Cisco Secure Application のポリシー

Cisco Secure Application Runtime の ポリシーは、無視、検出、またはブロックするランタイム動作を定義します。ランタイムイベントはすべての攻撃と脆弱性を識別し、定義されたランタイムポリシーに基づいてアクションが実行されます。ランタイムポリシーを作成および設定すると、攻撃と脆弱性を軽減するアクションを指定できます。

アプリケーションのセキュリティをモニタするには、ポリシーを作成する必要があります。ポリシーを作成するには、Cisco Secure Application の設定権限が必要です。デフォルトでは、Cisco Secure Application には、すべての攻撃と脆弱性を最適に検出して誤検出を減らすランタイムポリシーが含まれています。

Supported Runtime Policies

Cisco Secure Application scans attacks and vulnerabilities for the following runtime behaviors:

Command Execution (PROCESS)

This policy detects or blocks the creation of new application processes. You can block a process at the tier level, but not at the application or the global level. The action can be limited to specific processes by name. For example, you can detect the creation of any process that executes the ps command or block the creation of any process that executes the cat command.

You can create rules for processes and stack traces. Meaning, that you can Detect, Block, or Ignore any command execution if a process starts with the following: equals, contains, or matches regex for a specific value. You can also Detect, Block, or Ignore any command execution if the stack trace contains, or matches regex of a specific value.

Filesystem Access (FILE)

This policy detects or blocks the access to the local files. You can block the access to local files at tier level, but not at the application or the global level. The action can be limited to specific files by name. For example, you can detect the access to any file that contains /etc or block the access to any file that contains passwd.

Headers in HTTP Transactions (HTTP_RESPONSE_HEADER)

This policy adds or detects a specific HTTP header to each HTTP response. The default action is detect. You can specify which headers to add with the patch option. You can specify this at the tier level, not at the application or the global level.

You can set the action for any of the following headers:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
注: You must specify Application and Tier to set an action for each header.

Web Transaction (TRANSACTION)

This policy detects or block certain web requests. The default action for this type of policy is detect. The transaction policy has two special options, to block non-encrypted HTTP requests and to block requests from unauthenticated users. You can specify rules to block requests based on originating IP or based on the URL.

Network or Socket Access (NETWORK)

This policy detects or blocks network connections to specific hosts. You can block the network connections at the tier level, not at the application or the global level. A specific rule can either block connections to and from a specific host, or connections that originate from a specific stack trace within the application.

Create a Runtime Policy

To create a policy for an attack or vulnerability at runtime, perform the following steps:

  1. Click Policies > Create New Policy.
  2. From the Add Policy dialog, select the required criteria for the runtime in these fields:
    Field Name Details
    Name Select the required runtime activity. See Supported Runtime Policies.
    Application Select the application that includes the tiers or services on which you require to apply the policy. Splunk AppDynamics recommends to select a specific application for the policy. However, you can select All to apply the policy on all the applications.
    Tier Select the required application-specific tier or service to apply the policy.Splunk AppDynamics recommends to select a specific tier for the policy. However, you can select All to apply the policy on all the tiers or services. Also, review the default policy and if needed create a policy for specific applications and tiers.
    Default Action Select the default action for this policy.
    • You can select Ignore for no notifications for the runtime activity; select Detect to detect the runtime activity and display the details on the Attacks or Vulnerabilities page; or select Block to block a specific runtime activity and to display it as Blocked on the Attacks and Vulnerabilities page.
    • In case of headers the Default Action is always set to Detect.
    注: Block is unavailable for some of the supported runtime policies. For policies such as Headers in http transactions policy, you need to specify the Application and Tier to block a runtime activity.
    Rules Add the rules based on your requirement. The action that you specify within the rule supersedes the default action specified in Default Action.

    You can select Ignore for no notifications for the runtime activity; select Detect to detect the runtime activity and display the details on the Attacks or Vulnerabilities page; or select Patch to add the header and value to the HTTP response.

    注: Block is unavailable for some of the supported runtime policies.
    Enable Policy Select Yes to enable the runtime policy.
    注: If Application and Tier are set to All, you cannot select this option.
  3. Click Save.

Modify a Security Policy

To view or modify a policy, perform the following steps:

注: You can use the Search filter to search based on the values of the Name, Tier or Application fields. Here, Name is the name of the runtime policy.
  1. Click Policies > Runtime.
    You can view 5, 10, 20, or 50 policies based on the number that you select at the bottom right corner of the page in the Show<number of policies> dropdown.
  2. Click the Modify icon next to the required policy.
  3. Modify the required fields.
  4. Click Update or click Delete Policy based on the requirement.