TABLE OF CONTENTS
- Operating Systems:
- Secure Shell (SSH):
- Sensitive Data:
Can an existing sandfly-setup folder be moved to a different directory?
Can more than one credential be attached to a given set of assets?
How do I get a complete log from a Sandfly docker container?
docker ps  # To obtain the id of the target container
docker logs <CONTAINER_ID> &> /tmp/sandfly.log
Can Sandfly scan inside containers?
Can I clean up inside /var/lib/docker/?
WARNING: Volume pruning can delete your database, so be careful! If the sandfly-postgres docker container is NOT running, volume pruning will delete your database! Also, if non-Sandfly docker containers are or were present on the host, this process will remove every non-running container unless filters are applied.
First, confirm that the Sandfly containers (in particular sandfly-postgres) are running:
docker ps
CONTAINER ID   IMAGE                                  COMMAND                  CREATED        STATUS        PORTS                                                                                            NAMES
898fb4975f46   quay.io/sandfly/sandfly-server:3.3.0   "/opt/sandfly/start_…"   2 months ago   Up 2 months   0.0.0.0:80->8000/tcp, :::80->8000/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp                   sandfly-server
8e1da1d71142   quay.io/sandfly/sandfly-rabbit:3.3.0   "/bin/sh -c /usr/loc…"   2 months ago   Up 2 months   4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:5673->5673/tcp, :::5673->5673/tcp   sandfly-rabbit
49ad0760a3f6   postgres:14.2                          "docker-entrypoint.s…"   2 months ago   Up 2 months   5432/tcp                                                                                         sandfly-postgres
Finally, run the prune command, which will remove all unused containers, networks, images (both dangling and unreferenced), and optionally, volumes:
docker system prune --all # Optionally add '--volumes' to prune volumes
What commands will Sandfly use on the endpoints?
- id (additionally run via sudo)
- sftp-server (run as part of the SSH connection)
What version of Linux will Sandfly work against?
- Amazon Linux Images
- Digital Ocean Linux Images
- Microsoft Azure Images
- Oracle Linux
- Raspberry Pi and other embedded systems
- Rocky Linux
- Customized Distributions
Can Sandfly scan Mac OS?
Which is all a long way of saying that no, Sandfly cannot scan Mac OS: despite the similarities of the command line interface, behind the scenes Mac OS is an entirely different beast whose kernel does not share even a single line of code with Linux. And the way Mac OS has evolved, in many areas it is even further from how the other non-Linux commercial Unixes do things.
What caused a "Sandfly halted with a SIGKILL signal" error?
If it was the Linux OOM killer, there should be an entry in the dmesg or kern logs. For example, run `dmesg | grep -i 'out of memory'` and see whether it mentions killing a Sandfly-associated process. Otherwise, investigate that error as a potential security incident.
How do you change the timeout period of a Sandfly?
NOTE: This solution requires a license that allows for the creation of custom Sandflies.
NOTE: Timeout values are in seconds, and the maximum timeout allowed is 3600 seconds (1 hour).
- Locate and open the Sandfly Details page for the Sandfly that you would like to customize
- In the upper right corner, click on the De-Activate button
- In the upper right corner, click on the Clone button, a new page will load
- Inside the box where the JSON is displayed, look for "name" at the top and append some unique text to the value so that the name of the Sandfly is unique and descriptive for your needs, for example "_10mTimeout"
- Inside the same JSON box, look for the "active" and "custom" keys and change them both from false to true
- Inside the same JSON box, look for "max_timeout" (usually near the bottom) and change the value to an appropriate duration (NOTE: the value is in seconds and must be less than 3600 [1 hour])
- Click on the Save button at the top of the page, which will create a new, custom Sandfly
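The clone-and-edit steps above, as an added Python example that is not part of this FAQ or of Sandfly's own tooling: it takes the JSON shown on the Clone page (a constructed sample here; the only keys assumed to exist are the four the FAQ names), appends a suffix to the name, flips "active" and "custom" to true, and rejects a timeout outside the allowed range before you paste the result back.

```python
import json

# Upper bound stated in the FAQ: timeouts are in seconds, at most 3600 (1 hour).
MAX_TIMEOUT_SECONDS = 3600

# Constructed sample of a cloned Sandfly definition. Only "name", "active",
# "custom" and "max_timeout" are keys the FAQ names; the rest is illustrative.
SAMPLE_SANDFLY_JSON = """{
  "name": "example_process_check",
  "description": "constructed sample, not a real Sandfly definition",
  "active": false,
  "custom": false,
  "max_timeout": 60
}"""


def is_valid_timeout(timeout_seconds: int) -> bool:
    """A timeout must be a positive number of seconds no greater than one hour."""
    return isinstance(timeout_seconds, int) and 0 < timeout_seconds <= MAX_TIMEOUT_SECONDS


def customize_clone(sandfly_json: str, suffix: str, timeout_seconds: int) -> dict:
    """Apply the FAQ's clone-and-edit steps to a Sandfly JSON document and
    return the edited definition as a dict (see render_clone for the text)."""
    if not is_valid_timeout(timeout_seconds):
        raise ValueError(f"max_timeout must be 1..{MAX_TIMEOUT_SECONDS} seconds, got {timeout_seconds!r}")
    sandfly = json.loads(sandfly_json)
    missing = [k for k in ("name", "active", "custom", "max_timeout") if k not in sandfly]
    if missing:
        raise KeyError(f"cloned definition lacks expected key(s): {missing}")
    # Step: make the name unique and descriptive, e.g. by appending "_10mTimeout".
    if not sandfly["name"].endswith(suffix):
        sandfly["name"] = f"{sandfly['name']}{suffix}"
    # Step: flip "active" and "custom" from false to true so the clone is saved as a custom Sandfly.
    sandfly["active"] = True
    sandfly["custom"] = True
    # Step: set the new timeout in seconds (already range-checked above).
    sandfly["max_timeout"] = timeout_seconds
    return sandfly


def render_clone(sandfly_json: str, suffix: str, timeout_seconds: int) -> str:
    """Return the edited definition as indented JSON, ready to paste into the Clone page."""
    return json.dumps(customize_clone(sandfly_json, suffix, timeout_seconds), indent=2)


if __name__ == "__main__":
    print(render_clone(SAMPLE_SANDFLY_JSON, "_10mTimeout", 600))
```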
What happens to custom sandflies as we update and improve the product?
Secure Shell (SSH):
Why is a scan returning an "SSHException: EOF during negotiation" error?
Check that the sshd configuration on the target host contains a valid sftp subsystem line, for example:
Subsystem sftp /usr/lib/openssh/sftp-server
If it is not valid, add or correct it in the configuration file, reload sshd (e.g. "service sshd reload" or a similar method) so the updated value takes effect, and finally run a manual scan via the Sandfly UI for that system to see whether Sandfly can now connect properly.
If that succeeds, apply the same process to any remaining hosts with this situation. If it does not work, please open a Sandfly support ticket.
Is sensitive data encrypted in transport (e.g. system-to-client)?
Is sensitive data encrypted in storage (e.g. disk encryption, at-rest)?