Host Vulnerability
Lacework provides the ability to assess, identify, and report vulnerabilities found on Linux hosts within your environment. This means you can identify and take action on software vulnerabilities in your VMs and manage that risk proactively.
The Lacework CLI provides the lacework vulnerability host command to retrieve data on host vulnerability assessments with the intention of providing fast, accurate, and actionable data via Lacework's APIs. This includes the ability to list all CVEs found on hosts in your environment, search for hosts in your environment that have a specific CVE, show the assessment for a specific host, and the ability to submit a package-manifest.json for on-demand scanning of vulnerabilities.
To list the CVEs found in the hosts in your environment:
lacework vulnerability host list-cves
Additionally, you can filter results with the following flags:
--active     displays only vulnerabilities that are active within your environment
--fixable    displays only vulnerabilities with fixes
--packages   modifies the output format to show a list of packages with CVE count
To list the hosts that contain a specific CVE in your environment:
lacework vulnerability host list-hosts <cve_id>
To show the results of a host vulnerability assessment:
lacework vulnerability host show-assessment <machine_id>
Additionally, you can filter results with the following flags:
--active     displays only vulnerabilities that are active within your environment
--fixable    displays only vulnerabilities with fixes
--packages   modifies the output format to show a list of packages with CVE count
On-demand Assessment of Package Manifest
To request an on-demand host vulnerability assessment of your software packages to determine if the packages contain any common vulnerabilities and exposures:
lacework vulnerability host scan-pkg-manifest '{
  "osPkgInfoList": [
    {
      "os": "Ubuntu",
      "osVer": "18.04",
      "pkg": "openssl",
      "pkgVer": "1.1.1-1ubuntu2.1~18.04.5"
    }
  ]
}'
Note:
- Only packages managed by a package manager for supported OS's are reported.
- Calls to this operation are rate limited to 10 calls per hour, per access key.
- This operation is limited to 10k packages per command execution.
You can use the Lacework CLI to generate a package-manifest formatted and ready to be submitted for evaluation.
lacework vulnerability host generate-pkg-manifest
Note: This command doesn't require any CLI configuration because it is meant to be executed on a running host.
To automatically generate a package manifest from the local host and send it directly to the Lacework platform for evaluation:
lacework vulnerability host scan-pkg-manifest --local
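When you cannot run generate-pkg-manifest on the host itself (for example, when you only have a package listing exported from an image build), you can assemble the manifest yourself. The following script is an added example, not part of the Lacework CLI: it turns /etc/os-release content and dpkg-query output into osPkgInfoList documents, splits them to respect the 10k-packages-per-call limit, and flags when the number of calls would exceed the 10-per-hour rate limit. The OS_NAMES mapping beyond "Ubuntu" and the sample package versions are assumptions constructed for the example.

```python
"""Build Lacework scan-pkg-manifest JSON from a dpkg package listing (added example)."""
import json
import shlex

# Limits stated in the Lacework CLI docs for scan-pkg-manifest.
MAX_PKGS_PER_CALL = 10_000   # packages per command execution
MAX_CALLS_PER_HOUR = 10      # calls per hour, per access key

# Assumption: map /etc/os-release ID values to the "os" spelling the manifest uses.
# Only "Ubuntu" appears in the docs; the other entries are guesses for illustration.
OS_NAMES = {"ubuntu": "Ubuntu", "debian": "Debian", "centos": "CentOS", "rhel": "RHEL"}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="18.04"\nPRETTY_NAME="Ubuntu 18.04.6 LTS"\n'
SAMPLE_DPKG = (
    "openssl\t1.1.1-1ubuntu2.1~18.04.5\n"
    "libssl1.1\t1.1.1-1ubuntu2.1~18.04.5\n"
    "curl\t7.58.0-2ubuntu3.24\n"
)

def parse_os_release(text):
    """Return (ID, VERSION_ID) from /etc/os-release content."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields.get("ID", ""), fields.get("VERSION_ID", "")

def parse_dpkg_listing(text):
    r"""Parse `dpkg-query -W -f='${Package}\t${Version}\n'` output into (pkg, ver) pairs."""
    pairs = []
    for line in text.splitlines():
        name, _, version = line.strip().partition("\t")
        if name and version:
            pairs.append((name, version))
    return pairs

def build_manifests(os_id, os_ver, packages, limit=MAX_PKGS_PER_CALL):
    """Split packages into manifests of at most `limit` entries (the per-call cap)."""
    os_name = OS_NAMES.get(os_id, os_id)
    manifests = []
    for start in range(0, len(packages), limit):
        chunk = packages[start:start + limit]
        manifests.append({"osPkgInfoList": [
            {"os": os_name, "osVer": os_ver, "pkg": pkg, "pkgVer": ver} for pkg, ver in chunk]})
    return manifests

def plan_scans(os_release_text, dpkg_text, limit=MAX_PKGS_PER_CALL):
    """Return (json_manifests, fits_hourly_budget): one JSON string per CLI invocation."""
    os_id, os_ver = parse_os_release(os_release_text)
    manifests = build_manifests(os_id, os_ver, parse_dpkg_listing(dpkg_text), limit)
    return [json.dumps(m) for m in manifests], len(manifests) <= MAX_CALLS_PER_HOUR

if __name__ == "__main__":
    for doc in plan_scans(SAMPLE_OS_RELEASE, SAMPLE_DPKG)[0]:
        print("lacework vulnerability host scan-pkg-manifest", shlex.quote(doc))
```

Each printed line is a complete command to run against your Lacework account; if plan_scans reports that the hourly budget does not fit, spread the invocations over more than one hour.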
For a guided tutorial that shows how to build base images from code that are free of vulnerabilities and validated with Lacework’s host vulnerability scanning, see the blog post Up and Running with Lacework and Hashicorp Packer.