This topic contains the following sections:
Lacework provides the ability to assess, identify, and report vulnerabilities found on hosts, containers, and pods within your environment. This means you can identify and take action on software vulnerabilities in your environment and manage that risk proactively. For information about alerts, see Default Policies.
Lacework continuously assesses vulnerability risks, identifies OS packages, and correlates them with publicly known vulnerabilities with risk ratings by severity and CVSS scores.
After you install the Lacework agent on hosts, containers, or pods, Lacework can assess the monitored hosts, containers, or pods for software packages with known vulnerabilities and report them.
Agent Requirement
For installing on hosts, host vulnerability assessments require Lacework agent version 2.12.1 or later. For agent installation instructions on hosts, see Agent Install Options.
For installing on containers or pods, host vulnerability assessments require Lacework agent version 3.0.47 or later. For agent install instructions on pods and containers, see Deploy on Kubernetes.
Note: If the agent does not meet the version requirement, the assessment is reported as failed.
Supported Operating Systems
| Operating System | Versions |
|---|---|
| Amazon Linux | 2 |
| Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
| CentOS | 5, 6, 7. *CentOS vulnerability data sourced from RedHat. |
| Debian | 7, 8, 9, 10, unstable |
| Redhat Enterprise Linux | 5, 6, 7, 8, minimal |
| Ubuntu | 12.04 and above, snap |
Note: Lacework does not support Redhat Universal Base Images (UBI).
Package Assessment Support
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
|---|---|---|---|
| Amazon Linux | Distro | N/A | See Amazon Linux CVSS Scores |
| CentOS/CoreOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ - CoreOS and GCOS are not supported for host vulnerability assessments on containers or pods. |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| Redhat Enterprise Linux | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for Common Vulnerabilities and Exposures (CVE). Scores range from 0 to 10. Severities can be info, low, medium, high, or critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3 (if available) and CVSS v2. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, Alpine, etc.) provides a severity
- Lacework converts the CVSS v3 score to a severity
- Lacework converts the CVSS v2 score to a severity
Severities are rated using the following scale (ref: FIRST.org):
| Rating | CVSS Score |
|---|---|
| Info | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Amazon Linux CVSS Scores
AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.
Package Managers for Host Vulnerability Assessments on Containers or Pods
Supported Package Managers for Host Vulnerability Assessments
- RPM, DEB
Unsupported Package Managers for Host Vulnerability Assessments
- APK (Alpine Linux Package Management)
Vulnerability Assessment
Lacework assesses for vulnerabilities after the agent is installed. Lacework completes the following actions at the listed schedule.
- Lacework collects package information from each installed agent on monitored hosts.
- Lacework assesses software packages installed by package managers dpkg, apt, and yum. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework CVE database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses software packages on monitored hosts at 3 AM GMT.
- Lacework searches the CVE database (information available at 3 AM GMT) for software packages on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
When new CVE updates are released, Lacework assesses the existing assessments for newly identified risks. Lacework reassesses machine images based on CVE information for a known package and version.
These assessment steps are illustrated in the following example:
- You install the Lacework agent on a host.
- Lacework assesses the host.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the machine image.
- Lacework searches the Lacework CVE database for CVEs for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
View Vulnerabilities
The Vulnerability page contains current vulnerabilities and previous vulnerabilities that were fixed. To navigate to this page, select Vulnerabilities > Hosts in the Lacework Console.
By default, the page displays all vulnerabilities. You can use the following methods to refine the list of displayed vulnerabilities:
- Use filters to display a subset of specific vulnerabilities. Click filters along the top of the page to display only the desired vulnerabilities. Or click the filter icon and select the filters you want to display. EOL filters don't display along the top of the page by default.
Use the search function at the top of the page to find specific text in the hostname.
Note: Lacework bases the machine status on the last hour’s agent heartbeat. This allows you to filter out ephemeral machines that are currently offline and helps you to understand fleet risk. Online means the Lacework agent sent a heartbeat the last hour. Offline means the Lacework agent did not send a heartbeat the last hour.
Host OS end of life (EOL) filter definitions:
- Currently EOL – Matches all hosts where the EOL date is in the past.
- EOL within 30 days – Matches all hosts where the EOL is within 30 days from now.
EOL within 90 days – Matches all hosts where the EOL is within 90 days from now.
By default, the list displays vulnerabilities that are grouped by host and from the past day. To change how the list groups vulnerabilities, select a different grouping from the drop-down. Select from the following options: host, AMI ID, account, zone, CVE, package name, and package namespace. To change the time period, select a different one from the drop-down or use the horizontal arrows to move to the next/previous period. Select from the following past periods: hour, day, three days, week, or month.
When the page displays your desired vulnerabilities, you can save the current view by clicking the Save view icon in the top right corner. This allows you to access the saved view later through the Open view icon. When you open a saved view, its name displays in the page title as Vulnerabilities/Host/view name. Click the icon adjacent to this name to access additional actions such as update, reset, save as, and rename. You can also copy the link to the current view by clicking the Copy link icon. You can then share that link with others so they can see the same view. Note that searches and sorting cannot be saved in views or copied as links.
The statistics and chart depict data for the current view: mean time to resolve (MTTR) in days, number of scanned hosts, coverage percentage (of total known assets with agent and scanning enabled), number of hosts with critical and high severity vulnerabilities, and the number of open vulnerabilities.
Charts
The page displays the following charts:
- An open vulnerabilities trend-line chart
- A severity chart for each hostname row
- A severity detail chart under the CVE tab, which appears when you click a hostname
- A sunburst chart for each CVE row
- A CVE sunburst chart under the Hosts tab, which appears when you click a CVE
Hover your mouse over the trend-line chart to see the critical, high, medium, and low vulnerabilities.
Vulnerabilities List
Below the overview is the vulnerabilities list. The list's displayed information depends on how the vulnerabilities are grouped. All vulnerability lists allow you to refresh data, download CSV, and sort. Click a tag link to reload the vulnerability list with the tag as the filter.
Group by Host
Click a hostname to display its risk assessment where you can see an expandable view of host details and any vulnerabilities. Click a vulnerability ID to access its CVE information.
When grouped by Host, AMI ID, Account, or Zone, the list displays the following information:
- Hostname
- Uptime
- Number of vulnerabilities (If assessment failed, Failure displays instead. Potential reasons for failure include the following: host is unavailable, unsupported OS, package data not found. For the reasons why package data was not found, see Package Data Not Found.)
| Column | Description |
|---|---|
| Vulnerabilities | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the CVE number to open a web page that provides details about the CVE. |
| Severity | Displays the CVE’s severity ranking, which is assigned by the vendor or computed from CVSS v3 or CVSS v2 scores (in that order of precedence). |
| CVSS Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. Hover over the score for the CVSS version. For both CVSS v3 and CVSS v2, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSS v3 scores or CVSS v2 if v3 scores are not available. |
| Package Name | Displays the operating system package or language package that the vulnerability was found in. Click the package name to reload and filter the vulnerability list for this package. |
| Current Version | Displays the current version of the package found on the host. |
| Fix Version | Displays the version of the package where the issue is fixed. |
| Package Status | Displays whether the package is active on the host. If the package is not active, nothing will be displayed in this column. |
| Last Status Update | Displays the last time the status of this package was updated in the Lacework Console. |
| Vulnerability Status | Displays the status of the vulnerability. The status can be one of the following: New - Vulnerability was detected for the first time during the last assessment. Active - Vulnerability was detected in consecutive assessments. Reopened - Vulnerability was fixed, but has been detected again. Fixed - Vulnerability was not detected in consecutive assessments. |
Group by CVE
Click a vulnerability ID to display its risk assessment where you can see an expandable view of vulnerability details and affected/unaffected hosts.
When grouped by CVE, Package Name, or Package Namespace, the list displays the following information:
- Number of hosts affected
- Number of hosts unaffected
- Chart depicting hosts and their status
| Column | Description |
|---|---|
| Host | Displays the hostname for the machine. |
| Uptime | Displays the uptime for the machine. |
| Status | Displays the most recent agent status, either Online or Offline, based on the last hour’s agent heartbeat. Online means the Lacework agent sent a heartbeat the last hour. Offline means the Lacework agent did not send a heartbeat the last hour. |
Package Data Not Found
Package data not found occurs under two circumstances:
- Package collection was intentionally disabled
- Package collection did not occur due to timing
If package collection was not disabled, then timing prevented package collection.
Scans do not occur on the host. An enumeration of packages is sent as a manifest to Lacework and any scanning activity occurs in the Lacework backend based on that host's manifest.
Package collection on a host does not occur immediately after the agent is installed. Package collection is delayed to limit the impact on host resources (CPU, Memory) and occurs after the core HIDS functionality is started. If the host shuts down after it registers with Lacework but before it transports package data, the package data will not be found.
You can use the /scan endpoint to supply a manifest (os, os_ver, package name, package version) and get a response. You can do this 20 times an hour for up to 1k packages each time. This action does not directly result in an assessment in the Lacework Console, but it does help to get an assessment.