Up and Running with the Lacework CLI

In this edition of Up and Running with Lacework, we get you going with the Lacework Command Line Interface (CLI).

To put it succinctly, the data that resides within each customer account in the Lacework platform is immense. Luckily, the engine behind the platform makes sense of all of that data and organizes it for our customers so they easily can zero in on the most critical security concerns.

While the UI provides a ton of capabilities to run reports, dive into events, and do deep investigations around incidents, sometimes you need access to all of that data outside of the UI, for automation or to reduce context switching in a workflow. Enter the Lacework Command Line Interface (CLI).

In this post, I’ll introduce you to the CLI, then walk you through installation and configuration, and show off some of the most common use cases, including:

  • Event inspection
  • Vulnerability assessments for containers and hosts
  • Cloud configuration compliance assessments

The Lacework CLI

The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers for various platforms with the intended purpose of integrating with CI/CD automation pipelines.

Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.

Installation

Installing the latest version of the CLI is a simple one-liner from a terminal (zsh, bash, PowerShell, cmd), or if you are on macOS you can also use Homebrew.

Linux and macOS (shell):

  curl https://raw.githubusercontent.com/lacework/go-sdk/master/cli/install.sh | bash

PowerShell (Windows):

  Set-ExecutionPolicy Bypass -Scope Process -Force
  iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))

Homebrew (macOS):

  brew install lacework/tap/lacework-cli

Validation

  $ lacework version
  lacework v0.2.22 (sha:65acb3d4d4eadef5b166e0adaa3e6c9fb1fb5652) (time:20210310203210)

Note: The lacework version command also checks whether a newer version is available and prompts you to update if one is.

Configuration

With the CLI installed, the next step is to configure it for your Lacework account, and for that we are going to need an API key.

Create Lacework API Key

[Animated GIF of the Lacework console showing how to generate an API key]

  1. Log in to the Lacework Console.
  2. Click Settings -> API Keys.
  3. Click CREATE NEW API KEY.
  4. Give the API key a Name and optional Description.
  5. Click SAVE.
  6. Click DOWNLOAD to save the API key file locally.

The downloaded API key file contains a keyId, secret, subAccount, and account. Treat the file like any other credential: the secret grants API access to your account.

  {
    "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
    "secret": "_abc1234e243a645bcf173ef55b837c19",
    "subAccount": "my-sub-account",
    "account": "my-account.lacework.net"
  }

The lacework configure command is the fastest way to set up your Lacework CLI installation. The following command reads the downloaded JSON file and sets up a default configuration for the CLI:

  lacework configure -j /path/to/API_KEY.json

Once configured, run the following command to validate that the CLI can authenticate with your account:

  lacework int list

Multiple Profiles

The Lacework CLI can be configured with multiple profiles if you are managing multiple accounts within the platform. To set that up, generate an API key for each account you want access to, download the key files, then run the following command for each account:

  lacework configure --profile my-profile-name -j /path/to/API_KEY.json

After configuring the CLI with multiple profiles, you can run commands against any of your configured accounts with the --profile flag:

  lacework int list --profile my-profile-name

At this point we have enough to move on to the next section. For more information on configuring the Lacework CLI, including ENVIRONMENT VARIABLES, visit the documentation here.
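Because the key file carries a secret, it is worth checking it and locking down its permissions before feeding it to lacework configure. The script below is an added example, not code from the Lacework project: it assumes the key file layout shown above (keyId, secret, subAccount, account) and the lacework configure --profile NAME -j FILE and lacework int list --profile NAME commands from this post; the key values in sample_key_file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Lacework project: check a downloaded API key
# file and lock down its permissions before handing it to `lacework configure`.
# Assumes the key file layout shown in the post (keyId, secret, subAccount,
# account) and the `lacework configure --profile NAME -j FILE` and
# `lacework int list --profile NAME` commands. Key values below are constructed.
set -e

# Return 0 if FILE is a regular file that names all four expected keys,
# otherwise report what is missing and return 1. Uses grep instead of a JSON
# parser so it works wherever a POSIX shell does.
check_api_key_file() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    for key in keyId secret subAccount account; do
        grep -q "\"$key\"[[:space:]]*:" "$file" || {
            echo "$file: missing \"$key\"" >&2
            return 1
        }
    done
    return 0
}

# The secret in the file grants API access to your account: make the file
# owner-only and print the resulting mode so a caller can verify it.
lock_down_key_file() {
    chmod 600 "$1"
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"   # GNU stat, then BSD/macOS
}

# Configure one named profile from a key file, then prove it can authenticate
# (the post uses `lacework int list` as the authentication check).
configure_profile() {
    profile=$1; file=$2
    check_api_key_file "$file"
    lock_down_key_file "$file" >/dev/null
    lacework configure --profile "$profile" -j "$file"
    lacework int list --profile "$profile" >/dev/null
    echo "profile '$profile' configured and authenticated"
}

# Write a constructed key file (same shape as the download) and print its path,
# so the checks above can be exercised without a real account.
sample_key_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{
  "keyId": "ACCOUNT_EXAMPLE000000000000000000000000000000000000",
  "secret": "_constructedsecret00000000000000",
  "subAccount": "my-sub-account",
  "account": "my-account.lacework.net"
}
EOF
    echo "$f"
}

# Usage: sh configure.sh PROFILE /path/to/API_KEY.json
if [ $# -eq 2 ]; then
    configure_profile "$1" "$2"
fi
```

Run it once per account with a different profile name each time; a key file that is missing a field is rejected before the CLI ever sees it, and the file ends up readable only by you.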

Event Insights

One of the most important day-to-day activities for users of the platform is understanding the WHO, WHAT, WHERE, WHEN, and HOW data contained in Lacework events. You can configure many kinds of Alert Channels in the platform to receive events, including PagerDuty, Slack, email, and more. Additionally, you can pull events directly from your accounts via the Lacework CLI, filter them by severity, get detailed information, and open events directly from the CLI in the UI for further investigation.

Listing Events

The first command to familiarize yourself with is simply listing events:

  lacework events list

If you want to filter your results by severity, or by a specific number of days, you can do so with the --severity and --days flags. Note that the --severity flag is a threshold: it returns events at the given severity level and above.

The following example will list all of the high and critical events in your environment for the past 3 days:

  lacework events list --severity high --days 3

Showing Event Details

If you need to dig into an event for further triage, you can use the lacework event show command:

  lacework event show <event_id>

At the bottom of the output of the previous command there is a link to the event in the Lacework console. Should the need arise to do a deep investigation, you can click that link to launch the event in your default browser. You can also open any event using its event ID with the lacework event open command:

  lacework event open <event_id>

PRO TIP: All of the references above used the default human-readable output from the commands executed, but all CLI commands also support returning JSON format by passing the --json flag.
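Putting the --profile and --json flags together gives a simple daily sweep: query every configured account for high-and-above events and save each answer as JSON for triage. The script below is an added example, not code from the Lacework project. It assumes the CLI stores profiles as named [sections] in a TOML file (the default path ~/.lacework.toml and the key names in the constructed sample are assumptions), and uses the lacework events list --severity --days --profile --json form from this post.

```shell
#!/bin/sh
# Added example, not code from the Lacework project: pull high-and-above events
# for the last N days from every configured profile and save each result as JSON
# for later triage. Assumes the CLI keeps profiles as named [sections] in a
# TOML file (default ~/.lacework.toml); the sample config below is constructed.
set -e

# Print one profile name per line from a Lacework CLI config file: each profile
# is a TOML table header such as [default] or [prod].
list_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# Build the per-profile output path for one day's sweep.
report_path() {
    outdir=$1; profile=$2; day=$3
    printf '%s/%s/%s.json\n' "$outdir" "$day" "$profile"
}

# Run the events query from the post against every profile, writing JSON
# (all CLI commands accept --json) to OUTDIR/YYYY-MM-DD/PROFILE.json.
# A failing profile is reported but does not stop the sweep.
sweep_events() {
    config=$1; outdir=$2; severity=${3:-high}; days=${4:-1}
    day=$(date +%F)
    mkdir -p "$outdir/$day"
    failed=0
    for p in $(list_profiles "$config"); do
        out=$(report_path "$outdir" "$p" "$day")
        if lacework events list --severity "$severity" --days "$days" \
                --profile "$p" --json > "$out"; then
            echo "wrote $out"
        else
            echo "profile $p: query failed" >&2
            failed=1
        fi
    done
    return $failed
}

# Write a constructed config file and print its path, so list_profiles can be
# exercised without a real CLI installation. Key names are assumed.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample of ~/.lacework.toml
[default]
account = "my-account"
api_key = "ACCOUNT_EXAMPLE0000"
api_secret = "_example0000"

[prod]
account = "prod-account"
api_key = "ACCOUNT_EXAMPLE1111"
api_secret = "_example1111"
EOF
    echo "$f"
}

# Usage: sh sweep.sh ~/.lacework.toml ./reports high 3
if [ $# -ge 2 ]; then
    sweep_events "$@"
fi
```

The sweep's exit status is non-zero if any profile failed, so a scheduler can flag a run that silently skipped an account; the JSON files are what you would hand to a ticketing or SIEM integration.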

Container Vulnerability Assessments

With the speed at which most companies are shipping containerized services, teams responsible for vulnerability remediation can quickly become overwhelmed. The challenge that we have alluded to in other blog posts is that vulnerability and vulnerable are NOT the same thing. Understanding the risk behind a vulnerability is extremely important. Lacework’s container vulnerability capability stitches together information on vulnerabilities at build time, as well as providing continuous assessments of what vulnerabilities are actively running in your environment.

Before diving into container vulnerability assessments, it is important to note that you should already have integrated a container registry into your Lacework account. You can find more information on integrating container registries here. Once integrated, Lacework will run continuous assessments on the images found in the registry. You can also trigger on-demand scans as part of a continuous integration (CI) pipeline, as we covered in Up and Running with Lacework and Jenkins.

Show Assessments

When diving into vulnerabilities in your environment, you’ll first want to get an understanding of the current container vulnerability assessments available. Run the following command:

  lacework vulnerability container list-assessments

This will list all of the assessments available from the past 7 days. We can filter those results down to vulnerabilities that are active within your environment, as well as vulnerabilities that have fixes available:

  lacework vulnerability container list-assessments --active --fixable

As a developer you may only care about the specific repositories that you are responsible for. You can also show assessments for specific repositories with the following command:

  lacework vulnerability container list-assessments --repository <my_repo>

PRO TIP: If you’re like us, you’ve got no time for typing long commands! Most sub-commands have aliases. Here are the three commands from above with shortened aliases:

  lacework vul ctr ls
  lacework vul ctr ls --active --fixable
  lacework vul ctr ls -r <my_repo>

Be sure to check out the help message by passing the --help flag for a list of all aliases. You can find the complete documentation for Lacework CLI container assessments here.

For more information on how you can use the Lacework CLI to test your containers at build time visit our support docs here.

Host Vulnerability Assessments

Lacework recently announced the release of our new Active Host Vulnerability Monitoring capability which provides Lacework customers with high-fidelity insights into vulnerabilities residing on the hosts within their environments. The Lacework CLI has the lacework vulnerability host sub-command to access all of that data.

Listing Assessments

Just like the container vulnerability assessment example, the first thing you’ll want to do is list all the CVEs found within your environment:

  lacework vulnerability host list-cves

The output from this command can return mountains of data, so it is helpful to zero in on what to prioritize. You can also filter on which CVEs are active and fixable within your environment:

  lacework vulnerability host list-cves --active --fixable

The output from the previous command shows all of the CVEs that are active and have fixes, but sometimes you need to zero in on a specific CVE and get an understanding of which hosts have that CVE. You can do so with the following command:

  lacework vulnerability host list-hosts <cve_id>

If you are responsible for a specific host, you can also get an assessment of that host with the following command:

  lacework vulnerability host show-assessment <machine_id>

If you need more details, you can pass the --details flag to get more information about each CVE:

  lacework vulnerability host show-assessment <machine_id> --details

Additionally, you can pass the --fixable flag to filter on CVEs that have fixes:

  lacework vulnerability host show-assessment <machine_id> --fixable

The lacework vulnerability host command also has a scan-pkg-manifest sub-command for scanning a manifest.json file containing the packages installed on a host. This is particularly useful when building base image pipelines with tools such as HashiCorp’s Packer. We cover this in Up and Running with Lacework and HashiCorp Packer.

For more information on the host vulnerability assessments with the Lacework CLI visit the documentation here.
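The list-hosts and show-assessment commands above combine naturally into a small per-CVE triage helper. The script below is an added example, not code from the Lacework project: it validates the CVE identifier before it reaches the command line, runs lacework vulnerability host list-hosts for it, and then pulls the fixable findings for each machine ID in a caller-supplied list. The one-ID-per-line machine file is this script's own convention, and the IDs and CVE number in its sample and tests are constructed for the format check, not references to particular findings.

```shell
#!/bin/sh
# Added example, not code from the Lacework project: triage helper for one CVE.
# Validates the identifier, lists the hosts Lacework reports for it, then shows
# the fixable findings for each machine ID in a caller-supplied file. Assumes the
# `lacework vulnerability host list-hosts` and `show-assessment --fixable
# --details` commands from the post; the machine-ID file format is our own.
set -e

# Return 0 when ID looks like a CVE identifier (CVE-YYYY-NNNN, four or more
# sequence digits), 1 otherwise. Rejecting malformed input early keeps typos
# and stray shell text from being passed through to the CLI.
is_cve_id() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Read machine IDs from FILE, one per line, skipping blank lines and # comments.
read_machine_ids() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Which hosts carry this CVE, then the fixable findings for each listed machine.
triage_cve() {
    cve=$1; id_file=$2
    is_cve_id "$cve" || { echo "not a CVE id: $cve" >&2; return 2; }
    lacework vulnerability host list-hosts "$cve"
    for m in $(read_machine_ids "$id_file"); do
        echo "== fixable findings on machine $m =="
        lacework vulnerability host show-assessment "$m" --fixable --details
    done
}

# Constructed machine-ID list so read_machine_ids can be exercised offline.
sample_id_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: machine IDs to triage
12345
67890

EOF
    echo "$f"
}

# Usage: sh triage.sh CVE-YYYY-NNNNN machines.txt
if [ $# -eq 2 ]; then
    triage_cve "$1" "$2"
fi
```

The machine-ID list is typically the output of an earlier list-hosts run that you have trimmed to the hosts you own; the helper then gives you, per host, only the findings that actually have a fix to apply.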

Compliance Assessments

The Lacework platform continuously runs configuration assessments for integrated cloud accounts for frameworks including CIS Benchmarks, NIST_800-53_Rev4, ISO_2700, HIPAA, SOC2, and others. The Lacework CLI also has the ability to both retrieve and run compliance assessments of integrated AWS, GCP, and Azure Cloud environments. To run or retrieve a compliance assessment you will need to know the account ID for the account you are interested in, or you can use the CLI to first retrieve any of your account IDs.

List Available Accounts (e.g. AWS)

The following command lists all AWS accounts integrated with Lacework:

  lacework compliance aws list-accounts

Get Latest Compliance Report for AWS Account

To get the latest compliance report for a given AWS account, use the command:

  lacework compliance aws get <account_id>

To retrieve a PCI compliance assessment as a PDF, run the following command:

  lacework compliance aws get <account_id> --pdf --type PCI

Run Compliance Assessment for AWS Account

To trigger a new compliance assessment for an AWS account, use the command:

  lacework compliance aws run <account_id>

PRO TIP: The lacework compliance command also has aliases to minimize typing:

  lacework comp aws list
  lacework comp aws get <account_id>
  lacework comp aws run <account_id>

(Other types of assessments include CIS, NIST_800-53_Rev4, ISO_2700, HIPAA, and SOC)

Conclusion

Hopefully this gives you a good idea of how to start using the Lacework CLI for day-to-day tasks, and automation workflows. If you want to dig in more you can find the complete documentation here.

The team at Lacework will continue to release new updates to the CLI, but if you find any issues or have a feature request you would like to see, feel free to open an issue on the git repository here.
