What is the maximum file size that we can scan?
By default, it is 16 KB. You can set the maximum file size by using the flag "Max_secret_scan_size".
Is the file locked or unavailable for other applications during the scan?
Yes, on Windows, the file will be locked for a brief duration while its contents are loaded into memory. On Linux and macOS, the file will not be locked.
As part of secret scanning, what do we check for?
Public / Private keys - the scan looks for patterns that match common public and private key formats.
Does the sensor scan one file after another?
Yes, the sensor crawls the whole disk and scans files one after another.
How much CPU will this scan consume?
The maximum CPU usage is 5%, but it can be configured to any value above 1%. The CPU limit is set using the flag disk_scan_cpu_percent.
Do we also scan encrypted files?
No.
Do we scan running log files?
If a log file is below the scan size at the time of scanning, it will be scanned once during the scan iteration. Changes made to log files can be monitored via FIM, but we do not look for secrets in content being added to log files.
When we are scanning all the paths for secrets, what exactly is the significance of additional scan mount types? (example: ext4)
Normally, when looking for secrets, we give the choice of scanning the disk mounted as the root partition or other disks mounted as NFS, docker layover, etc. filesystems.
If the asset goes offline in between, will it scan again from where it left off after it comes back online?
Yes, it starts in the same folder where it left off.
What happens if the file is deleted during the scan?
If the file is deleted before its contents are read into memory, it will not be scanned.
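
The size limit, one-file-at-a-time crawl and deleted-file behavior described in the answers above, sketched as an added Python example. It is not the sensor's code: the key-format patterns, the reading of 16 KB as 16 * 1024 bytes, and all function names are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

MAX_SCAN_SIZE = 16 * 1024  # assumption: the 16 KB default expressed in bytes

# Assumed patterns for common key formats; not the sensor's actual rules.
KEY_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "public_key": re.compile(rb"-----BEGIN (?:RSA )?PUBLIC KEY-----|^ssh-(?:rsa|ed25519) AAAA", re.M),
}

def scan_file(path, max_size=MAX_SCAN_SIZE):
    """Return (status, matched pattern names) for one file."""
    try:
        if os.path.getsize(path) > max_size:
            return "skipped_too_large", []
        with open(path, "rb") as fh:
            data = fh.read(max_size + 1)  # bounded read: a live log may grow
    except FileNotFoundError:
        return "skipped_deleted", []  # removed before its contents were read
    except OSError:
        return "skipped_unreadable", []
    if len(data) > max_size:
        return "skipped_too_large", []
    return "scanned", sorted(n for n, rx in KEY_PATTERNS.items() if rx.search(data))

def crawl(root, max_size=MAX_SCAN_SIZE):
    """Walk root and scan files one after another; {relative path: result}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = scan_file(full, max_size)
    return results

def demo():
    samples = {  # constructed sample contents, no real key material
        "id_test": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
        "notes.txt": b"nothing secret here\n",
        "app.log": b"x" * (MAX_SCAN_SIZE + 1),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        results = crawl(root)
        results["gone"] = scan_file(os.path.join(root, "gone"))  # never created
    return results
```

Calling demo() returns one result per sample file: the key file is reported, the oversized log is skipped, and the missing path is skipped rather than raising an error.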