[CSPM] Add support for XCCDF benchmarks #15537

Merged, 13 commits, Apr 13, 2023

Conversation

@0intro (Member) commented Feb 10, 2023

What does this PR do?

This change adds support for XCCDF benchmarks in the pkg/compliance package.

XCCDF is an XML format specifying security benchmarks, which is part of the SCAP standards.

The XCCDF support relies on the OpenSCAP library.

Motivation

The goal was to implement support of CIS benchmarks for Linux operating systems into the Datadog Agent.

Instead of writing the checks ourselves, we chose to rely on the automated checks available as part of the ComplianceAsCode project. The checks are written in SCAP format and can be executed with the OpenSCAP library and tools.

Additional Notes

Possible Drawbacks / Trade-offs

The major drawback of including the OpenSCAP library is that it requires its own set of dependencies, adding 25 new software definitions to omnibus.

However, we tried to limit the size of the new dependencies, by removing the unnecessary files from the Agent installation, like documentation and static libraries. The total size of the newly installed shared libraries approximates 20 MB.

Describe how to test/QA your changes

Build for RHEL:

cd datadog-agent
docker run -v "$PWD:/go/src/github.com/DataDog/datadog-agent" -v "/tmp/omnibus:/omnibus" -v "/tmp/opt/datadog-agent:/opt/datadog-agent" -v "/tmp/gems:/gems" --workdir=/go/src/github.com/DataDog/datadog-agent datadog-agent-buildimages:rpm-x64 inv -e agent.omnibus-build --base-dir=/omnibus --gem-path=/gems

Or build for Ubuntu:

cd datadog-agent
docker run -v "$PWD:/go/src/github.com/DataDog/datadog-agent" -v "/tmp/omnibus:/omnibus" -v "/tmp/opt/datadog-agent:/opt/datadog-agent" -v "/tmp/gems:/gems" --workdir=/go/src/github.com/DataDog/datadog-agent datadog/agent-buildimages:deb-x64 inv -e agent.omnibus-build --base-dir=/omnibus --gem-path=/gems

Run RHEL 7, 8 or 9:

docker run -v "/tmp/opt:/opt" -v "/:/host" -it registry.access.redhat.com/ubi7/ubi /bin/bash

Or run Ubuntu 20.04 or 22.04:

docker run -v "/tmp/opt:/opt" -v "/:/host" -it ubuntu:22.04 /bin/bash

Remove the /.dockerenv file, so OpenSCAP doesn't know it's running in a container:

rm -f /.dockerenv

Install curl (on RHEL):

yum install curl -y

Or install curl (on Ubuntu):

apt update && apt install curl -y

Install CSPM rules:

mkdir -p /etc/datadog-agent/compliance.d
curl -Ls https://github.com/DataDog/security-agent-policies/archive/refs/heads/jinroh/cspm-scap-rules.tar.gz | tar xz --strip-components=3 -C /etc/datadog-agent/compliance.d -f - security-agent-policies-jinroh-cspm-scap-rules/compliance

Configure datadog-agent:

cat << EOF >/etc/datadog-agent/datadog.yaml
api_key: <api_key>
site: datad0g.com
hostname: test-xccdf

security_agent:
  remote_tagger: false

compliance_config:
  enabled: true
  dir: /etc/datadog-agent/compliance.d
  xccdf:
      enabled: true
EOF

Run the compliance checks from the security-agent, on docker:

/opt/datadog-agent/embedded/bin/security-agent -c /etc/datadog-agent/datadog.yaml start

Run the compliance checks from the security-agent, on the host's operating system:

DOCKER_DD_AGENT=true /opt/datadog-agent/embedded/bin/security-agent -c /etc/datadog-agent/datadog.yaml start

Go to the CSPM web page and verify that you can see the check results.

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Use the major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer facing change use a releasenote.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • At least one team/.. label has been applied, indicating the team(s) that should QA this change.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.
  • If applicable, the config template has been updated.
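The final commit of this series runs the OpenSCAP tool instead of linking the library, so what the compliance package has to do is invoke `oscap xccdf eval` on the benchmark data stream and turn the XCCDF result document into per-rule findings. The Go program below is an added example, not code from this PR or from the Datadog Agent: it builds the oscap argument vector (`xccdf eval`, `--profile`, `--results` and `--rule` are real oscap options), treats exit status 2 (at least one rule failed) as a normal outcome rather than an error, and parses a constructed XCCDF results document into findings. The `Finding` status vocabulary, all function names, and the sample rule identifiers are assumptions of this example; the Agent's own types and mapping are not shown on this page.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// <rule-result> inside the <TestResult> that `oscap xccdf eval --results` appends to the benchmark.
type ruleResult struct {
	IDRef    string `xml:"idref,attr"`
	Severity string `xml:"severity,attr"`
	Result   string `xml:"result"`
}
type testResult struct {
	RuleResults []ruleResult `xml:"rule-result"`
}

// Finding is a normalized per-rule outcome; the status vocabulary is this example's, not the Agent's.
type Finding struct{ RuleID, Severity, Status string }

// OscapEvalArgs builds the oscap argument vector; one --rule per rule limits the run to the rules we ship checks for.
func OscapEvalArgs(datastream, profile, resultsPath string, rules []string) []string {
	args := []string{"xccdf", "eval", "--profile", profile, "--results", resultsPath}
	for _, r := range rules {
		args = append(args, "--rule", r)
	}
	return append(args, datastream)
}

// RunOscap treats exit status 2 as success: oscap exits 0 when all rules pass,
// 2 when at least one rule fails and 1 on an evaluation error.
func RunOscap(oscapBin string, args []string) error {
	out, err := exec.Command(oscapBin, args...).CombinedOutput()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) && exitErr.ExitCode() == 2 {
		return nil
	}
	if err != nil {
		return fmt.Errorf("oscap %s: %w: %s", strings.Join(args, " "), err, strings.TrimSpace(string(out)))
	}
	return nil
}

// statusByResult maps the XCCDF result vocabulary onto the example statuses; anything
// else (notapplicable, notchecked, notselected, informational) is reported as skipped.
var statusByResult = map[string]string{"pass": "passed", "fixed": "passed", "fail": "failed", "error": "error", "unknown": "error"}

func normalizeResult(r string) string {
	if s, ok := statusByResult[strings.TrimSpace(r)]; ok {
		return s
	}
	return "skipped"
}

// ParseXCCDFResults decodes every <TestResult> wherever it sits, so a plain benchmark
// and a source data stream wrapper both work without modelling the whole schema.
func ParseXCCDFResults(r io.Reader) ([]Finding, error) {
	dec := xml.NewDecoder(r)
	var findings []Finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "TestResult" {
			var tr testResult
			if err := dec.DecodeElement(&tr, &se); err != nil {
				return nil, err
			}
			for _, rr := range tr.RuleResults {
				findings = append(findings, Finding{rr.IDRef, rr.Severity, normalizeResult(rr.Result)})
			}
		}
	}
}

// sampleResults is a constructed, trimmed results document in the shape oscap writes.
const sampleResults = `<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>`

func main() {
	findings, err := ParseXCCDFResults(strings.NewReader(sampleResults))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-72s %-6s %s\n", f.RuleID, f.Severity, f.Status)
	}
}
```

Decoding `TestResult` by scanning tokens rather than modelling the root element matters in practice: with a source data stream, oscap writes the results into an ARF/data-stream wrapper rather than a bare `Benchmark`, and a parser pinned to one root element silently returns nothing. The exit-status handling is the other trap; treating 2 as a failure of the tool hides every real finding behind a generic error.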

@0intro 0intro added this to the 7.44.0 milestone Feb 10, 2023
@0intro 0intro requested review from lebauce and jinroh February 10, 2023 14:09
@0intro 0intro requested review from a team as code owners February 10, 2023 14:09
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch 6 times, most recently from 533f5bc to f110a46 February 13, 2023 12:42
@0intro 0intro requested a review from a team as a code owner February 13, 2023 12:42
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch 4 times, most recently from d510083 to e287995 February 13, 2023 14:46
@maycmlee (Contributor) left a comment

Small suggestion

releasenotes/notes/cspm-xccdf-3d6cefbaaaa117b5.yaml (outdated, resolved)
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch 5 times, most recently from ed31b76 to 102b219 February 20, 2023 08:56
@0intro 0intro changed the title from "[CSPM] Add XCCDF based rule" to "[CSPM] Add support for XCCDF benchmarks" Feb 20, 2023
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch from 6937e1e to 12b27e4 February 20, 2023 13:14
@jinroh jinroh force-pushed the ducolombier/cspm-xccdf branch from d351708 to a68ca04 February 21, 2023 14:40
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch 2 times, most recently from b48e453 to de15e83 February 22, 2023 08:21
@bkabrda (Contributor) left a comment

👋 the PR mostly looks good, I left a couple of points inline to address/talk about. In addition, we need to add the ship_source_offer true line to all the new GPL/LGPL software.

omnibus/config/software/apt.rb (outdated, resolved)
patch source: "disable_systemd.patch", env: env
patch source: "cmake-bindir.patch", env: env

if (!File.exist? '/usr/bin/triehash') && (!File.exist? '/usr/local/bin/triehash')
Contributor:

Is the triehash file something that we should add to our buildimages longer term? Again, this is not something I see as a blocker, but it looks like a build dependency that won't change (often) and could live there - it's not part of the distributed agent, correct?

Member Author (0intro):

triehash is a build time dependency for building APT.

Contributor:

Yup, so eventually it would be great to move it to buildimages, rather than have it in this repository.

Member Author (0intro):

The question was raised at some point, but I finally preferred to install triehash as part of the apt build, since it's only used to build apt. My feeling was that the build images had a more general purpose.

Contributor:

I reopened the PR with only the triehash-relevant bits: DataDog/datadog-agent-buildimages#378

Contributor:

Thanks for opening the PR! Because we're a bit short on time, I'll approve this PR with triehash file included and ask you to, later on, upgrade the buildimages and remove the file from here in a followup PR.

omnibus/config/software/datadog-agent.rb (outdated, resolved)
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch 2 times, most recently from e013b3a to 8b80ad0 April 12, 2023 12:42
@lebauce lebauce force-pushed the ducolombier/cspm-xccdf branch from a2236d8 to 61f7b31 April 12, 2023 15:48
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch from 12679c4 to 173ec29 April 13, 2023 08:48
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch from 173ec29 to 989fb4d April 13, 2023 12:24
@pr-commenter (bot) commented Apr 13, 2023

Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: 348b99dc-ceaf-418d-bd8a-387a7fca4d83
Baseline: c7f38ca
Comparison: 40d433c
Total datadog-agent CPUs: 7

Explanation

A regression test is an integrated performance test for datadog-agent in a repeatable rig, with varying configuration for datadog-agent. What follows is a statistical summary of a brief datadog-agent run for each configuration across SHAs given above. The goal of these tests are to determine quickly if datadog-agent performance is changed and to what degree by a pull request.

The table below, if present, lists those experiments that have experienced a statistically significant change in mean optimization goal performance between baseline and comparison SHAs with 90.00% confidence OR have been detected as newly erratic. Negative values mean that baseline is faster, positive comparison. Results that do not exhibit more than a ±5.00% change in their mean optimization goal are discarded. An experiment is erratic if its coefficient of variation is greater than 0.1. The abbreviated table will be omitted if no interesting change is observed.

No interesting changes in experiment optimization goals with confidence ≥ 90.00% and |Δ mean %| ≥ 5.00%.

Fine details of change detection per experiment.
| experiment | goal | Δ mean | Δ mean % | confidence | baseline mean | baseline stdev | baseline stderr | baseline outlier % | baseline CoV | comparison mean | comparison stdev | comparison stderr | comparison outlier % | comparison CoV | erratic | declared erratic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| uds_dogstatsd_to_api | ingress throughput | 3.02KiB/CPU-s | 2.06 | 97.81% | 146.88KiB/CPU-s | 70.05KiB/CPU-s | 923.05B/CPU-s | 0.0 | 0.47688 | 149.9KiB/CPU-s | 74.83KiB/CPU-s | 986.26B/CPU-s | 0.0 | 0.499134 | True | False |
| tcp_syslog_to_blackhole | ingress throughput | 37.59KiB/CPU-s | 0.49 | 100.00% | 7.43MiB/CPU-s | 281.34KiB/CPU-s | 3.63KiB/CPU-s | 0.0 | 0.036988 | 7.46MiB/CPU-s | 307.96KiB/CPU-s | 3.97KiB/CPU-s | 0.0 | 0.040289 | False | False |
| file_to_blackhole | egress throughput | 2.5B/CPU-s | 0.24 | 32.96% | 1.01KiB/CPU-s | 121.19B/CPU-s | 4.25B/CPU-s | 0.0 | 0.117668 | 1.01KiB/CPU-s | 115.48B/CPU-s | 4.06B/CPU-s | 0.0 | 0.111855 | True | False |
| tcp_dd_logs_filter_exclude | ingress throughput | 34.06KiB/CPU-s | 0.12 | 86.04% | 27.92MiB/CPU-s | 1.31MiB/CPU-s | 17.36KiB/CPU-s | 0.0 | 0.047065 | 27.95MiB/CPU-s | 1.15MiB/CPU-s | 15.17KiB/CPU-s | 0.0 | 0.041066 | False | False |
| otel_to_otel_logs | ingress throughput | -8.19MiB/CPU-s | -2.38 | 100.00% | 343.41MiB/CPU-s | 17.67MiB/CPU-s | 233.37KiB/CPU-s | 0.0 | 0.051438 | 335.23MiB/CPU-s | 18.94MiB/CPU-s | 250.19KiB/CPU-s | 0.0 | 0.056489 | False | False |

@lebauce lebauce force-pushed the ducolombier/cspm-xccdf branch 3 times, most recently from 3366def to 76a6746 April 13, 2023 17:14
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch from 76a6746 to 8ab82b8 April 13, 2023 19:14
lebauce and others added 13 commits April 13, 2023 22:44
OpenSCAP is an implementation of the SCAP standards.
It provides tools and libraries to handle SCAP documents.

This change adds the following software definitions:

 - apt
 - attr
 - elfutils
 - file
 - glib
 - gmp
 - gnutls
 - libacl
 - libdb
 - libgcrypt
 - libgpg-error
 - liblz4
 - libselinux
 - libsepol
 - libtasn1
 - libxxhash
 - lua
 - m4
 - nettle
 - openscap
 - pcre2
 - popt
 - rpm
 - sqlite
 - util-linux
 - xmlsec
 - zstd

Some patches were required:

 - apt/cmake-bindir.patch: allow to update BIN_DIR CMake CACHE entry
 - apt/disable_arch_check.patch: disable architecture check
 - apt/disable_systemd.patch: remove dependency on udev and systemd
 - apt/no_doc.patch: don't install documentation
 - apt/triehash.patch: add the triehash tool, needed at build time
 - libselinux/fcntl_o_path.patch: fix build with old glibc
 - libselinux/ln_no_relative.patch: don't use relative symlink on installed libraries
 - libsepol/ln_no_relative.patch: don't use relative symlink on installed libraries
 - lua/nodoc.patch: don't install documentation
 - nettle/install_to_lib.patch: omit lib directory suffix
 - rpm/0001-Include-fcntl.patch: fix build

OpenSCAP includes a number of fixes, backported from maint-1.3
branch and also some fixes which are currently being reviewed.

We added -I. before -I#{install_dir}/embedded/include in CGO_CFLAGS,
so the Go zstd package use its own zstd.h instead of using the one
provided by the newly added zstd software.

This change is the result of a collaborative work between
Sylvain Baubeau, Pierre Guilleminot and David du Colombier.

Co-authored-by: Sylvain Baubeau <[email protected]>
Co-authored-by: Pierre Guilleminot <[email protected]>
This change adds support for XCCDF benchmarks in the pkg/compliance
package.

XCCDF is an XML format specifying security benchmarks, which is part
of the SCAP standards.

The XCCDF support relies on the OpenSCAP library, which is provided
as part of a previous change.

The XCCDF files should be located into the compliance directory,
specified by the "compliance_config.dir" configuration option.

Support of XCCDF benchmark is disabled by default, and can be
enabled by setting the new "compliance_config.xccdf.enabled"
configuration option.

This change is the result of a collaborative work between
Sylvain Baubeau, Pierre Guilleminot and David du Colombier.

Co-authored-by: Pierre Guilleminot <[email protected]>
Co-authored-by: David du Colombier <[email protected]>
This change removes the implementation of XCCDF which relies
on the OpenSCAP library. Instead we use xccdf_no_cgo.go,
which relies on the OpenSCAP tool. This prevents the Agent
from linking with OpenSCAP and its dependencies.
@0intro 0intro force-pushed the ducolombier/cspm-xccdf branch from 8ab82b8 to 40d433c April 13, 2023 20:44
@0intro (Member Author) commented Apr 13, 2023

The macos_test job is failing on:

 # github.com/DataDog/datadog-agent/pkg/network/encoding [github.com/DataDog/datadog-agent/pkg/network/encoding.test]
pkg/network/encoding/http.go:87:31: undefined: network.ConnectionKeysFromConnectionStats
pkg/network/encoding/http.go:102:28: undefined: network.ConnectionKeysFromConnectionStats
pkg/network/encoding/http2.go:45:28: undefined: network.ConnectionKeysFromConnectionStats
pkg/network/encoding/http2.go:101:31: undefined: network.ConnectionKeysFromConnectionStats
pkg/network/encoding/kafka.go:80:31: undefined: network.ConnectionKeysFromConnectionStats
pkg/network/encoding/kafka.go:94:28: undefined: network.ConnectionKeysFromConnectionStats

Which seems to be related to PR #16220.

@0intro 0intro merged commit fd11023 into main Apr 13, 2023
@0intro 0intro deleted the ducolombier/cspm-xccdf branch April 13, 2023 23:42
8 participants