Header Data Example

Header Data and Example

The data header is attached to all result sets. It contains data about the sandfly's execution on the remote host, such as the UID the sandfly ran as, how long it took to execute, and the general status of what happened.

The results key contains the data (if any) produced by the completed sandfly check, including the details of anything that was found.

{
    "uid": 0,
    "uid_username": "",
    "euid": 0,
    "euid_username": "",
    "pid": 0,
    "output_format": "",
    "exec_seconds": 0,
    "start_time": "",
    "end_time": "",
    "name": "",
    "status": "",
    "status_msg": "",
    "results": null
}

A full example is below.

{
    "end_time": "2019-10-30T02:23:50Z",
    "euid": 0,
    "euid_username": "root",
    "exec_seconds": 0,
    "name": "sandfly_file_suid_root_binary_in_usr_games_dir",
    "output_format": "2.3",
    "pid": 14672,
    "results": {
        "explanation": "The file '/usr/games/test_usr_games_suid_file' was found under '/usr/games/' and is SUID root. This is a suspicious location for a SUID file. It is owned by UID '0' and was created on 2018-12-18T00:05:36Z.",
        "file": {
            "blksize": 4096,
            "blocks": 96,
            "data": null,
            "date": {
                "accessed": "2019-10-29T21:56:16Z",
                "accessed_minutes": 267,
                "created": "2018-12-18T00:05:36Z",
                "created_minutes": 455178,
                "modified": "2018-12-18T00:05:36Z",
                "modified_minutes": 455178
            },
            "device": 51713,
            "entropy": 5.24,
            "extension": "",
            "flags": {
                "char_device": false,
                "device": false,
                "directory": false,
                "hidden": false,
                "immutable": false,
                "link": false,
                "named_pipe": false,
                "regular": true,
                "sgid": false,
                "sgid_root": false,
                "socket": false,
                "sticky": false,
                "suid": true,
                "suid_root": true
            },
            "gid": 0,
            "gid_name": "root",
            "hash": {
                "md5": "8107debe929a7c79383a2f4667546285",
                "sha1": "4fc6b54b40636d10fd727298892442146941417f",
                "sha256": "3baea53413fee988caf0b4f4d9e9869f44aaced545cc734cbcb30c5c82928df4",
                "sha512": "7b28217824f8079be426740cfce2539382b7181a2f9a29abe04318f2af10792a266a62582a724b615da05260714cf1ddb38d44245556ff1f6334a38420953ac7"
            },
            "inode": 590,
            "magic_num": {
                "class": "executable_linux",
                "expected_extensions": [],
                "hex": "7f454c46020101000000",
                "text": "...",
                "type": "elf"
            },
            "mode": 35264,
            "mode_string": "-rwx------",
            "name": "test_usr_games_suid_file",
            "nlink": 1,
            "path": "/usr/games/test_usr_games_suid_file",
            "path_link": "",
            "path_root": "/usr/games/",
            "rdevice": 0,
            "size": 47032,
            "size_byte_count": 47032,
            "size_mismatch": false,
            "uid": 0,
            "uid_name": "root"
        }
    },
    "start_time": "2019-10-30T02:23:50Z",
    "status": "fail",
    "status_msg": "ok",
    "uid": 0,
    "uid_username": "root"
}
