Skip to main content

Host Vulnerability

Lacework provides the ability to assess, identify, and report vulnerabilities found on Linux hosts within your environment. This means you can identify and take action on software vulnerabilities in your VMs and manage that risk proactively.

The Lacework CLI provides the lacework vulnerability host command to retrieve data on host vulnerability assessments with the intention of providing fast, accurate, and actionable data via Lacework's APIs. This includes the ability to list all CVEs found on hosts in your environment, search for hosts in your environment that have a specific CVE, show the assessment for a specific host, and the ability to submit a package-manifest.json for on-demand scanning of vulnerabilities.

To list the CVEs found in the hosts in your environment:

lacework vulnerability host list-cves

Additionally, you can filter results with the following flags:

  • --active displays only vulnerabilities that are active within your environment
  • --fixable displays only vulnerabilities with fixes
  • --packages modifies the output format to show a list of packages with CVE count

To list the hosts that contain a specific CVE in your environment:

lacework vulnerability host list-hosts <cve_id>

Additionally, you can filter results with the following flags:

  • --online shows only hosts that are online
  • --offline shows only hosts that are offline

To show the results of a host vulnerability assessment:

lacework vulnerability host show-assessment <machine_id>

Additionally, you can filter results with the following flags:

  • --active displays only vulnerabilities that are active within your environment
  • --fixable displays only vulnerabilities with fixes
  • --packages modifies the output format to show a list of packages with CVE count

On-demand Assessment of Package Manifest

To request an on-demand host vulnerability assessment of your software packages to determine if the packages contain any common vulnerabilities and exposures:

lacework vulnerability host scan-pkg-manifest '{
"os_pkg_info_list": [
{
"os":"Ubuntu",
"os_ver":"18.04",
"pkg": "openssl",
"pkg_ver": "1.1.1-1ubuntu2.1~18.04.5"
}
]
}'
note
  • Only packages managed by a package manager for supported OS's are reported.
  • Calls to this operation are rate limited to 10 calls per hour, per access key.
  • This operation is limited to 10k packages per command execution.

You can use the Lacework CLI to generate a package-manifest formatted and ready to be submitted for evaluation.

lacework vulnerability host generate-pkg-manifest
note

This command doesn't require any CLI configuration because it is meant to be executed on a running host.

To automatically generate a package manifest from the local host and send it directly to the Lacework platform for evaluation.

lacework vulnerability host scan-pkg-manifest --local

For a guided tutorial that shows how to build base images from code that are free of vulnerabilities and validated with Lacework’s host vulnerability scanning, see the blog post Up and Running with Lacework and Hashicorp Packer.