--- title: Setting up Workload Protection on Linux description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Workload Protection > Setting up Workload Protection > Deploying Workload Protection on the Agent > Setting up Workload Protection on Linux --- # Setting up Workload Protection on Linux Use the following instructions to enable Workload Protection. {% alert level="info" %} Collecting events using Workload Protection will affect your billing. For more information, see [Datadog Pricing](https://www.datadoghq.com/pricing/?product=cloud-security-management#products). {% /alert %} ## Prerequisites{% #prerequisites %} - Datadog Agent version `7.46` or later. ## Installation{% #installation %} For a package-based deployment, [install the Datadog package](https://docs.datadoghq.com/agent/?tab=Linux) with your package manager, and then update the `datadog.yaml`, `security-agent.yaml`, and `system-probe.yaml` files. In the `/etc/datadog-agent/datadog.yaml` file: ```bash remote_configuration: ## @param enabled - boolean - optional - default: false ## Set to true to enable remote configuration. enabled: true runtime_security_config: ## @param enabled - boolean - optional - default: false ## Set to true to enable Threat Detection enabled: true compliance_config: ## @param enabled - boolean - optional - default: false ## Set to true to enable CIS benchmarks for Misconfigurations. # enabled: true host_benchmarks: enabled: true # Vulnerabilities are evaluated and scanned against your containers and hosts every hour. sbom: enabled: true # Set to true to enable Container Vulnerability Management container_image: enabled: true # Set to true to enable Host Vulnerability Management host: enabled: true ``` In the `/etc/datadog-agent/security-agent.yaml` file: ```bash runtime_security_config: ## @param enabled - boolean - optional - default: false ## Set to true to enable Threat Detection enabled: true compliance_config: ## @param enabled - boolean - optional - default: false ## Set to true to enable CIS benchmarks for Misconfigurations. # enabled: true host_benchmarks: enabled: true ``` In the `/etc/datadog-agent/system-probe.yaml` file: ```bash runtime_security_config: ## @param enabled - boolean - optional - default: false ## Set to true to enable Threat Detection enabled: true remote_configuration: ## @param enabled - boolean - optional - default: false enabled: true ``` **Notes**: - You can also use the following [Agent install script](https://docs.datadoghq.com/getting_started/agent/#installation) to automatically enable Misconfigurations and Threat Detection: ```shell DD_COMPLIANCE_CONFIG_ENABLED=true DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_API_KEY= DD_SITE="datadoghq.com" bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" ``` - By default, Runtime Security is disabled. To enable it, both the `security-agent.yaml` and `system-probe.yaml` files need to be updated. - If you use the Agent install script to enable Misconfigurations and Threat Detection, you must manually update the `datadog.yaml` file to enable `host_benchmarks` for Misconfigurations, and `sbom` and `container_image` for Container Vulnerability Management. ```shell sudo cp /etc/datadog-agent/system-probe.yaml.example /etc/datadog-agent/system-probe.yaml sudo cp /etc/datadog-agent/security-agent.yaml.example /etc/datadog-agent/security-agent.yaml sudo chmod 640 /etc/datadog-agent/system-probe.yaml /etc/datadog-agent/security-agent.yaml sudo chgrp dd-agent /etc/datadog-agent/system-probe.yaml /etc/datadog-agent/security-agent.yaml ```