by adding an initializer in your application code:

    # config/initializers/datadog.rb
    
    require 'datadog/appsec'
    
    Datadog.configure do |c|
      # enable the APM tracer but disable trace processing - for security-only use
      c.tracing.instrument :rails
      c.tracing.enabled = false
    
      # enable Application & API Protection
      c.appsec.enabled = true
      c.appsec.instrument :rails
    end
    

    Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument:

    gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument'
    

    And also enable appsec and disable tracing:

    # config/initializers/datadog.rb
    
    require 'datadog/appsec'
    
    Datadog.configure do |c|
      # the APM tracer is enabled by auto-instrumentation
      c.tracing.enabled = false
    
      # enable Application & API Protection
      c.appsec.enabled = true
      c.appsec.instrument :rails
    end
    

    For Sinatra, enable the APM tracer by adding the following to your application’s startup:

    require 'sinatra'
    require 'datadog'
    require 'datadog/appsec'
    
    Datadog.configure do |c|
      # enable the APM tracer but disable trace processing - for security-only use
      c.tracing.instrument :sinatra
      c.tracing.enabled = false
    
      # enable Application & API Protection for Sinatra
      c.appsec.enabled = true
      c.appsec.instrument :sinatra
    end
    

    Or enable the APM tracer through auto-instrumentation:

    require 'sinatra'
    require 'datadog/auto_instrument'
    
    Datadog.configure do |c|
      # the APM tracer is enabled by auto-instrumentation
      c.tracing.enabled = false
    
      # enable Application & API Protection for Sinatra
      c.appsec.enabled = true
      c.appsec.instrument :sinatra
    end
    

    For Rack, enable the APM tracer by adding the following to your config.ru file:

    require 'datadog'
    require 'datadog/appsec'
    
    Datadog.configure do |c|
      # enable the APM tracer but disable trace processing - for security-only use
      c.tracing.instrument :rack
      c.tracing.enabled = false
    
      # enable Application & API Protection for Rack
      c.appsec.enabled = true
      c.appsec.instrument :rack
    end
    
    use Datadog::Tracing::Contrib::Rack::TraceMiddleware
    use Datadog::AppSec::Contrib::Rack::RequestMiddleware
    

    Or one of the following methods, depending on where your application runs:

    Update your container configuration for APM by adding the following arguments to your docker run command:

    docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]
    

    Add the following environment variable values to your container Dockerfile:

    ENV DD_APPSEC_ENABLED=true
    ENV DD_APM_TRACING_ENABLED=false
    

    Update your container's YAML configuration file for APM and add the environment variables:

    spec:
      template:
        spec:
          containers:
            - name: <CONTAINER_NAME>
              image: <CONTAINER_IMAGE>/<TAG>
              env:
                - name: DD_APPSEC_ENABLED
                  value: "true"
                - name: DD_APM_TRACING_ENABLED
                  value: "false"
    

    Update your ECS task definition JSON file by adding these entries to the environment section:

    "environment": [
      ...,
      {
        "name": "DD_APPSEC_ENABLED",
        "value": "true"
      },
      {
        "name": "DD_APM_TRACING_ENABLED",
        "value": "false"
      }
    ]
    

    Initialize Application & API Protection in your code or set the environment variables in your service invocation:

    env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false rails server
    

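    The library collects security data from your application and sends it to the Agent. The Agent sends that data to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so that you can take steps to remediate.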

  3. To see Application Security Management threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:

    for ((i=1;i<=250;i++)); 
    do
    # Target existing service’s routes
    curl https://your-application-url/existing-route -A dd-test-scanner-log;
    # Target non existing service’s routes
    curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
    done

    Note: The dd-test-scanner-log value is supported in the most recent releases.

    After you enable and run your application, threat information appears in the Application Trace and Signals Explorer in Datadog within a few minutes.
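
The container settings from step 2 can be checked before deployment. The following Ruby script is an added example, not Datadog's code: it scans a Kubernetes Deployment manifest and an ECS task definition for the two variables this page sets and reports containers where they are missing, unquoted, or different from the security-only values shown above. The function names and sample inputs are constructed for illustration.

```ruby
require 'json'
require 'yaml'

# Added example: helper names and sample inputs are constructed for illustration.
# Values this page sets for security-only operation.
REQUIRED = { 'DD_APPSEC_ENABLED' => 'true', 'DD_APM_TRACING_ENABLED' => 'false' }.freeze

# env_list: array of name/value hashes (Kubernetes `env`, ECS `environment`).
# Unquoted YAML true/false parses as a boolean, but Kubernetes needs a string.
def env_problems(container, env_list)
  env = (env_list || []).to_h { |e| [e['name'], e.fetch('value', :indirect)] }
  REQUIRED.filter_map do |name, want|
    got = env[name]
    problem =
      if !env.key?(name) then 'is not set'
      elsif got == :indirect then 'has no literal value (valueFrom?), check by hand'
      elsif !got.is_a?(String) then "must be a quoted string, got #{got.inspect}"
      elsif got.strip.downcase != want then "is #{got.inspect}, expected #{want.inspect}"
      end
    "#{container}: #{name} #{problem}" if problem
  end
end

# Kubernetes Deployment: spec.template.spec.containers[].env
def check_k8s(yaml_text)
  containers = YAML.safe_load(yaml_text).dig('spec', 'template', 'spec', 'containers') || []
  containers.flat_map { |c| env_problems(c['name'], c['env']) }
end

# ECS task definition: containerDefinitions[].environment
def check_ecs(json_text)
  defs = JSON.parse(json_text).fetch('containerDefinitions', [])
  defs.flat_map { |c| env_problems(c['name'], c['environment']) }
end

# Constructed samples: an unquoted boolean with one variable missing, and a wrong value.
K8S_SAMPLE = <<~YAML
  spec:
    template:
      spec:
        containers:
          - name: web
            env:
              - name: DD_APPSEC_ENABLED
                value: true
YAML
ECS_SAMPLE = '{"containerDefinitions":[{"name":"api","environment":[' \
  '{"name":"DD_APPSEC_ENABLED","value":"true"},{"name":"DD_APM_TRACING_ENABLED","value":"true"}]}]}'
puts check_k8s(K8S_SAMPLE), check_ecs(ECS_SAMPLE)
```

The check reports on every container in the file, so sidecar containers that do not run the Ruby service will also be listed and can be ignored.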
