Setting up Cloud Security on Docker
Use the following instructions to enable Misconfigurations, Threat Detection, and Vulnerability Management.
Collecting events using Cloud Security Management will affect your billing. For more information, see Datadog Pricing.
Prerequisites
- Datadog Agent version 7.46 or later.
Installation
The following command starts the Runtime Security Agent and system-probe in a Docker environment:
docker-runtime-security.sh
docker run -d --name dd-agent \
--cgroupns host \
--pid host \
--security-opt apparmor:unconfined \
--cap-add SYS_ADMIN \
--cap-add SYS_RESOURCE \
--cap-add SYS_PTRACE \
--cap-add NET_ADMIN \
--cap-add NET_BROADCAST \
--cap-add NET_RAW \
--cap-add IPC_LOCK \
--cap-add CHOWN \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /proc/:/host/proc/:ro \
-v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
-v /etc/passwd:/etc/passwd:ro \
-v /etc/group:/etc/group:ro \
-v /:/host/root:ro \
-v /sys/kernel/debug:/sys/kernel/debug \
-v /etc/os-release:/etc/os-release \
-e DD_COMPLIANCE_CONFIG_ENABLED=true \
-e DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED=true \
-e DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
-e DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED=true \
-e DD_CONTAINER_IMAGE_ENABLED=true \
-e DD_SBOM_ENABLED=true \
-e DD_SBOM_CONTAINER_IMAGE_ENABLED=true \
-e DD_SBOM_HOST_ENABLED=true \
-e HOST_ROOT=/host/root \
-e DD_API_KEY=<API KEY> \
gcr.io/datadoghq/agent:7
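
One way to confirm that a running agent container actually received the settings passed by the command above. This is an added example, not part of the Datadog documentation: the function names and sample values are constructed, the container name dd-agent comes from the command, and the variable name DD_CONTAINER_IMAGE_ENABLED is assumed to be the spelling the Agent reads.

```shell
# Added example, not Datadog code. Checks KEY=VALUE lines (a container's
# environment) against the settings passed by the docker run command above.
# Live use, assuming the container name dd-agent from that command:
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' dd-agent | check_agent_env

REQUIRED_TRUE="DD_COMPLIANCE_CONFIG_ENABLED
DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
DD_RUNTIME_SECURITY_CONFIG_ENABLED
DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
DD_CONTAINER_IMAGE_ENABLED
DD_SBOM_ENABLED
DD_SBOM_CONTAINER_IMAGE_ENABLED
DD_SBOM_HOST_ENABLED"
# Print the value of variable $1 found in the dump $2 (last occurrence wins).
env_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Reads the environment on stdin, prints one finding per problem; returns 0 if clean, else 1.
check_agent_env() {
    dump=$(cat)
    status=0
    for name in $REQUIRED_TRUE; do
        if [ "$(env_value "$name" "$dump")" != "true" ]; then
            echo "NOT_ENABLED $name"
            status=1
        fi
    done
    if [ "$(env_value HOST_ROOT "$dump")" != "/host/root" ]; then
        echo "BAD_HOST_ROOT"
        status=1
    fi
    # Report only whether a key is set; never echo the key itself.
    case "$(env_value DD_API_KEY "$dump")" in
        ""|"<API KEY>") echo "API_KEY_MISSING_OR_PLACEHOLDER"; status=1 ;;
    esac
    return "$status"
}

# Constructed sample: one variable misspelled, one set to false.
sample_env_bad() {
    for name in $REQUIRED_TRUE; do echo "$name=true"; done |
        sed -e 's/^DD_CONTAINER_IMAGE_ENABLED=/DD_CONTAINER_IMAGE_ENABLE=/' \
            -e 's/^DD_SBOM_HOST_ENABLED=true/DD_SBOM_HOST_ENABLED=false/'
    echo "HOST_ROOT=/host/root"
    echo "DD_API_KEY=constructed-not-a-real-key"
}

sample_env_bad | check_agent_env || true
```

A misspelled variable name is reported the same way as a missing one, because the Agent would never read it.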