Host Image Support
Supported Operating Systems
Operating System | Versions |
---|---|
Amazon Linux | 2 |
Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
CentOS | 5, 6, 7 |
Debian | 7, 8, 9, 10, unstable |
Oracle Linux | 8.3, 8.4, 8.5 |
Redhat Enterprise Linux | 5, 6, 7, 8, minimal |
Rocky Linux (Public Preview) | 8.4, 8.5, 8.6, 8.7, 9.0, 9.1 |
Ubuntu | 12.04 and above, snap, ESM |
SUSE Linux Enterprise Server (SLES) | x86: 11.4.20, 12 SP1, 12 SP5, 15, 15 SP1; ARM64: 12 SP5, 15 SP2 |
openSUSE | Leap, Tumbleweed |
note
Lacework does not support Redhat Universal Base Images (UBI) or Fedora for host vulnerability assessments.
Package Assessment Support
Lacework assesses operating system packages using the sources listed in the following table:
Linux Distribution | Severity Attribution | CVSS Score Attribution | CVE Source |
---|---|---|---|
Amazon Linux | Distro | See Amazon Linux CVSS Scores. | https://alas.aws.amazon.com/ |
CentOS/CoreOS | Distro | NVD | 1. Risk Based Security (RBS) - VulnDB 2. https://www.redhat.com/security/data/oval/v2/ |
Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker |
Oracle Linux | Distro | NVD | https://linux.oracle.com/oval/ |
Redhat Enterprise Linux | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
Rocky Linux (Public Preview) | Distro | NVD | Risk Based Security (RBS) - VulnDB |
Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker https://ubuntu.com/security/cves |
SUSE Linux Enterprise Server (SLES) | Distro | NVD | https://www.suse.com/security/cve/ https://ftp.suse.com/pub/projects/security/oval/ |
openSUSE | Distro | NVD | https://www.suse.com/security/cve/ https://ftp.suse.com/pub/projects/security/oval/ |
note
Container-Optimized OS from Google is not supported for vulnerability scans.
Lacework receives vulnerability and package data directly from the distribution vendors and from the NIST National Vulnerability Database (NVD).
Lacework takes the severity and the CVSS score for a vulnerability from different sources. Distributions often classify a vulnerability with a different severity than NVD does, so the severity Lacework displays (taken from the distribution) can sit next to a CVSSv3 score taken from NVD, and the two need not agree.
More information about CVSS scoring can be found in the Severity Attribution section.
Package Manager Support for Containers or Pods
Supported
- RPM
- DEB
Unsupported
- APK (Alpine Linux Package Management)
Supported Language Libraries and Package Managers
Lacework supports the following programming language libraries and package managers when using Agentless Workload Scanning:
Language or library | Package manager | CVE Sources |
---|---|---|
Java | maven | RBS |
Ruby | bundler | RBS |
PHP | composer | RBS |
Go | go | RBS |
npm (node / react / typescript) | npm yarn | RBS |
Python | pip poetry python | RBS |
Rust | cargo | RBS |
CVE Sources for Language Libraries and Package Managers
Lacework uses the following CVE Sources for language libraries when using Agentless Workload Scanning:
Lacework uses NVD for the severity and CVSS score associated with the CVEs.
note
When an NVD CVSS score is not available for a given GitHub Security Advisory (GHSA) package, Lacework uses the CVSS score directly from GHSA for that package.
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning .lock files that are generated by the package managers.
- By scanning binaries that are generated by the package managers.
- By scanning specific files (in a specific format) that are generated by package installations.
These files can exist in any path in a container or on a host's root volume.
Files Scanned
The following table is a breakdown of the types of files and file extensions that are scanned for each programming language (when using Agentless Workload Scanning):
Language or Package manager | Files scanned |
---|---|
Java | *.jar, *.war, *.ear, pom.properties, MANIFEST.MF. Fat JAR files are also scanned for the dependencies they bundle. |
Ruby | *Gemfile.lock |
PHP | composer.lock |
Go | *.sum; any executable binaries built by Go |
npm | package-lock.json, yarn.lock |
NuGet | packages.lock.json |
Python | Pipfile.lock, poetry.lock, *.egg-info/PKG-INFO, *.dist-info/METADATA |
Rust | *Cargo.lock |
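The table above lists what gets picked up, but not how a collector turns those files into a package inventory. The script below is an added example (not Lacework's scanner, whose internals the page does not describe): it walks a directory tree, recognises a subset of the file types from the table (package-lock.json, Gemfile.lock, poetry.lock, Cargo.lock, *.dist-info/METADATA) at any path depth, and returns (ecosystem, name, version) triples. The sample files it writes are constructed for the demo; the parsers handle the real formats (npm lockfile v3 with nested node_modules paths, the specs: block of a Gemfile.lock, [[package]] blocks in TOML-style lock files, RFC 822 headers in METADATA).

```python
"""Inventory collector for lock and metadata files. Added example, not Lacework's code;
the sample tree written by demo() is constructed content."""
import json
import os
import re
import tempfile

# Gemfile.lock spec line: exactly four spaces then "name (version)"; deeper indents are dependencies.
_GEM_SPEC = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")
# name/version keys inside a [[package]] block (poetry.lock and Cargo.lock share this shape).
_TOML_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')


def parse_package_lock(text):
    """npm lockfile v2/v3 ("packages" map); falls back to the v1 "dependencies" map."""
    data = json.loads(text)
    found = []
    if "packages" in data:
        for path, meta in data["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project, not a dependency
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b": nested installs keep the last segment
            found.append(("npm", path.rsplit("node_modules/", 1)[-1], meta["version"]))
    else:
        for name, meta in data.get("dependencies", {}).items():
            found.append(("npm", name, meta.get("version", "")))
    return found


def parse_gemfile_lock(text):
    """Resolved versions from the specs: block; transitive dependency lines are skipped."""
    found, in_specs = [], False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith(" "):
            in_specs = False  # blank line or next section (PLATFORMS, DEPENDENCIES, ...)
        m = _GEM_SPEC.match(line) if in_specs else None
        if m:
            found.append(("rubygems", m.group(1), m.group(2)))
    return found


def parse_toml_packages(text, ecosystem):
    """Minimal [[package]] reader for poetry.lock and Cargo.lock; no full TOML parser needed."""
    found, current, collecting = [], None, False

    def flush():
        if current and "name" in current and "version" in current:
            found.append((ecosystem, current["name"], current["version"]))

    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            flush()
            current, collecting = {}, True
        elif line.startswith("["):
            collecting = False  # sub-table such as [package.dependencies]: ignore its keys
        elif collecting:
            m = _TOML_KV.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    flush()
    return found


def parse_metadata(text):
    """Name and Version headers of *.dist-info/METADATA; headers end at the first blank line."""
    fields = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Version"):
            fields[key] = value.strip()
    return [("pypi", fields["Name"], fields["Version"])] if len(fields) == 2 else []


def collect_packages(root):
    """Walks root and dispatches each recognised file to its parser."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            with open(os.path.join(dirpath, fname), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fname == "package-lock.json":
                found += parse_package_lock(text)
            elif fname.endswith("Gemfile.lock"):
                found += parse_gemfile_lock(text)
            elif fname == "poetry.lock":
                found += parse_toml_packages(text, "pypi")
            elif fname.endswith("Cargo.lock"):
                found += parse_toml_packages(text, "cargo")
            elif fname == "METADATA" and dirpath.endswith(".dist-info"):
                found += parse_metadata(text)
    return sorted(set(found))  # a package seen through two files is reported once


# Constructed sample tree: minimal but structurally faithful lock files.
SAMPLE_FILES = {
    "app/package-lock.json": json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/a": {"version": "1.2.3"},
        "node_modules/a/node_modules/@scope/b": {"version": "0.9.1"}}}),
    "svc/Gemfile.lock": "GEM\n  remote: https://rubygems.org/\n  specs:\n    rack (2.2.4)\n"
                        "    rails (7.0.4)\n      rack (= 2.2.4)\n\nPLATFORMS\n  ruby\n",
    "svc/poetry.lock": '[[package]]\nname = "requests"\nversion = "2.31.0"\n\n'
                       '[package.dependencies]\nurllib3 = ">=1.21"\n\n'
                       '[[package]]\nname = "urllib3"\nversion = "1.26.18"\n',
    "tool/Cargo.lock": 'version = 3\n\n[[package]]\nname = "serde"\nversion = "1.0.188"\n',
    "venv/site-packages/requests-2.31.0.dist-info/METADATA":
        "Metadata-Version: 2.1\nName: requests\nVersion: 2.31.0\n\nlong description\n",
}


def demo():
    """Writes the constructed tree into a temporary directory and inventories it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return collect_packages(root)


if __name__ == "__main__":
    for ecosystem, name, version in demo():
        print(f"{ecosystem:9} {name:12} {version}")
```

Running it prints eight entries: requests appears in both poetry.lock and the dist-info directory and is reported once, while the nested @scope/b under node_modules/a is reported with its own version rather than being hidden by the top-level tree. Anything the walker cannot read as text is decoded with replacement characters rather than aborting the scan, which matters when the root is a whole host volume.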
Disable Language Libraries Support
It is not currently possible to disable language library scanning of hosts when using Agentless Workload Scanning. You can disable host scanning altogether, but this will also stop scans of operating system packages.
Follow the steps below if you still want to disable all scanning of hosts with Agentless:
- In the Lacework Console, go to Settings > Integrations: Cloud accounts.
- Find and select your integration in the table.
- Click the Edit option.
- Uncheck the Scan host vulnerabilities option.
- Click Save.
Usage of CVE/Vulnerability Sources
Lacework uses multiple CVE / vulnerability sources and will determine the best source for new and existing vulnerabilities.
The vulnerability source used is based on the quality of the data returned on a given vulnerability (such as affected version range, fix version, and data schema).
In some cases, a certain vulnerability source may be used solely for a given operating system, language library, or package manager. This is often the case when other vulnerability sources are lacking detail or specificity for that particular operating system, language library, or package manager.
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for Common Vulnerabilities and Exposures (CVE). Scores range from 0 to 10. Severities can be info, low, medium, high, or critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3 (if available) and CVSS v2. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, or Alpine) provides a severity.
- Lacework converts the CVSS v3 score to a severity.
- Lacework converts the CVSS v2 score to a severity.
Severities are rated using the following scale, which follows the CVSS v3 qualitative severity rating scale published by FIRST.org except that a score of 0.0 is labelled Info rather than None:
Rating | CVSS Score |
---|---|
Info | 0.0 |
Low | 0.1 - 3.9 |
Medium | 4.0 - 6.9 |
High | 7.0 - 8.9 |
Critical | 9.0 - 10.0 |
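The rules above (distribution severity first, then CVSS v3, then CVSS v2; v3 score displayed when NVD has one, otherwise v2; N/A in the Console and 0 in the CLI when no score exists) are easy to get subtly wrong, and they are also why the Package Assessment Support section warns that a displayed severity and the CVSSv3 score beside it can disagree. The following is an added example, not Lacework's code: the order of preference and the rating bands are taken from this page, while the table that folds vendor-specific labels (Red Hat's Moderate/Important, Ubuntu's negligible, Debian's unimportant) onto the five ratings and the sample records are assumptions constructed for the demo.

```python
"""Severity and score attribution following the rules on this page.
Added example, not Lacework's code; DISTRO_LABELS and SAMPLE_VULNS are constructed assumptions."""

# Inclusive upper bound of each band; exactly 0.0 is Info (FIRST.org calls that band "None").
BANDS = [(0.0, "Info"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

# Assumption: one way to fold vendor-specific labels onto the five ratings.
DISTRO_LABELS = {
    "negligible": "Info", "unimportant": "Info",
    "low": "Low", "moderate": "Medium", "medium": "Medium",
    "important": "High", "high": "High", "critical": "Critical",
}


def score_to_severity(score):
    """Maps a CVSS base score to a rating; rejects anything outside 0.0-10.0."""
    if score is None or not 0.0 <= score <= 10.0:
        raise ValueError(f"not a CVSS base score: {score!r}")
    for upper, rating in BANDS:
        if score <= upper:
            return rating
    raise AssertionError("unreachable: bands cover 0.0-10.0")


def displayed_score(cvss_v3, cvss_v2):
    """The score shown beside a CVE: v3 when NVD has it, else v2, else None."""
    return cvss_v3 if cvss_v3 is not None else cvss_v2


def format_score(score, cli=False):
    """A missing score renders as N/A in the Console and 0 in the CLI."""
    if score is None:
        return 0 if cli else "N/A"
    return score


def attribute(vuln):
    """Returns (severity, severity_source, score) for one record.

    Severity and score are chosen independently, so a CVE the distribution
    rates Low can still be displayed with NVD's 9.8 beside it.
    """
    v3, v2 = vuln.get("cvss_v3"), vuln.get("cvss_v2")
    label = vuln.get("distro_severity")
    if label:
        if label.lower() not in DISTRO_LABELS:
            raise ValueError(f"unknown vendor severity label: {label!r}")
        return DISTRO_LABELS[label.lower()], "distro", displayed_score(v3, v2)
    if v3 is not None:
        return score_to_severity(v3), "cvss_v3", v3
    if v2 is not None:
        return score_to_severity(v2), "cvss_v2", v2
    # Assumption: a record with no source at all is reported as Info with no score.
    return "Info", "none", None


# Constructed sample records; the keys are placeholders, not real CVE ids.
SAMPLE_VULNS = {
    "sample-distro-vs-nvd": {"distro_severity": "low", "cvss_v3": 9.8, "cvss_v2": 7.5},
    "sample-v2-only": {"cvss_v2": 5.0},
    "sample-no-score": {"distro_severity": "important"},  # vendor advisory with no CVSS score
    "sample-nvd-only": {"cvss_v3": 7.5, "cvss_v2": 4.3},
    "sample-zero": {"cvss_v3": 0.0},
}


def attribute_all(vulns=SAMPLE_VULNS, cli=False):
    """Attributes every record and formats the score as the chosen surface would show it."""
    out = {}
    for vuln_id, record in vulns.items():
        severity, source, score = attribute(record)
        out[vuln_id] = (severity, source, format_score(score, cli))
    return out


if __name__ == "__main__":
    for vuln_id, (severity, source, score) in attribute_all().items():
        print(f"{vuln_id:22} {severity:8} via {source:8} score={score}")
```

The first sample record is the mismatch case: the distribution's Low wins the severity, yet the displayed score is NVD's 9.8. The third shows the N/A versus 0 split between the Console and the CLI; note that a consumer of CLI output that filters on score would treat that record as harmless unless it also reads the severity field.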
Amazon Linux CVSS Scores
Amazon Linux security advisories (ALAS) from the Amazon Linux Security Center often cover several CVEs in one advisory, so a single advisory may carry no CVSS score or several of them.
When a CVSS score is not available, Lacework reports the value as N/A in the Console and 0 in the CLI.