add security-agent config

manifests/params.pp

@@ -20,6 +20,7 @@
   $logs_open_files_limit          = undef
   $container_collect_all          = false
   $sysprobe_service_name          = 'datadog-agent-sysprobe'
+  $securityagent_service_name     = 'datadog-agent-security'
   $module_metadata                = load_module_metadata($module_name)
 
   case $::operatingsystem {

manifests/security_agent.pp

@@ -0,0 +1,65 @@
+class datadog_agent::security_agent(
+  Boolean $enabled = false,
+  Optional[Boolean] $fim_enabled = false,
+  Optional[Boolean] $syscall_monitor_enabled = false,
+  Optional[String] $socket = undef,
+
+  Boolean $service_enable = true,
+  String $service_ensure = 'running',
+  Optional[String] $service_provider = undef,
+
+) inherits datadog_agent::params {
+
+  $securityagent_config = {
+    'runtime_security_config' => {
+      'enabled' => $enabled,
+      'fim_enabled' => $fim_enabled,
+      'socket' =>  $socket,
+    },
+    'syscall_monitor' => {
+      'enabled' => $syscall_monitor_enabled,
+    },
+  }
+
+  if $::operatingsystem == 'Windows' {
+
+    file { 'C:/ProgramData/Datadog/security-agent.yaml':
+      owner   => $datadog_agent::params::dd_user,
+      group   => $datadog_agent::params::dd_group,
+      mode    => '0640',
+      content => template('datadog_agent/security-agent.yaml.erb'),
+      require => File['C:/ProgramData/Datadog'],
+    }
+
+  } else {
+
+    if $service_provider {
+      service { $datadog_agent::params::securityagent_service_name:
+        ensure    => $service_ensure,
+        enable    => $service_enable,
+        provider  => $service_provider,
+        hasstatus => false,
+        pattern   => 'dd-agent',
+        require   => Package[$datadog_agent::params::package_name],
+      }
+    } else {
+      service { $datadog_agent::params::securityagent_service_name:
+        ensure    => $service_ensure,
+        enable    => $service_enable,
+        hasstatus => false,
+        pattern   => 'dd-agent',
+        require   => Package[$datadog_agent::params::package_name],
+      }
+    }
+
+    file { '/etc/datadog-agent/security-agent.yaml':
+      owner   => $datadog_agent::params::dd_user,
+      group   => $datadog_agent::params::dd_group,
+      mode    => '0640',
+      content => template('datadog_agent/security-agent.yaml.erb'),
+      notify  => Service[$datadog_agent::params::securityagent_service_name],
+      require => File['/etc/datadog-agent'],
+    }
+  }
+
+}

manifests/system_probe.pp

@@ -4,6 +4,7 @@
   Optional[String] $log_file = undef,
   Optional[String] $sysprobe_socket = undef,
   Optional[Boolean] $enable_oom_kill = false,
+  Optional[Hash] $runtime_security_config = undef,
 
   Boolean $service_enable = true,
   String $service_ensure = 'running',
@@ -20,7 +21,8 @@
     },
     'network_config' => {
       'enabled' => $network_enabled,
-    }
+    },
+    'runtime_security_config' => $runtime_security_config,
   }
 
   if $::operatingsystem == 'Windows' {

templates/security-agent.yaml.erb

@@ -0,0 +1,6 @@
+### MANAGED BY PUPPET
+
+<%
+require 'yaml'
+%>
+<%= @securityagent_config.to_yaml %>