• How to get a complete log from a Sandfly docker container?

From a shell on either a Sandfly server or node host, use the following commands:
docker ps      # To obtain the id of the target container
docker logs <CONTAINER_ID> &> /tmp/sandfly.log

  • Can I clean up inside /var/lib/docker/?

Sandfly does not provide its own method for cleaning up /var/lib/docker/ because of the risk of data deletion. However, Docker provides the command 'docker system prune' (official Docker documentation at: ) that can be used to remove unused data that has accumulated on your Sandfly server and/or nodes, including unused volumes if the '--volumes' flag is added.

WARNING: Volume pruning can delete your database, so be careful!

If the sandfly-postgres docker container is NOT running, volume pruning will delete your database! Also, if non-Sandfly docker containers are or were on a target host, this process will affect every non-running container unless filters are applied.

Before using the command, we first recommend making a backup of the data. Next, open a shell with root privileges on either a Sandfly server or node host. If pruning the server, check that the container named sandfly-postgres is running:
docker ps

CONTAINER ID   IMAGE                                  COMMAND                  CREATED        STATUS        PORTS                                                                                            NAMES
898fb4975f46   "/opt/sandfly/start_…"   2 months ago   Up 2 months>8000/tcp, :::80->8000/tcp,>8443/tcp, :::443->8443/tcp                   sandfly-server
8e1da1d71142   "/bin/sh -c /usr/loc…"   2 months ago   Up 2 months   4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp,>5673/tcp, :::5673->5673/tcp   sandfly-rabbit
49ad0760a3f6   postgres:14.2                          "docker-entrypoint.s…"   2 months ago   Up 2 months   5432/tcp                                                                                         sandfly-postgres

Finally, run the prune command, which will remove all unused containers, networks, images (both dangling and unreferenced), and optionally, volumes:

docker system prune --all     # Optionally add '--volumes' to prune volumes

Operating Systems:

  • What commands will Sandfly use on the endpoints?

When Sandfly first logs into a host, it runs several native Linux commands as the associated user to examine the system and determine what that host is. In addition, SSH starts a temporary SFTP server as part of any scan. Below is a list of those native commands; full paths are used where possible:

  • id (additionally run via sudo)
  • head
  • ls
  • pwd
  • sftp-server (run as part of the SSH connection)
  • tail
  • tr
  • uname

Outside of the native Linux commands, a Sandfly binary is pushed to a randomly named directory in the home directory of the associated user. Its default name is 'sandfly'; however, that binary name can be changed to one or more alternate names within the server's configuration. The directory name has the format <timestamp>.<random_chars>, and the entire directory is removed after the scan finishes.

  • What version of Linux will Sandfly work against?

Sandfly will work against most Linux variants including embedded versions. It works on Linux versions running Intel, AMD, Arm or MIPS CPUs without any special modifications and only requires that your Linux host runs SSH. The application has been tested against the following distributions:
  • AlmaLinux
  • Amazon Linux Images
  • Arch
  • CentOS
  • CoreOS
  • Debian
  • Digital Ocean Linux Images
  • Fedora
  • Raspberry Pi and other embedded systems
  • RedHat
  • Rocky Linux
  • Suse
  • Ubuntu

  • Can Sandfly scan Mac OS?

Mac OS uses an unrelated kernel, which started life as the Mach kernel, a university research project building on an old BSD Unix kernel, and evolved into the XNU kernel for NeXT, which Apple eventually acquired and used as the basis for Mac OS X. The command line userspace in Mac OS is also from the BSD world, not the GNU userspace of Linux.

Which is all a long way of saying that no, Sandfly cannot scan Mac OS: despite the similarities of the command line interface, behind the scenes Mac OS is an entirely different beast whose kernel does not share even a single line of code with Linux. And the way Mac OS has evolved, it is even further from how the other non-Linux commercial Unixes do things in many areas.


  • What caused a "Sandfly halted with a SIGKILL signal" error?

SIGKILL is consistent with what the Linux OOM killer uses to terminate processes. Alternatively, there could be a malicious actor on the host.

If it was the Linux OOM killer, there should be an entry in the dmesg or kernel logs, e.g. try `dmesg | grep -i 'out of memory'` and see if it mentions killing a Sandfly-associated process. Otherwise, investigate the error as a potential security incident.
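The triage rule above, as an added example that is not Sandfly's own code: parse dmesg output for the kernel's OOM-killer "Killed process" lines (both the older "Kill process N (name) score S" and the newer "Killed process N (name) total-vm:..." forms) and report whether a Sandfly-associated process was the victim. The sample dmesg lines are constructed; the binary names list assumes the default 'sandfly' plus any alternate names you have configured.

```python
import re

# Kernel OOM-killer victim line. The process name in parentheses is the kernel
# "comm" field, which is truncated to 15 characters, so matching is by prefix.
OOM_RE = re.compile(
    r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)"
)

def find_oom_kills(dmesg_text, names=("sandfly",)):
    """Return (pid, comm) pairs for OOM-killed processes whose command name
    starts with one of `names` ('sandfly' is the default binary name; add any
    alternate names configured on the Sandfly server)."""
    hits = []
    for line in dmesg_text.splitlines():
        m = OOM_RE.search(line)
        if m and any(m.group("comm").startswith(n) for n in names):
            hits.append((int(m.group("pid")), m.group("comm")))
    return hits

def classify_sigkill(dmesg_text, names=("sandfly",)):
    """Apply the FAQ's rule: OOM evidence explains the SIGKILL; with no such
    evidence the halt should be investigated as a potential security incident."""
    kills = find_oom_kills(dmesg_text, names)
    if kills:
        return "oom", kills
    return "investigate", []

# Constructed sample dmesg output (not captured from a real host).
SAMPLE_DMESG = """\
[12345.678901] sshd invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
[12345.678999] Out of memory: Killed process 4242 (sandfly) total-vm:512000kB, anon-rss:480000kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:1000kB oom_score_adj:0
[12346.000000] oom_reaper: reaped process 4242 (sandfly), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
"""

if __name__ == "__main__":
    verdict, victims = classify_sigkill(SAMPLE_DMESG)
    print(verdict, victims)  # prints: oom [(4242, 'sandfly')]
```

Feed it real output with `dmesg` or the kernel log file of the affected host; a renamed binary must be passed in `names`, or the kill will be missed and wrongly classified.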

  • How do you change the timeout period of a Sandfly?

Complete the following steps to de-activate the original Sandfly and in its place use a customized version for future scheduled scans:

NOTE: This solution requires a license that allows for the creation of custom Sandflies.

NOTE: Timeout values are in seconds, and the maximum timeout allowed is 3600 seconds (1 hour).

  1. Locate and open the Sandfly Details page for the Sandfly that you would like to customize
  2. In the upper right corner, click on the De-Activate button
  3. In the upper right corner, click on the Clone button, a new page will load
  4. Inside the box where the JSON is displayed look for "name" at the top and add some unique text at the end of the value to make the name of the Sandfly unique and descriptive for your needs, for example "_10mTimeout"
  5. Inside the same JSON box, look for the "active" and "custom" keys and change them both from false to true
  6. Inside the same JSON box, look for "max_timeout" (it is usually near the bottom) and change the value to an appropriate duration (NOTE: value is in seconds and must be less than 3600 [1 hour])
  7. Click on the Save button at the top of the page, which will create a new, custom Sandfly
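Steps 4 to 6 applied to the cloned JSON, as an added example that is not Sandfly's own code: the only keys assumed to exist are the ones the steps name ("name", "active", "custom", "max_timeout"); the sample definition is constructed, and its "description" key is hypothetical filler.

```python
import copy
import json

MAX_TIMEOUT = 3600  # seconds; the FAQ's stated maximum (1 hour)

def valid_timeout(seconds):
    """True when the value is a positive number of seconds within the limit."""
    return isinstance(seconds, int) and 0 < seconds <= MAX_TIMEOUT

def customize_timeout(cloned, suffix, timeout_seconds):
    """Return a new definition with the FAQ steps applied: unique name, active
    and custom set to true, max_timeout set. The input is left unchanged."""
    if not suffix:
        raise ValueError("suffix must be non-empty so the clone's name is unique")
    if not valid_timeout(timeout_seconds):
        raise ValueError(f"max_timeout must be 1..{MAX_TIMEOUT} seconds")
    new = copy.deepcopy(cloned)
    for key in ("name", "active", "custom", "max_timeout"):
        if key not in new:
            raise KeyError(f"cloned definition is missing the {key!r} key")
    new["name"] = new["name"] + suffix   # step 4
    new["active"] = True                 # step 5
    new["custom"] = True                 # step 5
    new["max_timeout"] = timeout_seconds # step 6
    return new

# Constructed sample of a cloned definition (not a real Sandfly module).
SAMPLE_CLONE = json.loads("""{
  "name": "process_example_check",
  "description": "hypothetical cloned definition",
  "active": false,
  "custom": false,
  "max_timeout": 300
}""")

if __name__ == "__main__":
    print(json.dumps(customize_timeout(SAMPLE_CLONE, "_10mTimeout", 600), indent=2))
```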

  • What happens to custom sandflies as we update and improve the product?

In the past we have auto-updated custom sandfly modules to new formats without customers needing to do anything. It is very likely we will continue this tradition for the foreseeable future.

Secure Shell (SSH):

  • Why is a scan returning a "SSHException: EOF during negotiation" error?

First, from a shell on a Sandfly Node host, try to connect manually via SSH to the host in question using the same credentials.

Next, check the sshd_config (usually located at: /etc/ssh/sshd_config) to confirm that the location (path and file name) for the "Subsystem sftp" entry exists and is correct on the host that is reporting this error. The line in the config should look something like this (depending on your OS):

Subsystem sftp /usr/lib/openssh/sftp-server

If it is not valid, add or correct it in the configuration file, reload sshd (e.g. "service sshd reload" or a similar method) so the updated value takes effect, and finally run a manual scan via the Sandfly UI for that system to see if Sandfly can now connect properly.

If that succeeds, apply the same process to any remaining hosts with this situation. If it does not work, please open a Sandfly support ticket.
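The sshd_config check above, as an added example that is not Sandfly's own code: find the effective "Subsystem sftp" entry (sshd uses the first value it reads for a keyword, and keywords are case-insensitive) and verify that the path it names exists. The sample configs are constructed; the `exists` parameter is an assumption that lets the check run against a config copied from another host.

```python
import os

def parse_sftp_subsystem(config_text):
    """Return the sftp-server path from the first uncommented
    'Subsystem sftp <path> [args]' line, or None if there is none."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "subsystem" and parts[1] == "sftp":
            return parts[2]
    return None

def check_sftp_subsystem(config_text, exists=os.path.isfile):
    """Classify the entry: 'missing' (no line), 'internal' (sshd's built-in
    internal-sftp, no binary needed), 'ok' (binary found) or 'bad-path'."""
    path = parse_sftp_subsystem(config_text)
    if path is None:
        return "missing", None
    if path == "internal-sftp":
        return "internal", path
    return ("ok" if exists(path) else "bad-path"), path

# Constructed sample configs (not copied from a real host).
GOOD_CONFIG = """\
Port 22
# Subsystem sftp /usr/libexec/old-sftp-server   (commented out, ignored)
Subsystem sftp /usr/lib/openssh/sftp-server
"""
NO_SFTP_CONFIG = "Port 22\nPermitRootLogin no\n"

if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as f:
        print(check_sftp_subsystem(f.read()))
```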
