Updated on 2025-09-17 GMT+08:00

Enabling Application Protection

Scenario

To protect Java applications, enable application protection for them. To apply the protection settings, HSS installs the RASP probe on your applications.

How to Enable

Application protection can be enabled automatically or manually. Their differences are as follows.

How to Enable: Automatically

  Advantage
  • You do not need to manually configure application protection startup parameters.
  • HSS automatically identifies and accesses Java applications that have listening ports on servers or containers, and dynamically installs or uninstalls application protection probes when Java applications are running.

  Restriction
  • This method depends on Dynamic Server RASP and Dynamic Container RASP, which are in the OBT phase. To use this method, submit a service ticket.
  • If a Java application is just started and runs for 5 minutes or less, RASP cannot be enabled using this method. When the running time of the application exceeds 5 minutes, RASP is automatically enabled.

  Operation
  Automatically Enabling Application Protection

How to Enable: Manually

  Advantage
  Java applications without listening ports can be accessed.

  Restriction
  You need to manually configure application protection startup parameters for applications.

Automatically Enabling Application Protection

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Server Protection > Application Protection. Click the Servers tab.

    Figure 1 Viewing protected assets

  4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  5. Click Add Server. The Add Server slide-out panel is displayed.
  6. Select the OS type and assets to be protected, and click Next.

    Figure 2 Selecting assets to be protected

  7. Configure a protection policy. For more information, see Table 1.

    Figure 3 Configuring a protection policy

    Table 1 Protection policy parameters

    Parameter: Dynamic Server RASP
    Description:
      Whether to automatically enable dynamic protection for server applications.
      If this function is enabled, the system uses the JVM Attach mechanism to automatically identify Java applications that have listening ports on servers and dynamically enable protection for the applications. In this way, RASP probes can be dynamically installed and uninstalled when Java applications are running. No application restarts are required, and service continuity remains unaffected.
      NOTE: This function is in the OBT phase. To use it, submit a service ticket.
    Example Value: enabled

    Parameter: Dynamic Container RASP
    Description:
      Whether to automatically enable dynamic protection for container applications.
      If this function is enabled, the system uses the JVM Attach mechanism to automatically identify Java applications that have listening ports on containers and dynamically enable protection for the applications. In this way, RASP probes can be dynamically installed and uninstalled when Java applications are running. No application restarts are required, and service continuity remains unaffected.
      NOTE: This function is in the OBT phase. To use it, submit a service ticket.
    Example Value: enabled

    Parameter: RASP Port
    Description:
      Port used by the RASP probe to communicate with HSS.
    Example Value: 19999

    Parameter: Policy
    Description:
      Application protection policy.
      The system provides the default policy. For details about the detection rules in the default policy, see Default Policies.
      If the default policy does not apply to your protection scenario, you can click Create Policy and create a custom policy.
    Example Value: default policy

  8. Click OK.
  9. On the Servers tab page, check whether the RASP Status of the server is Protected. If yes, RASP has been enabled for all the Java applications on the server.

Manually Enabling Application Protection for a Server

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Server Protection > Application Protection. Click the Servers tab.

    Figure 4 Viewing protected assets

  4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  5. Click Add Server. The Add Server slide-out panel is displayed.
  6. Select the OS type and assets to be protected, and click Next.

    Figure 5 Selecting assets to be protected

  7. Configure a protection policy. For more information, see Table 2.

    Figure 6 Configuring a protection policy

    Table 2 Protection policy parameters

    Parameter: Dynamic Server RASP
    Description:
      NOTE: This function is in the OBT phase. To use it, submit a service ticket.
      Java applications without listening ports do not support RASP dynamic protection. Keep it disabled.
    Example Value: disabled

    Parameter: RASP Port
    Description:
      Port used by the RASP probe to communicate with HSS.
    Example Value: 19999

    Parameter: Policy
    Description:
      Application protection policy.
      The system provides the default policy. For details about the detection rules in the default policy, see Default Policies.
      If the default policy does not apply to your protection scenario, you can click Create Policy and create a custom policy.
    Example Value: default policy

  8. Click OK.
  9. On the Servers tab page, check the RASP Status of the server and wait until its status changes to Unprotected.
  10. Click Manual Configuration. The Configure Microservice RASP page is displayed.
  11. Refer to the Servers page or the following description to configure startup parameters for Java applications.

    • Tomcat (Windows)
      Perform the following operations on each application one by one to enable RASP:
      1. Copy the following parameters to the setenv.bat startup script in the Tomcat bin directory. If the script does not exist, create one.
        call "C:\Program Files\HostGuard\rasp\secRASP\slave_agent\bin\set_java_opts.bat"
        Figure 7 shows the parameter location.
        Figure 7 Configuring startup parameters for Tomcat (Windows)
      2. Restart the application. After the restart succeeds, return to the HSS console.
      3. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Tomcat (Linux)

      Perform the following operations on each application one by one to enable RASP:

      1. Copy the following parameters to the setenv.sh startup script in the Tomcat bin directory. (If the script does not exist, create one.)

        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi

        Figure 8 shows the parameter location.

        Figure 8 Configuring startup parameters for Tomcat (Linux)
      2. Restart the application. After the restart succeeds, return to the HSS console.
      3. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • WebLogic (Linux)

      Perform the following operations on each application one by one to enable RASP:

      1. Copy the following parameters to the startWebLogic.sh script in the bin directory of WebLogic:
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi

        Figure 9 shows the parameter location.

        Figure 9 Configuring startup parameters for WebLogic (Linux)
      2. Restart the application. After the restart succeeds, return to the HSS console.
      3. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Netty (Linux)
      Perform the following operations on each application one by one to enable RASP:
      1. Create a start.sh file in the Netty directory (the directory that contains the *netty-xxx.jar file). Copy and paste the following configuration to the file, and change the name of the Netty program (the .jar file) to the actual program name.
        #!/bin/bash
        
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi
        
        java ${JAVA_OPTS} -jar netty-target-1.0-SNAPSHOT.jar

        Figure 10 shows the parameter location.

        Figure 10 Configuring startup parameters for Netty (Linux)
      2. Restart the application. After the restart succeeds, return to the HSS console.
      3. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Jetty (Linux)
      Perform the following operations on each application one by one to enable RASP:
      1. Create a start.sh file in the Jetty directory (the directory that contains start.jar) and copy the following configuration to the file:
        #!/bin/bash
        
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi
        
        java ${JAVA_OPTS} -jar start.jar

        Figure 11 shows the parameter location.

        Figure 11 Configuring startup parameters for Jetty (Linux)
      2. Restart the application. After the restart succeeds, return to the HSS console.
      3. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.

Manually Enabling Application Protection for a Container

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Server Protection > Application Protection. Click the Servers tab.

    Figure 12 Viewing protected assets

  4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  5. Click Add Server. The Add Server slide-out panel is displayed.
  6. Select the OS type and assets to be protected, and click Next.

    Figure 13 Selecting assets to be protected

  7. Configure a protection policy. For more information, see Table 3.

    Figure 14 Configuring a protection policy

    Table 3 Protection policy parameters

    Parameter: Dynamic Server RASP
    Description:
      NOTE: This function is in the OBT phase. To use it, submit a service ticket.
      Java applications without listening ports do not support RASP dynamic protection. Keep it disabled.
    Example Value: disabled

    Parameter: Dynamic Container RASP
    Description:
      NOTE: This function is in the OBT phase. To use it, submit a service ticket.
      Java applications without listening ports do not support RASP dynamic protection. Keep it disabled.
    Example Value: disabled

    Parameter: RASP Port
    Description:
      Port used by the RASP probe to communicate with HSS.
    Example Value: 19999

    Parameter: Policy
    Description:
      Application protection policy.
      The system provides the default policy. For details about the detection rules in the default policy, see Default Policies.
      If the default policy does not apply to your protection scenario, you can click Create Policy and create a custom policy.
    Example Value: default policy

  8. Click OK.
  9. On the Servers tab page, check the RASP Status of the server and wait until its status changes to Unprotected.
  10. Click Manual Configuration. The Configure Microservice RASP page is displayed.
  11. Refer to the Containers page or the following description to configure startup parameters for Java applications.

    • Starting a container using Docker
      Perform the following operations on each application one by one to enable RASP:
      1. Add JVM startup parameters using either of the following methods:
        • Method 1: Modify the parameters in the application startup script, as shown in Table 4.
          Table 4 Modifying application startup script parameters

          Environment

          Parameter Configuration

          Tomcat (Linux)

          Copy the following parameters to the setenv.sh startup script in the Tomcat bin directory. (If the script does not exist, create one.)
          SEC_RASP_HOME=/usr/local/rasp/secRASP
          if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
          . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
          fi

          Figure 15 shows the parameter location.

          Figure 15 Configuring startup parameters for Tomcat (Linux)

          WebLogic (Linux)

          Copy the following parameters to the startWebLogic.sh script in the bin directory of WebLogic:
          SEC_RASP_HOME=/usr/local/rasp/secRASP
          if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
          . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
          fi

          Figure 16 shows the parameter location.

          Figure 16 Configuring startup parameters for WebLogic (Linux)

          Netty (Linux)

          Create a start.sh file in the Netty directory (the directory that contains the *netty-xxx.jar file). Copy and paste the following configuration to the file, and change the name of the Netty program (the .jar file) to the actual program name.
          #!/bin/bash
          
          SEC_RASP_HOME=/usr/local/rasp/secRASP
          if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
          . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
          fi
          
          java ${JAVA_OPTS} -jar netty-target-1.0-SNAPSHOT.jar

          Figure 17 shows the parameter location.

          Figure 17 Configuring startup parameters for Netty (Linux)

          Jetty (Linux)

          Create a start.sh file in the Jetty directory (the directory that contains start.jar) and copy the following configuration to the file:
          #!/bin/bash
          
          SEC_RASP_HOME=/usr/local/rasp/secRASP
          if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
          . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
          fi
          
          java ${JAVA_OPTS} -jar start.jar

          Figure 18 shows the parameter location.

          Figure 18 Configuring startup parameters for Jetty (Linux)
        • Method 2: Add the following parameters to the Docker startup command to add environment variables:
             --env JAVA_OPTS="-javaagent:/usr/local/rasp/secRASP/slave_agent/lib/secsoter.jar=socketType=0,socketFile=/usr/local/rasp/raspSocket/hss.rasp.socket,productScenario=HSS_Container,iVersion=V1"
      2. Add the following parameters to the Docker startup command to mount the RASP directory.
           -v /usr/local/rasp:/usr/local/rasp
      3. Start the container. After the startup succeeds, return to the HSS console.
      4. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Starting a container using Dockerfile

      Perform the following operations on each application one by one to enable RASP:

      1. During image packaging, modify the application startup script and add JVM startup parameters. See Table 5.
        Table 5 Modifying the application startup script

        Environment

        Parameter Configuration

        Tomcat (Linux)

        Copy the following parameters to the setenv.sh startup script in the Tomcat bin directory. (If the script does not exist, create one.)
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi

        Figure 19 shows the parameter location.

        Figure 19 Configuring startup parameters for Tomcat (Linux)

        WebLogic (Linux)

        Copy the following parameters to the startWebLogic.sh script in the bin directory of WebLogic:
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi

        Figure 20 shows the parameter location.

        Figure 20 Configuring startup parameters for WebLogic (Linux)

        Netty (Linux)

        Create a start.sh file in the Netty directory (the directory that contains the *netty-xxx.jar file). Copy and paste the following configuration to the file, and change the name of the Netty program (the .jar file) to the actual program name.
        #!/bin/bash
        
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi
        
        java ${JAVA_OPTS} -jar netty-target-1.0-SNAPSHOT.jar

        Figure 21 shows the parameter location.

        Figure 21 Configuring startup parameters for Netty (Linux)

        Jetty (Linux)

        Create a start.sh file in the Jetty directory (the directory that contains start.jar) and copy the following configuration to the file:
        #!/bin/bash
        
        SEC_RASP_HOME=/usr/local/rasp/secRASP
        if [ -f "$SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh" ]; then
        . $SEC_RASP_HOME/slave_agent/bin/set_java_opts.sh
        fi
        
        java ${JAVA_OPTS} -jar start.jar

        Figure 22 shows the parameter location.

        Figure 22 Configuring startup parameters for Jetty (Linux)
      2. Add the following parameters to the Docker startup command to mount the RASP directory.
           -v /usr/local/rasp:/usr/local/rasp
      3. Start the container. After the startup succeeds, return to the HSS console.
      4. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Starting a container using Docker Compose
      Perform the following operations on each application one by one to enable RASP:
      1. Add the following setting to the docker-compose configuration file to configure JVM startup parameters:
        environment: 
           JAVA_OPTS: "-javaagent:/usr/local/rasp/secRASP/slave_agent/lib/secsoter.jar=socketType=0,socketFile=/usr/local/rasp/raspSocket/hss.rasp.socket,productScenario=HSS_Container,iVersion=V1"
      2. Add the following setting to the Docker Compose configuration file to mount the RASP directory:
           volumes: 
           - /usr/local/rasp:/usr/local/rasp
      3. Start the container. After the startup succeeds, return to the HSS console.
      4. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
    • Managing containers through a Kubernetes cluster
      Perform the following operations on each application one by one to enable RASP:
      1. Add the following setting to the Kubernetes configuration file to specify JVM startup parameters.
          env:
            - name: JAVA_OPTS
              value: "-javaagent:/usr/local/rasp/secRASP/slave_agent/lib/secsoter.jar=socketType=0,socketFile=/usr/local/rasp/raspSocket/hss.rasp.socket,productScenario=HSS_Container,iVersion=V1"
      2. Add the following setting to the Kubernetes configuration file to mount the RASP directory:
           volumeMounts:
             - name: rasp-volume
               mountPath: /usr/local/rasp
      3. Update the cluster. After the update succeeds, return to the HSS console.
      4. In the Operation column of the server, click View Details. On the application protection details page, check whether the RASP Status of the application is Protected. If yes, RASP has been enabled.
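
A pre-flight check for the JAVA_OPTS value used in the Docker, Docker Compose and Kubernetes procedures above, as an added example that is not part of HSS or its documentation: a JVM exits at startup when the jar named in -javaagent cannot be opened, so a container started with the JAVA_OPTS setting but without the /usr/local/rasp mount does not come up. The function names, the exit codes and the assumption that the socket directory already exists under the mounted path are this example's own.

```shell
#!/bin/sh
# Added example, not HSS tooling. Run inside the container before the JVM starts,
# for instance from the entrypoint:  rasp_preflight "$JAVA_OPTS" || exit 1

# Print the -javaagent spec ("<jar>=<options>") found in a JAVA_OPTS string.
rasp_agent_spec() (
    set -f                          # split $1 into words without globbing
    for word in $1; do
        case $word in
            -javaagent:*) printf '%s\n' "${word#-javaagent:}"; exit 0 ;;
        esac
    done
    exit 1
)

# Print the value of one key from the comma-separated agent options.
# $1 = agent spec, $2 = key (for example socketFile)
rasp_agent_opt() (
    case $1 in *=*) ;; *) exit 1 ;; esac
    set -f; IFS=,
    for kv in ${1#*=}; do
        case $kv in
            "$2="*) printf '%s\n' "${kv#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# $1 = JAVA_OPTS value, $2 = optional path prefix (lets the check run against a
# constructed directory tree). Exit status: 0 ok, 1 no -javaagent option,
# 2 agent jar not readable, 3 socket directory missing.
rasp_preflight() (
    spec=$(rasp_agent_spec "$1") || { echo "no -javaagent in JAVA_OPTS" >&2; exit 1; }
    jar=${spec%%=*}
    [ -r "$2$jar" ] || { echo "agent jar not readable: $2$jar" >&2; exit 2; }
    # Assumption: the directory holding socketFile already exists under the mount.
    sock=$(rasp_agent_opt "$spec" socketFile) || sock=
    [ -n "$sock" ] && [ -d "$2${sock%/*}" ] ||
        { echo "socket directory missing: ${sock:-no socketFile option}" >&2; exit 3; }
    exit 0
)
```

An exit status of 2 or 3 inside the container usually means the /usr/local/rasp mount is missing from the start command or manifest.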

Related Operations

To change a protected RASP port, click Edit Port in the Operation column of a server. After the port is changed, the system restarts the RASP plug-in, which takes several minutes.