Host Vulnerability Assessment Overview
Lacework provides the ability to assess, identify, and report vulnerabilities found on hosts, containers, and pods within your environment. This means you can identify and take action on software vulnerabilities in your environment and manage that risk proactively. For information about alerts, see Default Policies.
Lacework continuously assesses vulnerability risk: it identifies the OS packages on each host and correlates them with publicly known vulnerabilities, rating each finding by severity and CVSS score.
Host vulnerability scanning with Lacework can be performed using two different methods:
Host Vulnerability with Agent
Agent Features
After you install the Lacework agent on hosts, containers, or pods, Lacework can assess the monitored hosts, containers, or pods for OS packages with known vulnerabilities and report them.
See Lacework Agent FAQs for additional details on what is collected.
Note: AWS Fargate containers do not appear in the host vulnerability console.
Agent Requirements
For installing on hosts, host vulnerability assessments require Lacework agent version 2.12.1 or later. For agent installation instructions on hosts, see Agent Install Options.
For installing on containers or pods, host vulnerability assessments require Lacework agent version 3.0.47 or later. For agent install instructions on pods and containers, see Deploy Linux Agent on Kubernetes.
Note: If the agent does not meet the version requirement, the assessment is reported as failed.
Host Vulnerability with Agentless
Agentless Features
After you have integrated your cloud provider with Agentless Workload Scanning, Lacework can assess all the hosts within your integrated account for software vulnerabilities and report them. This includes assessment of operating system packages and language library packages.
Note: Agentless Workload Scanning will be able to scan your containers and pods in upcoming releases.
Agentless Requirements
An Agentless Workload Scanning integration with your cloud provider is required before using Host Vulnerability scanning.
See Before you Start - Agentless Workload Scanning for supported operating systems and cloud providers.
Vulnerability Assessment
Agent Assessments
Lacework assesses for vulnerabilities after the agent is installed. Lacework completes the following actions on the schedule listed below.
- Lacework collects package information from each installed agent on monitored hosts.
- Lacework assesses software packages installed by package managers dpkg, apt, and yum. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities (CNAs) for new CVEs and updates the Lacework CVE database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses software packages on monitored hosts at 3 AM GMT.
- Lacework searches the CVE database (information available at 3 AM GMT) for software packages on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
When new CVE updates are released, Lacework re-evaluates existing assessments for newly identified risks. Lacework reassesses machine images based on the CVE information for a known package and version.
These assessment steps are illustrated in the following example:
- You install the Lacework agent on a host.
- Lacework assesses the host.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the machine image.
- Lacework searches the Lacework CVE database for CVEs for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
Agentless Assessments
Lacework assesses for vulnerabilities after the agentless workload scanning integration is installed. Lacework completes the following actions on the schedule listed below.
- Lacework collects package information from each workload in the regions and accounts configured for the integration.
- Lacework assesses software packages installed by package managers dpkg, apt, and yum. It also assesses software dependencies discovered by scanning for applications and libraries. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities (CNAs) for new CVEs and updates the Lacework CVE database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework agentless workload scanning runs on a schedule configured by the integration. The schedule period can be reconfigured at any time.
- Lacework searches the CVE database for software packages and software dependencies on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
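As an added example (not Lacework's own code or data), the following Python sketch models the correlation described in both the agent and agentless steps above: a constructed dpkg-style package inventory is matched against a constructed CVE database, versions that already carry the fix are skipped, and rejected CVEs are filtered for Ubuntu and Debian. All package versions, CVE identifiers and scores are constructed placeholders, and the version comparison is a deliberate simplification of dpkg's.

```python
import re
from dataclasses import dataclass

# Constructed dpkg-style inventory ("<package> <version>", as `dpkg-query -W` prints).
DPKG_INVENTORY = """\
python3.6 3.6.7-1~18.04
openssl 1.1.1-1ubuntu2
curl 7.58.0-2ubuntu3
"""

@dataclass(frozen=True)
class CveRecord:
    cve_id: str       # constructed placeholder IDs, not real advisories
    package: str
    fixed_in: str     # upstream version carrying the fix ("" = no fix published)
    severity: str
    cvss: float
    rejected: bool = False  # the CNA marked the entry REJECTED

# Constructed CVE database; the real one is refreshed daily from the CNAs.
CVE_DB = [
    CveRecord("CVE-2000-0001", "python3.6", "3.6.8", "High", 7.5),
    CveRecord("CVE-2000-0002", "python3.6", "3.6.9", "Medium", 5.3),
    CveRecord("CVE-2000-0003", "python3.6", "3.6.5", "Low", 3.1),  # fixed before 3.6.7
    CveRecord("CVE-2000-0004", "python3.6", "", "Medium", 4.0, rejected=True),
    CveRecord("CVE-2000-0005", "openssl", "1.1.2", "High", 7.4),
]

def parse_inventory(text):
    """Turn the inventory lines into {package: installed_version}."""
    return dict(line.split() for line in text.splitlines() if line.strip())

def upstream_key(version):
    """Simplified comparison key: numeric parts of the upstream version only.
    Drops the Debian revision after '-'; this is not a full dpkg version compare."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def assess(inventory, cve_db, distro):
    """Correlate installed packages with CVE records, skipping versions that
    already carry the fix and, on Ubuntu/Debian, rejected CVEs (as the page states).
    Returns (cve_id, package, installed, severity, cvss) sorted by CVSS, highest first."""
    findings = []
    for rec in cve_db:
        installed = inventory.get(rec.package)
        if installed is None or (rec.rejected and distro in ("ubuntu", "debian")):
            continue
        if rec.fixed_in and upstream_key(installed) >= upstream_key(rec.fixed_in):
            continue
        findings.append((rec.cve_id, rec.package, installed, rec.severity, rec.cvss))
    return sorted(findings, key=lambda f: f[4], reverse=True)
```

Running `assess(parse_inventory(DPKG_INVENTORY), CVE_DB, "ubuntu")` reports the two open Python findings and the OpenSSL one but drops the rejected entry; passing a non-Debian-family distro keeps the rejected CVE in the report.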