add support for security agent service on windows

DataDog · Jan 24, 2024 · 8b275af · 8b275af
1 parent 4e6920f
commit 8b275af
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 14 deletions.
diff --git a/recipes/security-agent.rb b/recipes/security-agent.rb
@@ -20,11 +20,17 @@
 is_windows = platform_family?('windows')
 
 # Set the correct agent startup action
-security_agent_enabled = !is_windows && node['datadog']['security_agent']['cws']['enabled'] || node['datadog']['security_agent']['cspm']['enabled']
+security_agent_enabled = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled'])
+security_agent_start = security_agent_enabled && node['datadog']['agent_start'] && node['datadog']['agent_enable'] ? :start : :stop
 
 #
 # Configures security-agent agent
-security_agent_config_file = '/etc/datadog-agent/security-agent.yaml'
+security_agent_config_file =
+  if is_windows
+    'C:/ProgramData/Datadog/security-agent.yaml'
+  else
+    '/etc/datadog-agent/security-agent.yaml'
+  end
 security_agent_config_file_exists = ::File.exist?(security_agent_config_file)
 
 template security_agent_config_file do
@@ -52,9 +58,11 @@
     compliance_extra_config: compliance_extra_config
   )
 
-  owner 'root'
-  group 'dd-agent'
-  mode '640'
+  unless is_windows
+    owner 'root'
+    group 'dd-agent'
+    mode '640'
+  end
 
   notifies :restart, 'service[datadog-agent-security]', :delayed if security_agent_enabled
 
@@ -65,14 +73,18 @@
 # Common configuration
 service_provider = Chef::Datadog.service_provider(node)
 
-service_name = 'datadog-agent-security'
+service_name = is_windows ? 'datadog-security-agent' : 'datadog-agent-security'
 
-if security_agent_enabled
-  service 'datadog-agent-security' do
-    service_name service_name
-    action :start
-    provider service_provider unless service_provider.nil?
+service 'datadog-agent-security' do
+  service_name service_name
+  action [security_agent_start]
+  provider service_provider unless service_provider.nil?
+  if is_windows
+    supports :restart => true, :start => true, :stop => true
+    restart_command "powershell restart-service #{service_name} -Force"
+    stop_command "powershell stop-service #{service_name} -Force"
+  else
     supports :restart => true, :status => true, :start => true, :stop => true
-    subscribes :restart, "template[#{security_agent_config_file}]", :delayed
   end
+  subscribes :restart, "template[#{security_agent_config_file}]", :delayed if security_agent_enabled
 end
diff --git a/recipes/system-probe.rb b/recipes/system-probe.rb
@@ -22,7 +22,7 @@
 # Set the correct agent startup action
 cws_enabled = node['datadog']['security_agent']['cws']['enabled']
 sysprobe_enabled = if is_windows
-                     node['datadog']['system_probe']['network_enabled']
+                     node['datadog']['system_probe']['network_enabled'] || cws_enabled
                    else
                      node['datadog']['system_probe']['enabled'] || node['datadog']['system_probe']['network_enabled'] || node['datadog']['system_probe']['service_monitoring_enabled'] || cws_enabled
                    end
@@ -99,6 +99,5 @@
   else
     supports :restart => true, :status => true, :start => true, :stop => true
   end
-  supports :restart => true, :status => true, :start => true, :stop => true
   subscribes :restart, "template[#{system_probe_config_file}]", :delayed if sysprobe_enabled
 end