Running lacework cli command to scan package manifests is creating empty output file #491

Closed · lorelei-rupp-imprivata opened this issue Jul 26, 2021 · 7 comments · Fixed by #498
Assignees: afiune
Labels: bug (Something isn't working), cli (Something related to the Lacework CLI)

Comments

lorelei-rupp-imprivata commented Jul 26, 2021

Following this doc https://www.lacework.com/blog/running-with-packer/ and running

```sh
lacework vulnerability host scan-pkg-manifest --local | tee /tmp/lacework-vulnerability.out
```

leaves me with an empty out file every time with packer. Running manually returns:

```
sh-4.2$ lacework vulnerability host scan-pkg-manifest --local 2>&1 > /tmp/lacework-vulnerability.json
sh-4.2$ cat /tmp/lacework-vulnerability.json
There are no vulnerabilities found! Time for 🍕
```

I turned on debug mode with `lacework vulnerability host scan-pkg-manifest --local --debug --noninteractive | tee /tmp/lacework-vulnerability.out` and I see more output from the running of the cli, but the output file is still empty. I'm trying to understand why and what I am doing wrong.

```
amazon-ebs.eks-node-build: Starting scan
amazon-ebs.eks-node-build: {"level":"info","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:258","msg":"turning off interactive mode"}
amazon-ebs.eks-node-build: {"level":"info","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:313","msg":"switch output to json format"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/root.go:214","msg":"configuration file not found"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:133","msg":"unable to load state from config"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:349","msg":"state updated","api_key":"<sensitive>"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:354","msg":"state updated","api_secret":"<sensitive>"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/cli_state.go:359","msg":"state updated","account":"<sensitive>"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/root.go:53","msg":"updating honeyvent","dataset":"lacework-cli-prod"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:01Z","caller":"cmd/honeyvent.go:175","msg":"new honeyvent","dataset":"lacework-cli-prod","trace_id":"2155f929a76309b0","span_id":"6e10fc4718d283e9","parent_id":""}{\"name\":\"libss\",\"namespace\":\"amzn:2\"},\"CVE_PROPS\":{\"cve_batch_id\":\"2C3E1E2F758548629868B9090BEABF6C\",\"description\":\"Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-5188: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. 
1790048: CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c CVE-2019-5094: 1768555: CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.\",\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2020-1509.html\",\"metadata\":null},\"FIX_INFO\":{\"compare_result\":0,\"eval_status\":\"GOOD\",\"fix_available\":0,\"fixed_version\":\"0:1.42.9-19.amzn2\",\"fixed_version_comparison_infos\":[{\"curr_fix_ver\":\"1.42.9-19.amzn2\",\"is_curr_fix_ver_greater_than_other_fix_ver\":\"0\",\"other_fix_ver\":\"1.42.9-19.amzn2\"}],\"fixed_version_comparison_score\":0,\"max_prefix_matching_len_score\":17,\"version_installed\":\"0:1.42.9-19.amzn2\"},\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"MATCH_NO_VULN\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":1,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"glibc-minimal-langpack\",\"pkg_ver\":\"0:2.26-48.amzn2\",\"version_format\":\"rpm\"},\"VULN_ID\":\"ALAS2-2021-1599\",\"SEVERITY\":\"High\",\"FEATURE_KEY\":{\"name\":\"glibc-minimal-langpack\",\"namespace\":\"amzn:2\"},\"CVE_PROPS\":{\"cve_batch_id\":\"2C3E1E2F758548629868B9090BEABF6C\",\"description\":\"Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-25013: A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. 
The highest threat from this vulnerability is to system availability. 1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding\",\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2021-1599.html\",\"metadata\":null},\"FIX_INFO\":{\"compare_result\":-1,\"eval_status\":\"GOOD\",\"fix_available\":0,\"fixed_version\":\"0:2.26-40.amzn2\",\"fixed_version_comparison_infos\":[{\"curr_fix_ver\":\"2.26-40.amzn2\",\"is_curr_fix_ver_greater_than_other_fix_ver\":\"0\",\"other_fix_ver\":\"2.26-40.amzn2\"}],\"fixed_version_comparison_score\":0,\"max_prefix_matching_len_score\":8,\"version_installed\":\"0:2.26-48.amzn2\"},\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"MATCH_NO_VULN\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":9,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"yum-utils\",\"pkg_ver\":\"0:1.1.31-46.amzn2.0.1\",\"version_format\":\"rpm\"},\"VULN_ID\":\"ALAS2-2018-1063\",\"SEVERITY\":\"High\",\"FEATURE_KEY\":{\"name\":\"yum-utils\",\"namespace\":\"amzn:2\"},\"CVE_PROPS\":{\"cve_batch_id\":\"2C3E1E2F758548629868B9090BEABF6C\",\"description\":\"Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-10897: A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. 
1600221: CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal\",\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2018-1063.html\",\"metadata\":null},\"FIX_INFO\":{\"compare_result\":0,\"eval_status\":\"GOOD\",\"fix_available\":0,\"fixed_version\":\"0:1.1.31-46.amzn2.0.1\",\"fixed_version_comparison_infos\":[{\"curr_fix_ver\":\"1.1.31-46.amzn2.0.1\",\"is_curr_fix_ver_greater_than_other_fix_ver\":\"0\",\"other_fix_ver\":\"1.1.31-46.amzn2.0.1\"}],\"fixed_version_comparison_score\":0,\"max_prefix_matching_len_score\":21,\"version_installed\":\"0:1.1.31-46.amzn2.0.1\"},\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"MATCH_NO_VULN\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":1,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"jq\",\"pkg_ver\":\"0:1.5-1.amzn2.0.2\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"irqbalance\",\"pkg_ver\":\"2:1.7.0-4.amzn2.0.1\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"xfsprogs\",\"pkg_ver\":\"0:4.5.0-18.amzn2.0.1\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"python-chardet\",\"pkg_ver\":\"0:2.2.1-1.amzn2\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"libstdc++\",\"pkg_ver\":\"0:7.3.1-13.amzn2\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 05:13:03 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}}],\"ok\":true,\"message\":\"SUCCESS\"}"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T12:13:08Z","caller":"cmd/cli_state.go:294","msg":"skipping spinner","noninteractive":true,"action":"stop_progress"}
```

afiune self-assigned this Jul 26, 2021
afiune added the cli (Something related to the Lacework CLI) label Jul 26, 2021

lorelei-rupp-imprivata (Author) commented:

Actually, it looks like this may work:

```sh
lacework vulnerability host scan-pkg-manifest --local --debug --noninteractive 2>&1 | sudo tee /tmp/lacework-vulnerability.json
```

You may need to update your documentation here https://www.lacework.com/blog/running-with-packer/

afiune (Contributor) commented Jul 26, 2021

@lorelei-rupp-imprivata Thank you so much for your feedback! 🎉 - Let me look at the blog post and
come back to you. 🙌🏽

lorelei-rupp-imprivata (Author) commented:

Yeah, at least suggest things to look at if you are using packer, etc., because I spent a lot of time trying to figure out why I had an empty file.

lorelei-rupp-imprivata (Author) commented:

@afiune so interestingly, when I drop the `--debug` flag, I get back to an empty file. At the end of the debug output it also says:

```
{\"eval_algo\":\"1001\"}},{\"OS_PKG_INFO\":{\"namespace\":\"amzn:2\",\"os\":\"amzn\",\"os_ver\":\"2\",\"pkg\":\"awscli\",\"pkg_ver\":\"0:1.18.147-1.amzn2.0.1\",\"version_format\":\"rpm\"},\"VULN_ID\":null,\"SEVERITY\":null,\"FEATURE_KEY\":null,\"CVE_PROPS\":null,\"FIX_INFO\":null,\"SUMMARY\":{\"eval_created_time\":\"Mon, 26 Jul 2021 08:29:33 -0700\",\"eval_status\":\"NO_MATCH\",\"num_fixable_vuln\":0,\"num_fixable_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0},\"num_total\":0,\"num_vuln\":0,\"num_vuln_by_severity\":{\"1\":0,\"2\":0,\"3\":0,\"4\":0,\"5\":0}},\"PROPS\":{\"eval_algo\":\"1001\"}}],\"ok\":true,\"message\":\"SUCCESS\"}"}
amazon-ebs.eks-node-build: {"level":"debug","ts":"2021-07-26T15:29:39Z","caller":"cmd/cli_state.go:294","msg":"skipping spinner","noninteractive":true,"action":"stop_progress"}
```

So while debug listed many CVE printouts, dropping debug appears to say there are no issues? I am very confused.

lorelei-rupp-imprivata (Author) commented:

Does the cli, when there are no vulnerabilities, not output empty JSON or anything to that effect?

afiune (Contributor) commented Jul 26, 2021

@lorelei-rupp-imprivata If I understand correctly, when you run the scan-pkg-manifest command it is returning:

```
There are no vulnerabilities found! Time for 🍕
```

This is correct and indicates that your packer image doesn't have any vulnerability, though, I see your point where, if you pass the `--json` flag you would expect a valid JSON response, and I think that right now it is just an empty file.

To further troubleshoot I will need the package-manifest you are sending to Lacework, you can generate it with the command:

```sh
lacework vuln host generate-pkg-manifest
```

Could you please send it to me via Email at afiune@lacework.net?

NOTE: Run that command from within the packer image 👆🏽

lorelei-rupp-imprivata (Author) commented:

When I run the cli manually on the box myself I see the `There are no vulnerabilities found! Time for 🍕` message.
When it runs with packer without `--json`, it returns an empty file; with `--json`, an empty file. I do not see this no-vulnerabilities message when running in the packer build.

Will generate and send, thanks! I am just confused whether I am supposed to see an empty file or whether I should see this message when there are no issues.
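The thread above mixes two separate problems: where `2>&1` sits relative to `| tee` decides whether the CLI's progress chatter lands in the file, and a scanner that prints nothing on stdout for a clean host leaves the file empty no matter how the redirection is arranged. The following POSIX sh script is an added example, not part of this issue and not Lacework's code. It uses a constructed stand-in scanner (`fake_scan`) that writes progress to stderr and either a JSON document, a human-readable message or nothing to stdout; `lines_captured` shows what each redirection order puts in the file, and `scan_to_file` is a build-step wrapper that keeps stdout and stderr apart and fails when the result is empty or not JSON. All three function names are hypothetical and the real `lacework` binary is never invoked.

```shell
#!/bin/sh
# Added example: stand-in scanner plus a wrapper that surfaces empty output
# in a build step. Not the Lacework CLI; fake_scan, lines_captured and
# scan_to_file are names chosen for this example.

# Constructed stand-in for `lacework vulnerability host scan-pkg-manifest`.
# Progress goes to stderr (as the CLI's debug log does); the result goes to
# stdout. Modes: json (valid JSON), text (the "no vulnerabilities" message),
# empty (nothing on stdout, the behaviour reported in this issue).
fake_scan() {
  mode="${1:-json}"
  echo "Starting scan" >&2
  case "$mode" in
    json)  printf '{"data":[],"ok":true,"message":"SUCCESS"}\n' ;;
    text)  printf 'There are no vulnerabilities found! Time for pizza\n' ;;
    empty) ;;
  esac
}

# Echoes how many lines end up in the output file for a given redirection
# style ($1) and scanner mode ($2). Only the stream that is attached to the
# file (or to the pipe feeding tee) is captured; the rest is discarded here.
lines_captured() {
  f=$(mktemp)
  case "$1" in
    stdout_only) fake_scan "$2" >"$f" 2>/dev/null ;;            # cmd >file
    both)        fake_scan "$2" >"$f" 2>&1 ;;                   # cmd >file 2>&1
    tee_both)    fake_scan "$2" 2>&1 | tee "$f" >/dev/null ;;   # cmd 2>&1 | tee file
    tee_stdout)  fake_scan "$2" 2>/dev/null | tee "$f" >/dev/null ;; # cmd | tee file
  esac
  wc -l <"$f" | tr -d ' '
  rm -f "$f"
}

# Build-step wrapper: stdout (the result) goes to $1, stderr (progress) to
# $1.log so log chatter can never corrupt the JSON. Returns 1 when the result
# file is empty, 2 when its first non-blank byte is not '{' or '[', else 0.
scan_to_file() {
  out="$1"; mode="$2"
  fake_scan "$mode" >"$out" 2>"$out.log"
  if [ ! -s "$out" ]; then
    echo "scan wrote no output to $out; see $out.log" >&2
    return 1
  fi
  first=$(sed -n '1s/^[[:space:]]*//p' "$out" | cut -c1)
  case "$first" in
    '{'|'[') return 0 ;;
    *) echo "output in $out is not JSON (starts with '$first')" >&2; return 2 ;;
  esac
}
```

Source the file and call `scan_to_file /tmp/lacework-vulnerability.json json` (or `text`, `empty`) to see each outcome; a non-zero return is what a packer provisioner should propagate so that a silent, empty scan result fails the image build instead of being archived as if it were a clean report.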
