New announcements for Serverless, Network, RUM, and more from Dash!

Twistlock

Agent Check Agent Check

Supported OS: Linux Mac OS Windows

Overview

Twistlock is a security scanner. It scans containers, hosts and packages to find vulnerabilities and compliance issues.

Setup

Find below instructions to install and configure the check when running the Agent on a host. See the Autodiscovery Integration Templates documentation to learn how to apply those instructions to a containerized environment.

Installation

The Twistlock check is included in the Datadog Agent package, so you do not need to install anything else on your server.

Configuration

Edit the twistlock.d/conf.yaml file, in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your twistlock performance data. See the sample twistlock.d/conf.yaml for all available configuration options.

If you’re using Kubernetes, add the config to replication controller section of twistlock_console.yaml before deploying:

...
apiVersion: v1
kind: ReplicationController
metadata:
  name: twistlock-console
  namespace: twistlock
spec:
  replicas: 1
  selector:
    name: twistlock-console
  template:
    metadata:
      annotations:
        ad.datadoghq.com/twistlock-console.check_names: '["twistlock"]'
        ad.datadoghq.com/twistlock-console.init_configs: '[{}]'
        ad.datadoghq.com/twistlock-console.instances: '[{"url":"http://%%host%%:8083", "username":"USERNAME", "password": "PASSWORD"}]'
        ad.datadoghq.com/twistlock-console.logs: '[{"source": "twistlock", "service": "twistlock"}]'
      name: twistlock-console
      namespace: twistlock
      labels:
        name: twistlock-console
...

Restart the Agent

Validation

Run the Agent’s status subcommand and look for twistlock under the Checks section.

Log Collection

Available for Agent >6.0

Kubernetes
(...)
  env:
    (...)
    - name: DD_LOGS_ENABLED
        value: "true"
    - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL
        value: "true"
(...)
  • Make sure that the Docker socket is mounted to the Datadog Agent as done in this manifest.

  • Make sure the log section is included in the Pod annotation for the defender, where the container name can be found just below in the pod spec:

ad.datadoghq.com/<container-name>.logs: '[{"source": "twistlock", "service": "twistlock"}]'
Docker
  • Collecting logs is disabled by default in the Datadog Agent. Enable it by adding those two environment variables:
DD_LOGS_ENABLED=true
  • Add a label on the defender container:
ad.datadoghq.com/<container-name>.logs: '[{"source": "twistlock", "service": "twistlock"}]'
  • Make sure that the Docker socket is mounted to the Datadog Agent. More information about the required configuration to collect logs with the Datadog Agent available in the Docker documentation

  • Restart the Agent to begin sending Twistlock logs to Datadog.

Data Collected

Metrics

twistlock.registry.cve.details
(gauge)
the details of a CVE on an image in a registry
shown as occurrence
twistlock.registry.cve.count
(gauge)
the number of CVEs an image has
shown as occurrence
twistlock.registry.compliance.count
(gauge)
the number of compliance violations an image has
shown as occurrence
twistlock.registry.size
(gauge)
the size of an image in a registry
shown as byte
twistlock.registry.layer_count
(gauge)
the count of layers in an image in a registry
shown as occurrence
twistlock.images.cve.details
(gauge)
the details of a CVE on an image
shown as occurrence
twistlock.images.cve.count
(gauge)
the number of CVEs an image has
shown as occurrence
twistlock.images.compliance.count
(gauge)
the number of compliance violations an image has
shown as occurrence
twistlock.images.size
(gauge)
the size of a local image
shown as byte
twistlock.images.layer_count
(gauge)
the count of layers in a local image
shown as occurrence
twistlock.hosts.cve.details
(gauge)
the details of a CVE on a host
shown as occurrence
twistlock.hosts.cve.count
(gauge)
the number of CVEs a host has
shown as occurrence
twistlock.hosts.compliance.count
(gauge)
the number of compliance violations a host has
shown as occurrence
twistlock.containers.compliance.count
(gauge)
the number of compliance violations a container has
shown as occurrence

Service Checks

Twistlock sends service checks when a scan fails.

Events

Twistlock sends an event when a new CVE is found.

Troubleshooting

Need help? Contact Datadog support.


Mistake in the docs? Feel free to contribute!