

Merge pull request #807 from degica/datadog_security
Remove docker feature from datadog agent on bastion
essa authored Mar 1, 2024
2 parents db6595f + 5fe76af commit c957248
Showing 2 changed files with 76 additions and 39 deletions.
111 changes: 73 additions & 38 deletions lib/barcelona/plugins/datadog_plugin.rb
Expand Up @@ -19,9 +19,9 @@ def on_network_stack_template(_stack, template)
return template if bastion_lc.nil?

user_data = InstanceUserData.load_or_initialize(bastion_lc["Properties"]["UserData"])
add_files!(user_data)
add_files!(user_data, has_docker: false)
user_data.run_commands += [
agent_command
agent_command(has_docker: false)
]
bastion_lc["Properties"]["UserData"] = user_data.build
template
Expand All @@ -42,11 +42,11 @@ def on_heritage_task_definition(_heritage, task_definition)
)
end

def agent_command
def agent_command(has_docker: true)
[
"DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
'"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)" &&',
'usermod -a -G docker dd-agent &&',
has_docker ? 'usermod -a -G docker dd-agent &&' : '',
'usermod -a -G systemd-journal dd-agent &&',
'systemctl restart datadog-agent'
].flatten.compact.join(" ")
Expand All @@ -56,38 +56,71 @@ def api_key
attributes["api_key"]
end

def add_files!(user_data)
def add_files!(user_data, has_docker: true)
# this seems to be added to the bastion instance as well. "role:app" should probably be "role:bastion" to be accurate
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: true
process_config:
enabled: 'true'
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
if has_docker
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: true
process_config:
enabled: 'true'
runtime_security_config:
enabled: true
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: true
host:
enabled: true
container_image:
enabled: true
host:
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:app
DATADOG_YAML
else
user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
api_key: #{api_key}
logs_enabled: true
listeners:
- name: docker
config_providers:
- name: docker
polling: true
logs_config:
container_collect_all: false
process_config:
enabled: 'true'
runtime_security_config:
enabled: true
container_image:
enabled: true
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:app
DATADOG_YAML
compliance_config:
enabled: true
sbom:
enabled: true
container_image:
enabled: false
host:
enabled: true
container_image:
enabled: false
tags:
- barcelona:#{district.name}
- barcelona-dd-agent
- district:#{district.name}
- role:app
DATADOG_YAML
end

user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML)
runtime_security_config:
Expand All @@ -103,12 +136,14 @@ def add_files!(user_data)
enabled: true
YAML

user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML)
init_config:
instances:
- url: "unix://var/run/docker.sock"
new_tag_names: true
YAML
if has_docker
user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML)
init_config:
instances:
- url: "unix://var/run/docker.sock"
new_tag_names: true
YAML
end

user_data.add_file("/etc/datadog-agent/conf.d/journal.d/conf.yaml", "root:root", "000755", <<~YAML)
logs:
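Review bot: Both branches of `add_files!` write `/etc/datadog-agent/datadog.yaml`, which embeds `api_key: #{api_key}`, with mode `000755`, so the Datadog API key is world-readable (and marked executable) on every app host and on the bastion; system-probe.yaml and docker_daemon.yaml get the same mode. Because cloud-init writes these files before the install step creates the `dd-agent` user, the practical fix is to write them as `"root:root", "000600"` and append `chown root:dd-agent /etc/datadog-agent/*.yaml && chmod 0640 /etc/datadog-agent/*.yaml` to the run commands after the install line, so the agent can still read them (confirm which user the agent runs as on this image). The `has_docker: false` YAML still declares `listeners: - name: docker` and `config_providers: - name: docker`, so the bastion agent keeps probing for a Docker socket the commit intends to stop using; drop both stanzas from the else branch. In `agent_command`, the new `has_docker ? '…' : ''` leaves an empty element that `.compact` does not remove (producing a doubled space in the joined command); `has_docker ? 'usermod -a -G docker dd-agent &&' : nil` makes the existing `.compact` do that job. Separately, the unchanged install line runs `curl -L …/master/cmd/agent/install_script.sh` straight into `bash` with no pin or checksum, so every boot trusts whatever is on that branch at the time — pinning to a tagged release and verifying a digest is worth a follow-up.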
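--- a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
+++ b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
@@ -64,7 +64,7 @@ module Plugins
 end
 
 it "adds datadog agent instalation to bastion servers" do
-expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
 end
 
 it "installs agent config file to bastion servers" do
@@ -74,7 +74,9 @@ module Plugins
 agent_config_hash = YAML.load(agent_config['content'])
 expect(agent_config_hash['api_key']).to eq(api_key)
 expect(agent_config_hash['logs_enabled']).to eq(true)
+expect(agent_config_hash['logs_config']['container_collect_all']).not_to eq(true)
 expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
+expect(agent_config_hash['container_image']['enabled']).not_to eq(true)
 end
 
 it "installs system-probe config file to bastion servers" do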
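Review bot: The new assertion `expect(agent_config_hash['container_image']['enabled']).not_to eq(true)` reads a top-level `container_image` key, while the toggle the plugin flips for the bastion sits under `sbom:`; if no top-level key exists, `['container_image']` is nil and the spec fails with NoMethodError instead of checking the setting (the rendered diff does not show the YAML nesting, so confirm which key the bastion config actually has). `not_to eq(true)` also passes when the value is nil or the key is absent, which is not the same as "SBOM container scanning is off"; `expect(agent_config_hash.dig('sbom', 'container_image', 'enabled')).to eq(false)` pins the intended value, and the same applies to the `container_collect_all` check. A spec asserting that the bastion config contains no `listeners`/`config_providers` entry named docker would also lock in the commit's intent.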

