Recommended API Protect Policy
The policy below is the recommended API Protect policy for the RASP Java Agent.
It is advised that the policy is first verified on a suitable test system. During verification, the protect() actions may be replaced with detect() actions so that the application's behaviour with the policy in place can be assessed passively, without any operation being blocked.
RASP Java Agent Recommended API Protect Policy
app("strict API hardening policy for Java"):
    requires(version: ARMR/2.11)
    dns("API block any DNS address resolution"):
        lookup(any)
        api(any)
        input(http, database, deserialization)
        protect(message: "", severity: High)
    enddns
    filesystem("API block any file read operations"):
        read("*")
        api(any)
        protect(message: "", severity: High)
    endfilesystem
    filesystem("API block any file write operations"):
        write("*")
        api(any)
        protect(message: "", severity: High)
    endfilesystem
    process("API block any process forking operations"):
        execute("*")
        api(any)
        protect(message: "", severity: High)
    endprocess
    socket("API block any incoming traffic using new connections"):
        accept("0.0.0.0:0")
        api(any)
        protect(message: "", severity: High)
    endsocket
    socket("API block any outgoing traffic using new connections"):
        connect("0.0.0.0:0")
        api(any)
        protect(message: "", severity: High)
    endsocket
endapp