Attack Path Secrets Detection
Secrets detection is available only when agentless workload scanning (AWLS) is enabled for AWS or Google Cloud.
Lacework logs details about any secret credentials found, together with the associated file metadata. A file is identified as a secret when its contents adhere to a common format for that credential type (the format depends on the type of credential). The actual content of a secret credential is never logged.
The following table lists the types of credentials detected and example filesystem locations:
| Credential Type | Example Filesystem Locations |
|---|---|
| SSH private keys | /home/ec2-user/.ssh/id_rsa |
| AWS Access Key IDs (only if a secret key is associated) | /home/ec2-user/.aws/credentials, /root/.aws/credentials |
| Google Cloud Service Account and User Credentials files | /etc/keys.json, /home/user/.config/gcloud/keys.json |
| Kubernetes user tokens and certificate private keys | /root/.kube/config, /home/user/.kube/config |
| Authorized Keys files | /home/user/.ssh/authorized_keys, /root/.ssh/authorized_keys |
| Authentication log | /var/log/auth.log |
Note: Although authorized_keys and auth.log files are not secrets themselves, their data is combined with the detection of SSH private keys to determine whether a detected key is authorized on a host, or has been used to log in to one.