Enabling App and API Protection for Go

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS.

사전 필수 조건

1-클릭 활성화
서비스가 원격 구성이 활성화된 Agent와 이를 지원하는 추적 라이브러리 버전으로 실행 중인 경우 ASM 상태 열의 Not Enabled 표시 위로 마우스를 가져간 다음 Enable ASM를 클릭합니다. DD_APPSEC_ENABLED=true 또는 --enable-appsec 플래그를 사용하여 서비스를 다시 시작할 필요가 없습니다.

Prerequisite

Enabling Application & API Protection (AAP)

Get started

  1. Install Orchestrion:

$ go install github.com/DataDog/orchestrion@latest


2. **Register Orchestrion as a Go module** in your project directory:
```console
$ orchestrion pin

  1. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. A list of these packages can be found in the compatibility requirements page. Import these packages into your application and follow the configuration instructions listed alongside each integration.

  2. Recompile your program with Orchestrion:

    $ orchestrion go build my-program

More options on how to use orchestrion can be found in the Orchestrion usage.

Note: If you are building without CGO on linux. Please read Building Go applications with CGO disabled for more information.

  1. Redeploy your Go service and enable AAP by setting the DD_APPSEC_ENABLED environment variable to true:

    $ env DD_APPSEC_ENABLED=true ./my-program

    Or one of the following methods, depending on where your application runs:

      Add the following environment variable value to your Docker command line:

      $ docker run -e DD_APPSEC_ENABLED=true [...]

      Add the following environment variable value to your application container’s Dockerfile:

      ENV DD_APPSEC_ENABLED=true

      A more detailed guide on how to create a fitting dockerfile is available [here][3].

      Update your application’s deployment configuration file for APM and add the AAP environment variable:

      spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

      Update your application’s ECS task definition JSON file, by adding this in the environment section:

      "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

    4. Verify setup

    To verify that App and API Protection is working correctly:

    1. Send some traffic to your application
    2. Check the Application Signals Explorer in Datadog
    3. Look for security signals and vulnerabilities

    라이브러리가 애플리케이션에서 보안 데이터를 수집해 에이전트로 전송하고, 이 데이터는 다시 Datadog로 전송됩니다. 그러면 기본 감지 규칙에 의해 공격자 기술과 잠재 구성 오류가 플래그되어 문제 해결을 위한 단계를 밟을 수 있습니다.

    1. 애플리케이션 보안 관리에서 감지 활동을 잘 하고 있는지 확인하려면 알려진 공격 패턴을 애플리케이션으로 보내세요. 예를 들어 다음 curl 스크립트가 포함된 파일을 실행해 보안 스캐너 감지됨 규칙을 트리거할 수 있습니다.

      for ((i=1;i<=250;i++)); 
      do
      # Target existing service’s routes
      curl https://your-application-url/existing-route -A Arachni/v1.0;
      # Target non existing service’s routes
      curl https://your-application-url/non-existing-route -A Arachni/v1.0;
      done

      애플리케이션을 활성화하고 실행한 몇 분 후 Datadog의 Application Trace and Signals Explorer에 위협 정보가 표시됩니다.

    Building without CGO

    If you are building your Go application without CGO, you can still enable AAP by following these steps:

    1. Add the appsec build tag when compiling your application:
      $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program

    Using CGO_ENABLED=0 usually guarantees a statically-linked binary. This will NOT be the case in this setup.

    1. Install libc.so.6 and libpthread.so.0 on your system, as these libraries are required by the Datadog WAF: This can be done by installing the glibc package on your system via your package manager. Read more on Creating a Dockerfile for AAP

    2. Redeploy your Go service with the DD_APPSEC_ENABLED=true environment variable set, as described above.

    Using AAP without APM tracing

    If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:

    1. Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
    2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

    For more details, see [Standalone App and API Protection][standalone_billing_guide]. [standalone_billing_guide]: /security/application_security/guide/standalone_application_security/

    Further Reading

    추가 유용한 문서, 링크 및 기사:

    Go Security API docsDOCUMENTATION more more Adding user information to tracesDOCUMENTATION more more Tracer source codeSOURCE CODE more more Orchestrion source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
    PREVIEWING: eliottness/exhaustive-doc