Cisco Secure Application Runtime policies define what runtime behaviors to ignore, detect, or block. The runtime events identify all the attacks and vulnerabilities and the action is taken based on the defined runtime policy. You can create and configure runtime policies to specify an action to mitigate the attacks and vulnerabilities. 

To monitor the security of the application, you must create policies. To create policies, you require the Configure permission for Cisco Secure Application. By default, Cisco Secure Application includes a runtime policy that provides the best detection of all the attacks and vulnerabilities, reducing the false positives.

Supported Runtime Policies

Cisco Secure Application scans attacks and vulnerabilities for the following runtime behaviors:

Command Execution (PROCESS)

This policy detects or blocks the creation of new application processes. You can block a process at the tier level, but not at the application or the global level. The action can be limited to specific processes by name. For example, you can detect the creation of any process that executes the ps command or block the creation of any process that executes the cat command.

You can create rules for processes and stack traces. Meaning, that you can Detect, Block, or Ignore any command execution if a process starts with the following: equals, contains, or matches regex for a specific value. You can also Detect, Block, or Ignore any command execution if the stack trace contains, or matches regex of a specific value.

Filesystem Access (FILE) 

This policy detects or blocks the access to the local files. You can block the access to local files at tier level, but not at the application or the global level. The action can be limited to specific files by name. For example, you can detect the access to any file that contains /etc or block the access to any file that contains passwd

Headers in HTTP Transactions (HTTP_RESPONSE_HEADER)

This policy adds or detects a specific HTTP header to each HTTP response. The default action is detect. You can specify which headers to add with the patch option. You can specify this at the tier level, not at the application or the global level. 

You can set the action for any of the following headers:

You must specify Application and Tier to set an action for each header.

Web Transaction (TRANSACTION)

This policy detects or block certain web requests. The default action for this type of policy is detect. The transaction policy has two special options, to block non-encrypted HTTP requests and to block requests from unauthenticated users. You can specify rules to block requests based on originating IP or based on the URL.

Network or Socket Access (NETWORK)

This policy detects or blocks network connections to specific hosts. You can block the network connections at the tier level, not at the application or the global level. A specific rule can either block connections to and from a specific host, or connections that originate from a specific stack trace within the application.

Create a Runtime Policy 

To create a policy for an attack or vulnerability at runtime, perform the following steps:

  1. Click Policies > Create New Policy.

  2. From the Add Policy dialog, select the required criteria for the runtime in these fields:

    Field NameDetails
    NameSelect the required runtime activity. See Supported Runtime Policies.
    Application

    Select the application that includes the tiers or services on which you require to apply the policy. recommends to select a specific application for the policy. However, you can select All to apply the policy on all the applications.


    Tier

    Select the required application-specific tier or service to apply the policy.
    recommends to select a specific tier for the policy. However, you can select All to apply the policy on all the tiers or services. Also, review the default policy and if needed create a policy for specific applications and tiers.


    Default Action
    Select the default action for this policy.
    • You can select Ignore for no notifications for the runtime activity; select Detect to detect the runtime activity and display the details on the Attacks or  Vulnerabilities page; or select Block to block a specific runtime activity and to display it as Blocked on the Attacks and  Vulnerabilities page. 
    • In case of headers the Default Action is always set to Detect

    Block is unavailable for some of the supported runtime policies.

    For policies such as Headers in http transactions policy, you need to specify the Application and Tier to block a runtime activity.


    Rules
    Add the rules based on your requirement. The action that you specify within the rule supersedes the default action specified in Default Action.

    You can select Ignore for no notifications for the runtime activity; select Detect to detect the runtime activity and display the details on the Attacks or  Vulnerabilities page; or select Patch to add the header and value to the HTTP response.

    Block is unavailable for some of the supported runtime policies.


    Enable Policy

    Select Yes to enable the runtime policy.

    If Application and Tier are set to All, you cannot select this option.


  3. Click Save.

Modify a Security Policy

To view or modify a policy, perform the following steps:

You can use the Search filter to search based on the values of the Name, Tier or Application fields. Here, Name is the name of the runtime policy.

  1. Click Policies > Runtime.
    You can view 5, 10, 20, or 50 policies based on the number that you select at the bottom right corner of the page in the Show<number of policies> dropdown.
  2. Click the Modify icon next to the required policy.
  3. Modify the required fields. 
  4. Click Update or click Delete Policy based on the requirement.