
Upgrading Sandfly

You will receive announcements about new versions of Sandfly from the mailing list if you have subscribed to it. You can also check our website for announcements about new versions.

Keep Your System Updated!

We are constantly adding new sandfly investigative capabilities and features, so make sure you keep your system updated.

To update Sandfly, follow the steps below.

Step 1: Stop the Scheduler

Go into the UI and delete the scheduled tasks. This ensures no scheduled tasks kick off during the install. You will need to add these scheduled tasks back in after the upgrade.

Step 2: Make Sure All Tasks Have Completed

In the Sandfly UI, check the Dashboard and make sure the task queue is at 0. Do not stop nodes in the middle of a scan: doing so can leave orphaned files on the remote hosts. If the nodes are allowed to finish, everything is cleaned up correctly.

Step 3: Pull Latest Setup Scripts

Next, go to the sandfly-setup directory on your server and nodes and pull the latest setup scripts with the commands below:

cd ~/sandfly-setup

Then do a git pull to pull over any changes.

git pull origin

Step 4: Delete Docker Images

Once all tasks have been cleared out, we can run our scripts to stop and delete all Docker containers on the server and node instances.

Run the following commands on both the server and the node.

Server:

cd ~/sandfly-setup/setup
./clean_docker.sh

be5e5caf816b
db7a5567a8f1
b5ba80831a5d
be5e5caf816b
db7a5567a8f1
b5ba80831a5d
Untagged: sandfly/sandfly-rabbit:latest
Untagged: sandfly/sandfly-server-mgmt:latest
Untagged: sandfly/sandfly-server:latest
...

Node:

cd ~/sandfly-setup/setup
./clean_docker.sh

a8c3b80228c4
9ecc25cdaae7
0106c87dbfd3
fb25ff348c30
a8c3b80228c4
9ecc25cdaae7
0106c87dbfd3
fb25ff348c30
Untagged: sandfly/sandfly-node:latest
...

You will see a long list of container IDs scroll by, followed by the untagged image names. When you are back at the prompt, the script has completed and the Docker containers have been removed.

Step 5: Run Start Scripts Again On Server and Node

On the server and nodes you simply run the start scripts again. They will pull over the latest version of Sandfly and run it.

The "sandfly-net already exists" error is normal and informational only: the existing Docker network is reused while the core containers are updated.

On the server:

cd ~/sandfly-setup/start_scripts/
./start_elastic.sh
Error response from daemon: network with name sandfly-net already exists
Error: No such container: elasticsearch
Unable to find image 'docker.elastic.co/elasticsearch/elasticsearch:6.8.2' locally
6.8.2: Pulling from elasticsearch/elasticsearch
...

./start_rabbit.sh
Error response from daemon: network with name sandfly-net already exists
Error: No such container: sandfly-rabbit
Unable to find image 'sandfly/sandfly-rabbit:latest' locally
latest: Pulling from sandfly/sandfly-rabbit
...

./start_server.sh
Error response from daemon: network with name sandfly-net already exists
Error: No such container: sandfly-server
Unable to find image 'sandfly/sandfly-server:latest' locally
latest: Pulling from sandfly/sandfly-server
...

On the node, run the start script for a signed certificate or the one for unsigned certificates, whichever matches your setup:

SIGNED CERTIFICATE

cd ~/sandfly-setup/start_scripts/
./start_node.sh
Unable to find image 'sandfly/sandfly-node:latest' locally
latest: Pulling from sandfly/sandfly-node
...

UNSIGNED CERTIFICATE

cd ~/sandfly-setup/start_scripts/
./start_node_unsigned_cert.sh
Unable to find image 'sandfly/sandfly-node:latest' locally
latest: Pulling from sandfly/sandfly-node
...

On the node, you can run the start script multiple times to start multiple node containers, depending on your RAM and CPU capacity.

Finished

You can run docker ps on the server and node to make sure everything is running.

Server:

root@example:~/sandfly-setup/start_scripts# docker ps
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS                    NAMES
caad0e18aeef        sandfly/sandfly-server:latest                         "/usr/local/sandfly/…"   5 minutes ago       Up 5 minutes        0.0.0.0:443->8443/tcp    sandfly-server
26c9df0d5c5b        sandfly/sandfly-rabbit:latest                         "/bin/sh -c /usr/loc…"   6 minutes ago       Up 6 minutes        0.0.0.0:5673->5673/tcp   sandfly-rabbit
3393a92b1a1a        docker.elastic.co/elasticsearch/elasticsearch:6.5.3   "/usr/local/bin/dock…"   6 minutes ago       Up 6 minutes        9200/tcp, 9300/tcp       elasticsearch

Node:

root@node-example:~/sandfly-setup/start_scripts# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED              STATUS              PORTS               NAMES
2d08ee113488        sandfly/sandfly-node:latest   "/usr/local/sandfly/…"   2 seconds ago        Up 1 second                             nostalgic_villani
059f71acec24        sandfly/sandfly-node:latest   "/usr/local/sandfly/…"   3 seconds ago        Up 3 seconds                            heuristic_agnesi
bd36bbb28944        sandfly/sandfly-node:latest   "/usr/local/sandfly/…"   5 seconds ago        Up 5 seconds                            elegant_jennings
bea2bc10800e        sandfly/sandfly-node:latest   "/usr/local/sandfly/…"   About a minute ago   Up About a minute                       trusting_roentgen
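As an added example (not Sandfly's own tooling and not part of the original page), the POSIX shell functions below automate the two checks this procedure relies on: that clean_docker.sh in Step 4 left no Sandfly containers behind, and that the expected containers are Up after the start scripts have run. Rather than parsing the column layout of docker ps shown above, they read docker ps output produced with a tab-separated --format string, so the parsing does not depend on column widths. The container and image names are taken from the output on this page; the tab-separated input layout is this example's own assumption.

```shell
#!/bin/sh
# Added example, not Sandfly's own script: post-upgrade container checks.
# Each function reads lines of the form  NAME<TAB>IMAGE<TAB>STATUS  on stdin,
# i.e. the output of:
#   docker ps [-a] --format '{{.Names}}\t{{.Image}}\t{{.Status}}'
# so the logic can be exercised with constructed input and no Docker daemon.

TAB=$(printf '\t')   # literal tab, used as the awk field separator

# Step 4 check: after clean_docker.sh, no container built from a Sandfly image
# (or the Elasticsearch image the server uses) should remain, running or not.
# Feed it `docker ps -a ...`; returns 0 when nothing is left, 1 otherwise.
check_clean() {
    leftover=$(awk -F"$TAB" '$2 ~ /^sandfly\// || $2 ~ /elasticsearch/ {print $1}')
    if [ -n "$leftover" ]; then
        printf 'containers still present: %s\n' "$leftover" >&2
        return 1
    fi
    return 0
}

# Finished check (server): every core container must be present and Up.
# Feed it `docker ps ...` (running containers only).
check_server_containers() {
    ps_out=$(cat)
    missing=""
    for name in sandfly-server sandfly-rabbit elasticsearch; do
        status=$(printf '%s\n' "$ps_out" | awk -F"$TAB" -v n="$name" '$1 == n {print $3}')
        case "$status" in
            Up*) ;;                          # healthy
            *)   missing="$missing $name" ;; # absent, or present but not Up
        esac
    done
    if [ -n "$missing" ]; then
        printf 'not running:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Finished check (node): node containers get random names (nostalgic_villani
# and friends above), so count Up containers from the sandfly-node image
# instead and compare with the number of start_node*.sh runs you expect.
count_node_containers() {
    awk -F"$TAB" '$2 == "sandfly/sandfly-node:latest" && $3 ~ /^Up/ {c++} END {print c + 0}'
}

# Usage on a live host (uncomment as needed):
# docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}' | check_clean
# docker ps --format '{{.Names}}\t{{.Image}}\t{{.Status}}' | check_server_containers
# docker ps --format '{{.Names}}\t{{.Image}}\t{{.Status}}' | count_node_containers
```

Run check_clean against docker ps -a between Step 4 and Step 5 so stopped-but-not-removed containers are caught as well, and run the other two only after the start scripts have finished pulling their images.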

You can log into the UI on the server and check the Audit Log. You will see an entry near the top showing the new server version and the upgrade timestamp:

Upgrade version.

Add Your Schedules Back In

You can now add your schedules back in and Sandfly will pick up where it left off.
