Use the following instructions to enable Misconfigurations and Vulnerability Management.
Collecting events using Cloud Security affects your billing. For more information, see Datadog Pricing.
Prerequisites
Datadog Agent version 7.46 or later.
Installation
For a package-based deployment, install the Datadog package with your package manager, and then update the files listed below.
/etc/datadog-agent/datadog.yaml

compliance_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable CIS benchmarks for Misconfigurations.
  # enabled: true
  host_benchmarks:
    enabled: true

# Vulnerabilities are evaluated and scanned against your containers and hosts every hour.
sbom:
  enabled: true
  # Set to true to enable Container Vulnerability Management
  container_image:
    enabled: true
    # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
    analyzers: ["os", "languages"]
  # Set to true to enable Host Vulnerability Management
  host:
    enabled: true
    # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
    analyzers: ["os", "languages"]
  # Enables runtime package prioritization (Preview, Agent 7.79+)
  # See Runtime Package Tracking section below.
  enrichment:
    usage:
      enabled: true
Note: enrichment.usage.enabled: true is in Preview and requires Datadog Agent 7.79.0 or later. From 7.79.0, runtime package tracking runs independently of Workload Protection and does not affect its usage. See the Runtime Package Tracking section for more details.
/etc/datadog-agent/security-agent.yaml

compliance_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable CIS benchmarks for Misconfigurations.
  # enabled: true
  host_benchmarks:
    enabled: true
Note: The languages analyzer requires Datadog Agent 7.70 or later. When enabled, it detects vulnerabilities in application libraries managed by package managers such as npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, and Bundler, in addition to OS packages. When the analyzers field is omitted, only OS packages are scanned for container images. See Supported application library package managers for the full list.
Supported application library package managers
The languages analyzer covers the following package ecosystems:
Runtime Package Tracking
Runtime package tracking enriches each vulnerability finding with real-time signals from the running environment. When enabled, the Agent uses eBPF to monitor file access at runtime and records how packages are actually used by running processes.
Each vulnerability finding is enriched with the following signals:
| Signal | Description |
| --- | --- |
| Package is running | The package files are actively being accessed by running processes. |
| Accessed by root process | The package is being accessed by a process running as root (UID 0). |
| SUID binary present | The package contains a binary with the SUID bit set, which can enable privilege escalation. |
These signals power vulnerability prioritization in Cloud Security, surfacing findings where vulnerable code is confirmed running in production.
Requirements:
Datadog Agent 7.79.0 or later
Linux only (eBPF dependency)
Note: Use Datadog Agent 7.79.0 or later. Earlier Agent versions enable this feature through Workload Protection and can affect its usage. From 7.79.0, runtime package tracking runs independently and does not affect its usage.
Add the enrichment block to the sbom section of your datadog.yaml file:
If you use the Agent install script to enable Misconfigurations and Vulnerability Management, you must manually update the datadog.yaml file to enable host_benchmarks for Misconfigurations, and sbom and container_image for Vulnerability Management.
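The settings and version gates above (host_benchmarks for Misconfigurations, sbom with container_image and host for Vulnerability Management, the languages analyzer from 7.70, enrichment.usage from 7.79) are easy to get partly right after a manual edit. The following audit script is an added example, not Datadog's own tooling: it takes an already-parsed datadog.yaml as a Python dict (the constructed PAGE_CONFIG mirrors the YAML shown on this page) plus the installed Agent version, and reports which of the documented settings are missing or gated by the Agent version. Treating a host section with no analyzers field as OS-only is an assumption carried over from the container_image note above.

```python
"""Audit a parsed datadog.yaml for the Cloud Security settings documented on this page."""

# Version gates taken from the page text.
MIN_AGENT = (7, 46, 0)        # Cloud Security prerequisite
MIN_LANGUAGES = (7, 70, 0)    # analyzers: ["os", "languages"]
MIN_ENRICHMENT = (7, 79, 0)   # sbom.enrichment.usage (Preview)

# Constructed sample: the datadog.yaml from this page, as a parsed dict.
PAGE_CONFIG = {
    "compliance_config": {"host_benchmarks": {"enabled": True}},
    "sbom": {
        "enabled": True,
        "container_image": {"enabled": True, "analyzers": ["os", "languages"]},
        "host": {"enabled": True, "analyzers": ["os", "languages"]},
        "enrichment": {"usage": {"enabled": True}},
    },
}


def parse_version(text):
    """'7.79.0' -> (7, 79, 0); missing components are padded with 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def get(cfg, dotted, default=None):
    """Look up a dotted path such as 'sbom.host.enabled'; default if absent."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_config(cfg, agent_version):
    """Return a list of human-readable findings; an empty list means all documented settings are in place."""
    ver = parse_version(agent_version)
    findings = []
    if ver < MIN_AGENT:
        findings.append("agent: version below 7.46, Cloud Security is not supported")
    if get(cfg, "compliance_config.host_benchmarks.enabled") is not True:
        findings.append("misconfigurations: compliance_config.host_benchmarks.enabled is not true")
    if get(cfg, "sbom.enabled") is not True:
        findings.append("vulnerabilities: sbom.enabled is not true")
    for target in ("container_image", "host"):
        if get(cfg, f"sbom.{target}.enabled") is not True:
            findings.append(f"vulnerabilities: sbom.{target}.enabled is not true")
            continue
        analyzers = get(cfg, f"sbom.{target}.analyzers", ["os"])  # assumption: omitted means OS-only
        if "languages" in analyzers and ver < MIN_LANGUAGES:
            findings.append(f"vulnerabilities: sbom.{target}.analyzers lists languages but Agent < 7.70")
        elif "languages" not in analyzers:
            findings.append(f"vulnerabilities: sbom.{target} scans OS packages only (no languages analyzer)")
    if get(cfg, "sbom.enrichment.usage.enabled") is True and ver < MIN_ENRICHMENT:
        findings.append("runtime package tracking: enrichment.usage.enabled requires Agent 7.79.0 or later")
    return findings
```

Run it against the output of a YAML loader on the real file to see which of the documented settings a host is actually missing before expecting findings in Cloud Security.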