Protected System Requirements

Sandfly is an agentless intrusion detection system for Linux. Its defining feature is that nothing has to be installed on the Linux hosts being protected, which makes Sandfly very fast to deploy even across a large fleet of Linux systems.

Being agentless also keeps Sandfly's impact on the host very low and makes it unlikely to cause instability, unlike agent-based products that require tight integration with the kernel. You can patch and upgrade your systems without worrying that new kernels or packages will break Sandfly. The agentless design also lets Sandfly cover an extremely wide range of Linux distributions, including some very old legacy versions.

SSH and System Account Required

For Sandfly to protect a host, the host needs only the following:

  1. SSH access.
  2. A system account with sudo or root level access.

SSH is standard on virtually all Linux systems. An account with elevated privileges is required so that Sandfly can read system areas while hunting for intruders. This can be an ordinary user account with sudo rights; Sandfly does not need the root login credentials. Because the account has root-level access on every host it is used against, protect its credentials as you would any other privileged credential.

Sandfly can run against all modern and many older Linux distributions. The Sandfly forensic engine modules are statically built and need nothing on the remote system beyond the account described above. Sandfly also supports multiple Linux architectures, including:

  • Intel/AMD 64 bit
  • Intel/AMD 32 bit
  • Arm 64/32 bit
  • MIPS
  • Etc.

Support for so many architectures means Sandfly can watch not only traditional Linux servers but also many embedded Linux and Internet of Things (IoT) devices, provided they allow SSH access.

Sandfly determines the architecture of the remote system and automatically runs the correct modules. If an architecture is not supported, this is reported when the scan runs. If you have an unsupported architecture, contact Sandfly and we will help you get the system covered.
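Before adding a batch of hosts it is worth confirming the two requirements above (SSH access and non-interactive sudo) and seeing which architecture each host reports. The script below is an added example written for this page, not part of Sandfly: it assumes the scanning account is called `sandfly`, that it authenticates with an SSH key already loaded in your agent, and that sudo for that account is passwordless. The mapping of `uname -m` strings onto the architecture families listed above is also this example's own assumption, not a list published by Sandfly; anything it does not recognise is flagged so you can raise it with Sandfly.

```shell
#!/bin/sh
# Pre-flight check for hosts about to be added to Sandfly (added example,
# not Sandfly's own tooling). For each host it verifies, over SSH, that:
#   1. key-based SSH login works non-interactively (BatchMode=yes), and
#   2. the scanning account can run sudo without a password prompt (sudo -n),
# then reports the CPU architecture from `uname -m`.
# Assumptions (not stated on the page): passwordless sudo is what the account
# will use, and the uname -m strings below are the ones that correspond to the
# architecture families listed above.

# Map `uname -m` output to an architecture family. Unrecognised values are
# reported rather than guessed so they can be confirmed with Sandfly.
classify_arch() {
    case "$1" in
        x86_64|amd64)   echo "Intel/AMD 64 bit" ;;
        i?86)           echo "Intel/AMD 32 bit" ;;
        aarch64|arm64)  echo "Arm 64 bit" ;;
        arm*)           echo "Arm 32 bit" ;;
        mips*)          echo "MIPS" ;;
        *)              echo "unknown ($1): confirm support with Sandfly" ;;
    esac
}

# Command run on the remote host: one status token for sudo, then the machine
# architecture, each on its own line so the output is trivial to parse.
remote_probe_cmd='if sudo -n true 2>/dev/null; then echo SUDO_OK; else echo SUDO_FAIL; fi; uname -m'

# Turn probe output (line 1: sudo status, line 2: uname -m) into a verdict.
# Kept separate from the SSH call so it can be exercised without a host.
parse_probe() {
    host=$1
    output=$2
    sudo_status=$(printf '%s\n' "$output" | sed -n 1p)
    arch=$(printf '%s\n' "$output" | sed -n 2p)
    if [ "$sudo_status" != "SUDO_OK" ]; then
        echo "$host: FAIL - sudo not available non-interactively (arch: $(classify_arch "$arch"))"
        return 1
    fi
    echo "$host: OK - $(classify_arch "$arch")"
}

# Connect with key authentication only (BatchMode stops a password prompt
# from hanging the loop) and run the probe.
check_host() {
    host=$1
    user=$2
    if ! output=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$user@$host" "$remote_probe_cmd" 2>/dev/null); then
        echo "$host: FAIL - SSH login as $user failed"
        return 1
    fi
    parse_probe "$host" "$output"
}

# Usage: PREFLIGHT_RUN=1 sh preflight.sh sandfly host1 host2 ...
# Exit status is non-zero if any host fails a check.
main() {
    user=$1
    shift
    rc=0
    for host in "$@"; do
        check_host "$host" "$user" || rc=1
    done
    return $rc
}

if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it from the Sandfly server or from any machine holding the scanning account's private key. A host that prints `FAIL - SSH login` has a connectivity, key or account problem; a host that prints `FAIL - sudo` logs in fine but cannot elevate without a prompt, which is the case to fix before adding it. If your deployment supplies a sudo password instead of using passwordless sudo, the `sudo -n true` probe will report FAIL on hosts that are in fact configured correctly, so adjust the probe to match how you configured the account.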

NOTE: Failed Scans Do Not Impact Remote Hosts

Errors from Sandfly investigations are not fatal and do not affect the remote host. A failed investigation simply reports the error back to Sandfly; no intervention on the host is needed.