FAQs - Agentless Workload Scanning

Compatibility

Which environments are supported for agentless scanning?

See Support Matrix for Agentless Workload Scanning.

Does agentless scanning support container vulnerabilities?

Yes, any container images located on your cloud resources (such as running EC2 instances) are scanned for vulnerabilities.

This is enabled by default unless you set the Scan containers (AWS CloudFormation) / scan_containers (Terraform) option to false during the Agentless integration.

Which storage drivers for Docker are supported by agentless?

Currently, only the recommended storage driver (overlay2) is supported for Docker container images.

Does agentless scan Kubernetes persistent volumes?

No, agentless does not yet scan persistent volumes in Kubernetes, namely those volumes tagged with kubernetes.io/created-for/pv/name.

What is the maximum supported volume size for agentless scanning?

There is no limit on the volume size.

What volumes does agentless scan on a host?

Agentless scans the root volume of a host for vulnerabilities by default.

Any volumes mounted by filesystem UUID or label will also be scanned if scanning of secondary/multi volumes is enabled.

note

Mounting filesystems by UUID is generally recommended in Cloud environments because device names can be unstable after rebooting a host (for example, see AWS and GCP for guidance on mounting volumes).

Example of a UUID-mounted volume in /etc/fstab:
UUID=be8213ac-feba-43f0-8017-d598ebe1d9ba /var/data ext4 defaults 1 1

When a volume is mounted by device name, Lacework provides best-effort support for AWS volumes, and none for GCP.

Example of a device-name-mounted volume in /etc/fstab:
/dev/sdb1 /var/log xfs defaults 0 0

To enable scanning of secondary/multi volumes, see the Scan secondary volumes option for AWS CloudFormation deployments (Single Account or Organization) and scan_multi_volume option for Terraform deployments (AWS or GCP).
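Added example (not Lacework's code): a small audit script that applies the volume rules above to an /etc/fstab and reports which mounts agentless would cover. The sample fstab is constructed for this example (it reuses the UUID line shown above); the outcome labels are this example's own wording of the FAQ rules.

```python
"""Audit an /etc/fstab against the agentless volume-coverage rules above.
Added illustration, not Lacework's code; sample data is constructed."""

# Outcome labels, following the FAQ: root volume scanned by default; UUID/LABEL
# mounts scanned when secondary-volume scanning is on; device-name mounts get
# best-effort support on AWS and none on GCP.
ROOT = "root volume, scanned by default"
SECONDARY = "scanned when secondary-volume scanning is enabled"
BEST_EFFORT = "device-name mount: best-effort support on AWS"
UNSUPPORTED = "device-name mount: not supported on GCP"
IGNORED = "not a block-device entry; ignored"

# Constructed sample: a root UUID mount, a secondary UUID mount, a LABEL mount,
# a device-name mount, a comment line and a tmpfs pseudo filesystem.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0f2c1d3e-0000-4000-8000-000000000001 /            ext4  defaults 0 1
UUID=be8213ac-feba-43f0-8017-d598ebe1d9ba /var/data    ext4  defaults 1 1
LABEL=backup                              /mnt/backup  xfs   defaults 0 0
/dev/sdb1                                 /var/log     xfs   defaults 0 0
tmpfs                                     /tmp         tmpfs defaults 0 0
"""


def parse_fstab(text):
    """Yield (spec, mountpoint, fstype) for each real entry; skips comments,
    blank lines, malformed lines and swap entries."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[2] == "swap":
            continue
        yield fields[0], fields[1], fields[2]


def classify_mount(spec, mountpoint, cloud):
    """Apply the FAQ rules to one entry; cloud is 'aws' or 'gcp'."""
    if mountpoint == "/":
        return ROOT
    if spec.startswith(("UUID=", "LABEL=")):
        return SECONDARY
    if spec.startswith("/dev/"):
        return BEST_EFFORT if cloud == "aws" else UNSUPPORTED
    return IGNORED


def audit_fstab(text, cloud):
    """Map each mount point to its expected agentless coverage."""
    return {mp: classify_mount(spec, mp, cloud) for spec, mp, _ in parse_fstab(text)}


if __name__ == "__main__":
    for mp, outcome in audit_fstab(SAMPLE_FSTAB, "gcp").items():
        print(f"{mp:12} {outcome}")
```

Running it against a real host's /etc/fstab shows at a glance which data volumes would only be covered on a best-effort basis and should be switched to UUID or LABEL mounts.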

Are stopped instances scanned?

By default, agentless does not scan instances that have been stopped/terminated (see AWS and GCP documentation for instance lifecycle definitions).

To enable scanning of stopped/terminated instances, see the Scan stopped instances option for AWS CloudFormation deployments (Single Account or Organization) and scan_stopped_instances option for Terraform deployments (AWS or GCP).

Requirements

What is the minimum CPU and memory required for agentless scanning?

Agentless scanning does not require CPU and memory from your active workloads. It uses its own serverless cluster and configures its own CPU and memory limits, which are optimized for cost savings.

Integration And Configuration

Is the AWS Scanning Account also scanned when integrating an AWS Organization?

Yes, currently the AWS Scanning Account (Scanning AWS Account ID during CloudFormation integrations) is also included for Agentless Workload Scanning.

This nuance applies to Organization integrations where the list of Monitored Accounts is provided. The AWS Scanning Account is currently monitored by default, but this behavior will change in the future.

Is the GCP Scanning Project also scanned when integrating a GCP Organization?

For project integrations, the GCP Scanning Project is not included by default for Agentless Workload Scanning unless it is explicitly mentioned in the monitored projects list.

For organization integrations, the GCP Scanning Project is included but can be excluded explicitly via the filter list.

Is scanning supported for a specific type of workload?

You can specify a Lacework Query Language (LQL) query to select or filter workloads when you configure or edit your agentless workload scanning integration in the Lacework console at Settings > Integrations > Cloud accounts.

In the future, we plan to support example queries for targeting tags and other types of identifiers.

What is the default agentless scanning frequency?

The default scanning frequency is defined when configuring the Agentless Workload Scanning integration in the Lacework Console (Single Account or Organization).

Hosts and container images are assessed for vulnerabilities every 24 hours, so increasing the scanning frequency beyond that is not currently recommended.

How can I change the agentless scanning frequency?

  1. In Settings > Integrations > Cloud accounts, select your agentless scanning integration. This displays the details of the integration.
  2. Click the Edit button.
  3. Change the frequency in the Scan Frequency (hours) field.

note

More frequent scans can result in higher AWS costs for snapshotting and periodic scanning.

For AWS integrations, how are the VPC and VPC Internet Gateway used?

During scanning, the VPC allows connections to the Lacework API to send diagnostic information and check for changes to the scanning configuration, such as an updated scanning frequency or scan filter.

Connections to the Lacework API are also used to stream on-demand scanning requests made from the Lacework Console or CLI. The security group and network ACLs deny public access from the Internet through the VPC and internet gateway.

The VPC CIDR block can also be customized within CloudFormation or Terraform.

Usage and Features

How can I view the scan results?

See View Agentless Workload Scanning Results in the Lacework Console.

How do I upgrade the agentless scanning service?

Agentless scanning is a SaaS feature. As such, upgrades are automatic.

How does Lacework scan encrypted volumes?

The scanning infrastructure runs in your account, so you can securely delegate key management privileges to the role that is invoked to run the scan.

Can agentless scanning add custom tags to the snapshots it creates?

Yes, see the installation method and cloud provider specific documents for how custom tags are used.

Does agentless scanning detect active container images?

It depends. Agentless scanning attempts to detect whether your container images are active by examining the container configuration files on disk and comparing the start and finish times of the containers. If that time falls within the most recent scan period, the associated image is considered active. Note that some container runtimes do not persist a container's configuration after the container has finished, in which case the agentless scan will miss information about that image.

Lacework will detect active images on a host with high fidelity if you have an Agent installed.
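Added example (not Lacework's code) of the active-image heuristic described above: an image is treated as active when a container using it was still running at scan time, or started or finished within the most recent scan period. The record layout, the sample data and the "start or finish" reading of the rule are this example's assumptions.

```python
"""Illustration of the active-image heuristic; added example, not Lacework's
code. Record layout and sample data are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed container-config records as a runtime might persist them on disk.
# A runtime that drops the config once a container finishes leaves no record,
# which is the gap the FAQ warns about (see 'cache:3' below).
CONTAINER_CONFIGS = [
    {"image": "web:1.4",   "started": "2024-05-01T08:00:00Z", "finished": None},
    {"image": "batch:2.0", "started": "2024-05-01T09:30:00Z", "finished": "2024-05-01T09:45:00Z"},
    {"image": "migrate:7", "started": "2024-04-20T01:00:00Z", "finished": "2024-04-20T01:10:00Z"},
]
# Images present in the on-disk image store. 'cache:3' ran recently, but its
# container config was not persisted, so nothing on disk proves it active.
IMAGES_ON_DISK = {"web:1.4", "batch:2.0", "migrate:7", "cache:3"}
# Constructed scan time for the example run.
SCAN_TIME = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_images(images_on_disk, configs, scan_time, period=timedelta(hours=24)):
    """Return (active, inactive) image sets for a scan performed at scan_time."""
    window_start = scan_time - period
    active = set()
    for cfg in configs:
        started, finished = parse_ts(cfg["started"]), parse_ts(cfg["finished"])
        if finished is None and started <= scan_time:
            active.add(cfg["image"])  # still running at scan time
        elif finished is not None and (window_start <= started <= scan_time
                                       or window_start <= finished <= scan_time):
            active.add(cfg["image"])  # ran during the most recent scan period
    return active, images_on_disk - active


if __name__ == "__main__":
    active, inactive = classify_images(IMAGES_ON_DISK, CONTAINER_CONFIGS, SCAN_TIME)
    print("active:", sorted(active))
    print("inactive (or unprovable):", sorted(inactive))
```

Note that 'cache:3' lands in the inactive set purely because its record is missing, which is why an installed Agent gives higher-fidelity results than this on-disk heuristic.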

Does agentless scanning on container images detect host operating system kernel packages?

Yes, Agentless scanning currently detects vulnerabilities on host operating system kernel packages.

This differs from regular container scanning (through Platform, Proxy, or Inline Scanning), where these packages are excluded from scans.