Host Vulnerability Assessment Overview

Lacework provides the ability to assess, identify, and report vulnerabilities found on hosts, containers, and pods within your environment. This means you can identify and take action on software vulnerabilities in your environment and manage that risk proactively. For information about alerts, see Default Policies.

Lacework continuously assesses vulnerability risks, identifies OS packages, and correlates them with publicly known vulnerabilities with risk ratings by severity and CVSS scores.

Host vulnerability scanning with Lacework can be performed using two different methods: with the Lacework agent installed on the workload, or agentlessly through Agentless Workload Scanning. Both methods are described in the sections below.

note

  • Agentless Workload Scanning does not support host vulnerability assessment on Windows Server hosts. You must install the Lacework Windows agent to enable host vulnerability assessment on Windows Server hosts.
  • The Lacework Windows agent does not support vulnerability assessment on pods and containers.

Host Vulnerability with Agent

Agent Features

After you install the Lacework agent on hosts, containers, or pods, Lacework can assess the monitored hosts, containers, or pods for OS packages and applications with known vulnerabilities and report them.

See Lacework Agent FAQs for additional details on what is collected.

note

AWS Fargate containers do not appear in the host vulnerability console.

Agent Requirements

On Linux hosts, host vulnerability assessments require Lacework Linux agent version 2.12.1 or later. For Linux agent installation instructions on hosts, see Install the Linux Agent.

On Linux containers or pods, host vulnerability assessments require Lacework Linux agent version 3.0.47 or later. For Linux agent install instructions on pods and containers, see Install Linux Agent on Kubernetes.

On Windows Server hosts, host vulnerability assessments require Lacework Windows agent version 1.5 or later. For Windows agent installation instructions on hosts, see Install the Windows Agent.

note

If the agent does not meet the version requirement, the assessment is reported as failed.

Host Vulnerability with Agentless

Agentless Features

After you have integrated your cloud provider with Agentless Workload Scanning, Lacework can assess all the Linux hosts within your integrated account for software vulnerabilities and report them. This includes assessment of operating system packages and language library packages.

note

Agentless Workload Scanning does not support host vulnerability assessment on Windows Server hosts. You must install the Lacework Windows agent to enable host vulnerability assessment on Windows Server hosts.

Agentless Requirements

An Agentless Workload Scanning integration with your cloud provider is required before using Host Vulnerability scanning.

See Before you Start - Agentless Workload Scanning for supported operating systems and cloud providers.

Vulnerability Assessment

Agent Assessments

Lacework assesses for vulnerabilities after the agent is installed. Lacework completes the following actions at the listed schedule.

  • Lacework collects package, Windows OS, and Windows application information from each installed agent on monitored hosts.
  • On Linux hosts, Lacework assesses software packages installed by package managers dpkg, apt, and yum. On Windows Server hosts, Lacework assesses Windows OS and Windows application information. The results of the new assessment are available for viewing on the Lacework Console.
  • Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework CVE database once a day.

Lacework assesses for vulnerabilities using the following steps:

  1. Lacework assesses software packages and Windows applications on monitored hosts at 3 AM GMT.
  2. Lacework searches the CVE database (information available at 3 AM GMT) for software packages and Windows applications on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.

When new CVE updates are released, Lacework re-evaluates existing assessments for newly identified risks: machine images are reassessed against the CVE information for each known package, Windows application, and version.

These assessment steps are illustrated in the following example:

  1. You install the Lacework agent on a host.
  2. Lacework assesses the host.
  3. Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the machine image.
  4. Lacework searches the Lacework CVE database for CVEs for the Python 3.6 package.
  5. Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.

Agentless Assessments

Lacework assesses for vulnerabilities after the agentless workload scanning integration is installed. Lacework completes the following actions at the listed schedule.

  • Lacework collects package information from each workload in the regions and accounts configured for the integration.
  • Lacework assesses software packages installed by package managers dpkg, apt, and yum. It also assesses software dependencies discovered by scanning for applications and libraries. The results of the new assessment are available for viewing on the Lacework Console.
  • Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework CVE database once a day.

Lacework assesses for vulnerabilities using the following steps:

  1. Lacework agentless workload scanning runs on a schedule configured by the integration. The schedule period can be reconfigured anytime.
  2. Lacework searches the CVE database for software packages and software dependencies on the hosts and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
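The matching step described for both the agent and the agentless assessments (collect the installed package inventory, then look each package and version up against a CVE feed, dropping rejected CVEs) is illustrated below as an added example. It is not Lacework code and does not describe the Lacework CVE database; it is a minimal matcher written for this page. It assumes a dpkg-style inventory, implements the dpkg version-ordering rules (epoch, upstream, revision; `~` sorts before everything, including the end of the string, which is why `3.6.7-1~18.04` sorts below `3.6.7-1`), and runs over a constructed advisory list: the three CVE identifiers for the Python 3.6 package come from the page's own example, while the fixed versions and the `CVE-0000-*` identifiers are placeholders, not real advisory data.

```python
"""Toy package-to-CVE matcher (added example; not Lacework code).

Assumptions, all constructed for illustration:
  - the inventory is the output of `dpkg-query -W -f='${Package} ${Version}\n'`
  - the advisory feed is a hand-written list; the fixed versions and the
    CVE-0000-* identifiers are placeholders, not real advisory data
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit phase of a comparison."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # tilde sorts before anything, even end-of-string
    return ord(c) + 256 if c else 0


def _cmp_part(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) like dpkg's verrevcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run (or the first
        # differing digit) wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:         # no '-' present: rpartition left everything in the tail
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return _sign(ea - eb)
    return _sign(_cmp_part(ua, ub)) or _sign(_cmp_part(ra, rb))


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    fixed_version: Optional[str]   # None: no fixed version, every installed version is affected
    status: str = "published"      # "rejected" entries are filtered out, as the page describes


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed_version: Optional[str]


def parse_inventory(text: str) -> dict[str, str]:
    """Parse 'package version' lines (dpkg-query style) into a name -> version map."""
    inventory: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(None, 1)
        inventory[name] = version
    return inventory


def assess(inventory_text: str, advisories: list[Advisory]) -> list[Finding]:
    """Report every non-rejected advisory whose package is installed below its fixed version."""
    inventory = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        if adv.status == "rejected":
            continue
        installed = inventory.get(adv.package)
        if installed is None:
            continue
        if adv.fixed_version is None or compare_versions(installed, adv.fixed_version) < 0:
            findings.append(Finding(adv.cve, adv.package, installed, adv.fixed_version))
    return findings


# Constructed inventory: the Python 3.6 package from the page's example plus a filler package.
INVENTORY = """\
python3.6 3.6.7-1~18.04
libplaceholder 2.0-1
"""

# Constructed feed: CVE ids for python3.6 are the ones the page lists; fixed versions are placeholders.
ADVISORIES = [
    Advisory("CVE-2019-9947", "python3.6", "3.6.8-1~18.04.1"),
    Advisory("CVE-2019-9740", "python3.6", "3.6.8-1~18.04.1"),
    Advisory("CVE-2018-1000030", "python3.6", None),
    Advisory("CVE-0000-0001", "python3.6", None, status="rejected"),   # placeholder, filtered out
    Advisory("CVE-0000-0002", "libplaceholder", "1.9-1"),              # installed 2.0-1 is already fixed
    Advisory("CVE-0000-0003", "notinstalled", None),                   # package absent from the host
]

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f.cve}: {f.package} {f.installed} (fixed in {f.fixed_version or 'no fix'})")
```

Running the block prints the three page CVEs for `python3.6` and nothing else: the rejected entry is dropped before matching, `libplaceholder` is already at or above its placeholder fixed version, and the last advisory names a package the host does not have.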