
Advanced configuration - Amazon Inspector

Advanced configuration

This section describes advanced configuration options for Inspector VM Scanner.

Configuring local outputs

Inspector VM Scanner provides the following options to configure how local outputs are written:

  • --send-results must be set to telemetry or disabled. If you pass disabled, Inspector VM Scanner proceeds without sending the SBOM.

Tip

Use --state-dir with --send-results disabled to save the SBOM locally.

  • --log-dir configures where logs are written. By default, logs are written to stdout.

  • --log-level configures the granularity of logs. By default, this is INFO.

  • --log-retention configures how many days to retain logs. If a log file older than --log-retention is found in --log-dir, it is deleted. By default, this is 7 days.

  • --debug configures debug level logging and forces a dedicated log file for the current execution (rather than trying to maintain one log file for each day).

  • --state-dir configures where SBOMs are written. By default, SBOMs are not saved.

  • --metric-dir configures where metric logs are written. By default, metric logs are not saved.

  • --cpu-profile enables the Go runtime CPU profiler and configures where the result is written.

  • --mem-profile enables the Go runtime memory profiler and configures where the result is written.

  • --config-path directs Inspector VM Scanner to derive arguments from a local configuration file. If the same argument is passed in both the CLI and configuration file, the CLI value is prioritized.

    • Inspector VM Scanner configuration files are specified in TOML, with all argument names identical to the CLI.

The following example shows a configuration file:

# Configuration file for Inspector VM Scanner
log-level = "INFO"
send-results = "telemetry"
cpu-profile = "cpuprofile"
mem-profile = "memprofile"
log-dir = "log"
state-dir = "state"
debug = false
log-retention = 7
scan-timeout = 300
[sbom]
max-scan-depth = 5
target-directory = ["~"]

Configuring resource usage

Inspector VM Scanner provides the following options to configure resource usage:

  • --scan-timeout forces the scanner to time out after a specified number of seconds. By default, the scanner does not time out.

  • --nice-priority sets the nice priority for the process (available for Unix systems). By default, this is 3.

  • --cpu-limit sets a hard cap on CPU usage (available for Linux systems using cgroups). By default, this is 65%.

  • --process-priority configures priority for the process (available for Windows systems). By default, this is the BELOW NORMAL priority.

Note

The default values for --cpu-limit and --process-priority are identical to Inspector SSM Plugin.

Configuring scan targets

Inspector VM Scanner leverages Inspector SBOM Generator for inventory collection. As a result, many of Inspector VM Scanner's scan coverage options are taken directly from SBOM Generator.

By default, Inspector VM Scanner uses SBOM Generator's localhost scanner group, as well as certificate and windows-kb scanners.

Inspector VM Scanner provides the following options to configure scan targets:

  • --max-scan-depth configures the maximum number of directories that scans traverse.

  • --target-directories configures additional directories to scan outside of defaults.

  • --override-scanners configures exact filescanners, overriding Inspector VM Scanner defaults.

  • --additional-scanners configures filescanners to use in addition to Inspector VM Scanner defaults.

You can use the following command to list all available scanners:

./inspector-vm-scanner sbom --list-scanners

Managing periodic execution

When you install Inspector VM Scanner through a package manager, the installation creates a scheduled task that executes scans automatically. You can view, modify, or disable this schedule.

Linux (systemd)

View service status and recent runs

systemctl status inspector-vm-scanner

View real-time logs

journalctl -u inspector-vm-scanner -f

View recent logs

journalctl -u inspector-vm-scanner --since "1 hour ago"

Check current timer interval

systemctl cat inspector-vm-scanner.timer

Update timer interval

To change the scan frequency, edit the timer unit file with a drop-in override. The empty OnCalendar= line clears the schedule inherited from the packaged unit before the new value is set:

# Edit the timer unit file
systemctl edit inspector-vm-scanner.timer

# Add override configuration:
[Timer]
OnCalendar=
OnCalendar=daily

# Reload and restart
systemctl daemon-reload
systemctl restart inspector-vm-scanner.timer

Enable or disable automatic execution

systemctl enable inspector-vm-scanner.timer   # Enable automatic runs
systemctl disable inspector-vm-scanner.timer  # Disable automatic runs

Windows (Task Scheduler)

View task status and last run

Get-ScheduledTask -TaskName "Inspector VM Scanner" | Get-ScheduledTaskInfo

View recent task logs

Get-ScheduledTaskInfo -TaskName "Inspector VM Scanner"

View detailed task history

schtasks /query /tn "Inspector VM Scanner" /v /fo list

View current task schedule

Get-ScheduledTask -TaskName "Inspector VM Scanner" | Select-Object -ExpandProperty Triggers

Update task schedule

To change the scan frequency:

# Modify trigger to run daily at 2 AM
$trigger = New-ScheduledTaskTrigger -Daily -At 2:00AM
Set-ScheduledTask -TaskName "Inspector VM Scanner" -Trigger $trigger

Enable or disable task

Enable-ScheduledTask -TaskName "Inspector VM Scanner"   # Enable automatic runs
Disable-ScheduledTask -TaskName "Inspector VM Scanner"  # Disable automatic runs

macOS (launchd)

View launchd task

sudo launchctl print system/com.amazon.inspector.vm-scanner

Execute single task

sudo launchctl start com.amazon.inspector.vm-scanner