Getting Started with Cloud Workload Security

Cloud Workload Security is currently in public beta.

Overview

There are two types of monitoring that the Datadog Agent uses for Cloud Workload Security:

  1. File Integrity Monitoring to watch for changes to key files and directories on hosts or containers in real-time.
  2. Process Execution Monitoring to monitor process executions for malicious activity on hosts or containers in real-time.

Requirements

  • Datadog Agent >= 7.27.0
  • Hosts/containers must be running Linux with kernel versions >= 4.15
    • All major Linux distributions running on those kernels are supported.
    • Custom kernel builds are not supported.

Installation

Follow the Helm instructions on this page with the following changes in your values.yaml:

Note: By enabling runtime capabilities in the Runtime Security Agent, the Datadog system-probe will also be activated automatically. The system-probe is required to collect FIM events.

values.yaml

datadog:
  ...
  securityAgent:
    runtime:
      enabled: true
  ...
agents:
  image:
    repository: datadog/agent
    tag: 7-jmx
    doNotCheckTag: true

The following command can be used to start the Runtime Security Agent and system-probe in a Docker environment:

docker-runtime-security.sh

DOCKER_CONTENT_TRUST=1 \
  docker run -d --name dd-agent \
  --security-opt apparmor:unconfined \
  --cap-add SYS_ADMIN \
  --cap-add SYS_RESOURCE \
  --cap-add SYS_PTRACE \
  --cap-add NET_ADMIN \
  --cap-add IPC_LOCK \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /proc/:/host/proc/:ro \
  -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
  -v /etc/passwd:/etc/passwd:ro \
  -v /etc/group:/etc/group:ro \
  -v /:/host/root:ro \
  -v /sys/kernel/debug:/sys/kernel/debug \
  -e DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
  -e DD_SYSTEM_PROBE_ENABLED=true \
  -e HOST_ROOT=/host/root \
  -e DD_API_KEY=<API KEY> datadog/agent:7-jmx

For a package-based deployment on Debian-based systems, install the Datadog Agent package first: run dpkg -i datadog-agent_7….deb

By default, Runtime Security is disabled. To enable it, both the datadog.yaml and the system-probe.yaml files need to be adapted. Run the following commands to write the required setting:

debian-runtime-security.sh

# Note: ">" replaces any existing content of these two files.
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/security-agent.yaml
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/system-probe.yaml

systemctl restart datadog-agent

Once you apply the changes, restart both the Security Agent and the system-probe.

For a package-based deployment on Fedora or CentOS, install the Datadog Agent package first: run yum/dnf install datadog-agent_7….rpm

fedora-centos-runtime-security.sh

# Note: ">" replaces any existing content of these two files.
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/security-agent.yaml
echo "runtime_security_config.enabled: true" > /etc/datadog-agent/system-probe.yaml

systemctl restart datadog-agent
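The following script is an added example and not part of the Datadog documentation. It checks the two version requirements from the Requirements section (kernel >= 4.15, Agent >= 7.27.0) and enables runtime_security_config in a config file without discarding settings the file already holds, which the `>` redirections in the package-based commands above would do. The `--apply` flag, the function names and the temporary-file handling are this example's own conventions, not Datadog's.

```shell
#!/bin/sh
# Added example (not Datadog's own tooling). File paths are parameters so the
# functions can be exercised against copies before touching /etc/datadog-agent.

# version_ge ACTUAL REQUIRED: succeeds when ACTUAL >= REQUIRED, comparing up to
# three dotted numeric fields; build suffixes such as "-142-generic" are ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    r=$(printf '%s' "$2" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    i=1
    while [ "$i" -le 3 ]; do
        # a trailing "." guarantees cut sees a delimiter even for "5"
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$r" | cut -d. -f"$i")
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Thresholds taken from the Requirements section of this page.
kernel_supported() { version_ge "$1" 4.15; }
agent_supported()  { version_ge "$1" 7.27.0; }

# enable_runtime_security FILE: make sure FILE contains exactly one
# "runtime_security_config.enabled: true" line while keeping every other line.
enable_runtime_security() {
    f=$1; key='runtime_security_config.enabled'
    if [ -f "$f" ] && grep -q "^${key}:" "$f"; then
        # key already present (possibly "false"): rewrite that line only
        tmp=$(mktemp)
        sed "s/^${key}:.*/${key}: true/" "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
    else
        printf '%s: true\n' "$key" >> "$f"
    fi
    grep -q "^${key}: true$" "$f"
}

# Host check plus enablement for the package-based install described above.
# Run as root on the host being onboarded: ./enable-cws.sh --apply
if [ "${1:-}" = "--apply" ]; then
    kernel_supported "$(uname -r)" || { echo "kernel $(uname -r) is below 4.15"; exit 1; }
    enable_runtime_security /etc/datadog-agent/security-agent.yaml
    enable_runtime_security /etc/datadog-agent/system-probe.yaml
    systemctl restart datadog-agent
fi
```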
