Sandfly is an agentless intrusion detection system for Linux. The key feature of the product is that you do not need to load anything on the Linux hosts you want protected. This makes Sandfly extremely fast to deploy, even across a large number of Linux systems.
Being agentless also makes Sandfly very low impact and unlikely to cause instability on your systems, unlike agent-based products that require tight integration with the kernel to run. You can upgrade your systems without fear that patches and new packages will cause Sandfly to fail.
Sandfly 2.0 needs nothing loaded on the remote endpoint to offer attack detection. In order for Sandfly to protect your hosts, they only need the following:
- SSH access.
- A system account with sudo or root level access.
SSH is a standard utility on virtually all Linux systems. An account with elevated privileges is required so that Sandfly can access system areas to hunt for intruders. This account can be a normal user with sudo rights; it does not need to be the root user's login credentials.
Sandfly can run on all modern and many older Linux distributions. The Sandfly forensic engine modules are statically built and require nothing on the remote system to run other than the system account above. Sandfly can also run on multiple Linux architectures, such as:
- Intel/AMD 64 Bit
- Intel/AMD 32 Bit
Sandfly will determine the architecture of the remote system and automatically run the correct modules. If your architecture is not supported, this will be reported during operation. If you happen to have an unsupported architecture, contact Sandfly and we will help you get your system covered.
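Before pointing an agentless scanner at a fleet, it helps to confirm the two prerequisites above (SSH access and a sudo-capable account) and the CPU architecture per host. The following pre-flight script is an added example, not Sandfly's own tooling; it assumes key-based SSH login for a dedicated scan account (the name "sandfly" is hypothetical) whose sudoers entry grants NOPASSWD access, and maps the `uname -m` spellings to the two architectures listed above.

```shell
#!/bin/sh
# Added example (not Sandfly's own code): pre-flight check that a host meets
# the page's two prerequisites (SSH reachability, non-interactive sudo) and
# reports its CPU architecture. Assumes key-based SSH login and a NOPASSWD
# sudoers entry for the scan account; "sandfly" is a hypothetical account name.

SCAN_USER="${SCAN_USER:-sandfly}"

# Architectures the page lists as supported; uname -m spellings are assumed.
arch_supported() {
    case "$1" in
        x86_64|amd64)        return 0 ;;   # Intel/AMD 64-bit
        i386|i486|i586|i686) return 0 ;;   # Intel/AMD 32-bit
        *)                   return 1 ;;
    esac
}

# Run one command on a host over SSH non-interactively: BatchMode refuses
# password prompts and ConnectTimeout makes a dead host fail fast.
remote() {
    host="$1"; shift
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$SCAN_USER@$host" "$@"
}

# Check one host. Prints "<host> OK <arch>" or "<host> FAIL <reason>" and
# returns non-zero on failure so callers can count problem hosts.
check_host() {
    host="$1"
    if ! remote "$host" true >/dev/null 2>&1; then
        echo "$host FAIL ssh"; return 1
    fi
    # sudo -n never prompts; it fails if a password would be required.
    if ! remote "$host" sudo -n true >/dev/null 2>&1; then
        echo "$host FAIL sudo"; return 1
    fi
    arch=$(remote "$host" uname -m 2>/dev/null)
    if arch_supported "$arch"; then
        echo "$host OK $arch"
    else
        echo "$host FAIL unsupported-arch:$arch"; return 1
    fi
}

# Usage: SCAN_USER=sandfly ./preflight.sh host1 host2 ...
for h in "$@"; do check_host "$h" || true; done
```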
Failed Sandflies Do Not Impact Remote Hosts
Errors from Sandfly investigations are not fatal and do not impact the remote host. They simply report the error back, and no other intervention is needed.