DataDog/datadog-agent
Cloud Workload Security
Purpose
Cloud Workload Security (CWS) is Datadog's runtime threat detection product. It uses eBPF and Linux Security Modules (LSM) to observe security-relevant syscalls in real time, evaluates them against rules written in SECL (Security Expression Language), and reports matched events to Datadog.
The Agent side of CWS lives in two binaries:
- System Probe hosts the privileged kernel-side module (
pkg/security/module/,pkg/security/probe/,pkg/security/ebpf/) that loads and manages the eBPF programs. - Security Agent hosts the user-space rule loader, evaluator, and reporter (
cmd/security-agent/+pkg/security/agent/,pkg/security/rules/,pkg/security/reporter/).
Pipeline
graph LR
subgraph kernel[Kernel]
EBPF[eBPF + LSM hooks]
MAPS[ring buffers and maps]
end
subgraph sysprobe[System Probe address space]
PROBE[Probe<br/>pkg/security/probe]
RESOLV[Resolvers<br/>process / container / cgroup]
EVAL[SECL evaluator<br/>pkg/security/secl]
end
subgraph secagent[Security Agent]
LOAD[Rule loader<br/>pkg/security/rules]
REPORT[Reporter<br/>pkg/security/reporter]
end
EBPF --> MAPS --> PROBE --> RESOLV --> EVAL
LOAD -. policies .-> EVAL
EVAL -->|matched events| REPORT
REPORT -->|HTTP, Event Platform forwarder| INTAKE[Datadog intake]
RC[Remote Config] --> LOADThe eBPF programs hook into the most security-relevant syscalls — open, exec, connect, bind, setuid, mmap, etc. — plus LSM hooks where available. They write structured events to a ring buffer; the user-space probe reads them, hands them to the resolvers (which fill in process tree, container, and cgroup context), and runs the result through the SECL evaluator.
SECL — Security Expression Language
SECL is the DSL CWS uses to describe rules. A trivial example:
open.file.path == "/etc/shadow" && process.parent.comm == "bash"pkg/security/secl/ is one of the larger packages in the repo:
parser/— lexer and grammar.compiler/andcompiler/eval/— AST and evaluator.model/— the event model (event types, fields, accessors). Every CWS event type and every queryable field is declared here.rules/— rule loading and indexing.- Generated accessors give the evaluator zero-allocation field access.
SECL rules are packaged as policies (YAML). The Security Agent loads policies from disk and from Remote Config, compiles them into rule sets, and pushes the compiled rule sets to the system probe over its socket. From there the probe evaluates them in-process for performance.
Resolvers
pkg/security/resolvers/ enriches raw kernel events:
- Process resolver — maintains a process tree rooted in the host. Tracks
execandforkevents to keep up to date. - Container resolver — maps cgroup paths to container IDs and pulls metadata from workloadmeta.
- Cgroup resolver — caches cgroup-to-attribute mappings for fast lookups.
- DNS resolver — passes DNS state from NPM to give CWS hostname context.
Without resolvers, raw events are too low-level to write meaningful rules against. With them, a rule can reference process.parent.parent.comm or container.image.tag.
Activity profiles and anomaly detection
pkg/security/security_profile/ implements activity profiles: per-workload baselines of expected syscall activity. The system probe compares live activity against the baseline and flags anomalies. Profiles can come from auto-generated learning or from manual definition.
Linux + Windows + ptrace
CWS targets multiple environments:
- Linux + eBPF + LSM — the primary path.
- Linux without eBPF (constrained environments, e.g., GKE Autopilot) —
pkg/security/ptracer/provides a ptrace-based fallback. Lower fidelity, but gets coverage everywhere. - Windows — uses ETW and the WFP driver instead of eBPF.
pkg/security/seclwin/hosts Windows-specific resolvers and event mappings. The same SECL grammar applies.
CSPM
pkg/compliance/ is a separate but related product: Cloud Security Posture Management. It evaluates compliance benchmarks (CIS Kubernetes, CIS Linux, CIS Docker, etc.) on a periodic cadence. CSPM is also driven by the Security Agent.
Benchmarks are YAML files under compliance/. Each rule references primitives like "read this file," "run this kubectl command," or "inspect this process" and asserts on the result.
Container instrumentation
cmd/cws-instrumentation/ is a small binary the Security Agent injects into customer containers when CWS needs in-container instrumentation. It is shipped separately so it can be embedded as a sidecar without dragging the full Agent.
Subcommands
The Security Agent's runtime and compliance subcommands are the operator-facing surface:
security-agent runtime policy check # Validate loaded SECL policies
security-agent runtime policy reload # Reload policies
security-agent runtime self-test # Run a CWS self-test
security-agent compliance check # Run a CSPM benchmark on demandConfiguration
runtime_security_config:
enabled: true
fim_enabled: true
policies_dir: /etc/datadog-agent/runtime-security.d/
socket: /var/run/datadog/security-agent.sock
remote_configuration:
enabled: true
compliance_config:
enabled: true
dir: /etc/datadog-agent/compliance.d/Internal observability
A recent commit ([CWS] Fix and improve event retry queue, PR #50016) is illustrative — CWS has its own internal retry queue and metrics, and operations are continuous. Counters surface via expvar, agent telemetry, and agent status.
Key abstractions
| Type / package | Location | Description |
|---|---|---|
Module |
pkg/security/module/ |
The system-probe module |
Probe |
pkg/security/probe/probe.go |
Kernel hooks |
RuleSet |
pkg/security/rules/ruleset.go |
Compiled SECL ruleset |
Evaluator |
pkg/security/secl/compiler/eval/ |
SECL evaluator |
Reporter |
pkg/security/reporter/ |
Outbound event sender |
ActivityProfile |
pkg/security/security_profile/ |
Anomaly baseline |
Entry points for modification
- New SECL field: add to
pkg/security/secl/model/, regenerate accessors, document in policies. - New event type: extend the model, the kernel hook, and the resolvers.
- New compliance benchmark: write a YAML file and reuse existing primitives.
- Changes to the CWS-instrumentation binary live in
cmd/cws-instrumentation/.
Related pages
- Apps: Security Agent — binary internals.
- Apps: System Probe — host of the kernel module.
- Features: eBPF / system probe — the eBPF foundation.
- Systems: Remote Config — policy delivery.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.