Add a switch for enabling datadog security
essa committed Mar 13, 2024
1 parent c957248 commit 4d6077f
Showing 2 changed files with 193 additions and 74 deletions.
197 changes: 124 additions & 73 deletions lib/barcelona/plugins/datadog_plugin.rb
Expand Up @@ -3,7 +3,7 @@ module Plugins
class DatadogPlugin < Base
# This plugin must be the last of the instalation order
# Usage sample:
# bcn district put-plugin -a api_key=8e53.... -a hook_priority=10 ec-staging datadog
# bcn district put-plugin -a api_key=8e53.... -a hook_priority=10 -a cws=enabled ec-staging datadog

def on_container_instance_user_data(_instance, user_data)
add_files!(user_data)
Expand All @@ -19,7 +19,7 @@ def on_network_stack_template(_stack, template)
return template if bastion_lc.nil?

user_data = InstanceUserData.load_or_initialize(bastion_lc["Properties"]["UserData"])
add_files!(user_data, has_docker: false)
add_files!(user_data, has_docker: false, role: 'bastion')
user_data.run_commands += [
agent_command(has_docker: false)
]
Expand Down Expand Up @@ -56,86 +56,29 @@ def api_key
attributes["api_key"]
end

def add_files!(user_data, has_docker: true)
# this seems to be added to the bastion instance as well. "role:app" should probably be "role:bastion" to be accurate
if has_docker
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: true
process_config:
enabled: 'true'
def security_enabled
attributes["cws"] == 'enabled'
end

def add_files!(user_data, has_docker: true, role: 'app')
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", agent_config_file(has_docker: has_docker, role: role))

if security_enabled
user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML)
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: true
host:
enabled: true
container_image:
enabled: true
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:app
DATADOG_YAML
else
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: false
process_config:
enabled: 'true'
YAML

user_data.add_file("/etc/datadog-agent/security-agent.yaml", "root:root", "000755", <<~YAML)
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: false
host:
host_benchmarks:
enabled: true
container_image:
enabled: false
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:app
DATADOG_YAML
YAML
end

user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML)
runtime_security_config:
enabled: true
YAML

user_data.add_file("/etc/datadog-agent/security-agent.yaml", "root:root", "000755", <<~YAML)
runtime_security_config:
enabled: true
compliance_config:
enabled: true
host_benchmarks:
enabled: true
YAML

if has_docker
user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML)
init_config:
Expand All @@ -150,6 +93,114 @@ def add_files!(user_data, has_docker: true)
- type: journald
YAML
end

def agent_config_file(has_docker: true, role: 'app')
if has_docker
if security_enabled
<<~DATADOG_YAML
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: true
process_config:
enabled: 'true'
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: true
host:
enabled: true
container_image:
enabled: true
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:#{role}
DATADOG_YAML
else
<<~DATADOG_YAML
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: true
process_config:
enabled: 'true'
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:#{role}
DATADOG_YAML
end
else
if security_enabled
<<~DATADOG_YAML
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: false
process_config:
enabled: 'true'
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: false
host:
enabled: true
container_image:
enabled: false
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:#{role}
DATADOG_YAML
else
<<~DATADOG_YAML
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: false
process_config:
enabled: 'true'
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:#{role}
DATADOG_YAML
end
end
end
end
end
end
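Review bot: `/etc/datadog-agent/datadog.yaml` is still written with owner `root:root` and mode `"000755"` in the first `add_file` call of `add_files!`, and its content starts with `api_key: #{api_key}`, so the Datadog API key is readable by every local account on the instance (the same mode is used for `system-probe.yaml` and `security-agent.yaml`, which hold no secret but need no execute bit either). A mode such as `"000640"` is what this file wants; `root:root` is presumably used because cloud-init writes these files before `runcmd` runs the install script that creates the `dd-agent` user, so the ownership/mode fix-up may have to happen in `agent_command`, which is outside this diff and I cannot confirm. Separately, `agent_config_file` now carries four near-identical heredocs whose only differences are `container_collect_all` and the optional security block (in which both `container_image.enabled` keys track `has_docker`), which will drift apart on the next edit; one heredoc with those two values interpolated and the security block extracted to a helper, as sketched below, keeps the emitted YAML identical. `security_enabled` is a predicate and would conventionally be named `security_enabled?`.
```ruby
def agent_config_file(has_docker: true, role: 'app')
  <<~DATADOG_YAML
    api_key: #{api_key}
    logs_enabled: true
    listeners:
      - name: docker
    config_providers:
      - name: docker
        polling: true
    logs_config:
      container_collect_all: #{has_docker}
    process_config:
      enabled: 'true'
    #{security_config_fragment(has_docker: has_docker) if security_enabled}
    tags:
      - barcelona:#{district.name}
      - barcelona-dd-agent
      - district:#{district.name}
      - role:#{role}
  DATADOG_YAML
end

# CWS/CSPM section of datadog.yaml; container image scanning is only
# switched on where docker is present, mirroring the four original variants.
def security_config_fragment(has_docker:)
  <<~YAML
    runtime_security_config:
      enabled: true
    compliance_config:
      enabled: true
    sbom:
      enabled: true
      container_image:
        enabled: #{has_docker}
      host:
        enabled: true
    container_image:
      enabled: #{has_docker}
  YAML
end
```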
70 changes: 69 additions & 1 deletion spec/lib/barcelona/plugins/datadog_plugin_spec.rb
Expand Up @@ -5,12 +5,14 @@ module Plugins
describe DatadogPlugin do
context "without proxy plugin" do
let(:api_key) { 'abcdef'}
let(:security_enabled) { 'enabled' }
let!(:district) do
create :district, plugins_attributes: [
{
name: 'datadog',
plugin_attributes: {
"api_key" => api_key
"api_key" => api_key,
"cws" => security_enabled
}
}
]
Expand All @@ -32,6 +34,7 @@ module Plugins
expect(agent_config_hash['api_key']).to eq(api_key)
expect(agent_config_hash['logs_enabled']).to eq(true)
expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
expect(agent_config_hash['tags'].last).to eq('role:app')
end

it "installs system-probe config file" do
Expand All @@ -52,6 +55,38 @@ module Plugins
expect(security_agent_config_hash['compliance_config']['host_benchmarks']['enabled']).to eq(true)
end

context "when security switch is off" do
let(:security_enabled) { nil }

it "gets hooked with container_instance_user_data trigger" do
expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
end

it "installs agent config file without security" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/datadog.yaml'
end
agent_config_hash = YAML.load(agent_config['content'])
expect(agent_config_hash['api_key']).to eq(api_key)
expect(agent_config_hash['logs_enabled']).to eq(true)
expect(agent_config_hash.dig('runtime_security_config', 'enabled')).to be_nil
end

it "dosn't installs system-probe config file" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/system-probe.yaml'
end
expect(agent_config).to be_nil
end

it "dosn't installs security config file" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/security-agent.yaml'
end
expect(agent_config).to be_nil
end
end

context "when hooked with network_stack_template trigger" do
before do
district.save!
Expand Down Expand Up @@ -96,6 +131,39 @@ module Plugins
expect(security_agent_config_hash['compliance_config']['enabled']).to eq(true)
expect(security_agent_config_hash['compliance_config']['host_benchmarks']['enabled']).to eq(true)
end

context "when security switch is off" do
let(:security_enabled) { nil }

it "gets hooked with container_instance_user_data trigger" do
expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
end

it "installs agent config file without security" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/datadog.yaml'
end
agent_config_hash = YAML.load(agent_config['content'])
expect(agent_config_hash['api_key']).to eq(api_key)
expect(agent_config_hash['logs_enabled']).to eq(true)
expect(agent_config_hash['tags'].last).to eq('role:bastion')
expect(agent_config_hash.dig('runtime_security_config', 'enabled')).to be_nil
end

it "dosn't installs system-probe config file" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/system-probe.yaml'
end
expect(agent_config).to be_nil
end

it "dosn't installs security config file" do
agent_config = user_data['write_files'].find do |f|
f['path'] == '/etc/datadog-agent/security-agent.yaml'
end
expect(agent_config).to be_nil
end
end
end
end
end
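Review bot: In both new `when security switch is off` contexts the expected `runcmd` line still contains `DD_RUNTIME_SECURITY_CONFIG_ENABLED=true`, so with `cws` unset the install script is still told to enable runtime security even though no `system-probe.yaml` or `security-agent.yaml` is written; if the switch is meant to turn CWS off entirely, `agent_command` (outside this diff) should omit that variable when `security_enabled` is false, and these two assertions should pin the command without it. The example titled `"gets hooked with container_instance_user_data trigger"` is reused under the `network_stack_template` context, where it names the wrong trigger. The titles `"dosn't installs system-probe config file"` and `"dosn't installs security config file"` read better as `"doesn't install …"`.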
