Enabling App and API Protection for Go

This product is not supported for your selected Datadog site. ().
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS.

前提条件

1 クリック有効化
サービスがリモート構成を有効にした Agent とそれをサポートするトレーシングライブラリのバージョンで実行されている場合、ASM Status 列の Not Enabled インジケーターにカーソルを合わせ、Enable ASM をクリックします。DD_APPSEC_ENABLED=true または --enable-appsec のフラグを使ってサービスを再起動する必要はありません。

Prerequisite

Enabling Application & API Protection (AAP)

Get started

  1. Install Orchestrion:

$ go install github.com/DataDog/orchestrion@latest


2. **Register Orchestrion as a Go module** in your project directory:
```console
$ orchestrion pin

  1. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. A list of these packages can be found in the compatibility requirements page. Import these packages into your application and follow the configuration instructions listed alongside each integration.

  2. Recompile your program with Orchestrion:

    $ orchestrion go build my-program

More options on how to use orchestrion can be found in the Orchestrion usage.

Note: If you are building without CGO on linux. Please read Building Go applications with CGO disabled for more information.

  1. Redeploy your Go service and enable AAP by setting the DD_APPSEC_ENABLED environment variable to true:

    $ env DD_APPSEC_ENABLED=true ./my-program

    Or one of the following methods, depending on where your application runs:

      Add the following environment variable value to your Docker command line:

      $ docker run -e DD_APPSEC_ENABLED=true [...]

      Add the following environment variable value to your application container’s Dockerfile:

      ENV DD_APPSEC_ENABLED=true

      A more detailed guide on how to create a fitting dockerfile is available [here][3].

      Update your application’s deployment configuration file for APM and add the AAP environment variable:

      spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

      Update your application’s ECS task definition JSON file, by adding this in the environment section:

      "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

    4. Verify setup

    To verify that App and API Protection is working correctly:

    1. Send some traffic to your application

    2. Check the Application Signals Explorer in Datadog

    3. Look for security signals and vulnerabilities

      ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。

    4. Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。

      for ((i=1;i<=250;i++)); 
      do
      # Target existing service’s routes
      curl https://your-application-url/existing-route -A Arachni/v1.0;
      # Target non existing service’s routes
      curl https://your-application-url/non-existing-route -A Arachni/v1.0;
      done

      アプリケーションを有効にして実行すると、数分後に Datadog の Application Trace and Signals Explorer に脅威情報が表示されます

    Building without CGO

    If you are building your Go application without CGO, you can still enable AAP by following these steps:

    1. Add the appsec build tag when compiling your application:
      $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program

    Using CGO_ENABLED=0 usually guarantees a statically-linked binary. This will NOT be the case in this setup.

    1. Install libc.so.6 and libpthread.so.0 on your system, as these libraries are required by the Datadog WAF: This can be done by installing the glibc package on your system via your package manager. Read more on Creating a Dockerfile for AAP

    2. Redeploy your Go service with the DD_APPSEC_ENABLED=true environment variable set, as described above.

    Using AAP without APM tracing

    If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:

    1. Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
    2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

    For more details, see [Standalone App and API Protection][standalone_billing_guide]. [standalone_billing_guide]: /security/application_security/guide/standalone_application_security/

    Further Reading

    お役に立つドキュメント、リンクや記事:

    Go Security API docsDOCUMENTATION more more Adding user information to tracesDOCUMENTATION more more Tracer source codeSOURCE CODE more more Orchestrion source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
    PREVIEWING: eliottness/exhaustive-doc