Are root privileges required for installing a Lacework agent?
- Log in as root and run the installer.
- Run the installer with sudo. Running a command with just the
sudoprefix invokes the command with root privileges.
Does the Lacework agent have any package dependencies?
Does the Lacework agent support containers/microservices?
- Agent runs as a Docker container - For more information, see Install on a Dockerized Host. For Docker containers, the Lacework agent must be run as a privileged container.
- Agent is deployed across a Kubernetes cluster as a daemonset - For more information, see Deploy Using Kubernetes.
- Processes running on the host
- Processes running in a container that make a network connection (server or client)
- All container internal servers and processes that are listening actively on certain ports
- File Integrity Monitoring (FIM) on the host
- Host vulnerability on the host
What is the impact of the Lacework agent on CPU?
How much disk size does the agent use on a machine?
How much memory does the Lacework agent consume?
You can optionally configure a limit for agent memory usage. For more information, see Usage Impact of Agent Deployment.
What is the impact of the Lacework agent on network resources?
Does the Lacework agent work in the kernel or user space?
How often does the Lacework agent collect data?
What happens to the data collected by the agent if it cannot connect to the Lacework platform?
What does the Lacework agent monitor?
- Every process that sends UDP or TCP packets over the network or receives UDP or TCP packets (client process or server process)
- Processes in all containers
- Any process that is used to log in (if the agent detects that it has network connections)
For every process that the agent monitors, it also monitors the dependent processes. These are the dependent processes:
- Parent process of the monitored process
- Process that belongs to the process group ID of the current monitored process
- Process that belongs to the session ID of the current monitored process
- Process that traces the current monitored process (if there is one)
The agent discovers the dependent processes recursively until it detects a cycle or reaches the root of the process hierarchy.
What affects retrieving vulnerability reports?
- Falling outside of the viewable timeframe
- A container registry is not integrated with Lacework
To help prevent this, consider integrating container registries with Lacework because a host running for less than 60 minutes (applicable to host vulnerability only).
How is the Linux agent updated?
Does the Lacework agent have remote access?
How can I deploy the agent?
For single host installations, you can also use the Lacework installation script or embed the Lacework agent in a base image or AMI.
You can also install from Debian-based (APT) and RPM-based (YUM and Zypper) repositories. For more information, see Linux Agent Installation Options.
Does the Lacework agent work with a proxy?
https_proxyenvironment variable. For more information about configuring a Lacework agent to use a proxy, see Required Connectivity, Proxies & Certificates.
What Linux versions are supported by the agent?
What kind of connectivity is needed by the agent?
What authentication methods are used by the Lacework agent to connect to the Lacework platform?
Is the data encrypted when in transit from the agent?
Is the data compressed by the agent?
Does the agent support the ability to add custom tags?
Why do some events not report event details in the Lacework Console?
How can I view where the agents are running in my environment and what version of the agents are running?
Can the agent capture command-line arguments from processes that generate no network activity?
If it is outside the container, even if it opens a local Unix socket, it is monitored.
If you don't want a process to be monitored, ensure that it meets the following requirements:
- Be a process that does not do network activity
- Does not open Unix sockets
- Is not inside containers
- Is not a parent (parent group/trace) of any process that is being monitored
- Is not a login process (like shell)
What is a pod?
How does Lacework calculate the monthly agent usage?
Lacework calculates the 95th percentile at the end of the month to get the total agent usage for the month. The following example demonstrates how this is calculated.
- For each hour, Lacework counts the number of unique agents that sent data to Lacework.
- At the end of the month, Lacework records 720 individual hourly agent counts for every hour in the month (assuming a 30-day month, 24 * 30=720). If the month has 31 days, the number of hourly agent counts is 24 * 31 = 744
- Lacework sorts the hourly agent counts from lowest to highest and takes the 95th percentile of the 720 hourly counts. That is, Lacework sorts the hourly agent counts in ascending order and picks the 684th hourly agent count number. 684 is the 95th percentile of 720 items. For a 31-day month, it’s the 706th position.
- The number of agents for the month is the 95th percentile number calculated above.
For example in a 30-day month, there are the following agent counts per hour, sorted in ascending order.
684. 691 <---
The 95th percentile of the monthly agent count is 691 agents and therefore, Lacework charges for 691 agents.
What type of agents are counted towards usage and licensing?
ACTIVEagents are counted towards usage and licensing. If the agent cannot send data back to backend, it's shown as
INACTIVEin the platform.