To put it succinctly, the data that resides within each customer account in the Lacework platform is immense. Luckily, the engine behind the platform makes sense of all of that data and organizes it for our customers so they can easily zero in on the most critical security concerns. While the UI provides a ton of capabilities to run reports, dive into events, and do deep investigations around incidents, sometimes you need access to all of that data outside of the UI for automation or to reduce context switching in a workflow. Enter the Lacework Command Line Interface (CLI).
In this post, I’ll introduce you to the CLI then walk you through installation and some of the most common use cases including:
- Event inspection
- Container vulnerability assessments of production & registries
- Host vulnerability assessments of production & pre-Deployment images
- Cloud service configuration compliance checks
The Lacework CLI
The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers for various platforms with the intended purpose of integrating with CI/CD automation pipelines.
Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.
As mentioned, the Lacework CLI runs on Linux, macOS, and Windows. Installing the latest version of the CLI is a simple one-liner from a terminal (zsh, bash, PowerShell, cmd).
Linux and macOS
$ curl https://raw.githubusercontent.com/lacework/go-sdk/master/cli/install.sh | bash
Windows
C:\> Set-ExecutionPolicy Bypass -Scope Process -Force
C:\> iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/master/cli/install.ps1'))
$ lacework version
lacework v0.2.0 (sha:31caa8a5c0b14d651903dac3c06e77769c9efd79) (time:20200826160923)
Note: The lacework version command checks whether a new version is available and prompts you to update if one is.
With the CLI installed, we need to configure it for your Lacework account, and for that we are going to need an API key.
Create Lacework API Key
- Open a browser and login to your Lacework account
- Click on Settings -> API Keys
- Click CREATE NEW API KEY
- Give your new API Key a Name and an optional Description and then click SAVE
- Click the Download button and save the JSON file somewhere as we will need it to configure the CLI
The contents of your API key contain a “keyId” and “secret” and will look something like this…
Configure the Lacework CLI to your account
The Lacework CLI provides a configure command to make it easy to set up access to your account. Open a terminal and run the following command:
$ lacework configure -j /path/to/API_KEY.json
You will be prompted to provide your account name (this is the subdomain in the URL you use to log in, i.e. <ACCOUNT>.lacework.net), while both the Lacework API key ID and the API secret are added automatically from the JSON file.
Once finished you can run the following command to validate that you can successfully authenticate and interact with your account:
$ lacework integration list
The lacework integration list command lists the cloud accounts you have integrated into Lacework.
The configuration for the Lacework CLI is stored in a .lacework.toml file in your home directory:
$ cat ~/.lacework.toml
account = "my-account"
api_key = "MYACCOUNT_ABCDEFGHIB6ACF722C7D37542F079B23F6E45F1717A62A04B"
api_secret = "_xcdsced69b73b309d76df59a9c127f7s7f7"
The Lacework CLI can also be configured with multiple profiles if you are managing multiple accounts within the platform. For that you simply need to generate keys for each account you want access to, download the API keys, then run the following command for each account:
$ lacework configure --profile my-profile-name -j /path/to/API_KEY.json
At this point we have enough to move on to the next section. For more information on configuring the Lacework CLI, including ENVIRONMENT VARIABLES, visit the documentation here.
Event Inspection
One of the most important day-to-day activities for users of the platform is understanding the WHO, WHAT, WHERE, WHEN, and HOW data contained in Lacework events. There are many Alert Channels you can configure in the platform to receive events, including PagerDuty, Slack, email, and more. Additionally, you can pull events directly from your accounts via the Lacework CLI, filter them by severity, get detailed information, and open events directly from the CLI in the UI for further investigation.
The first command to familiarize yourself with is simply listing events:
$ lacework events list
If you want to filter your results by severity, or to a specific number of days, you can do so with the --severity and --days flags. Note that the --severity flag is a threshold: it returns events of the given severity level and above.
The following example will list all of the high and critical events in your environment for the past 3 days:
$ lacework events list --severity high --days 3
Showing Event Details
If you need to dig into an event for further triage, you can use the lacework event show command:
$ lacework event show <event_id>
At the bottom of the output of the previous command there is a link to the event in the Lacework console. Should the need arise to do a deep investigation, you can click it to launch the event in your default browser. You can also open any event by its event ID with the lacework event open command:
$ lacework event open <event_id>
PRO TIP: All of the references above used the default human-readable output from the commands executed, but all CLI commands also support returning JSON format by passing the
Container Vulnerability Assessments
With the speed at which most companies are shipping containerized services, teams responsible for vulnerability remediation can quickly become overwhelmed. The challenge that we have alluded to in other blog posts is that vulnerability and vulnerable are NOT the same thing. Understanding the risk behind a vulnerability is extremely important. Lacework’s container vulnerability capability stitches together information on vulnerabilities at build time, as well as providing continuous assessments of what vulnerabilities are actively running in your environment.
Before diving into container vulnerability assessments, it is important to note that you should already have integrated a container registry into your Lacework account. You can find more information on integrating container registries here. Once integrated, Lacework will run continuous assessments on the images found in the registry. You can also schedule on-demand scans as part of a continuous integration (CI) pipeline, as we covered in Up and Running with Lacework and Jenkins.
When diving into vulnerabilities in your environment, you’ll first want to get an understanding of current container vulnerability assessments available. Run the following command:
$ lacework vulnerability container list-assessments
This will list all of the assessments available from the past 7 days. We can filter those results down to vulnerabilities that are active within your environment, as well as vulnerabilities that have fixes available:
$ lacework vulnerability container list-assessments --active --fixable
As a developer you may only care about specific repositories that you are responsible for. You can also show assessments for specific repositories with the following command:
$ lacework vulnerability container list-assessments --repository <my_repo>
PRO TIP: If you’re like us, you’ve got no time for typing long commands! Most sub-commands have aliases. Here are the three commands from above with shortened aliases:
$ lacework vul ctr list
$ lacework vul ctr list --active --fixable
$ lacework vul ctr list --repository <my_repo>
Be sure to check out the help message by passing the --help flag for a list of all aliases. You can find the complete documentation for Lacework CLI container assessments here.
For more information on how you can use the Lacework CLI to test your containers at build time visit our support docs here.
Host Vulnerability Assessments
Lacework recently announced the release of our new Active Host Vulnerability Monitoring capability which provides Lacework customers with high-fidelity insights into vulnerabilities residing on the hosts within their environments. The Lacework CLI has the lacework vulnerability host sub-command to access all of that data.
Just like in the container vulnerability assessment example, the first thing you’ll want to do is list all the CVEs found within your environment:
$ lacework vulnerability host list-cves
The output from this command can return mountains of data, so it is helpful to zero in on what to prioritize. You can also filter on what CVEs are active and fixable within your environment:
$ lacework vulnerability host list-cves --active --fixable
The output from the previous command shows all of the CVEs that are active and have fixes, but sometimes you need to zero in on a specific CVE and get an understanding of which hosts have that CVE. You can do so with the following command:
$ lacework vulnerability host list-hosts <cve_id>
If you are responsible for a specific host, you can also get an assessment of that host with the following command:
$ lacework vulnerability host show-assessment <machine_id>
If you need more details you can pass the --details flag to get more information about each CVE, as well as filter on just vulnerabilities with fixes:
$ lacework vulnerability host show-assessment <machine_id> --details --fixable
The lacework vulnerability host command also has a scan-pkg-manifest sub-command for scanning a manifest.json file containing the packages installed on a host. This is particularly useful when building base image pipelines with tools such as Hashicorp’s Packer. We cover this in Up and Running with Lacework and Hashicorp Packer.
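As an added example (not a script from Lacework's docs or the go-sdk), the following builds a package manifest from dpkg-query output for an image-build pipeline and hands it to scan-pkg-manifest. The manifest layout (`os_pkg_info_list` with `os`, `os_ver`, `pkg`, `pkg_ver`) and the ability to pass the manifest on stdin are assumptions drawn from the go-sdk; verify them against the current `--help` output.

```shell
#!/usr/bin/env bash
# Added example: build a package manifest for `lacework vulnerability host
# scan-pkg-manifest` from dpkg-query output. The JSON layout below is an
# assumption (go-sdk PackageManifest type); check it against the current docs.
set -eu

# build_manifest OS OS_VER  (reads "<pkg>\t<ver>" lines on stdin, JSON on stdout)
build_manifest() {
  os="$1"; os_ver="$2"
  awk -v os="$os" -v osver="$os_ver" -F'\t' '
    BEGIN { printf "{\"os_pkg_info_list\":[" }
    NF >= 2 && $1 != "" {
      # dpkg package names and versions contain no quotes or backslashes,
      # so the values can be emitted without JSON escaping.
      if (n++) printf ",";
      printf "{\"os\":\"%s\",\"os_ver\":\"%s\",\"pkg\":\"%s\",\"pkg_ver\":\"%s\"}", os, osver, $1, $2
    }
    END { printf "]}\n" }'
}

# count_pkgs MANIFEST -> number of package entries; a zero here means the
# dpkg query failed and the scan would silently report nothing.
count_pkgs() {
  printf '%s' "$1" | grep -o '"pkg":' | wc -l | tr -d ' '
}

# On a real host or image build: OS details from /etc/os-release, packages from dpkg.
host_manifest() {
  . /etc/os-release
  dpkg-query -W -f='${Package}\t${Version}\n' | build_manifest "$NAME" "$VERSION_ID"
}

# Constructed sample input (not from a real host) so the script runs offline.
SAMPLE_PKGS=$(printf 'openssl\t1.1.1f-1ubuntu2\nlibc6\t2.31-0ubuntu9\nbash\t5.0-6ubuntu1\n')
MANIFEST=$(printf '%s\n' "$SAMPLE_PKGS" | build_manifest "Ubuntu" "20.04")

# Only contact the Lacework API when explicitly requested (needs a configured profile).
if [ "${LW_RUN_SCAN:-0}" = "1" ]; then
  [ "$(count_pkgs "$MANIFEST")" -gt 0 ] || { echo "empty manifest, refusing to scan" >&2; exit 1; }
  printf '%s' "$MANIFEST" | lacework vulnerability host scan-pkg-manifest
fi
```

In a Packer provisioner you would replace the constructed sample with `host_manifest` and set `LW_RUN_SCAN=1` so the build fails on an empty manifest rather than producing a clean-looking report.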
For more information on the host vulnerability assessments with the Lacework CLI visit the documentation here.
Cloud Service Configuration Compliance Checks
The Lacework platform continuously runs configuration assessments for integrated cloud accounts against frameworks including CIS Benchmarks, NIST_800-53_Rev4, ISO_2700, HIPAA, SOC2, and others. The Lacework CLI can both retrieve and run compliance assessments of integrated AWS, GCP, and Azure cloud environments. To run or retrieve a compliance assessment you will need to know the account ID of the account you are interested in, or you can use the CLI to first retrieve any of your account IDs.
Retrieve Account ID with the CLI (ex. AWS)
In the following example, we will use the CLI to retrieve an AWS account ID. First list all of the AWS cloud accounts you have integrated with Lacework:
$ lacework integration list --type AWS_CFG
Next, choose one integration, copy its GUID, and use the lacework integration show sub-command to view the integration’s details, including the account ID:
$ lacework integration show <int_guid>
Run and Retrieve Compliance Reports
To run an ad-hoc compliance assessment use the command:
$ lacework compliance aws run-assessment <account_id>
To retrieve a PCI compliance assessment as a PDF run the following command:
$ lacework compliance aws get-report <account_id> --pdf --type PCI
(Other report types include CIS, NIST_800-53_Rev4, ISO_2700, HIPAA, and SOC.)
Hopefully this gives you a good idea of how to start using the Lacework CLI for day-to-day tasks and automation workflows. If you want to dig in more, you can find the complete documentation here.
The team at Lacework will continue to release new updates to the CLI, but if you find any issues or have a feature request you would like to see, feel free to open an issue on the Git repository here.