Open-Source Wikis

/

Datadog Agent

/

Features

/

Cloud Workload Security

DataDog/datadog-agent

Cloud Workload Security

Purpose

Cloud Workload Security (CWS) is Datadog's runtime threat detection product. It uses eBPF and Linux Security Modules (LSM) to observe security-relevant syscalls in real time, evaluates them against rules written in SECL (Security Expression Language), and reports matched events to Datadog.

The Agent side of CWS lives in two binaries:

  • System Probe hosts the privileged kernel-side module (pkg/security/module/, pkg/security/probe/, pkg/security/ebpf/) that loads and manages the eBPF programs.
  • Security Agent hosts the user-space rule loader, evaluator, and reporter (cmd/security-agent/ + pkg/security/agent/, pkg/security/rules/, pkg/security/reporter/).

Pipeline

graph LR
    subgraph kernel[Kernel]
        EBPF[eBPF + LSM hooks]
        MAPS[ring buffers and maps]
    end
    subgraph sysprobe[System Probe address space]
        PROBE[Probe<br/>pkg/security/probe]
        RESOLV[Resolvers<br/>process / container / cgroup]
        EVAL[SECL evaluator<br/>pkg/security/secl]
    end
    subgraph secagent[Security Agent]
        LOAD[Rule loader<br/>pkg/security/rules]
        REPORT[Reporter<br/>pkg/security/reporter]
    end
    EBPF --> MAPS --> PROBE --> RESOLV --> EVAL
    LOAD -. policies .-> EVAL
    EVAL -->|matched events| REPORT
    REPORT -->|HTTP, Event Platform forwarder| INTAKE[Datadog intake]
    RC[Remote Config] --> LOAD

The eBPF programs hook into the most security-relevant syscalls — open, exec, connect, bind, setuid, mmap, etc. — plus LSM hooks where available. They write structured events to a ring buffer; the user-space probe reads them, hands them to the resolvers (which fill in process tree, container, and cgroup context), and runs the result through the SECL evaluator.

SECL — Security Expression Language

SECL is the DSL CWS uses to describe rules. A trivial example:

open.file.path == "/etc/shadow" && process.parent.comm == "bash"

pkg/security/secl/ is one of the larger packages in the repo:

  • parser/ — lexer and grammar.
  • compiler/ and compiler/eval/ — AST and evaluator.
  • model/ — the event model (event types, fields, accessors). Every CWS event type and every queryable field is declared here.
  • rules/ — rule loading and indexing.
  • Generated accessors give the evaluator zero-allocation field access.

SECL rules are packaged as policies (YAML). The Security Agent loads policies from disk and from Remote Config, compiles them into rule sets, and pushes the compiled rule sets to the system probe over its socket. From there the probe evaluates them in-process for performance.

Resolvers

pkg/security/resolvers/ enriches raw kernel events:

  • Process resolver — maintains a process tree rooted in the host. Tracks exec and fork events to keep up to date.
  • Container resolver — maps cgroup paths to container IDs and pulls metadata from workloadmeta.
  • Cgroup resolver — caches cgroup-to-attribute mappings for fast lookups.
  • DNS resolver — passes DNS state from NPM to give CWS hostname context.

Without resolvers, raw events are too low-level to write meaningful rules against. With them, a rule can reference process.parent.parent.comm or container.image.tag.

Activity profiles and anomaly detection

pkg/security/security_profile/ implements activity profiles: per-workload baselines of expected syscall activity. The system probe compares live activity against the baseline and flags anomalies. Profiles can come from auto-generated learning or from manual definition.

Linux + Windows + ptrace

CWS targets multiple environments:

  • Linux + eBPF + LSM — the primary path.
  • Linux without eBPF (constrained environments, e.g., GKE Autopilot)pkg/security/ptracer/ provides a ptrace-based fallback. Lower fidelity, but gets coverage everywhere.
  • Windows — uses ETW and the WFP driver instead of eBPF. pkg/security/seclwin/ hosts Windows-specific resolvers and event mappings. The same SECL grammar applies.

CSPM

pkg/compliance/ is a separate but related product: Cloud Security Posture Management. It evaluates compliance benchmarks (CIS Kubernetes, CIS Linux, CIS Docker, etc.) on a periodic cadence. CSPM is also driven by the Security Agent.

Benchmarks are YAML files under compliance/. Each rule references primitives like "read this file," "run this kubectl command," or "inspect this process" and asserts on the result.

Container instrumentation

cmd/cws-instrumentation/ is a small binary the Security Agent injects into customer containers when CWS needs in-container instrumentation. It is shipped separately so it can be embedded as a sidecar without dragging the full Agent.

Subcommands

The Security Agent's runtime and compliance subcommands are the operator-facing surface:

security-agent runtime policy check       # Validate loaded SECL policies
security-agent runtime policy reload      # Reload policies
security-agent runtime self-test          # Run a CWS self-test
security-agent compliance check           # Run a CSPM benchmark on demand

Configuration

runtime_security_config:
  enabled: true
  fim_enabled: true
  policies_dir: /etc/datadog-agent/runtime-security.d/
  socket: /var/run/datadog/security-agent.sock
  remote_configuration:
    enabled: true

compliance_config:
  enabled: true
  dir: /etc/datadog-agent/compliance.d/

Internal observability

A recent commit ([CWS] Fix and improve event retry queue, PR #50016) is illustrative — CWS has its own internal retry queue and metrics, and operations are continuous. Counters surface via expvar, agent telemetry, and agent status.

Key abstractions

Type / package Location Description
Module pkg/security/module/ The system-probe module
Probe pkg/security/probe/probe.go Kernel hooks
RuleSet pkg/security/rules/ruleset.go Compiled SECL ruleset
Evaluator pkg/security/secl/compiler/eval/ SECL evaluator
Reporter pkg/security/reporter/ Outbound event sender
ActivityProfile pkg/security/security_profile/ Anomaly baseline

Entry points for modification

  • New SECL field: add to pkg/security/secl/model/, regenerate accessors, document in policies.
  • New event type: extend the model, the kernel hook, and the resolvers.
  • New compliance benchmark: write a YAML file and reuse existing primitives.
  • Changes to the CWS-instrumentation binary live in cmd/cws-instrumentation/.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Cloud Workload Security – Datadog Agent wiki | Factory