Create vulnerability exceptions to control and customize your alert profile for hosts and containers, such as for a particular vulnerability in a container registry or a known package on a specific host. Customize your exceptions by defining the resource scope, vulnerability criteria, and context for each exception.
There is a variety of use cases for vulnerability exceptions and the following sections describe each one.
Some vulnerabilities may never apply to a given host or container. For example, it is common to have multiple versions of the Linux kernel and kernel headers. Only the version currently running matters, other versions can be ignored.
You might agree to “accept” the risk of a given vulnerability for a specific system if that particular software version is necessary for business reasons and it is simply too difficult to upgrade. Typically this risk is signed-off on by management.
You may have additional controls in place for sensitive systems that Lacework doesn’t know about. For example: a locked down jump box with 2FA enabled through a UEM product, a web server behind a well-configured WAF, general network firewall, or other vulnerability shielding implementation.
A patch may be available for a particular vulnerability, and you are waiting for a maintenance window to apply it. Using a temporary exception can halt any unrequired alerts until after the patch is applied.