Active package detection enables you to know whether a vulnerable package is being used by an application on your Linux hosts and containers, and prioritize fixing active vulnerable packages first.
Tracking all vulnerabilities in your environment can take a considerable amount of time. By understanding which packages are inactive or active, you can focus on where to concentrate your efforts and lessen the risk of a potential breach.
This allows you to have a greater impact on your security risk posture in a shorter period of time.
How does Active Package Detection provide Active Vulnerability Detection?
Active package detection is made possible using an extension of Lacework's runtime agent known as Code Aware Agent.
Using Lacework's Code Aware Agent technology, we detect all activity and inactivity for supported host and container packages.
This allows you to:
- Detect the active vulnerabilities in your environment and prioritize remediation of these packages.
- Detect the inactive vulnerabilities in your environment and deprioritize remediation of packages that aren't being used.
See our blog article on why active vulnerability detection is a game changer for vulnerability risk management.
How do I view active or inactive vulnerable packages?
Active package detection is disabled by default. See How do I enable active package detection? for the steps to enable this feature.
How do I enable active package detection?
To enable active package detection, do the following:
Install the Linux agent on hosts, containers, and/or Kubernetes clusters.
- If deployed on a host, package activity is reported on that host and for all containers (if any) running on that host.
- If deployed on a privileged Kubernetes agent pod/container on a Kubernetes node, package activity is reported on that node and for all containers running on that node.
- If deployed on a non-privileged container, package activity is reported for that container only.
Your container images must be scanned by Lacework for container package activity to display in the Lacework Console.
See Different Types of Scanning for the options that Lacework provides to scan your container images.
If you have active images that are unscanned, see Unscanned Active Images - FAQs to help discover why this may be the case.
Enable active package detection for the agent(s).
To enable active package detection using the Lacework Console:
Log in to the Lacework Console.
Go to Settings > Configuration > Agent Tokens.
Click on the row for the agent access token you used to install the agent.
The Access Token page appears.
Click the Configure tab, then click the Edit icon.
Expand the Agent runtime settings section.
See Enable active package detection for all available options.
Click Save All.
If you enable active package detection using the Lacework Console, it is enabled on all agents that use the agent access token for which you enabled it.
To enable active package detection using the config.json agent configuration file, see
If you enable active package detection using the config.json file for an agent, it is enabled only for that agent.
Which package managers and types are supported?
Active Package Detection supports the following package managers and types:
| Package Type | Minimum Linux Agent Version for Hosts | Minimum Linux Agent Version for Containers | Agentless Workload Scanning required? |
How does the Lacework agent detect package activity?
The Lacework agent monitors the file system: when a process accesses a file in a package to execute it, the Lacework agent detects access to that file and declares the package as active.
When is package activity detected?
If a process accesses a file in a package to execute it and then keeps running for a month, the Lacework agent may detect and report only one package activity (at the time the file is accessed). If the process does not access any file in the same package again during that month, the Lacework agent does not detect any new activity for the package.
How does the Lacework agent detect package inactivity?
When active package detection is enabled, the Lacework agent constantly monitors package activity on the host/container. If the Lacework agent does not detect any process accessing a file in a package on the host/container, the package is marked as inactive on that host/container.
By default, if no package activity has been detected by the Lacework agent for the last 30 days, Lacework considers the package inactive.
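The following is an added illustration of the activity and inactivity logic described above, written for this page and not Lacework's agent code. It assumes a hypothetical file-to-package manifest and a constructed list of file-execution events, maps each event to its owning package, applies the 30-day inactivity window, and orders vulnerable packages so active ones come first.

```python
from datetime import datetime, timedelta

# Constructed (hypothetical) manifest: which installed package owns which file.
PACKAGE_FILES = {
    "/usr/bin/curl": "curl",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3": "openssl",
    "/usr/bin/python3.11": "python3",
    "/usr/sbin/nginx": "nginx",
}

# Constructed sample of file-execution events an agent might observe (ISO time, path).
# A long-running process yields one event at exec time, not one per day of uptime.
EVENTS = [
    ("2024-05-01T08:00:00", "/usr/sbin/nginx"),
    ("2024-05-01T08:00:01", "/usr/lib/x86_64-linux-gnu/libssl.so.3"),
    ("2024-06-10T12:30:00", "/usr/bin/python3.11"),
    ("2024-06-12T09:15:00", "/usr/bin/curl"),
    ("2024-06-12T09:15:00", "/etc/hostname"),  # not owned by any tracked package
]


def last_activity(events, manifest):
    """Map each execution event to its owning package; keep the latest timestamp per package."""
    seen = {}
    for ts, path in events:
        pkg = manifest.get(path)
        if pkg is None:
            continue  # file does not belong to a tracked package; ignore
        t = datetime.fromisoformat(ts)
        if pkg not in seen or t > seen[pkg]:
            seen[pkg] = t
    return seen


def classify(events, manifest, now_iso, window_days=30):
    """Return {package: 'active' | 'inactive'}: active only if accessed within the window."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(days=window_days)
    activity = last_activity(events, manifest)
    return {
        pkg: "active" if pkg in activity and now - activity[pkg] <= window else "inactive"
        for pkg in set(manifest.values())
    }


def prioritize(vulnerable, status):
    """Order vulnerable packages so active ones are remediated first, then by name."""
    return sorted(vulnerable, key=lambda p: (status.get(p, "inactive") != "active", p))


if __name__ == "__main__":
    status = classify(EVENTS, PACKAGE_FILES, "2024-06-15T00:00:00")
    print(status)
    print(prioritize(["openssl", "curl", "nginx", "python3"], status))
```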
Why are inactive vulnerable packages not a security risk?
A vulnerable package is deemed inactive if, within the past 30 days, the Lacework agent did not detect any processes accessing files within that package.
As an inactive vulnerable package is not executed, it cannot be hijacked, tricked into leaking sensitive data, or corrupted in any other way. Therefore, as long as a vulnerable package stays inactive, it is harmless, and fixing it can be deprioritized.
How often does the Lacework agent report package activity?
When the Lacework agent detects a package as active, this data is immediately sent to Lacework.
Every 24 hours, Lacework aggregates and refreshes this data, which is shown in the Lacework Console (Vulnerabilities > Hosts and Vulnerabilities > Containers).