Skip to main content

Host Vulnerability - FAQs

Vulnerability Assessment on Linux Hosts

Why do host vulnerability results show two different versions of the same package on a machine?

Generally, assessment data is from what currently exists at the time of assessment. In some circumstances, Lacework can carry forward fixed status data to provide information about a previously existing vulnerability that has since been patched/addressed.

Hosts must be online at least once within a 30-day window for vulnerability assessment metrics to carry forward. Carrying forward metrics means Lacework updates the existing assessment report instead of creating a new assessment report. See When Host Assessment Metrics Carry Forward for more details.

How can I fix a host vulnerability detected by an assessment?

Debian-based Distributions
apt remove and dpkg --remove
RedHat-based Distributions
rpm -e PackageName (instead of `yum remove PackageName`)

For details, see Fix a Host Vulnerability.

Why doesn’t the host vulnerability assessment identify recently updated packages as “Fixed”?

Package collection runs hourly, however, Lacework does not restrict the assessment to the last hour of collected packages. The last day of packages is considered because that is also the assessment interval - daily. The impact is that if the package existed within 24 hours before the assessment, it appears in the assessment. See When Host Assessments Identify a Vulnerability as Fixed for more details.

What happens when there are multiple fix versions for the same vulnerability?

If there are multiple fixed package versions, Lacework selects only one fixed version to assess against each installed version because there is one fixed version out of many that is the most appropriate for comparison.

By default, Lacework displays the longest version prefix match (for example, v2.* installed versions are compared against v2.* instead of v1.*). If no major version matches, Lacework selects the highest fixed version. See Multiple Fixed Parallel Package Versions for more details.

How often does Lacework update their CVE database?

The Lacework platform ingests new CVEs daily from OS vendors and the NIST National Vulnerability Database (NVD).

How does Lacework handle inactive kernel packages on hosts?

Vulnerabilities found on inactive kernel packages on hosts have exceptions automatically created for them.

  • The Lacework Console does not display vulnerability exceptions for inactive kernel packages.
  • The Lacework API does return data that displays these automated exceptions.

Does Lacework support scanning of Fat JARs?

Scanning of Fat JARs is fully supported when using Agentless Workload Scanning to assess vulnerabilities on hosts. Fat JARs are single JAR files that contain all the dependencies needed for a project or to run a service (including the service code itself). Lacework will scan all the dependent packages within the Fat JAR and report back with any vulnerabilities.

Vulnerability Assessment on Windows Hosts

Which Lacework Windows agent version is required to enable vulnerability assessment on Windows Server hosts?

Lacework Windows agent v1.7.2 or later.

Does Agentless Workload Scanning support vulnerability assessment on Windows Server hosts?

No. Agentless Workload Scanning currently does not support vulnerability assessment on Windows Server hosts. You must install the Lacework Windows agent to enable vulnerability assessment.

Which Windows OS and applications are supported for vulnerability assessment?

See Supported Windows Operating Systems and Applications.

Is active package detection supported on Windows Server hosts?

No. Active package detection is not supported on Windows Server hosts.