Active Package Detection (Code Aware Agent)

info

See Which package managers and types are supported? for the minimum agent versions required.

Overview

Active package detection enables you to know whether a vulnerable package is being used by an application on your Linux hosts and containers, and prioritize fixing active vulnerable packages first.

Tracking all vulnerabilities in your environment can take a considerable amount of time. By understanding which packages are inactive or active, you can focus on where to concentrate your efforts and lessen the risk of a potential breach. This allows you to have a greater impact on your security risk posture in a shorter period of time.

How does Active Package Detection provide Active Vulnerability Detection?

Active package detection is made possible using an extension of Lacework's runtime agent known as Code Aware Agent.

Using Lacework's Code Aware Agent technology, we detect all activity and inactivity for supported host and container packages.

This allows you to:

  • Detect the active vulnerabilities in your environment and prioritize remediation of these packages.
  • Detect the inactive vulnerabilities in your environment and deprioritize remediation of packages that aren't being used.

See our blog article on why active vulnerability detection is a game changer for vulnerability risk management.

note

Active package detection is only supported on Linux hosts and containers. It is not supported on Microsoft Windows hosts and containers.

How do I view active or inactive vulnerable packages?

Active package detection is disabled by default. See How do I enable active package detection? for the steps to enable it.

Once enabled, use the Package Status filter on the Host Vulnerability or Container Vulnerability pages to see active or inactive vulnerable packages.

How do I enable active package detection?

To enable active package detection, do the following:

  1. Install the Linux agent on hosts, containers, and/or Kubernetes clusters.

    • If deployed on a host, package activity is reported on that host and for all containers (if any) running on that host.
    • If deployed on a privileged Kubernetes agent pod/container on a Kubernetes node, package activity is reported on that node and for all containers running on that node.
    • If deployed on a non-privileged container, package activity is reported for that container only.

    info

    Your container images must be scanned by Lacework for container package activity to display in the Lacework Console.

    See Different Types of Scanning for the options that Lacework provides to scan your container images.

    If you have active images that are unscanned, see Unscanned Active Images - FAQs to help discover why this may be the case.

  2. Enable active package detection for the agent(s).

    • To enable active package detection using the Lacework Console:

      1. Log in to the Lacework Console.

      2. Go to Settings > Agent Tokens.

      3. Click on the row for the agent access token you used to install the agent.

        The Access Token page appears.

      4. Click the Configure tab, then click the Edit icon.

      5. Expand the Agent runtime settings section.

      6. See Enable active package detection for all available options.

      7. Click Save All.

      note

      If you enable active package detection using the Lacework Console, it is enabled on every agent that uses that agent access token.

    • To enable active package detection using the config.json agent configuration file, see codeaware Property.

      note

      If you enable active package detection using the config.json file for an agent, it will be enabled only for that agent.

  3. For some package types, you may need to enable Agentless Workload Scanning in your environment. See Which package managers and types are supported? for details.

Is ECS Fargate supported for Active Package Detection?

ECS Fargate is not supported for Active Package Detection. This is because Lacework agents do not have enough privilege to monitor the file systems in an ECS Fargate environment (which is necessary for code aware agent functionality).

Which package managers and types are supported?

Active Package Detection supports the following package managers and types:

| Package Type | Minimum Linux Agent Version for Hosts | Minimum Linux Agent Version for Containers | Agentless Workload Scanning required? |
|---|---|---|---|
| dpkg | v6.4 | v6.9 | No |
| golang | v6.5 | v6.9 | Yes |
| Java | v6.5 | v6.9 | Yes |
| npm | v6.5 | v6.9 | Yes |
| PHP | v6.11 | v6.11 | Yes |
| Python | v6.5.2 | v6.9 | Yes |
| RPM | v6.4 | v6.9 | No |
| Ruby | v6.6 | v6.9 | Yes |
| Rust | v6.12 | v6.12 | Yes |
| .NET/NuGet | v6.9 | v6.9 | Yes |

How does the Lacework agent detect package activity?

The Lacework agent monitors the file system: when a process accesses a file in a package to execute it, the Lacework agent detects access to that file and declares the package as active.

When is package activity detected?

If a process accesses a file in a package to execute it and then keeps running for a month, the Lacework agent may detect and report only one package activity (at the time the file is accessed). If the process does not access any files in the same package again during that month, the Lacework agent does not detect any new activity for the package.

How does the Lacework agent detect package inactivity?

When active package detection is enabled, the Lacework agent constantly monitors package activity on the host/container. If the Lacework agent does not detect any process accessing a file in a package on the host/container, the package is marked as inactive on that host/container.

By default, if no package activity has been detected by the Lacework agent for the last 30 days, Lacework considers the package inactive.

Why are inactive vulnerable packages not a security risk?

A vulnerable package is deemed inactive if, within the past 30 days, the Lacework agent did not detect any processes accessing files within that package.

As an inactive vulnerable package is not executed, it cannot be hijacked, tricked into leaking sensitive data, or corrupted in any other way. Therefore, as long as a vulnerable package stays inactive, it is harmless, and fixing it can be deprioritized.

How often does the Lacework agent report package activity?

When the Lacework agent detects a package as active, this data is immediately sent to Lacework.

Every 24 hours, Lacework aggregates and refreshes this data, which is shown in the Lacework Console (Vulnerabilities > Hosts and Vulnerabilities > Containers).

What does “Monitored by CAA” in the Lacework Console mean?

Monitored by CAA in the:

  • Host Vulnerabilities page (Vulnerabilities > Hosts) means that active package detection is enabled on the Lacework agent running on a host, and the agent detected some package activity on the host within the last 24 hours. For more information, see Monitored by CAA.
  • Container Vulnerabilities page (Vulnerabilities > Containers) means that running instances of a container image are monitored by a Lacework agent with active package detection enabled, and the agent detected some package activity on the container image within the last 24 hours. For more information, see Monitored by CAA.
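The detection model described in the sections above (an access to a file owned by a package marks the package active, a package with no access for 30 days is inactive, and "Monitored by CAA" means the agent saw some activity within the last 24 hours) can be made concrete with a small simulation. The following Python is an added example, not Lacework's agent code: the package inventory, file paths, timestamps and access events are all constructed for illustration, and the function names are the example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed package inventory for the example: package name -> files it owns.
# On a real host this mapping comes from the package manager (dpkg, RPM, npm, ...);
# the paths here are illustrative, not taken from any real system.
PACKAGE_FILES = {
    "openssl": {"/usr/bin/openssl", "/usr/lib/x86_64-linux-gnu/libssl.so.3"},
    "curl": {"/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"},
    "imagemagick": {"/usr/bin/convert"},
}
FILE_TO_PACKAGE = {path: pkg for pkg, files in PACKAGE_FILES.items() for path in files}

# Thresholds as stated on the page: inactive after 30 days without access,
# "Monitored by CAA" when some activity was seen within the last 24 hours.
INACTIVE_AFTER = timedelta(days=30)
MONITORED_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class FileAccess:
    """One observed open-for-execute event. Only the access itself is recorded;
    how long the process keeps running afterwards is not an activity signal."""
    path: str
    at: datetime


def last_activity(events, inventory=FILE_TO_PACKAGE):
    """Map each package to the most recent access of any file it owns.
    Accesses to files not owned by a known package are ignored."""
    latest = {}
    for ev in events:
        pkg = inventory.get(ev.path)
        if pkg is None:
            continue
        if pkg not in latest or ev.at > latest[pkg]:
            latest[pkg] = ev.at
    return latest


def package_status(events, packages, now, window=INACTIVE_AFTER):
    """Classify each installed package as 'active' or 'inactive' at time `now`:
    active if one of its files was accessed within `window`, otherwise inactive
    (a package that was never accessed at all is inactive too)."""
    latest = last_activity(events)
    return {
        pkg: "active" if pkg in latest and now - latest[pkg] <= window else "inactive"
        for pkg in packages
    }


def monitored_by_caa(events, now, window=MONITORED_WINDOW):
    """True when the agent saw any package activity within `window` of `now`."""
    return any(now - at <= window for at in last_activity(events).values())


# Constructed scenario: the evaluation time and the events the agent would
# have recorded on one host.
NOW = datetime(2024, 6, 30, 12, 0, 0)
SAMPLE_EVENTS = [
    # curl was executed two hours ago: active, and recent enough to count as monitored.
    FileAccess("/usr/bin/curl", NOW - timedelta(hours=2)),
    # A daemon loaded libssl 45 days ago and is still running. Only the load
    # was recorded, so openssl has had no activity for 45 days: inactive.
    FileAccess("/usr/lib/x86_64-linux-gnu/libssl.so.3", NOW - timedelta(days=45)),
    # An access to a file that no package owns contributes nothing.
    FileAccess("/tmp/scratch.bin", NOW - timedelta(minutes=5)),
    # imagemagick is installed but was never touched: inactive.
]


def classify_sample():
    """Run the scenario above and return the per-package status."""
    return package_status(SAMPLE_EVENTS, PACKAGE_FILES, NOW)


def sample_is_monitored():
    """Is the host 'Monitored by CAA' at NOW?"""
    return monitored_by_caa(SAMPLE_EVENTS, NOW)


def stale_host_is_monitored():
    """Same host evaluated three days later with no new events: the youngest
    access is now over 24 hours old, so the host no longer counts as monitored."""
    return monitored_by_caa(SAMPLE_EVENTS, NOW + timedelta(days=3))


if __name__ == "__main__":
    for pkg, status in sorted(classify_sample().items()):
        print(f"{pkg:12s} {status}")
    print("Monitored by CAA:", sample_is_monitored())
```

The scenario deliberately includes a long-running process that loaded a library once: its package goes inactive after 30 days even though the code is still mapped in memory, which is the behaviour the "When is package activity detected?" section describes and a point worth keeping in mind when deprioritizing inactive findings.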