Enabling ASM for PHP

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

You can monitor application security for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS.

Prerequisites

1-Click Enablement
If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, hover over the Not Enabled indicator in the ASM Status column and click Enable ASM. There's no need to re-launch the service with the DD_APPSEC_ENABLED=true or --enable-appsec flags.

Enabling threat detection

Get started

  1. Install the latest Datadog PHP library by downloading and running the installer:

    wget https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php -O datadog-setup.php
php datadog-setup.php --php-bin all --enable-appsec

    To check that your service’s language and framework versions are supported for ASM capabilities, see Compatibility.

  2. Enable the library in your code by restarting PHP-FPM or Apache. In a containerized environment, if you previously installed the library without enabling ASM, you can optionally enable it after by setting the following environment variable:

      Update your configuration container for APM by adding the following argument in your docker run command:

      docker run [...] -e DD_APPSEC_ENABLED=true [...]

      Add the following environment variable value to your container Dockerfile:

      ENV DD_APPSEC_ENABLED=true

      Update your configuration yaml file container for APM and add the AppSec env variable:

      spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

      Update your ECS task definition JSON file, by adding this in the environment section:

      "environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

      The library collects security data from your application and sends it to the Agent, which sends it to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so you can take steps to remediate.

    • To see Application Security Management threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:

      for ((i=1;i<=250;i++)); 
      do
      # Target existing service’s routes
      curl https://your-application-url/existing-route -A dd-test-scanner-log;
      # Target non existing service’s routes
      curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
      done

      Note: The dd-test-scanner-log value is supported in the most recent releases.

      A few minutes after you enable your application and exercise it, threat information appears in the Application Trace and Signals Explorer in Datadog.

    Further Reading

    추가 유용한 문서, 링크 및 기사:

    Adding user information to tracesDOCUMENTATION more more PHP Datadog Tracer Library source codeSOURCE CODE more more OOTB Application Security Management RulesDOCUMENTATION more more Troubleshooting Application Security ManagementDOCUMENTATION more more
    PREVIEWING: may/unit-testing