This feature is currently in general beta.
Lacework provides the ability to assess, identify, and report vulnerabilities found on Linux hosts within your environment. This means you can identify and take action on software vulnerabilities in your VMs and manage that risk proactively.
Lacework continuously assesses the risk of vulnerabilities on hosts, identifies OS packages, and correlates them with publicly known vulnerabilities with risk ratings by severity and CVSS scores.
After installing the Lacework agent on hosts, Lacework can assess the monitored hosts for software packages with known vulnerabilities and report them.
Agent Requirement
Host vulnerability requires Lacework agent version 2.12.1 or later.
NOTE: Assessments will be shown as failed if the agent does not meet the version requirement.
Package Assessment Support
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
| Amazon Linux | Distro | NVD | http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list |
| Alpine Linux | NVD Score (CVSS v3 supersedes CVSS v2) | NVD | https://github.com/alpinelinux/aports.git |
| CentOS (10/11/2019) | Distro | NVD | None |
| CentOS/RHA/CoreOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| RHEL (10/11/2019) | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Host Assessment
Lacework assesses for vulnerabilities after the agent is installed. Lacework completes the following actions at the listed schedule.
- Lacework collects package information from each installed agent on monitored hosts.
- Lacework assesses software packages installed by package managers dpkg, apt, and yum. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVEs) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses software packages on monitored hosts at 3 AM GMT.
- Lacework searches the common vulnerabilities and exposures (CVEs) database (information available at 3 AM GMT) for software packages on the hosts and reports them.
When new CVE updates are released, Lacework assesses the existing assessments for newly identified risks. Lacework reassesses machine images based on CVE information for a known package and version.
These assessment steps are illustrated in the following example:
- You install the Lacework agent on a host.
- Lacework assesses the host.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the machine image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
The Vulnerability Assessment page contains found vulnerabilities and previous vulnerabilities that have been fixed. To navigate to this page, select Host > Vulnerability Assessment in the Lacework Console.
NOTE: The top-level Workload menu is renamed to Host for the Host Vulnerability beta participants.
At the top right of the Vulnerability Assessment page, there is a drop-down that controls the output displayed on this entire page.
The Machine Status drop-down controls which machine status to report on. The status can be Online, Offline, or All; Online is the default. Lacework bases the machine status on whether the hourly agent heartbeat was sent the last hour. This allows you to filter out ephemeral machines that are currently offline and helps you to understand fleet risk.
Under the drop-down are overview statistics about hosts and vulnerabilities from the last 24 hours.
Assessment Summary
Below the overview is the Assessment Summary table.
By default, the table displays assessments from the last 24 hours. To change the time range, click the Add filter icon and select a different range. Removing a non-default time range reverts the range back to the last 24 hours.
Above the right side of the table, the following icons are available.
| Icon | Description | Functionality |
 |
Add filter | Click the Add filter icon to filter on the following: 1) CVE ID—Filter the returned hosts based on the specified Common Vulnerabilities and Exposure (CVE) ID, such as CVE-2019-9948. 2) Machine ID—Filter the returned hosts based on the specified machine ID. 3) Machine Tags—Filter the returned hosts based on the specified machine tag. You can add multiple filters that are ANDed together to produce a single result. You can use the * wildcard to match strings. Click X to remove the filters. |
 |
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
 |
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that some columns are not displayed by default. |
 |
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Assessment Summary table are described below. Each row in the table represents a single vulnerability assessment per host. The table includes a row for a host even if it has no vulnerabilities.
| Column | Description |
| Machine Name | Displays the host name for the machine. |
| Internal IP | Displays the internal IP(s) for the machine. |
| External IP | Displays the external IP(s) for the machine. |
| Tags | Click {...} to display the tags that are assigned to the machine. |
| Machine Status | Displays the most recent agent status, either Online or Offline, based on the last hour’s agent heartbeat. 1) Online—The Lacework agent sent a heartbeat the last hour. 2) Offline—The Lacework agent did not send a heartbeat the last hour. |
| Assessment Status | Displays the assessment status, either Success or Failure. Mouse over Failure to view the reason. Potential reasons for failure include the following: host is unavailable and unsupported OS. |
| Vulnerabilities | Displays a snapshot of the vulnerabilities associated with this host for the specified date range. To get details about vulnerabilities, hover the cursor over the right side of the Vulnerabilities column until the View Report button appears. Click View Report to view detailed information about a single host as described in the next section. You can also mouse over the text in this field to view the total number of vulnerabilities. |
| Last Assessment | Displays the time of the latest assessment. |
| Machine Uptime | Displays the uptime for the machine within the given time-range, which is 24 hours by default. |
| Machine ID | Displays the unique identifier from the agent. |
Vulnerability Assessment Host Details
When you click View Report in the Vulnerabilities column or a machine name in the Assessment Summary table, the Vulnerability Assessment Host page displays. This page provides details about a machine image that was collected in a single assessment run. An assessment is when Lacework assesses and reports on vulnerabilities in a machine image.
The following fields are available at the top of the page.
| Field | Description |
| Hostname | Displays the host name for the machine. |
| Machine ID | Displays the unique identifier from the agent. |
| Uptime | Displays the uptime for the machine within the given time-range, which is 24 hours by default. |
| Assessment Time | Displays the time of the assessment. |
| Tags | Lists the tags that are assigned to the machine image. |
| num vulnerabilities were detected in this evaluation | Displays the number of vulnerabilities detected in this machine image during this assessment. |
| num fixed versions available | Displays how many fixed versions (software patches) are available that address the detected vulnerabilities in this machine image during this assessment |
Under num fixed versions available is a bar chart that shows the total number of unique vulnerabilities detected per severity rankings in the host. You can use this bar chart to filter the vulnerabilities by severity rankings that are listed in the Vulnerabilities table. For example, you can click the critical (dark red) and high (bright red) sections of the bar chart to filter by critical and high severity vulnerabilities. Note that the chart’s critical and high section widths become wider to indicate current filter conditions.
Clicking a number can result in listing more rows (compared to the number clicked) because each package affected by a unique vulnerability is listed.
Select the Show only fixable option to update the chart and table to show only fixable vulnerabilities. If the option is selected, the CSV download includes only fixable CVEs. The PDF always includes all CVEs.
Below the bar chart is a search bar. You can enter text to add an additional filter for the vulnerabilities listed in the table. You can search for text in any of the table columns as described in the following examples:
- Enter CVE-2018 to limit the list of vulnerabilities to only those CVEs that were found in the year 2018.
- Enter openssl to view all open SSL vulnerabilities.
To the right of the search bar, the following icons are available.
| Icon | Label | Description |
 |
Download Report | Click the Download Report icon to download a PDF version of the Vulnerability Assessment report. |
|
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
|
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that some columns are not displayed by default. |
|
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Vulnerabilities table are described below.
| Column | Description |
| CVE | Displays the common vulnerabilities and exposures (CVEs) code assigned to this vulnerability by the CVE Numbering Authority. Click the arrow next to the CVE number to view a description and vectors about the CVE. In the description drop-down, click the More Details icon to open a web page that provides details about the CVE. |
| Severity | Displays the CVE’s severity ranking, which is assigned by the vendor or computed from CVSSv3 or CVSSv2 scores (in that order of precedence). |
| Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available. |
| Machine ID | Displays the unique identifier from the agent. |
| Package Name | Displays the software package that contains the vulnerability. |
| Package Namespace | Displays the namespace associated with the package. |
| Current Version | Displays the current version of the software package that contains the vulnerability. |
| Fix Version | Displays the version (patch) of the software package that contains the patch for the vulnerability when a patch is available. |
| Package Status | Displays the status of the package, Active or empty. Active—Lacework has seen the package in use (a process launch) in the last 24 hour period. An empty status—Lacework does not have any data about the package in the last 24 hour period. |
| File Path | Displays the executable path for the package. |
| First Seen | Displays when Lacework first catalogued the package version on a specific host. |
| Last Status Update | Displays the time stamp for the last change to the vulnerability status. |
| Vulnerability Status | Displays the status of the vulnerability. 1) New—This is the first time the vulnerability was detected, which occurs once and only once on a specific combination of machine ID, package, and version. It is possible for a New status to be displayed multiple times over a long period of time, as described in When Host Assessment Metrics Carry Forward. 2) Active—This was detected in two or more consecutive assessments on a specific combination of machine ID, package, and version. 3) Fixed—This was detected in previous assessments on a specific combination of machine ID, package, and version, but the vulnerability is no longer an issue, for example, offending package/version was removed. 4) Unknown—The information is not available. |