Lacework provides the ability to assess, identify, and report vulnerabilities found on hosts, containers, and pods within your environment. This means you can identify and take action on software vulnerabilities in your environment and manage that risk proactively. For information about alerts, see Default Policies.
Lacework continuously assesses the risk of vulnerabilities, identifies OS packages, and correlates them with publicly known vulnerabilities with risk ratings by severity and CVSS scores.
After you install the Lacework agent on hosts, containers, or pods, Lacework can assess the monitored hosts, containers, or pods for software packages with known vulnerabilities and report them.
Agent Requirement
For installing on hosts, host vulnerability assessments require Lacework agent version 2.12.1 or later. For agent install instructions on hosts, see Agent Install Options.
For installing on containers or pods, host vulnerability assessments require Lacework agent version 3.0.47 or later. For agent install instructions on pods and containers, see Deploy on Kubernetes.
Note: If the agent does not meet the version requirement, the assessment is reported as failed.
Supported Operating Systems
| Operating System | Versions |
|---|---|
| Amazon Linux | 2 |
| Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
| CentOS | 5, 6, 7 |
| Debian | 7, 8, 9, 10, unstable |
| Redhat Enterprise Linux | 5, 6, 7, 8, minimal |
| Ubuntu | 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04, snap |
Note: Lacework does not support Redhat Universal Base Images (UBI).
Package Assessment Support
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
|---|---|---|---|
| Amazon Linux | Distro | N/A | See Amazon Linux CVSS Scores |
| CentOS/CoreOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ - CoreOS and GCOS are not supported for host vulnerability assessments on containers or pods. |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| Redhat Enterprise Linux | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for each CVE. Scores range from 0 to 10. Severities can be Info, Low, Medium, High, or Critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3.x (if available) and CVSS v2.0. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, Alpine, etc.) provides a severity
- Lacework converts the CVSS v3 score to a severity
- Lacework converts the CVSS v2 score to a severity
Amazon Linux CVSS Scores
AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.
Package Managers for Host Vulnerability Assessments on Containers or Pods
Supported Package Managers for Host Vulnerability Assessments
- RPM, DEB
Unsupported Package Managers for Host Vulnerability Assessments
- APK (Alpine Linux Package Management)
Vulnerability Assessment
Lacework assesses for vulnerabilities after the agent is installed. Lacework completes the following actions at the listed schedule.
- Lacework collects package information from each installed agent on monitored hosts.
- Lacework assesses software packages installed by package managers dpkg, apt, and yum. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVE) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses software packages on monitored hosts at 3 AM GMT.
- Lacework searches the CVE database (information available at 3 AM GMT) for software packages on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
When new CVE updates are released, Lacework assesses the existing assessments for newly identified risks. Lacework reassesses machine images based on CVE information for a known package and version.
These assessment steps are illustrated in the following example:
- You install the Lacework agent on a host.
- Lacework assesses the host.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the machine image.
- Lacework searches the Lacework CVE database for CVEs for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
The Vulnerability Assessment page contains found vulnerabilities and previous vulnerabilities that have been fixed. To navigate to this page, select Vulnerability > Host in the Lacework Console.
The Machine Status drop-down controls which machine status to report on. The status can be Online, Offline, or All; Online is the default. Lacework bases the machine status on whether the hourly agent heartbeat was sent the last hour. This allows you to filter out ephemeral machines that are currently offline and helps you to understand fleet risk.
Under the drop-down are overview statistics about hosts and vulnerabilities from the last 24 hours.
Assessment Summary
Below the overview is the Assessment Summary table.
By default, the table displays assessments from the last 24 hours. To change the time range, click the Add filter icon and select a different range. Removing a non-default time range reverts the range back to the last 24 hours.
Above the right side of the table, the following icons are available.
| Icon | Description | Functionality |
|---|---|---|
 |
Add filter | Click the Add filter icon to filter on the following: 1) CVE—Filter the returned hosts on fixable CVEs. 2) CVE ID—Filter the returned hosts based on the specified CVE ID, such as CVE-2019-9948. 3) Machine ID—Filter the returned hosts based on the specified machine ID. 4) Machine Tags—Filter the returned hosts based on the specified machine tag. 5) Severity—Filter the returned hosts based on the specified CVE severity. Severities can be Critical, High, Medium, Low, Info. Comma separate multiple severities. You can add multiple filters that are ANDed together to produce a single result. You can use the * wildcard to match strings. Click X to remove the filters. |
 |
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
 |
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that some columns are not displayed by default. |
 |
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Assessment Summary table are described below. Each row in the table represents a single vulnerability assessment per host. The table includes a row for a host even if it has no vulnerabilities.
| Column | Description |
|---|---|
| Machine Name | Displays the host name for the machine. |
| Internal IP | Displays the internal IP(s) for the machine. |
| External IP | Displays the external IP(s) for the machine. |
| Tags | Click {...} to display the tags that are assigned to the machine. |
| Machine Status | Displays the most recent agent status, either Online or Offline, based on the last hour’s agent heartbeat. 1) Online—The Lacework agent sent a heartbeat the last hour. 2) Offline—The Lacework agent did not send a heartbeat the last hour. |
| Assessment Status | Displays the assessment status, either Success or Failure. Mouse over Failure to view the reason. Potential reasons for failure include the following: host is unavailable, unsupported OS, package data not found. For the reasons why package data was not found, see Package Data Not Found. |
| Vulnerabilities | Displays a snapshot of the vulnerabilities associated with this host for the specified date range. To get details about vulnerabilities, hover the cursor over the right side of the Vulnerabilities column until the View Report button appears. Click View Report to view detailed information about a single host as described in the next section. You can also mouse over the text in this field to view the total number of vulnerabilities. |
| Last Assessment | Displays the time of the latest assessment. |
| Machine Uptime | Displays the uptime for the machine within the given time-range, which is 24 hours by default. |
| Machine ID | Displays the unique identifier from the agent. |
Package Data Not Found
Package data not found occurs under two circumstances:
- Package collection was intentionally disabled
- Package collection did not occur due to timing
If package collection was not disabled, then timing prevented package collection.
Scans do not occur on the host. An enumeration of packages is sent as a manifest to Lacework and any scanning activity occurs in the Lacework backend based on that host's manifest.
Package collection on a host does not occur immediately after the agent is installed. Package collection is delayed to limit the impact on host resources (CPU, Memory) and occurs after the core HIDS functionality is started. If the host shuts down after it registers with Lacework but before it transports package data, the package data will not be found.
You can use the /scan endpoint to supply a manifest (os, os_ver, package name, package version) and get a response. You can do this 20 times an hour for up to 1k packages each time. This action does not directly result in an assessment in the Lacework Console, but it does help to get an assessment.
Vulnerability Assessment Host Details
When you click View Report in the Vulnerabilities column or a machine name in the Assessment Summary table, the Vulnerability Assessment Host page displays. This page provides details about a machine image that was collected in a single assessment run. An assessment is when Lacework assesses and reports on vulnerabilities in a machine image.
The following fields are available at the top of the page.
| Field | Description |
|---|---|
| Hostname | Displays the host name for the machine. |
| Machine ID | Displays the unique identifier from the agent. |
| Uptime | Displays the uptime for the machine within the given time-range, which is 24 hours by default. |
| Assessment Time | Displays the time of the assessment. |
| Tags | Lists the tags that are assigned to the machine image. |
| num unique vulnerabilities were detected in this assessment | Displays the number of unique vulnerabilities detected in this machine image during this assessment. |
| num fixed versions available | Displays how many fixed versions (software patches) are available that address the detected vulnerabilities in this machine image during this assessment |
Under num fixed versions available is a bar chart that shows the total number of unique vulnerabilities detected per severity rankings in the host. You can use this bar chart to filter the vulnerabilities by severity rankings that are listed in the Vulnerabilities table. For example, you can click the critical (dark red) and high (bright red) sections of the bar chart to filter by critical and high severity vulnerabilities. Note that the chart’s critical and high section widths become wider to indicate current filter conditions.
Clicking a number can result in listing more rows (compared to the number clicked) because each package affected by a unique vulnerability is listed.
Select the Show only fixable option to update the chart and table to show only fixable vulnerabilities. If the option is selected, the CSV download includes only fixable CVEs. The PDF always includes all CVEs.
Below the bar chart is a search bar. You can enter text to add an additional filter for the vulnerabilities listed in the table. You can search for text in any of the table columns as described in the following examples:
- Enter CVE-2018 to limit the list of vulnerabilities to only those CVEs that were found in the year 2018.
- Enter openssl to view all open SSL vulnerabilities.
Because every vulnerability (fixed and unfixed) has an individual table row, the number of rows will be higher than the number of detections on the Host Vulnerability Assessment and Host Vulnerability Assessment Report pages, which exclude fixed vulnerabilities.
To the right of the search bar, the following icons are available.
| Icon | Label | Description |
|---|---|---|
 |
Download Report | Click the Download Report icon to download a PDF version of the Vulnerability Assessment report. |
|
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
|
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that some columns are not displayed by default. |
|
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Vulnerabilities table are described below.
| Column | Description |
|---|---|
| CVE | Displays the common vulnerabilities and exposures (CVE) code assigned to this vulnerability by the CVE Numbering Authority. Click the arrow next to the CVE number to view a description and vectors about the CVE. In the description drop-down, click the More Details icon to open a web page that provides details about the CVE. |
| Severity | Displays the CVE’s severity ranking, which is assigned by the vendor or computed from CVSSv3 or CVSSv2 scores (in that order of precedence). |
| Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available. |
| Machine ID | Displays the unique identifier from the agent. |
| Package Name | Displays the software package that contains the vulnerability. |
| Package Namespace | Displays the namespace associated with the package. |
| Current Version | Displays the current version of the software package that contains the vulnerability. |
| Fix Version | Displays the version (patch) of the software package that contains the patch for the vulnerability when a patch is available. |
| Package Status | Displays the status of the package, Active or empty. Active—Lacework has seen the package in use (a process launch) in the last 24 hour period. An empty status—Lacework does not have any data about the package in the last 24 hour period. |
| File Path | Displays the executable path for the package. |
| First Seen | Displays when Lacework first catalogued the package version on a specific host. |
| Last Status Update | Displays the time stamp for the last change to the vulnerability status. |
| Vulnerability Status | Displays the status of the vulnerability: New, Active, Fixed, Reopened, Unknown. For status descriptions, see Vulnerability Status Descriptions. |
Vulnerability Status Descriptions
New—This is the first time the vulnerability was detected, which occurs once and only once on a specific combination of machine ID, package, and version. It is possible for a New status to be displayed multiple times over a long period of time, as described in When Host Assessment Metrics Carry Forward.
Active—This was detected in two or more consecutive assessments on a specific combination of machine ID, package, and version.
Fixed—This was detected in previous assessments on a specific combination of machine ID, package, and version, but the vulnerability is no longer an issue, for example, the offending package/version was removed.
Reopened—The vulnerability was fixed earlier on a specific combination of machine ID, package, and version, but the vulnerability is detected again on the same combination within 30 days from when it was fixed. For example, the status change flow could be: New → Active → Fixed → Reopened → Fixed or stays Reopened
Unknown—The information is not available.