Host Vulnerability - FAQs
General
Why do host vulnerability results show two different versions of the same package on a machine?
Generally, assessment data is from what currently exists at the time of assessment. In some circumstances, Lacework can carry forward fixed status data to provide information about a previously existing vulnerability that has since been patched/addressed.
Hosts must be online at least once within a 30-day window for vulnerability assessment metrics to carry forward. Carrying forward metrics means Lacework updates the existing assessment report instead of creating a new assessment report. See When Host Assessment Metrics Carry Forward for more details.
How can I fix a host vulnerability detected by an assessment?
apt remove and dpkg --remove
rpm -e PackageName (instead of `yum remove PackageName`)
For details, see Fix a Host Vulnerability.
Why doesn’t the host vulnerability assessment identify recently updated packages as “Fixed”?
Package collection runs hourly, however, Lacework does not restrict the assessment to the last hour of collected packages. The last day of packages is considered because that is also the assessment interval - daily. The impact is that if the package existed within 24 hours before the assessment, it appears in the assessment. See When Host Assessments Identify a Vulnerability as Fixed for more details.
What happens when there are multiple fix versions for the same vulnerability?
If there are multiple fixed package versions, Lacework selects only one fixed version to assess against each installed version because there is one fixed version out of many that is the most appropriate for comparison.
By default, Lacework displays the longest version prefix match (for example, v2.* installed versions are compared against v2.* instead of v1.*). If no major version matches, Lacework selects the highest fixed version. See Multiple Fixed Parallel Package Versions for more details.
How often does Lacework update their CVE database?
The Lacework platform ingests a new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD).
Package Status
info
This feature is in Preview as of Linux Agent v6.4.
The following FAQs relate to the Package status filter.
tip
See codeaware Property for guidance on enabling package status detection on Linux Agents.
Which package managers and types are supported?
With codeaware
enabled on your Linux agents, dpkg and RPM packages are supported by the active package detection feature for Host Vulnerability.
Active package detection is also supported for golang, Java, and npm packages if you do the following:
- Install Linux agent v6.5 or later on hosts.
- Enable active package detection for the agent. For more information, see codeaware Property.
- Enable Agentless Workload Scanning on the hosts.
How does the Lacework Agent detect package activity?
The Lacework Agent monitors the file system: when a process accesses a file in a package to execute it, the Lacework Agent detects access to that file and declares the package as active.
When is package activity detected?
If a process accesses a file in a package to execute it, but the process runs for a month, only one package activity may be detected and reported by the Lacework Agent (at the time when the file is accessed). If the process does not access any files in the same package again during that month, the Lacework Agent does not detect any new activity for the package. Hence, querying for package inactivity in short time ranges (less than 24 hours) in the Host Vulnerability page is not recommended.
How does the Lacework Agent detect package inactivity?
When package status detection is enabled, the Lacework Agent constantly monitors package activity on the machine. If the Lacework Agent does not detect any process accessing a file in a package on the machine, the package is marked as inactive on that machine.
Why are inactive vulnerable packages not a security risk?
An inactive vulnerable package is one for which the Lacework agent did not detect any process accessing a file in that package during the timeframe you selected in the Host Vulnerability page. As an inactive vulnerable package is not executed, it cannot be hijacked, tricked into leaking sensitive data, or corrupted in any other way. Therefore, as long as a vulnerable package stays inactive, it is harmless, and fixing it can be deprioritized.
How often does the Lacework Agent report package activity?
When the Lacework Agent detects a package as active, this data is immediately sent to Lacework.
Every 24 hours, Lacework aggregates and refreshes this data, which is shown in the Lacework Console (Vulnerabilites > Hosts).