
Commit
Merge branch 'master' into tim.sara/WEB-5727-nvidia
timsara331 committed Jan 2, 2025
2 parents 1dde160 + 6822d33 commit 7eeeac0
Showing 16 changed files with 586 additions and 104 deletions.
5 changes: 5 additions & 0 deletions config/_default/menus/main.en.yaml
Expand Up @@ -5764,6 +5764,11 @@ menu:
parent: csm_setup_agentless_scanning
identifier: csm_setup_agentless_scanning_terraform
weight: 10002
- name: Azure Resource Manager
url: security/cloud_security_management/setup/agentless_scanning/azure_resource_manager
parent: csm_setup_agentless_scanning
identifier: csm_setup_agentless_scanning_azure_resource_manager
weight: 10003
- name: Deploy the Agent
url: security/cloud_security_management/setup/agent
parent: csm_setup
Expand Up @@ -26,28 +26,27 @@ further_reading:

## Overview

Agentless Scanning provides visibility into vulnerabilities that exist within your AWS hosts, running containers, Lambda functions, and running Amazon Machine Images (AMIs) without requiring you to install the Datadog Agent. Datadog recommends enabling Agentless Scanning as a first step to gain complete visibility into your cloud resources, and then installing the Datadog Agent on your core assets over time for deeper security and observability context.
Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without requiring you to install the Datadog Agent. Datadog recommends enabling Agentless Scanning as a first step to gain complete visibility into your cloud resources, and then installing the Datadog Agent on your core assets over time for deeper security and observability context.

## Availability

The following table provides a summary of Agentless scanning technologies in relation to their corresponding components:
The following table provides a summary of Agentless scanning technologies in relation to their corresponding components for each supported cloud provider:

| Component | Supported technology |
|-----------------------------|-------------------------------------------------------------|
| Cloud Provider | AWS |
| Operating System | Linux |
| Host Filesystem | Btrfs, Ext2, Ext3, Ext4, xfs |
| Package Manager | Deb (debian, ubuntu) <br> RPM (amazon-linux, fedora, redhat, centos) <br> APK (alpine) |
| Encryption | AWS </br> Unencrypted </br> Encrypted - Platform Managed Key (PMK) </br> **Note**: Encrypted - Customer Managed Key (CMK) is **not** supported |
| Container runtime | Docker, containerd </br> **Note**: CRI-O is **not** supported |
| Serverless | AWS, AWS Lambda |
| Serverless languages | .Net, Python, Java, Ruby, Node.js, Go |
| Component | AWS | Azure |
|-------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Operating System | Linux | Linux |
| Host Filesystem | Btrfs, Ext2, Ext3, Ext4, xfs | Btrfs, Ext2, Ext3, Ext4, xfs |
| Package Manager | Deb (debian, ubuntu) <br> RPM (amazon-linux, fedora, redhat, centos) <br> APK (alpine) | Deb (debian, ubuntu) <br> RPM (fedora, redhat, centos) <br> APK (alpine) |
| Encryption | AWS </br> Unencrypted </br> Encrypted - Platform Managed Key (PMK) </br> **Note**: Encrypted - Customer Managed Key (CMK) is **not** supported | Encrypted - Platform Managed Key (PMK): Azure Disk Storage Server-Side Encryption, Encryption at host </br> **Note**: Encrypted - Customer Managed Key (CMK) is **not** supported |
| Container runtime | Docker, containerd </br> **Note**: CRI-O is **not** supported | Docker, containerd </br> **Note**: CRI-O is **not** supported |
| Serverless | AWS Lambda | To request this feature, contact [Datadog Support][12] |
| Application languages (in hosts and containers) | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda |

**Note**: AMIs must be stored in an account that uses Datadog's AWS integration. Otherwise, Datadog can't read the AMI's underlying Amazon Elastic Block Store (EBS) snapshot, so it can't scan or report on the AMI.

## How it works

After [setting up Agentless scanning][1] for your resources, Datadog schedules automated scans in 12-hour intervals through [Remote Configuration][2]. During a scan cycle, Agentless scanners gather Lambda code dependencies and create snapshots of your EC2 instances. With these snapshots, the Agentless scanners scan, generate, and transmit a list of packages to Datadog to check for vulnerabilities, along with Lambda code dependencies. When scans of a snapshot are completed, the snapshot is deleted. No confidential or private personal information is ever transmitted outside of your infrastructure.
After [setting up Agentless scanning][1] for your resources, Datadog schedules automated scans in 12-hour intervals through [Remote Configuration][2]. During a scan cycle, Agentless scanners gather Lambda code dependencies and create snapshots of your VM instances. With these snapshots, the Agentless scanners scan, generate, and transmit a list of packages to Datadog to check for vulnerabilities, along with Lambda code dependencies. When scans of a snapshot are completed, the snapshot is deleted. No confidential or private personal information is ever transmitted outside of your infrastructure.

The following diagram illustrates how Agentless Scanning works:

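Review bot: in the Encryption row, the AWS cell still opens with the literal `AWS </br>` label, which made sense in the old single-column table but is redundant now that the column itself is headed AWS, and the Azure cell has no `Unencrypted` entry, so a reader cannot tell whether unencrypted Azure managed disks are scanned; state it explicitly either way. The same row mixes `<br>` and `</br>` (the latter is not a valid tag); use `<br>` throughout. The removed `Serverless languages` row is not carried over, so supported Lambda runtimes are no longer documented in this table even though the `Serverless` row still lists AWS Lambda.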
Expand All @@ -58,14 +57,14 @@ The following diagram illustrates how Agentless Scanning works:
**Note**: Scheduled scans ignore hosts that already have the [Datadog Agent installed with Cloud Security Management enabled](#agentless-scanning-with-existing-agent-installations). Datadog schedules a continuous re-scanning of resources every 12 hours to provide up-to-date insights into potential vulnerabilities and weaknesses.

2. For Lambda functions, the scanners fetch the function's code.
3. The scanner creates snapshots of EBS volumes used by EC2 instances. These snapshots serve as the basis for conducting scans. Using the snapshots, or the code, the scanner generates a list of packages.
4. After the scan is complete, the list of packages and information related to collected hosts (hostnames/EC2 instances) are transmitted to Datadog, with all other data remaining within your infrastructure. Snapshots created during the scan cycle are deleted.
3. The scanner creates snapshots of volumes used in running VM instances. These snapshots serve as the basis for conducting scans. Using the snapshots, or the code, the scanner generates a list of packages.
4. After the scan is complete, the list of packages and information related to collected hosts are transmitted to Datadog, with all other data remaining within your infrastructure. Snapshots created during the scan cycle are deleted.
5. Leveraging the collected package list along with Datadog's access to the Trivy vulnerabilities database, Datadog finds matching affected vulnerabilities in your resources and code.

**Notes**:
- The scanner operates as a separate EC2 instance within your infrastructure, ensuring minimal impact on existing systems and resources.
- The scanner operates as a separate VM instance within your infrastructure, ensuring minimal impact on existing systems and resources.
- The scanner securely collects a list of packages from your hosts without transmitting any confidential or private personal information outside your infrastructure.
- The scanner limits its use of the AWS API to prevent reaching the AWS rate limit, and uses exponential backoff if needed.
- The scanner limits its use of the cloud provider API to prevent reaching any rate limit, and uses exponential backoff if needed.

## What data is sent to Datadog
The Agentless scanner uses the OWASP [cycloneDX][3] format to transmit a list of packages to Datadog. No confidential or private personal information is ever transmitted outside of your infrastructure.
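Review bot: step 3 changes `EBS volumes used by EC2 instances` to `volumes used in running VM instances`, which adds a `running` qualifier the old text did not have; if stopped instances are indeed skipped, that is a scope change worth stating in the note above step 2, otherwise drop `running`. Step 4 also loses the `(hostnames/EC2 instances)` parenthetical, so the reader no longer learns which host metadata leaves their environment; a provider-neutral form such as `(hostnames and instance identifiers)` keeps that disclosure.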
Expand All @@ -78,7 +77,7 @@ Datadog does **not** send:

## Security considerations

Because the scanner instances grant [permissions][4] to create and copy EBS snapshots, and describe volumes, Datadog advises restricting access to these instances solely to administrative users.
Because the scanner instances grant [permissions][4] to create and copy snapshots, and describe volumes, Datadog advises restricting access to these instances solely to administrative users.

To further mitigate this risk, Datadog implements the following security measures:

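Review bot: `describe volumes` is AWS API vocabulary; the Azure role added in this same commit grants `Microsoft.Compute/disks/read` and `Microsoft.Compute/disks/beginGetAccess/action` rather than snapshot creation, so a provider-neutral phrasing such as `create and copy snapshots, read disk metadata, and obtain read access to disks` covers both permission sets. Since this sentence is the rationale for restricting access to the scanner instances to administrators, it should be precise about what the granted permissions actually allow.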
Expand All @@ -87,7 +86,7 @@ To further mitigate this risk, Datadog implements the following security measure
- The Datadog scanner operates under the principle of least privilege. This means that it is granted only the minimum permissions necessary to perform its intended functions effectively.
- Datadog carefully reviews and limits the permissions granted to the scanner to ensure that it can conduct scans without unnecessary access to sensitive data or resources.
- Unattended security updates are enabled on Datadog's scanner instances. This feature automates the process of installing critical security patches and updates without requiring manual intervention.
- The Datadog scanner instances are automatically rotated every 24 hours. This rotation ensures that the scanner instances are continually updated with the latest Ubuntu Amazon Machine Images (AMIs).
- The Datadog scanner instances are automatically rotated every 24 hours. This rotation ensures that the scanner instances are continually updated with the latest Ubuntu images.
- Access to the scanner instances is tightly controlled through the use of security groups. No inbound access to the scanner is allowed, restricting possibility to compromise the instance.
- No confidential or private personal information is ever transmitted outside of your infrastructure.

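Review bot: the unchanged bullet below the rotation bullet still says access is controlled through `security groups`, which is AWS-specific now that the surrounding text has been made provider-neutral; Azure uses network security groups, so write `security groups (AWS) or network security groups (Azure)`. The same bullet reads `restricting possibility to compromise the instance`; `reducing the opportunity to compromise the instance` is the intended grammar.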
Expand Down Expand Up @@ -134,3 +133,4 @@ To establish estimates on scanner costs, reach out to your [Datadog Customer Suc
[9]: /security/cloud_security_management
[10]: /agent/remote_config
[11]: /sensitive_data_scanner/library_rules/
[12]: /help
Expand Up @@ -13,14 +13,15 @@ further_reading:
<div class="alert alert-warning">Agentless Scanning for Cloud Security Management is not supported for your selected <a href="/getting_started/site">Datadog site</a> ({{< region-param key="dd_site_name" >}}).</div>
{{< /site-region >}}

Agentless Scanning provides visibility into vulnerabilities that exist within your cloud infrastructure, without requiring you to install the Datadog Agent. To learn more about Agentless Scanning's capabilities and how it works, see the [Agentless Scanning][12] docs.

## Prerequisites

Before setting up Agentless Scanning, ensure the following prerequisites are met:

- **AWS integration**: The [AWS integration][2] must be installed and configured for your AWS accounts.
- **Remote Configuration**: [Remote Configuration][3] is required to enable Datadog to send information to Agentless scanners, such as which cloud resources to scan.
- **IAM permissions**: The Agentless Scanning instance requires specific IAM permissions to scan hosts, containers, and Lambda functions. These permissions are automatically applied as part of the installation process.<br><br>
{{< collapse-content title="Host and container permissions" level="h5" >}}
- **Cloud permissions**: The Agentless Scanning instance requires specific permissions to scan hosts, containers, and functions. These permissions are automatically applied as part of the installation process.<br><br>
{{< collapse-content title="AWS Host and container scanning permissions" level="h5" >}}
<ul>
<li><code>ec2:DescribeVolumes</code></li>
<li><code>ec2:CreateTags</code></li>
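Review bot: the prerequisites list still names only `AWS integration` as the required integration, while the new `Cloud permissions` bullet and the `AWS Host and container scanning permissions` title are written for more than one provider; add an equivalent `Azure integration` bullet (the Azure Resource Manager page added in this commit starts by setting up the Datadog Azure integration), otherwise an Azure user is told to install the AWS integration. Minor: `AWS Host and container scanning permissions` capitalizes `Host` mid-title; `AWS host and container scanning permissions` is more consistent.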
Expand All @@ -34,9 +35,23 @@ Before setting up Agentless Scanning, ensure the following prerequisites are met
</ul>
{{< /collapse-content >}}

{{< collapse-content title="Lambda permissions" level="h5" >}}
{{< collapse-content title="AWS Lambda scanning permissions" level="h5" >}}
<ul><li><code>lambda:GetFunction</code></li></ul>
{{< /collapse-content >}}
{{< /collapse-content >}}

{{< collapse-content title="Azure Host scanning permissions" level="h5" >}}
<ul>
<li><code>Microsoft.Compute/virtualMachines/read</code></li>
<li><code>Microsoft.Compute/virtualMachines/instanceView/read</code></li>
<li><code>Microsoft.Compute/virtualMachineScaleSets/read</code></li>
<li><code>Microsoft.Compute/virtualMachineScaleSets/instanceView/read</code></li>
<li><code>Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read</code></li>
<li><code>Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read</code></li>
<li><code>Microsoft.Compute/disks/read</code></li>
<li><code>Microsoft.Compute/disks/beginGetAccess/action</code></li>
<li><code>Microsoft.Compute/disks/endGetAccess/action</code></li>
</ul>
{{< /collapse-content >}}

## Setup

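Review bot: the Azure permission list contains no `Microsoft.Compute/snapshots/*` actions, yet the overview page in this same commit says the scanner `creates snapshots of volumes used in running VM instances`; if the Azure scanner instead reads disks through the access granted by `Microsoft.Compute/disks/beginGetAccess/action` and `Microsoft.Compute/disks/endGetAccess/action`, the overview text should say so, and if it does create snapshots, this list is incomplete. `beginGetAccess` grants read access to the full disk contents, which is the sensitive capability here and deserves a one-line explanation for readers reviewing what they are granting. The `{{< /collapse-content >}}` line is removed and re-added unchanged, likely a whitespace-only difference.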
Expand All @@ -56,6 +71,10 @@ The [Terraform Datadog Agentless Scanner module][6] provides a simple and reusab

Use the AWS CloudFormation template to create a CloudFormation stack. The template includes the IAM permissions required to deploy and manage Agentless scanners. For more information, see [Setting up Agentless Scanning using AWS CloudFormation][11].

### Azure Resource Manager

Use the Azure Resource Manager template to deploy the Agentless Scanner. The template includes the role definitions required to deploy and manage Agentless scanners. For more information, see [Setting up Agentless Scanning using Azure Resource Manager][13].

## Further Reading

{{< partial name="whats-next/whats-next.html" >}}
Expand All @@ -70,4 +89,6 @@ Use the AWS CloudFormation template to create a CloudFormation stack. The templa
[8]: mailto:[email protected]
[9]: https://github.com/DataDog/terraform-module-datadog-agentless-scanner/blob/main/README.md#uninstall
[10]: https://app.datadoghq.com/security/configuration/csm/setup
[11]: /security/cloud_security_management/setup/agentless_scanning/cloudformation
[11]: /security/cloud_security_management/setup/agentless_scanning/cloudformation
[12]: /security/cloud_security_management/agentless_scanning
[13]: /security/cloud_security_management/setup/agentless_scanning/azure_resource_manager
@@ -0,0 +1,62 @@
---
title: Setting up Agentless Scanning using Azure Resource Manager
further_reading:
- link: "/security/cloud_security_management/agentless_scanning"
tag: "Documentation"
text: "Cloud Security Management Agentless Scanning"
- link: "/security/cloud_security_management/setup/agentless_scanning/terraform"
tag: "Documentation"
text: "Setting up Agentless Scanning using Terraform"
---

If you've already [set up Cloud Security Management][3] and want to add a new Azure subscription or enable [Agentless Scanning][1] on an existing integrated Azure subscription, you can use either [Terraform][2] or Azure Resource Manager. This article provides detailed instructions for the Azure Resource Manager approach.

<div class="alert alert-warning">Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up <a href="/security/cloud_security_management/setup/agentless_scanning/terraform/">Agentless Scanning with Terraform</a> as the default template.</div>

## Enable Agentless Scanning

{{< tabs >}}
{{% tab "New Azure subscription" %}}

### Set up the Datadog Azure integration

Follow the instructions for setting up the [Datadog Azure integration][1].

{{% csm-agentless-azure-resource-manager %}}

[1]: /integrations/guide/azure-manual-setup/?tab=azurecli
{{% /tab %}}

{{% tab "Existing Azure subscription" %}}

{{% csm-agentless-azure-resource-manager %}}

{{% /tab %}}
{{< /tabs >}}

## Exclude resources from scans

{{% csm-agentless-exclude-resources %}}

## Disable Agentless Scanning

1. On the [Cloud Security Management Setup][3] page, click **Cloud Integrations** > **Azure**.
1. Locate your subscription's tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
1. Click the **Edit** button {{< img src="security/csm/setup/edit-button.png" inline="true" style="width:24px;">}} and toggle **Vulnerability Scanning** to the off position.
1. Click **Done**.

## Uninstall with Azure Resource Manager

To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:
- Datadog Agentless Scanner Role
- Datadog Agentless Scanner Delegate Role

If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags `Datadog:true` and `DatadogAgentlessScanner:true`.

## Further Reading

{{< partial name="whats-next/whats-next.html" >}}

[1]: /security/cloud_security_management/agentless_scanning
[2]: /security/cloud_security_management/setup/agentless_scanning/terraform
[3]: https://app.datadoghq.com/security/configuration/csm/setup
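Review bot: the uninstall section tells users without a dedicated resource group to delete scanner resources by tag, but the two Azure role definitions named in the previous paragraph are not resources inside a resource group, so that case should also say to delete `Datadog Agentless Scanner Role` and `Datadog Agentless Scanner Delegate Role`. Separately, the reference label `[1]` is defined twice on this page: inside the `New Azure subscription` tab as `/integrations/guide/azure-manual-setup/?tab=azurecli` and at page level as `/security/cloud_security_management/agentless_scanning`; under CommonMark the first definition wins, so verify that `[Agentless Scanning][1]` in the intro resolves to the intended target or rename the in-tab label.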