Vulnerability Policies

Vulnerability assessment provides the ability to scan, identify, and report vulnerabilities found in the operating system software packages in hosts or Docker container images. After you install the Lacework agent on hosts or integrate a container registry in Lacework, Lacework scans the hosts or container images in the registry repositories for software packages with known vulnerabilities, and reports them. For information about vulnerability assessments, see Container Vulnerability Assessment Overview and Host Vulnerability Assessment Overview.

Vulnerability assessment policies are designed to help define organization-specific risk management and to notify you of critical software risk items within your monitored infrastructure. These policies apply to hosts and containers only and cannot be modified to apply to processes, users, etc.

The following table specifies the default vulnerability policies.

Info

A known vulnerability is one that already exists in Lacework's vulnerability (CVE) sources.

A vulnerability/CVE in Lacework is defined as: "CVE ID + Package Name + OS/Language".

For example, CVE-12345 openssl debian:8 will be different from CVE-12345 openssl ubuntu:20.04.

Host Vulnerability Default Policies

Policy ID | Alert Generated by Policy | Description
LW_VULN_102 | New Security Vulnerability | A new vulnerability (it is new to Lacework's vulnerability/CVE sources) was discovered for the first time across all monitored hosts.
LW_VULN_103 | Known Security Vulnerability | A known vulnerability was detected for a defined severity level on a monitored host. This is the first time that the vulnerability has been seen in your environment across all hosts.
LW_VULN_104 | Severity changes for Security Vulnerability | A vulnerability severity change was detected within monitored hosts.
LW_VULN_105 | A Fix available for Security Vulnerability | A software vulnerability patch status change was detected within monitored hosts.

Container Vulnerability Default Policies

Policy ID | Alert Generated by Policy | Description
LW_VULN_53 | New Security Vulnerability | A new vulnerability (it is new to Lacework's vulnerability/CVE sources) was discovered for the first time across all monitored repositories.
LW_VULN_54 | Known Security Vulnerability | A known vulnerability was detected within monitored repositories for a defined severity level. This is the first time that the vulnerability has been seen in your environment in any monitored repository. The related alert will only trigger once, when the known vulnerability is detected for the first time in one or more monitored repositories.
LW_VULN_55 | New Security Vulnerability in Repository | A known vulnerability was found within a monitored repository for the first time. The related alert will trigger once for each new repository the known vulnerability is found in.
LW_VULN_56 | Severity changes for Security Vulnerability | A vulnerability severity change was detected within monitored repositories.
LW_VULN_57 | A Fix available for Security Vulnerability | A software vulnerability patch status change was detected within monitored repositories.

First Vulnerability Detection versus First Vulnerability Detection in a Repository Alert Behavior (LW_VULN_54 and LW_VULN_55)

If a known vulnerability/CVE is introduced into an image in each of several repositories on the same day at the same time:

  • One alert for LW_VULN_54 and one or more alerts for LW_VULN_55 will be generated.
    • LW_VULN_54 will state that this is the first time the known vulnerability has been seen in your repositories, and will reference all repositories where it has been found.
    • LW_VULN_55 will state that this is the first time the known vulnerability has been seen in the repository, and will reference the specific repository it was found in. Multiple alerts for LW_VULN_55 are generated for each repository that the known vulnerability is found in.

Alternatively, if a known vulnerability is found in a single repository on day 1:

  • One alert for LW_VULN_54 and one alert for LW_VULN_55 will be generated.

If the same known vulnerability is found in a different repository on day 2:

  • One alert for LW_VULN_55 is generated.
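The following is an added illustration (not Lacework's implementation) of the first-seen behavior described above: LW_VULN_54 fires once per vulnerability, the first time it is seen in any repository, and LW_VULN_55 fires once per repository the vulnerability is new in. The vulnerability identity is the "CVE ID + Package Name + OS/Language" triple from the Info note, so the same CVE in openssl on debian:8 and on ubuntu:20.04 are tracked separately. Repository names and the day numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Vulnerability identity as the page defines it: CVE ID + package name + OS/language namespace.
VulnKey = Tuple[str, str, str]


@dataclass
class Alert:
    policy: str               # "LW_VULN_54" or "LW_VULN_55"
    vuln: VulnKey
    repos: Tuple[str, ...]    # repositories this alert references
    day: int


@dataclass
class RepoVulnTracker:
    """Illustrative model of the first-seen logic; not Lacework's own code."""
    seen_globally: Set[VulnKey] = field(default_factory=set)
    seen_in_repo: Set[Tuple[VulnKey, str]] = field(default_factory=set)

    def process_day(self, day: int, findings: List[Tuple[str, VulnKey]]) -> List[Alert]:
        """findings: (repo, vuln) pairs detected in the same scan on the given day."""
        alerts: List[Alert] = []
        # Group the scan's findings by vulnerability so LW_VULN_54 can fire once per vuln.
        by_vuln: Dict[VulnKey, List[str]] = {}
        for repo, vuln in findings:
            repos = by_vuln.setdefault(vuln, [])
            if repo not in repos:
                repos.append(repo)
        for vuln, repos in by_vuln.items():
            # Only repositories where this vulnerability has not been seen before matter.
            new_repos = [r for r in repos if (vuln, r) not in self.seen_in_repo]
            if not new_repos:
                continue
            if vuln not in self.seen_globally:
                # First time anywhere: one LW_VULN_54 referencing every repo it showed up in.
                self.seen_globally.add(vuln)
                alerts.append(Alert("LW_VULN_54", vuln, tuple(new_repos), day))
            for r in new_repos:
                # First time in this particular repo: one LW_VULN_55 per repo.
                self.seen_in_repo.add((vuln, r))
                alerts.append(Alert("LW_VULN_55", vuln, (r,), day))
        return alerts


if __name__ == "__main__":
    t = RepoVulnTracker()
    v = ("CVE-12345", "openssl", "debian:8")      # constructed sample vulnerability
    for a in t.process_day(1, [("repo-a", v), ("repo-b", v)]):
        print(a.day, a.policy, a.repos)
    for a in t.process_day(2, [("repo-c", v)]):
        print(a.day, a.policy, a.repos)
```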

Parameters for Vulnerability Policies (Prefix: LW_VULN)

You set and modify query conditions in custom vulnerability policies. The following table lists the parameters available for the conditions in vulnerability policies. For general information on editing policies, see Edit Custom Policies.

Parameter | Type | Description
CVE | String | Enter the CVE ID full name(s), such as CVE-2019-01234, CVE-2019-5678. You can specify multiple values in one line separated by a comma. Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.
CVE severity | String | Enter the CVE severity or severities, such as Critical or High. You can specify multiple values separated by a comma. The policy generates an alert for the specified severities only. The severity is derived from the CVSS rating score. Valid values are None, Low, Medium, High, and Critical.
Image active | Number | Enter 0 for false, meaning the image is not active. Enter 1 for true, meaning the image is active.
Image privileged | Number | Enter 0 for false, meaning the image is not privileged. Enter 1 for true, meaning the image is privileged.
Image repo | String | Enter the image repository, such as lacework/myrepo123. A container image repository is a collection of related container images.
Image tags | String | Enter the image tag(s). A typical tag could look like DATE_BRANCH_RANDOM_ID, such as 2019-10-10_master_db0dd95. You can specify multiple values separated by a comma. A tag is a label applied to an image so that different images or versions of the same image can be identified.
Host name | String | Enter the host name, such as myhostname.
Machine tags | String | Select existing machine tags from the drop-down menu, or enter new machine tags in the indicated format key->value.
Mid | Number | Enter the machine ID, a unique identifier from the agent, such as 1234.
Package active | Number | Enter 0 for false, meaning the package is not active. Enter 1 for true, meaning the package is active.
Package name | String | Enter the name of the software package, such as vim.
Package namespace | String | Enter the namespace associated with the package, such as ubuntu:18.04.
Package version | String | Specify the package version, such as 2.20.9-0ubuntu7.14.