chore(ruby agent): Update config docs

newrelic-ruby-agent-bot · newrelic-ruby-agent-bot · commit 3a24da763a06 · 2024-11-19T22:41:12.000Z
diff --git a/src/content/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration.mdx b/src/content/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration.mdx
@@ -196,7 +196,7 @@ These settings are available for agent configuration. Some settings depend on yo
       </tbody>
     </table>
 
-  Manual override for the path to your local CA bundle. This CA bundle will be used to validate the SSL certificate presented by New Relic's data collection service.
+  Manual override for the path to your local CA bundle. This CA bundle validates the SSL certificate presented by New Relic's data collection service.
   </Collapser>
 
   <Collapser id="capture_memcache_keys" title="capture_memcache_keys">
@@ -953,6 +953,30 @@ Valid values (ordered lowest to highest):
   A hash with key/value pairs to add as custom attributes to all log events forwarded to New Relic. If sending using an environment variable, the value must be formatted like: "key1=value1,key2=value2"
   </Collapser>
 
+  <Collapser id="application_logging-forwarding-labels-enabled" title="application_logging.forwarding.labels.enabled">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_APPLICATION_LOGGING_FORWARDING_LABELS_ENABLED`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, the agent attaches [labels](https://docs.newrelic.com/docs/apm/agents/ruby-agent/configuration/ruby-agent-configuration/#labels) to log records.
+  </Collapser>
+
+  <Collapser id="application_logging-forwarding-labels-exclude" title="application_logging.forwarding.labels.exclude">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Array</td></tr>
+        <tr><th>Default</th><td>`[]`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_APPLICATION_LOGGING_FORWARDING_LABELS_EXCLUDE`</td></tr>
+      </tbody>
+    </table>
+
+  A case-insensitive array or comma-delimited string containing the labels to exclude from log records.
+  </Collapser>
+
   <Collapser id="application_logging-forwarding-max_samples_stored" title="application_logging.forwarding.max_samples_stored">
     <table>
       <tbody>
@@ -2009,6 +2033,18 @@ Use these settings to toggle instrumentation types during agent startup.
   Controls auto-instrumentation of bunny at start-up. May be one of: `auto`, `prepend`, `chain`, `disabled`.
   </Collapser>
 
+  <Collapser id="instrumentation-aws_sdk_lambda" title="instrumentation.aws_sdk_lambda">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>String</td></tr>
+        <tr><th>Default</th><td>`auto`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_INSTRUMENTATION_AWS_SDK_LAMBDA`</td></tr>
+      </tbody>
+    </table>
+
+  Controls auto-instrumentation of the aws_sdk_lambda library at start-up. May be one of `auto`, `prepend`, `chain`, `disabled`.
+  </Collapser>
+
   <Collapser id="instrumentation-ruby_kafka" title="instrumentation.ruby_kafka">
     <table>
       <tbody>
@@ -2686,7 +2722,7 @@ Use these settings to toggle instrumentation types during agent startup.
       </tbody>
     </table>
 
-  If `true`, the security agent is loaded (a Ruby 'require' is performed)
+  If `true`, the security agent is loaded (the agent performs a Ruby 'require')
   </Collapser>
 
   <Collapser id="security-enabled" title="security.enabled">
@@ -2725,64 +2761,280 @@ Use these settings to toggle instrumentation types during agent startup.
   Defines the endpoint URL for posting security-related data
   </Collapser>
 
-  <Collapser id="security-detection-rci-enabled" title="security.detection.rci.enabled">
+  <Collapser id="security-application_info-port" title="security.application_info.port">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Integer</td></tr>
+        <tr><th>Default</th><td>`nil`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_APPLICATION_INFO_PORT`</td></tr>
+      </tbody>
+    </table>
+
+  The port the application is listening on. This setting is mandatory for Passenger servers. The agent detects other servers by default.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-api" title="security.exclude_from_iast_scan.api">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Array</td></tr>
+        <tr><th>Default</th><td>`[]`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_API`</td></tr>
+      </tbody>
+    </table>
+
+  Defines API paths the security agent should ignore in IAST scans. Accepts an array of regex patterns matching the URI to ignore. The regex pattern should find a complete match for the URL without the endpoint. For example, `[".*account.*"], [".*/\api\/v1\/.*?\/login"]`
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-http_request_parameters-header" title="security.exclude_from_iast_scan.http_request_parameters.header">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Array</td></tr>
+        <tr><th>Default</th><td>`[]`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_HTTP_REQUEST_PARAMETERS_HEADER`</td></tr>
+      </tbody>
+    </table>
+
+  An array of HTTP request headers the security agent should ignore in IAST scans. The array should specify a list of patterns matching the headers to ignore.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-http_request_parameters-query" title="security.exclude_from_iast_scan.http_request_parameters.query">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Array</td></tr>
+        <tr><th>Default</th><td>`[]`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_HTTP_REQUEST_PARAMETERS_QUERY`</td></tr>
+      </tbody>
+    </table>
+
+  An array of HTTP request query parameters the security agent should ignore in IAST scans. The array should specify a list of patterns matching the HTTP request query parameters to ignore.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-http_request_parameters-body" title="security.exclude_from_iast_scan.http_request_parameters.body">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Array</td></tr>
+        <tr><th>Default</th><td>`[]`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_HTTP_REQUEST_PARAMETERS_BODY`</td></tr>
+      </tbody>
+    </table>
+
+  An array of HTTP request body keys the security agent should ignore in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-insecure_settings" title="security.exclude_from_iast_scan.iast_detection_category.insecure_settings">
     <table>
       <tbody>
         <tr><th>Type</th><td>Boolean</td></tr>
-        <tr><th>Default</th><td>`true`</td></tr>
-        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_DETECTION_RCI_ENABLED`</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_INSECURE_SETTINGS`</td></tr>
       </tbody>
     </table>
 
-  If `true`, enables RCI (remote code injection) detection
+  If `true`, disables the detection of low-severity insecure settings. For example, hash, crypto, cookie, random generators, trust boundary).
   </Collapser>
 
-  <Collapser id="security-detection-rxss-enabled" title="security.detection.rxss.enabled">
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-invalid_file_access" title="security.exclude_from_iast_scan.iast_detection_category.invalid_file_access">
     <table>
       <tbody>
         <tr><th>Type</th><td>Boolean</td></tr>
-        <tr><th>Default</th><td>`true`</td></tr>
-        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_DETECTION_RXSS_ENABLED`</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_INVALID_FILE_ACCESS`</td></tr>
       </tbody>
     </table>
 
-  If `true`, enables RXSS (reflected cross-site scripting) detection
+  If `true`, disables file operation-related IAST detections (File Access & Application integrity violation)
   </Collapser>
 
-  <Collapser id="security-detection-deserialization-enabled" title="security.detection.deserialization.enabled">
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-sql_injection" title="security.exclude_from_iast_scan.iast_detection_category.sql_injection">
     <table>
       <tbody>
         <tr><th>Type</th><td>Boolean</td></tr>
-        <tr><th>Default</th><td>`true`</td></tr>
-        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_DETECTION_DESERIALIZATION_ENABLED`</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_SQL_INJECTION`</td></tr>
       </tbody>
     </table>
 
-  If `true`, enables deserialization detection
+  If `true`, disables SQL injection detection in IAST scans.
   </Collapser>
 
-  <Collapser id="security-application_info-port" title="security.application_info.port">
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-nosql_injection" title="security.exclude_from_iast_scan.iast_detection_category.nosql_injection">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_NOSQL_INJECTION`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables NOSQL injection detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-ldap_injection" title="security.exclude_from_iast_scan.iast_detection_category.ldap_injection">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_LDAP_INJECTION`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables LDAP injection detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-javascript_injection" title="security.exclude_from_iast_scan.iast_detection_category.javascript_injection">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_JAVASCRIPT_INJECTION`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables Javascript injection detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-command_injection" title="security.exclude_from_iast_scan.iast_detection_category.command_injection">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_COMMAND_INJECTION`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables system command injection detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-xpath_injection" title="security.exclude_from_iast_scan.iast_detection_category.xpath_injection">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_XPATH_INJECTION`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables XPATH injection detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-ssrf" title="security.exclude_from_iast_scan.iast_detection_category.ssrf">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_SSRF`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables Sever-Side Request Forgery (SSRF) detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-exclude_from_iast_scan-iast_detection_category-rxss" title="security.exclude_from_iast_scan.iast_detection_category.rxss">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_EXCLUDE_FROM_IAST_SCAN_IAST_DETECTION_CATEGORY_RXSS`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, disables Reflected Cross-Site Scripting (RXSS) detection in IAST scans.
+  </Collapser>
+
+  <Collapser id="security-scan_schedule-delay" title="security.scan_schedule.delay">
     <table>
       <tbody>
         <tr><th>Type</th><td>Integer</td></tr>
-        <tr><th>Default</th><td>`nil`</td></tr>
-        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_APPLICATION_INFO_PORT`</td></tr>
+        <tr><th>Default</th><td>`0`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_SCHEDULE_DELAY`</td></tr>
       </tbody>
     </table>
 
-  The port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default.
+  Specifies the delay time (in minutes) before the IAST scan begins after the application starts.
   </Collapser>
 
-  <Collapser id="security-request-body_limit" title="security.request.body_limit">
+  <Collapser id="security-scan_schedule-duration" title="security.scan_schedule.duration">
     <table>
       <tbody>
         <tr><th>Type</th><td>Integer</td></tr>
-        <tr><th>Default</th><td>`300`</td></tr>
-        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_REQUEST_BODY_LIMIT`</td></tr>
+        <tr><th>Default</th><td>`0`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_SCHEDULE_DURATION`</td></tr>
       </tbody>
     </table>
 
-  Defines the request body limit to process in security events (in KB). The default value is 300, for 300KB.
+  Specifies the length of time (in minutes) that the IAST scan will run.
+  </Collapser>
+
+  <Collapser id="security-scan_schedule-schedule" title="security.scan_schedule.schedule">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>String</td></tr>
+        <tr><th>Default</th><td>`""`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_SCHEDULE_SCHEDULE`</td></tr>
+      </tbody>
+    </table>
+
+  Specifies a cron expression that sets when the IAST scan should run.
+  </Collapser>
+
+  <Collapser id="security-scan_schedule-always_sample_traces" title="security.scan_schedule.always_sample_traces">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`false`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_SCHEDULE_ALWAYS_SAMPLE_TRACES`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, allows IAST to continuously gather trace data in the background. Collected data will be used by the security agent to perform an IAST scan at the scheduled time.
+  </Collapser>
+
+  <Collapser id="security-scan_controllers-iast_scan_request_rate_limit" title="security.scan_controllers.iast_scan_request_rate_limit">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Integer</td></tr>
+        <tr><th>Default</th><td>`3600`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_CONTROLLERS_IAST_SCAN_REQUEST_RATE_LIMIT`</td></tr>
+      </tbody>
+    </table>
+
+  Sets the maximum number of HTTP requests allowed for the IAST scan per minute. Any Integer between 12 and 3600 is valid. The default value is 3600.
+  </Collapser>
+
+  <Collapser id="security-scan_controllers-scan_instance_count" title="security.scan_controllers.scan_instance_count">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Integer</td></tr>
+        <tr><th>Default</th><td>`0`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_CONTROLLERS_SCAN_INSTANCE_COUNT`</td></tr>
+      </tbody>
+    </table>
+
+  The number of application instances for a specific entity to perform IAST analysis on.
+  </Collapser>
+
+  <Collapser id="security-scan_controllers-report_http_response_body" title="security.scan_controllers.report_http_response_body">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>Boolean</td></tr>
+        <tr><th>Default</th><td>`true`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_SCAN_CONTROLLERS_REPORT_HTTP_RESPONSE_BODY`</td></tr>
+      </tbody>
+    </table>
+
+  If `true`, enables the sending of HTTP responses bodies. Disabling this also disables Reflected Cross-Site Scripting (RXSS) vulnerability detection.
+  </Collapser>
+
+  <Collapser id="security-iast_test_identifier" title="security.iast_test_identifier">
+    <table>
+      <tbody>
+        <tr><th>Type</th><td>String</td></tr>
+        <tr><th>Default</th><td>`nil`</td></tr>
+        <tr><th>Environ variable</th><td>`NEW_RELIC_SECURITY_IAST_TEST_IDENTIFIER`</td></tr>
+      </tbody>
+    </table>
+
+  A unique test identifier when runnning IAST in a CI/CD environment to differentiate between different test runs. For example, a build number.
   </Collapser>
 
 </CollapserGroup>
@@ -3018,8 +3270,8 @@ permit advanced matching. Setting the value to `["."]` will report all `user_dat
   An array of strings to specify which keys and/or values inside a Stripe event's `user_data` hash should
 not be reported to New Relic. Each string in this array will be turned into a regular expression via
 `Regexp.new` to permit advanced matching. For each hash pair, if either the key or value is matched the
-pair will not be reported. By default, no `user_data` is reported, so this option should only be used if
-the `stripe.user_data.include` option is being used.
+pair will not be reported. By default, no `user_data` is reported. Use this option only if the
+`stripe.user_data.include` option is also used.
 
   </Collapser>
 
@@ -3123,4 +3375,4 @@ the `stripe.user_data.include` option is being used.
   If `true`, the agent automatically detects that it is running in a Pivotal Cloud Foundry environment.
   </Collapser>
 
-</CollapserGroup>
+</CollapserGroup>
