Enabling AAP for Ruby

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

You can monitor App and API Protection for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

前提条件

1 クリック有効化
サービスがリモート構成を有効にした Agent とそれをサポートするトレーシングライブラリのバージョンで実行されている場合、ASM Status 列の Not Enabled インジケーターにカーソルを合わせ、Enable ASM をクリックします。DD_APPSEC_ENABLED=true または --enable-appsec のフラグを使ってサービスを再起動する必要はありません。

Enabling threat detection

Get started

  1. Update your Gemfile to include the Datadog library:

    gem 'datadog', '~> 2.0' # Use 'ddtrace' if you're using v1.x

    To check that your service’s language and framework versions are supported for AAP capabilities, see Compatibility.

    For more information about upgrading to v2 from a dd-trace 1.x version, see the Ruby tracer upgrade guide.

  2. Enable AAP by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read the Ruby tracer documentation for more details.

    You can enable AAP either in your code:

      Enable the APM tracer by adding an initializer in your application code:

      # config/initializers/datadog.rb

require 'datadog/appsec'

Datadog.configure do |c|
  # enable the APM tracer
  c.tracing.instrument :rails

  # enable AAP
  c.appsec.enabled = true
  c.appsec.instrument :rails
end

      Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument:

      gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument'

      And also enable appsec:

      # config/initializers/datadog.rb

require 'datadog/appsec'

Datadog.configure do |c|
  # the APM tracer is enabled by auto-instrumentation

  # enable AAP
  c.appsec.enabled = true
  c.appsec.instrument :rails
end

      Enable the APM tracer by adding the following to your application’s startup:

      require 'sinatra'
require 'datadog'
require 'datadog/appsec'

Datadog.configure do |c|
  # enable the APM tracer
  c.tracing.instrument :sinatra

  # enable AAP for Sinatra
  c.appsec.enabled = true
  c.appsec.instrument :sinatra
end

      Or enable the APM tracer through auto-instrumentation:

      require 'sinatra'
require 'datadog/auto_instrument'

Datadog.configure do |c|
  # the APM tracer is enabled by auto-instrumentation

  # enable AAP for Sinatra
  c.appsec.enabled = true
  c.appsec.instrument :sinatra
end

      Enable the APM tracer by adding the following to your config.ru file:

      require 'datadog'
require 'datadog/appsec'

Datadog.configure do |c|
  # enable the APM tracer
  c.tracing.instrument :rack

  # enable AAP for Rack
  c.appsec.enabled = true
  c.appsec.instrument :rack
end

use Datadog::Tracing::Contrib::Rack::TraceMiddleware
use Datadog::AppSec::Contrib::Rack::RequestMiddleware

      Or one of the following methods, depending on where your application runs:

        Update your configuration container for APM by adding the following argument in your docker run command:

        docker run [...] -e DD_APPSEC_ENABLED=true [...]

        Add the following environment variable value to your container Dockerfile:

        ENV DD_APPSEC_ENABLED=true

        Update your configuration yaml file container for APM and add the AppSec env variable:

        spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

        Update your ECS task definition JSON file, by adding this in the environment section:

        "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

        Initialize AAP in your code or set DD_APPSEC_ENABLED environment variable to true in your service invocation:

        env DD_APPSEC_ENABLED=true rails server

        ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。

      • Application Security Management の脅威検出を実際に確認するには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。

        for ((i=1;i<=250;i++)); 
        do
        # Target existing service’s routes
        curl https://your-application-url/existing-route -A dd-test-scanner-log;
        # Target non existing service’s routes
        curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
        done

        : dd-test-scanner-log の値は、最新のリリースでサポートされています。

        アプリケーションを有効にして実行すると、数分後に Datadog の Application Trace and Signals Explorer に脅威情報が表示されます。

      Using AAP without APM tracing

      If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:

      1. Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
      2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

      For more details, see [Standalone App and API Protection][standalone_billing_guide]. [standalone_billing_guide]: /security/application_security/guide/standalone_application_security/

      Further Reading

      お役に立つドキュメント、リンクや記事:

      Adding user information to tracesDOCUMENTATION more more Ruby Datadog library source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more
      PREVIEWING: julio.guerra/aap-setup-page-grid