Enabling App and API Protection for Go

This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS.

Prérequis

Activation en un seul clic
Si votre service est exécuté avec un Agent disposant d'une configuration à distance et d'une version de la bibliothèque de tracing prenant en charge cette fonctionnalité, passez votre curseur sur l'option Not Enabled dans la colonne ASM Status, puis cliquez sur Enable ASM. Il n'est pas nécessaire de relancer le service avec le flag DD_APPSEC_ENABLED=true ou le flag --enable-appsec.

Prerequisite

Enabling Application & API Protection (AAP)

Get started

  1. Install Orchestrion:

$ go install github.com/DataDog/orchestrion@latest


2. **Register Orchestrion as a Go module** in your project directory:
```console
$ orchestrion pin

  1. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. A list of these packages can be found in the compatibility requirements page. Import these packages into your application and follow the configuration instructions listed alongside each integration.

  2. Recompile your program with Orchestrion:

    $ orchestrion go build my-program

More options on how to use orchestrion can be found in the Orchestrion usage.

Note: If you are building without CGO on linux. Please read Building Go applications with CGO disabled for more information.

  1. Redeploy your Go service and enable AAP by setting the DD_APPSEC_ENABLED environment variable to true:

    $ env DD_APPSEC_ENABLED=true ./my-program

    Or one of the following methods, depending on where your application runs:

      Add the following environment variable value to your Docker command line:

      $ docker run -e DD_APPSEC_ENABLED=true [...]

      Add the following environment variable value to your application container’s Dockerfile:

      ENV DD_APPSEC_ENABLED=true

      A more detailed guide on how to create a fitting dockerfile is available [here][3].

      Update your application’s deployment configuration file for APM and add the AAP environment variable:

      spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

      Update your application’s ECS task definition JSON file, by adding this in the environment section:

      "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

    4. Verify setup

    To verify that App and API Protection is working correctly:

    1. Send some traffic to your application

    2. Check the Application Signals Explorer in Datadog

    3. Look for security signals and vulnerabilities

      La bibliothèque recueille des données de sécurité à partir de votre application et les envoie à l’Agent, qui les transmet à son tour à Datadog. Les règles de détection prêtes à l’emploi signalent alors les attaques et les problèmes potentiels de configuration, afin que vous puissiez agir en conséquence.

    4. Pour tester la détection des menaces Application Security Management, envoyez des patterns d’attaque connus à votre application. Par exemple, exécutez un fichier contenant le script curl suivant afin de déclencher la règle de détection de scanner de sécurité :

      for ((i=1;i<=250;i++)); 
      do
      # Target existing service’s routes
      curl https://your-application-url/existing-route -A Arachni/v1.0;
      # Target non existing service’s routes
      curl https://your-application-url/non-existing-route -A Arachni/v1.0;
      done

      Quelques minutes après avoir activé votre application et envoyé les patterns d’attaque, des informations sur les menaces s’affichent dans l’Application Trace and Signals Explorer de Datadog.

    Building without CGO

    If you are building your Go application without CGO, you can still enable AAP by following these steps:

    1. Add the appsec build tag when compiling your application:
      $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program

    Using CGO_ENABLED=0 usually guarantees a statically-linked binary. This will NOT be the case in this setup.

    1. Install libc.so.6 and libpthread.so.0 on your system, as these libraries are required by the Datadog WAF: This can be done by installing the glibc package on your system via your package manager. Read more on Creating a Dockerfile for AAP

    2. Redeploy your Go service with the DD_APPSEC_ENABLED=true environment variable set, as described above.

    Using AAP without APM tracing

    If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:

    1. Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
    2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

    For more details, see [Standalone App and API Protection][standalone_billing_guide]. [standalone_billing_guide]: /security/application_security/guide/standalone_application_security/

    Further Reading

    Documentation, liens et articles supplémentaires utiles:

    Go Security API docsDOCUMENTATION more more Adding user information to tracesDOCUMENTATION more more Tracer source codeSOURCE CODE more more Orchestrion source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
    PREVIEWING: eliottness/exhaustive-doc