Sandfly Security

Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Get Started

Protected System Requirements

Protected System Requirements

Sandfly is an agentless intrusion detection system for Linux. The key feature of the product is you do not need to load anything on the Linux hosts you want protected. This makes Sandfly extremely fast to deploy even against a large number of Linux systems you want protected.

Being agentless also makes Sandfly very low impact and is unlikely to cause any instability on your systems, unlike agent-based systems that require tight integration with the kernel to run. You can upgrade your systems without fear that patches and new packages will cause Sandfly to fail.

SSH and System Account Required

Sandfly needs nothing loaded on the remote endpoint to offer attack detection. In order for Sandfly to protect your hosts, they only need the following:

  1. SSH access.
  2. A system account with sudo or root level access.

SSH is a standard utility on virtually all Linux systems. An account with elevated privileges is required to allow Sandfly to access system areas to hunt for intruders. This account can be a normal user with sudo rights and does not need to be root user login credentials.

Sandfly can run on all modern and many older Linux distributions. The Sandfly forensic engine modules are statically built and require nothing on the remote system to run other than the system account above. Sandfly can run on multiple Linux architectures as well such as:

Intel/AMD 64 Bit
Intel/AMD 32 Bit
Arm64/32 bit

Sandfly will determine the architecture of the remote system and automatically run the correct modules. If your architecture is not supported, this will be reported during the system operation. If you happen to have an unsupported architecture, contact Sandfly and we will help you get your system covered.


Failed Scans Do Not Impact Remote Hosts

Errors from Sandfly investigations are not fatal and do not impact the remote host. They simply report back the error and no other intervention is needed.

Updated 3 months ago

Protected System Requirements

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.