Aqua

Agent Check

Supported OS:

Overview

This check monitors Aqua.

The Aqua check will alert the user if total high-severity vulnerability is reached, or if a container is running inside a host not registered by Aqua. Aqua will also send data alerts regarding blocked events in runtime, and it is possible to trigger a webhook to scale infrastructure if more Aqua scanners are required.

Setup

The Aqua check is not included in the Datadog Agent package, so you will need to install it yourself.

Installation

To install the Aqua check on your host:

Install the developer toolkit on any machine.
Run ddev release build aqua to build the package.
Download the Datadog Agent.
Upload the build artifact to any host with an Agent and run datadog-agent integration install -w path/to/aqua/dist/<ARTIFACT_NAME>.whl.

Configuration

Edit the aqua.d/conf.yaml file in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your Aqua metrics and logs. See the sample conf.yaml for all available configuration options.

Metric Collection

Add this configuration block to your aqua.d/conf.yaml file to start gathering your Aqua Metrics:

instances:
  - url: http://your-aqua-instance.com
    api_user: <api_username>
    password: <api_user_password>

Change the api_user and password parameter values and configure them for your environment.

Restart the Agent.

Log Collection

There are two types of logs generated by Aqua:

Aqua audit logs
Aqua enforcer logs

To collect Aqua audit logs:

Connect to your Aqua account
Go to the Log Management Section of the Integration Page
Activate the Webhook integration
Enable it and add the following endpoint: https://http-intake.logs.datadoghq.com/v1/input/<DATADOG_API_KEY>?ddsource=aqua

Replace <DATADOG_API_KEY> by your Datadog Api Key.
Note: For the EU region, replace .com by .eu in the endpoint.

For the Aqua Enforcer logs: Available for Agent >6.0

Collecting logs is disabled by default in the Datadog Agent. Enable it in your daemonset configuration:

(...)
  env:
    (...)
    - name: DD_LOGS_ENABLED
        value: "true"
    - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL
        value: "true"
(...)

Make sure that the Docker socket is mounted to the Datadog Agent as done in this manifest.
Restart the Agent.

Validation

Run the Agent’s status subcommand and look for aqua under the Checks section.

Data Collected

Metrics

aqua.images (gauge)	The number of images seen by Aqua shown as unit
aqua.vulnerabilities (gauge)	The number and categories of vulnerabilities detected by Aqua shown as occurrence
aqua.running_containers (gauge)	The number of running containers seen by Aqua shown as container
aqua.audit.access (gauge)	The number of audit events per category shown as event
aqua.scan_queue (gauge)	The number of scan queues per type shown as occurrence
aqua.enforcers (gauge)	The number of host enforcers per status shown as host

Service Checks

aqua.can_connect:

Returns CRITICAL if the Agent cannot connect to Aqua to collect metrics. Returns OK otherwise.

Events

Aqua does not include any events.

Troubleshooting

Need help? Contact Datadog support.

Mistake in the docs? Feel free to contribute!