- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
This guide describes how to set up the CSM Threats eBPF-less solution for eBPF disabled environments, such as AWS Fargate. The eBPF-less solution uses a ptrace-based Datadog Agent.
This guide also describes some advantages of the ptrace solution.
CSM Threats includes two Agent options for threat detection and response:
Datadog has built all its security products around eBPF (extended Berkeley Packet Filter). Some of the benfits of eBPF are:
The Datadog eBPF Agent code is fully open source.
Some environments use instances with old kernels that do not have eBPF at all. The ptrace solution is provided for these environments.
The following features are not available in the eBPF-less Agent:
A ptrace-based solution achieves a balance between robust threat detection and unwavering service availability. Some of the advantages of the ptrace-based solution are:
Precise process control: ptrace provides detailed inspection of memory and registers, safeguarding critical application workloads. This granular visibility is essential for identifying sophisticated threats. The Datadog procfs (Process Filesystem) scanner monitors all system-wide executions, enabling the surgical termination of malicious processes. Together, these tools protect from malicious activity.
Operational stability: Operating in user space, ptrace avoids the complexities and risks of kernel space, providing a safer and more manageable approach. In the event of a failure, a ptrace-based agent defaults to a fail-open state at the OS layer, keeping the system unaffected, even if the application hangs.
Performance efficiency: Recent benchmarks conducted by Datadog’s engineering team demonstrate that the Datadog ptrace-based implementation shows comparable performance to kernel-based solutions. Specifically, it introduces only a minimal overhead of around 3% for PostgreSQL workloads and negligible impacts for Redis operations, making it very efficient for most use cases.
Open source verification: Datadog has open-sourced the ptrace-based and eBPF Agent, allowing clients and the security community to verify its safety and effectiveness themselves, fostering transparency and trust in the solution.
You can set up the eBPF-less Agent on various platforms, including Docker and Linux hosts.
This section covers Docker and Linux hosts. For steps on setting up an Amazon Fargate environment where eBPF is disabled, see AWS Fargate Configuration Guide for Datadog Security.
The eBPF-less solution includes two tracing modes for applications:
An additional environment variable is required on Docker. Add the following line to your docker installation command:
-e DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED=true
The corresponding command should be:
docker run -d --name dd-agent \
--cgroupns host \
--pid host \
--security-opt apparmor:unconfined \
--cap-add SYS_ADMIN \
--cap-add SYS_RESOURCE \
--cap-add SYS_PTRACE \
--cap-add NET_ADMIN \
--cap-add NET_BROADCAST \
--cap-add NET_RAW \
--cap-add IPC_LOCK \
--cap-add CHOWN \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /proc/:/host/proc/:ro \
-v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
-v /etc/passwd:/etc/passwd:ro \
-v /etc/group:/etc/group:ro \
-v /:/host/root:ro \
-v /sys/kernel/debug:/sys/kernel/debug \
-v /etc/os-release:/etc/os-release \
-e DD_COMPLIANCE_CONFIG_ENABLED=true \
-e DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED=true \
-e DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
-e DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED=true \
-e DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED=true \
-e HOST_ROOT=/host/root \
-e DD_API_KEY=<API KEY> \
gcr.io/datadoghq/agent:7
To install the Agent to a Linux host, use the following install script to install the custom build:
DD_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX DD_SITE="datadoghq.com" \
DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)"
Next, modify the /etc/datadog-agent/system-probe.yaml
file to enable CWS and eBPF-less mode as follow:
system-probe.yaml
runtime_security_config:
enabled: true
ebpfless:
enabled: true
Alternatively, to manually install the .deb/.rmp
provided custom build packages, modify the /etc/datadog-agent/system-probe.yaml
file to enable CWS and eBPF-less mode as follows:
system-probe.yaml
runtime_security_config:
enabled: true
ebpfless:
enabled: true
Ensure you perform the following configuration requirements before deploying the Agent:
To validate your Agent installation and setup, connect to your Linux host or Docker container and run:
sudo /opt/datadog-agent/embedded/bin/system-probe config|grep -A 1 ebpfless
You should see the output:
ebpfless:
enabled: true
After the eBPF-less Agent is installed and set up to use the eBPF-Free mode, you can set up how your application is traced. This section provides you two different methods:
Both modes use the cws-instrumentation binary packaged with the Datadog Agent, and located at /opt/datadog-agent/embedded/bin/cws-instrumentation
.
--probe-addr=host:port
cws-instrumentation option. The server-side address can be updated through the runtime_security_config.ebpfless.socket option of the /etc/datadog-agent/system-probe.yaml
Agent config file.In wrap mode, the Datadog wrapper launchs the application. Here is an example:
sudo /opt/datadog-agent/embedded/bin/cws-instrumentation trace -- /usr/bin/your_application
If your application runs as non-root, specify the uid/gid as numeric values:
sudo /opt/datadog-agent/embedded/bin/cws-instrumentation trace --uid 100 --gid 100 -- /usr/bin/your_application
The following examples show how the tracer can be integrated within applications for different deployment types.
–disable-seccomp
option.If you already have an init script, here is a simple example of the required changes:
[Unit]
Description=My application
After=datadog-agent-sysprobe.service
[Service]
ExecStart=/opt/datadog-agent/embedded/bin/cws-instrumentation trace -- /usr/bin/myapp
Restart=on-failure
[Install]
WantedBy=multi-user.target
If you already have an init script, here is a simple example of the required changes:
#!/bin/sh
set -e
### BEGIN INIT INFO
# Provides: my_app
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My application
# Description: My application
### END INIT INFO
# Start the service
start() {
echo "Starting my app"
/opt/datadog-agent/embedded/bin/cws-instrumentation trace -- /usr/bin/myapp &
}
# Stop the service
stop() {
echo "Stopping my app"
pkill -f /usr/bin/myapp
}
### main logic ###
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
For Docker application deployments, you should modify your Dockerfile to wrap your application like this:
FROM gcr.io/datadoghq/agent:7 AS datadogagent
FROM ubuntu:latest
COPY --from=datadogagent /opt/datadog-agent/embedded/bin/cws-instrumentation .
ENTRYPOINT ["/cws-instrumentation", "trace", "--"]
CMD ["/bin/bash", "-c", "while true; do sleep 1; echo my app is running; done"]
When running your docker application, it’s important to give it an additional capability by adding --cap-add=SYS_PTRACE
to your docker run
command.
You also have to connect the container to Datadog on port 5678 by doing one of the following:
--network
host option.The wrap mode is recommended because the attach mode has the following limitations:
The attach mode differs from the wrap mode by attaching directly the tracer on an already running application, like this:
sudo /opt/datadog-agent/embedded/bin/cws-instrumentation trace --pid 2301
Several PIDs can be attached at once:
sudo /opt/datadog-agent/embedded/bin/cws-instrumentation trace --pid 2301 --pid 2302 --pid 2303
The following examples show how the tracer can be integrated within applications for different deployment types.
If you already have an init script, here is an example of how to integrate the wrapper using a new systemd service:
[Unit]
Description=Datadog CWS instrumentation attach to my application
After=datadog-agent-sysprobe.service my-app.service
[Service]
ExecStart=/bin/bash -c "/opt/datadog-agent/embedded/bin/cws-instrumentation trace $(for pid in $(pidof myapp); do echo --pid $pid; done)"
Restart=on-failure
[Install]
WantedBy=multi-user.target
If you already have an init script, here is an example of how to integrate the tracer using a new sysvinit service:
#!/bin/sh
set -e
### BEGIN INIT INFO
# Provides: dd_tracing_my_app
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Datadog tracing of my application
# Description: Datadog tracing of my application
### END INIT INFO
# Start the service
start() {
echo "Starting tracing my app"
/opt/datadog-agent/embedded/bin/cws-instrumentation trace $(for pid in $(pidof myapp); do echo --pid $pid; done) &
}
# Stop the service
stop() {
echo "Stopping my app"
pkill -f /opt/datadog-agent/embedded/bin/cws-instrumentation
}
### main logic ###
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
To attach the wrapper to a Docker image running an application, use the following Dockerfile:
FROM gcr.io/datadoghq/agent:7
ENTRYPOINT ["/opt/datadog-agent/embedded/bin/cws-instrumentation", "trace", "--pid", "$PID"]
Next, provide the host PID for connecting to Docker as an environment variable.
To attach to an application, you’ll need the following:
--cap-add=SYS_PTRACE
to your docker run
command.--network
host option.--cgroupns host --pid host
.