diff --git a/content/en/security_platform/application_security/getting_started/ruby.md b/content/en/security_platform/application_security/getting_started/ruby.md index 8ca36a57143a3..0c73c62983a1d 100644 --- a/content/en/security_platform/application_security/getting_started/ruby.md +++ b/content/en/security_platform/application_security/getting_started/ruby.md @@ -16,7 +16,7 @@ further_reading: text: "Troubleshooting Application Security Monitoring" --- -You can monitor application security for Ruby apps running in Docker, Kubernetes, AWS ECS, and AWS Fargate. +You can monitor application security for Ruby apps running in Docker, Kubernetes, AWS ECS, and AWS Fargate. {{% appsec-getstarted %}} 
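Review bot: the only visible difference between the removed and added line in this hunk is trailing whitespace after "Fargate."; if the intent is to strip a trailing space that is fine, but if it adds one, drop the change, since whitespace-only churn on a prose line adds noise to blame without changing the rendered page.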
@@ -25,24 +25,44 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes 1. **Update your Gemfile to include the Datadog library**: ```ruby - gem 'ddtrace', '~> 1.0' + gem 'ddtrace', '~> 1.1' ``` For information about which language and framework versions are supported by the library, see [Compatibility][1]. For more information about upgrading from a `dd-trace` 0.x version, see [the Ruby tracer upgrade guide][2]. -2. **Enable ASM**, either in your code: +2. **Enable ASM** by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read [the Ruby tracer documentation][3] for more details. + + You can enable ASM either in your code: + {{< tabs >}} {{% tab "Rails" %}} - Either enable the tracer through auto-instrumentation by updating your Gemfile: + Enable the APM tracer by adding an initializer in your application code: + + ```ruby + # config/initializers/datadog.rb + + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer + c.tracing.instrument :rails + + # enable ASM + c.appsec.enabled = true + c.appsec.instrument :rails + end + ``` + + Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument: ```ruby - gem 'ddtrace', '~> 1.0', require: 'ddtrace/auto_instrument' + gem 'ddtrace', '~> 1.1', require: 'ddtrace/auto_instrument' ``` - Or enable the tracer by adding an initializer in your application code: + And also enable `appsec`: ```ruby # config/initializers/datadog.rb 
@@ -50,20 +70,21 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes require 'datadog/appsec' Datadog.configure do |c| - # enable the APM tracer - # not needed if `gem 'ddtrace', require: 'ddtrace/auto_instrument' is used - c.tracing.instrument :rails + # the APM tracer is enabled by auto-instrumentation + # enable ASM c.appsec.enabled = true c.appsec.instrument :rails end ``` + {{% /tab %}} {{% tab "Sinatra" %}} - Enable the tracer by adding the following to your application's startup: + Enable the APM tracer by adding the following to your application's startup: ```ruby + require 'sinatra' require 'ddtrace' require 'datadog/appsec' @@ -71,7 +92,22 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes # enable the APM tracer c.tracing.instrument :sinatra - # enable appsec for Sinatra + # enable ASM for Sinatra + c.appsec.enabled = true + c.appsec.instrument :sinatra + end + ``` + + Or enable the APM tracer through auto-instrumentation: + + ```ruby + require 'sinatra' + require 'ddtrace/auto_instrument' + + Datadog.configure do |c| + # the APM tracer is enabled by auto-instrumentation + + # enable ASM for Sinatra c.appsec.enabled = true c.appsec.instrument :sinatra end @@ -79,7 +115,7 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes {{% /tab %}} {{% tab "Rack" %}} - Enable the tracer by adding the following to your `config.ru` file: + Enable the APM tracer by adding the following to your `config.ru` file: ```ruby require 'ddtrace' @@ -89,7 +125,7 @@ You can monitor application security for Ruby apps running in Docker, Kubernetes # enable the APM tracer c.tracing.instrument :rack - # enable appsec for Rack + # enable ASM for Rack c.appsec.enabled = true c.appsec.instrument :rack end 
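Review bot: the new Sinatra auto-instrumentation block requires only `require 'sinatra'` and `require 'ddtrace/auto_instrument'` before calling `c.appsec.enabled = true`, while the Rails auto-instrumentation block in the same change still keeps an explicit `require 'datadog/appsec'`. Either `ddtrace/auto_instrument` loads AppSec (then the Rails require is redundant and should go) or it does not (then the Sinatra block fails on `c.appsec`); make the two blocks consistent, most simply by adding `require 'datadog/appsec'` after `require 'ddtrace/auto_instrument'` in the Sinatra example as the non-auto Sinatra block already does.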
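Review bot: in the Rails tab the lead-in "Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument:" says auto-instrument twice; "Or enable the APM tracer through auto-instrumentation by updating your Gemfile:" reads cleaner. The following "And also enable `appsec`:" uses the gem's config key where the rest of the hunk was just renamed to say "ASM" (the comments now read `# enable ASM`), so "And also enable ASM in an initializer:" would match the new wording.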
@@ -141,7 +177,7 @@ spec: {{% /tab %}} {{% tab "AWS ECS" %}} -Update your ECS task definition JSON file, by adding this in the environment section: +Update your ECS task definition JSON file, by adding this in the environment section: ```json "environment": [ @@ -175,3 +211,4 @@ env DD_APPSEC_ENABLED=true rails server [1]: /security_platform/application_security/setup_and_configure/?code-lang=ruby#compatibility [2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide.md#from-0x-to-10 +[3]: /tracing/setup_overview/setup/ruby/ diff --git a/content/en/security_platform/application_security/setup_and_configure.md b/content/en/security_platform/application_security/setup_and_configure.md index 6808a7ca42eb7..6592e3076b319 100644 --- a/content/en/security_platform/application_security/setup_and_configure.md +++ b/content/en/security_platform/application_security/setup_and_configure.md 
@@ -292,11 +292,49 @@ if span, ok := tracer.SpanFromContext(request.Context()); ok { {{< programming-lang lang="ruby" >}} -Use the the Ruby tracer's API for adding custom tags to a trace, and add user information so that you can monitor authenticated requests in the application. +Use one of the following APIs to add user information to a trace so that you can monitor authenticated requests in the application: -User monitoring tags are applied on the trace and start with the prefix `usr` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name. +{{< tabs >}} -The example below shows how to obtain the root span and add relevant user monitoring tags: +{{% tab "set_user" %}} + +Starting with `ddtrace` 1.1.0, the `Datadog::Kit::Identity.set_user` method is available. This is the recommended API for adding user information to traces: + +```ruby +# Get the active trace +trace = Datadog::Tracing.active_trace + +# Set mandatory user id tag +Datadog::Kit::Identity.set_user(trace, id: 'd131dd02c56eeec4') + +# Or set any of these optional user monitoring tags +Datadog::Kit::Identity.set_user( + trace, + + # mandatory id + id: 'd131dd02c56eeec4', + + # optional tags with known semantics + name: 'Jean Example', + email:, 'jean.example@example.com', + session_id:, '987654321', + role: 'admin', + scope: 'read:message, write:files', + + # optional free-form tags + another_tag: 'another_value', +) +``` + +{{% /tab %}} + +{{% tab "set_tag" %}} + +If `Datadog::Kit::Identity.set_user` does not meet your needs, you can use `set_tag` instead. + +User monitoring tags are applied on the trace and start with the prefix `usr.` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name. + +The example below shows how to obtain the active trace and add relevant user monitoring tags: **Notes**: - Tag values must be strings. 
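Review bot: the `Datadog::Kit::Identity.set_user` example does not parse as Ruby: `email:, 'jean.example@example.com',` and `session_id:, '987654321',` have a stray comma between the keyword and its value. They should read `email: 'jean.example@example.com',` and `session_id: '987654321',`. Since this is presented as the recommended API, the snippet should be pasted into `ruby -c` before merge; the trailing comma after `another_tag: 'another_value',` is legal and can stay.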
@@ -309,14 +347,21 @@ trace = Datadog::Tracing.active_trace # Set mandatory user id tag trace.set_tag('usr.id', 'd131dd02c56eeec4') -# Set optional user monitoring tags +# Set optional user monitoring tags with known sematics trace.set_tag('usr.name', 'Jean Example') trace.set_tag('usr.email', 'jean.example@example.com') trace.set_tag('usr.session_id', '987654321') trace.set_tag('usr.role', 'admin') trace.set_tag('usr.scope', 'read:message, write:files') + +# Set free-form tags: +trace.set_tag('usr.another_tag', 'another_value') ``` +{{% /tab %}} + +{{< /tabs >}} + {{< /programming-lang >}} {{< programming-lang lang="php" >}} 
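Review bot: the added comment `# Set optional user monitoring tags with known sematics` misspells "semantics"; the set_user tab in the previous hunk uses the spelling "known semantics", so fix it here to match. The new `# Set free-form tags:` comment is the only one in the block ending with a colon; drop it for consistency with the surrounding comments.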
@@ -386,11 +431,28 @@ The data that you collect with Datadog can contain sensitive information that yo By default, ASM collects information from suspicious requests to help you understand why the request was flagged as suspicious. Before sending the data, ASM scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `` flag, so you observe that although the request was suspicious, the request data could not be collected because of data security concerns. -To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 patten: +To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 pattern: -* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the key, all corresponding values, and any child nodes are redacted. +* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the values and any child nodes associated with the key are redacted. * `DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP` - Pattern for scanning for values that could indicate sensitive data. If found, the value and all its child nodes are redacted. +
For Ruby only, starting in ddtrace version 1.1.0 + +

You can also configure scanning patterns in code:

+ +```ruby +Datadog.configure do |c| + # ... + + # Set custom RE2 regexes + c.appsec.obfuscator_key_regex = '...' + c.appsec.obfuscator_value_regex = '...' +end +``` + +
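Review bot: the description of `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` changes from "the key, all corresponding values, and any child nodes are redacted" to "the values and any child nodes associated with the key are redacted", which drops the key itself from what gets redacted; that is a behavioural statement, so please confirm it reflects the library's actual behaviour rather than a rewording, or keep the key in the list. In the new Ruby block, the `'...'` placeholders for `c.appsec.obfuscator_key_regex` and `c.appsec.obfuscator_value_regex` give the reader nothing to copy; since the text says values must be valid RE2, showing one real pattern (for example one built from the default key list below, such as `'(?i)pass|pwd|token'`) would make the example usable. The callout "For Ruby only, starting in ddtrace version 1.1.0" also lacks terminal punctuation and formats the gem name differently from "`ddtrace` 1.1.0" in the set_user tab; align both.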
+ + The following are examples of data that are flagged as sensitive by default: * `pwd`, `password`, `ipassword`, `pass_phrase`