Getting Started with Cloud Workload Security

Getting Started with Cloud Workload Security

Cloud Workload Security is currently in public beta.

Overview

There are two types of monitoring that the Datadog Agent uses for Cloud Workload Security:

  1. File Integrity Monitoring to watch for changes to key files and directories on hosts or containers in real-time.
  2. Process Execution Monitoring to monitor process executions for malicious activity on hosts or containers in real-time.

Requirements

  • Datadog Agent >= 7.27.0
  • Hosts/containers must be running Linux with kernel versions >= 4.15
    • All major Linux distributions running on those kernels are supported.
    • Custom kernel builds are not supported.

Installation

    Follow the Helm instructions on this page with the following changes in your values.yaml:

    Note: By enabling runtime capabilities in the Runtime Security Agent, the Datadog system-probe will also be activated automatically. The system-probe is required to collect FIM events.

    values.yaml

    datadog:
  ...
  securityAgent:
    runtime:
      enabled: true
 ...
agents:
  image:
    repository: datadog/agent
    tag: 7-jmx
    doNotCheckTag: true

    The following command can be used to start the Runtime Security Agent and system-probe in a Docker environment:

    docker-runtime-security.sh

    DOCKER_CONTENT_TRUST=1 \
  docker run -d --name dd-agent \
  --security-opt apparmor:unconfined \
  --cap-add SYS_ADMIN \
  --cap-add SYS_RESOURCE \
  --cap-add SYS_PTRACE \
  --cap-add NET_ADMIN \
  --cap-add IPC_LOCK \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /proc/:/host/proc/:ro \
  -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
  -v /etc/passwd:/etc/passwd:ro \
  -v /etc/group:/etc/group:ro \
  -v /:/host/root:ro \
  -v /sys/kernel/debug:/sys/kernel/debug \
  -e DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
  -e DD_SYSTEM_PROBE_ENABLED=true \
  -e HOST_ROOT=/host/root \
  -e DD_API_KEY=<API KEY> datadog/agent:7-jmx

    For a package-based deployment, the Datadog package has to be deployed: run dkpg -i datadog-agent_7….deb

    By default Runtime Security is disabled. To enable it, both the datadog.yaml and the system-probe.yaml files need to be adapted. Run the following commands to enable these configurations:

    debian-runtime-security.sh

    echo "runtime_security_config.enabled: true" > /etc/datadog-agent/security-agent.yaml
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/system-probe.yaml

    systemctl restart datadog-agent

    Once you apply the changes, restart both the Security Agent and the system-probe.

    For a package-based deployment, the Datadog package has to be deployed: run yum/dnf install datadog-agent_7….rpm

    fedora-centos-runtime-security.sh

    echo "runtime_security_config.enabled: true" > /etc/datadog-agent/security-agent.yaml
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/system-probe.yaml

    systemctl restart datadog-agent

    Further Reading

    Additional helpful documentation, links, and articles:

    Learn more about Datadog Cloud Runtime SecurityBLOG more more