Use the following instructions to enable CSM Misconfigurations, CSM Threats, and CSM Vulnerabilities on Linux. To learn more about the supported deployment types for each CSM feature, see Setting Up Cloud Security Management.

For a package-based deployment, install the Datadog package with your package manager, and then update the datadog.yaml, security-agent.yaml, and system-probe.yaml files.

You can also use the Agent install script to automatically enable CSM Misconfigurations and CSM Threats:

DD_COMPLIANCE_CONFIG_ENABLED=true DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_API_KEY=<DATADOG_API_KEY> DD_SITE="datadoghq.com" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"

Notes:

  • By default, Runtime Security is disabled. To enable it, both the security-agent.yaml and system-probe.yaml files need to be updated.
  • If you use the Agent install script to enable CSM Misconfigurations and CSM Threats, you must still manually update the datadog.yaml file to enable host_benchmarks for CSM Misconfigurations, and sbom and container_image for CSM Vulnerabilities.
sudo cp /etc/datadog-agent/system-probe.yaml.example /etc/datadog-agent/system-probe.yaml
sudo cp /etc/datadog-agent/security-agent.yaml.example /etc/datadog-agent/security-agent.yaml
sudo chmod 640 /etc/datadog-agent/system-probe.yaml /etc/datadog-agent/security-agent.yaml
sudo chgrp dd-agent /etc/datadog-agent/system-probe.yaml /etc/datadog-agent/security-agent.yaml
# /etc/datadog-agent/datadog.yaml file
remote_configuration:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable remote configuration.
  enabled: true

runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

compliance_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable CIS benchmarks for CSPM.
  #
  enabled: true
  host_benchmarks:
    enabled: true

# Vulnerabilities are evaluated and and scanned against your containers and hosts every hour.
sbom:
  enabled: true
  container_image:
    enabled: true
  host:
    enabled: true
container_image:
  enabled: true
# /etc/datadog-agent/security-agent.yaml file
runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

compliance_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable CIS benchmarks for CSPM.
  #
  enabled: true
  host_benchmarks:
    enabled: true
# /etc/datadog-agent/system-probe.yaml file
runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

  remote_configuration:
    ## @param enabled - boolean - optional - default: false
    enabled: true