You can monitor App and API Protection for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

• The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
• If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

Enabling Application & API Protection

Get started

1. Update your Datadog Java library to at least version 0.94.0:

   wget -O dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
   

   curl -Lo dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
   

   ADD 'https://dtdg.co/latest-java-tracer' dd-java-agent.jar
   

   To check that your service’s language and framework versions are supported for Application & API Protection capabilities, see Compatibility.

2. Run your Java application with Application & API Protection enabled. From the command line:

   java -javaagent:/path/to/dd-java-agent.jar -Ddd.appsec.enabled=true -Ddd.trace.enabled=false -Ddd.service=<MY SERVICE> -Ddd.env=<MY_ENV> -jar path/to/app.jar
   

   Or one of the following methods, depending on where your application runs:

   Note: Read-only file systems are not currently supported. The application must have access to a writable /tmp directory.

   Update your configuration container for APM by adding the following arguments in your docker run command:

   docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]
   

   Add the following environment variable values to your container Dockerfile:

   ENV DD_APPSEC_ENABLED=true
   ENV DD_APM_TRACING_ENABLED=false
   

   Update your deployment configuration file for APM and add the Application & API Protection environment variables:

   spec:
     template:
       spec:
         containers:
           - name: <CONTAINER_NAME>
             image: <CONTAINER_IMAGE>/<TAG>
             env:
               - name: DD_APPSEC_ENABLED
                 value: "true"
               - name: DD_APM_TRACING_ENABLED
                 value: "false"
   

   Update your ECS task definition JSON file, by adding these in the environment section:

   "environment": [
     ...,
     {
       "name": "DD_APPSEC_ENABLED",
       "value": "true"
     },
     {
       "name": "DD_APM_TRACING_ENABLED",
       "value": "false"
     }
   ]
   

   Set the appropriate flags or environment variables in your service invocation:

   java -javaagent:dd-java-agent.jar \
        -Ddd.appsec.enabled=true \
        -Ddd.trace.enabled=false \
        -jar <YOUR_SERVICE>.jar \
        <YOUR_SERVICE_FLAGS>
   

   この構成が完了すると、ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。

3. Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。

   for ((i=1;i<=250;i++)); 
   do
   # Target existing service’s routes
   curl https://your-application-url/existing-route -A dd-test-scanner-log;
   # Target non existing service’s routes
   curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
   done

   注: dd-test-scanner-log の値は、最新のリリースでサポートされています。

   アプリケーションを有効にして実行すると、数分後に Application Signals Explorer に脅威情報が表示され、Vulnerability Explorer に脆弱性情報が表示されます**。

If you need additional assistance, contact Datadog support.

Further Reading

お役に立つドキュメント、リンクや記事:

Adding user information to tracesDOCUMENTATION Java Datadog library source codeSOURCE CODE OOTB App & API Protection RulesDOCUMENTATION Troubleshooting App & API ProtectionDOCUMENTATION