Sandfly 5.3.1 - New License Tiers and SELinux Support
Sandfly 5.3.1 features new licensing tier options, including an affordable Home User Edition. We've also added SELinux support and more stealth rootkit detection. Highlights of the new features include:
New Home, Professional, and Air-Gapped license tiers
Monthly and annual subscriptions
SELinux support
Expanded stealth rootkit detection
New detections for masquerading processes, network sniffers, and SSH forwarding
New License Tiers
We have been asked many times if we would offer a full-featured license for home users. We have also been asked if we had easier ways to try the product without needing to buy an annual license for commercial users. We now have answers to both of these questions.
Home User Edition License
Introducing our new Home User Edition of Sandfly. This is a full-featured version of Sandfly that is extremely affordable. This version has the following features:
Protects up to 10 hosts, all included in the price
Unlimited alert views
SSH Hunter
Password auditor
30 days data retention
Automated scheduled threat scans
Custom sandfly threat hunting modules
This version is perfect for a home network. The annual subscription is about $8 a month, or $99 a year to watch 10 systems. You get full agentless Linux EDR for an incredibly low price.
Professional Edition License
The Professional Edition lets users quickly buy a fully unlocked Sandfly license. This version is for commercial use, or for power users at home who need extra capabilities such as distributed scanning, result replication, and Single Sign-On (SSO). It is available as a monthly subscription, or annually at a discount. The Professional Edition includes everything in the Home User Edition, plus:
Unlimited users, including SSO login
Unlimited schedules
Jump hosts
Distributed scanning
Result replication to external SIEM and SOAR applications
Full REST API access
This version gives immediate protection to commercial deployments either on-prem or in the cloud.
Air Gapped License
Sandfly is one of the only Linux EDRs that does not require an active Internet connection to run. The product was designed from the beginning for air-gap operation, and this continues with our Air Gapped license tier. This license has all the features of the Professional Edition, but is available annually only, with a license that works completely offline.
This license is perfect for organizations that will be using Sandfly in networks where the infrastructure will not have any Internet access.
Annual or Monthly Subscriptions
We have added the ability to get monthly subscriptions for users looking to try Sandfly on an extended basis. Annual subscriptions all offer substantial discounts once customers decide to upgrade. The air gapped license is available as an annual subscription only due to how the licensing works (offline only). Read more about the different licenses here:
If you need a larger volume of hosts, please reach out to our team for more information.
SELinux Support
We have added support to determine SELinux boot and configuration status. We also made SELinux security context labels available for all processes, files, and directories.
SELinux Status Detection
Sandfly can now report the status of SELinux on your systems. If you require systems to run with SELinux enabled, this can be easily seen and verified with Sandfly. We can also detect whether SELinux has been switched off since boot or is not set correctly.
The new policy modules for SELinux are the following:
policy_kernel_selinux_disabled - Looks for systems that have SELinux disabled.
policy_kernel_selinux_enforce_mode_boot_disabled - Looks for systems that have SELinux enforce mode disabled at boot time.
policy_kernel_selinux_enforce_mode_boot_permissive - Looks for systems that have SELinux enforce mode set permissive at boot time.
policy_kernel_selinux_enforce_mode_current_disabled - Looks for systems that have SELinux enforce mode disabled in current state.
policy_kernel_selinux_enforce_mode_current_permissive - Looks for systems that have SELinux enforce mode set permissive in current state.
policy_kernel_selinux_enforce_mode_disabled_since_boot - Looks for systems that have had SELinux enforce mode disabled since boot.
policy_kernel_selinux_mls_disabled - Looks for systems that have SELinux MLS disabled.
The policy_kernel_selinux_enforce_mode_disabled_since_boot module is enabled by default, because it finds systems where an attacker ran setenforce 0 to disable SELinux after boot. This is typically done by attackers who have already obtained root access, and it is a strong indication of compromise if you are not expecting to see it on your hosts. The other modules can be enabled if relevant to your environment.
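The "disabled since boot" idea in plain shell, as an added example that is not Sandfly's code: boot-time intent comes from /etc/selinux/config and the kernel command line, the running state from getenforce, and a weaker running mode is the alert. The sample config and command line are constructed.

```shell
#!/bin/sh
# Added example, not Sandfly code: a plain-shell version of the
# "enforce mode disabled since boot" check. Boot-time intent comes from
# /etc/selinux/config (SELINUX=...), overridden by kernel parameters
# (selinux=0, enforcing=0); the running state comes from `getenforce`.
# A running mode weaker than the boot intent means setenforce 0 ran after boot.

# Rank modes so "weaker than" becomes an integer comparison.
mode_rank() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        enforcing)  echo 2 ;;
        permissive) echo 1 ;;
        *)          echo 0 ;;   # disabled or unknown
    esac
}

# boot_mode CONFIG_FILE KERNEL_CMDLINE -> the mode the kernel was told to use.
boot_mode() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] || mode=disabled
    case " $2 " in
        *" selinux=0 "*)   mode=disabled ;;
        *" enforcing=0 "*) [ "$mode" = disabled ] || mode=permissive ;;
    esac
    echo "$mode"
}

# disabled_since_boot BOOT_MODE CURRENT_MODE -> "alert" or "ok".
disabled_since_boot() {
    if [ "$(mode_rank "$2")" -lt "$(mode_rank "$1")" ]; then
        echo alert
    else
        echo ok
    fi
}

# Constructed sample: config says enforcing, nothing on the kernel command
# line, but getenforce now reports Permissive (the result of setenforce 0).
sample_cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$sample_cfg"
SAMPLE_BOOT=$(boot_mode "$sample_cfg" "BOOT_IMAGE=/vmlinuz ro quiet")
SAMPLE_RESULT=$(disabled_since_boot "$SAMPLE_BOOT" Permissive)
rm -f "$sample_cfg"
echo "boot=$SAMPLE_BOOT current=Permissive -> $SAMPLE_RESULT"

# Live use on a host with the SELinux userland installed:
# disabled_since_boot "$(boot_mode /etc/selinux/config "$(cat /proc/cmdline)")" "$(getenforce)"
```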
SELinux Security Contexts: Processes, Files, and Directories
We have added SELinux security context label reporting on all processes, files, directories and file descriptors. This is a powerful way to make sure systems are not running unconfined processes, incorrect SELinux types, or leaking data in directories where it shouldn't be.

For instance, admins can quickly find any systems running unconfined network processes. Or, security teams can search across directories for sensitive file contexts that may have leaked (e.g. password or SSH key data). We have a variety of modules teams can clone and modify to suit their needs as well. New modules include the following:
policy_process_selinux_unconfined_type_network_port_listening - Looks for network processes with listening ports and unconfined SELinux context.
policy_process_selinux_unconfined_type_network_port_operating - Looks for network processes operating (listening or established) with unconfined SELinux context.
policy_process_selinux_unconfined_type_running - Looks for any process running with unconfined type SELinux context.
We also have modules to find SELinux file contexts that may be sensitive if left in vulnerable areas. These modules can be easily cloned and modified by teams for custom SELinux sweeps for a variety of uses.
file_selinux_passwd_shadow_context_in_dev_shm_dir - Searches for /etc/passwd or /etc/shadow SELinux context types in system /dev/shm ramdisk directories.
file_selinux_passwd_shadow_context_in_tmp_dir - Searches for /etc/passwd or /etc/shadow SELinux context types in system temporary directories.
file_selinux_shell_exec_context_in_dev_shm_dir - Searches for shell_exec_t system shell context types in system /dev/shm ramdisk directories.
file_selinux_shell_exec_context_in_tmp_dir - Searches for shell_exec_t system shell SELinux context types in system temporary directories.
file_selinux_ssh_context_in_dev_shm_dir - Searches for SSH SELinux context types in system /dev/shm ramdisk directories.
file_selinux_ssh_context_in_tmp_dir - Searches for SSH SELinux context types in system temporary directories.
For example, below we see a file with an SSH context that was left under the system ramdisk, which would be extremely suspicious.
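A plain-shell version of that sweep, as an added example that is not Sandfly's code: it filters find output for files in /dev/shm and /tmp whose SELinux type belongs to password, shell or SSH material. The list of sensitive types is an assumption to adjust per policy, and the find output below is constructed so the filter runs offline.

```shell
#!/bin/sh
# Added example, not Sandfly code: flag files under world-writable scratch
# directories whose SELinux type belongs to password, shell or SSH material.
# Live use pipes `find` output in; a constructed sample stands in for it here.

# Types whose presence in /tmp or /dev/shm is worth a look (assumed list;
# adjust to the policy in use).
SENSITIVE_TYPES='shadow_t passwd_file_t shell_exec_t ssh_home_t sshd_key_t'

# flag_sensitive_contexts reads lines of "CONTEXT PATH" on stdin (the format
# of `find ... -printf '%Z %p\n'`), takes the type field out of
# user:role:type:level and prints "TYPE PATH" for each sensitive hit.
flag_sensitive_contexts() {
    awk -v types="$SENSITIVE_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            split($1, ctx, ":")                  # user:role:type[:level]
            ty = ctx[3]
            path = $0; sub(/^[^ ]+ /, "", path)  # keeps paths containing spaces
            if (ty in want) print ty, path
        }'
}

# Live sweep (GNU find on an SELinux host):
# find /dev/shm /tmp -xdev -type f -printf '%Z %p\n' | flag_sensitive_contexts

# Constructed sample of that find output: one leaked shadow copy, one SSH key,
# one file carrying the system-shell label, and benign noise.
SAMPLE_FIND_OUTPUT='unconfined_u:object_r:user_tmp_t:s0 /tmp/build.log
system_u:object_r:shadow_t:s0 /dev/shm/.x/shadow
unconfined_u:object_r:ssh_home_t:s0 /tmp/id_rsa copy
system_u:object_r:shell_exec_t:s0 /dev/shm/sh
unconfined_u:object_r:tmpfs_t:s0 /dev/shm/pulse-shm-1234'

sample_hits() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | flag_sensitive_contexts
}

sample_hits
```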

Stealth Rootkit Detection and De-Cloaking
We have expanded our ability to de-cloak more stealth rootkits on Linux. Coverage includes new mechanisms to discover processes hidden by rootkits such as Kovid, as well as suspicious ftrace operations indicating a rootkit is likely operating. We also included additional signatures to help identify variants of the SEASPY backdoor, which uses traffic sniffing with magic packets to hide.

process_kernel_rootkit_lkm_ftrace_1 - Looks for stealth rootkit ftrace hooking to hide activity.
process_running_hidden_stealth - Expanded capability to locate and identify processes hidden by kernel rootkits.
process_masquerade_kernel_thread_* - Expanded and refined capability to locate malicious processes masquerading as kernel threads.
process_masquerade_kernel_thread_network_operating - Looks for processes hiding under a name that mimics a kernel thread while performing network activity.
process_masquerade_kernel_thread_sniffer - Looks for processes hiding under a name that mimics a kernel thread while operating as a sniffer.
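One way to check for this kind of masquerade from /proc, as an added example that is not Sandfly's code: a genuine kernel thread is a child of kthreadd (PID 2), has no executable and an empty memory map, so a process that merely took a kernel-thread name fails at least one of those tests. The list of kernel-thread name families is an assumption.

```shell
#!/bin/sh
# Added example, not Sandfly code: a /proc check in the spirit of the
# process_masquerade_kernel_thread_* modules. Real kernel threads are
# children of kthreadd (PID 2), have no executable (/proc/PID/exe does not
# resolve) and an empty memory map; a userland process that renamed itself
# to look like [kworker/0:1] fails at least one of those tests.

# kthread_name NAME -> "yes"/"no"; brackets as shown by ps are ignored.
# The name families are an assumed list; extend it for your kernels.
kthread_name() {
    n=${1#\[}; n=${n%\]}
    case "$n" in
        kworker*|ksoftirqd*|migration*|rcu_*|kswapd*|cpuhp*|kblockd*|jbd2*|khugepaged|kcompactd*)
            echo yes ;;
        *)  echo no ;;
    esac
}

# judge NAME PPID HAS_EXE HAS_MAPS -> "alert" when the name claims kernel
# thread status but the process carries userland attributes, else "ok".
judge() {
    if [ "$(kthread_name "$1")" = yes ] &&
       { [ "$2" != 2 ] || [ "$3" = yes ] || [ "$4" = yes ]; }; then
        echo alert
    else
        echo ok
    fi
}

# check_pid PID -> "alert"/"ok"/"gone", reading the facts from /proc.
# Run as root: exe and maps of other users' processes are unreadable
# otherwise, which would hide a masquerader.
check_pid() {
    d=/proc/$1
    [ -r "$d/status" ] || { echo gone; return; }
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status")
    ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$d/status")
    has_exe=no;  readlink "$d/exe" >/dev/null 2>&1 && has_exe=yes
    has_maps=no; [ -n "$(head -n 1 "$d/maps" 2>/dev/null)" ] && has_maps=yes
    judge "$name" "$ppid" "$has_exe" "$has_maps"
}

# Sweep every visible process and print "PID NAME" for each alert.
sweep() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        [ "$(check_pid "$p")" = alert ] && echo "$p $(sed -n 's/^Name:[[:space:]]*//p' "$d/status")"
    done
    return 0
}
```

Call sweep on a live host; kernel threads are normally invisible inside containers, so the sweep is only meaningful on the host's own PID namespace.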
Persistence
We have expanded our persistence checks to find more attackers attempting to hide on Linux.
process_running_nologin_shell - Looks for processes running with a nologin shell to conceal login activity.
systemd_exec_args_base64 - Looks for systemd units whose ExecStart/ExecStop entries contain base64-encoded data to obfuscate malicious commands.
user_shell_whitespace_name_end - Looks for users with trailing whitespace at the end of their shell entry, used to hide login activity.
user_ssh_authorized_keys_options_command_base64 - Looks for users with an SSH authorized_keys entry whose command option contains obfuscated base64 data.
user_ssh_authorized_keys_options_command_suspicious - Looks for users with an SSH authorized_keys entry that has a suspicious command option.
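One heuristic that serves both the systemd ExecStart/ExecStop and the authorized_keys command-option checks above, as an added example that is not Sandfly's code: a command is flagged when it decodes base64 inline or carries a long base64-alphabet token. The unit file, the authorized_keys lines and the 40-character threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Sandfly code: one heuristic for the
# systemd_exec_args_base64 and user_ssh_authorized_keys_options_command_base64
# ideas. A command is flagged when it decodes base64 inline or carries a long
# base64-alphabet token, the usual way to hide what a unit or a forced SSH
# command actually runs.

# looks_obfuscated COMMAND -> prints "yes" or "no".
looks_obfuscated() {
    case "$1" in
        *base64*-d*|*base64*--decode*|*b64decode*) echo yes; return ;;
    esac
    # Any token of 40+ base64 characters (assumed threshold; tune it for
    # legitimate long tokens such as API keys).
    if printf '%s\n' "$1" | grep -Eq '(^|[^A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}([^A-Za-z0-9+/=]|$)'
    then echo yes; else echo no; fi
}

# Command values of ExecStart*/ExecStop* lines in a unit file.
unit_exec_commands() {
    sed -n -e 's/^ExecStart[^=]*=//p' -e 's/^ExecStop[^=]*=//p' "$1"
}

# Forced commands (command="...") from an authorized_keys file; assumes no
# escaped quotes inside the value.
authorized_keys_commands() { sed -n 's/^.*command="\([^"]*\)".*$/\1/p' "$1"; }

# flagged_commands EXTRACTOR FILE -> prints each command the heuristic flags.
flagged_commands() {
    "$1" "$2" | while IFS= read -r cmd; do
        if [ "$(looks_obfuscated "$cmd")" = yes ]; then printf '%s\n' "$cmd"; fi
    done
}

# Constructed samples; the base64 blob is just "echo hello" encoded and the
# key material is truncated placeholder text.
SAMPLE_UNIT=$(mktemp); SAMPLE_KEYS=$(mktemp)
printf '[Service]\nExecStart=/bin/sh -c "echo ZWNobyBoZWxsbwo= | base64 -d | sh"\nExecStop=/bin/true\n' > "$SAMPLE_UNIT"
printf 'command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3Nz... backup\ncommand="echo ZWNobyBoZWxsbwo= | base64 --decode | sh" ssh-ed25519 AAAAC3Nz... tmp\n' > "$SAMPLE_KEYS"

flagged_commands unit_exec_commands "$SAMPLE_UNIT"
flagged_commands authorized_keys_commands "$SAMPLE_KEYS"
```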
SSH Port Forwarding Detection
Finally, we added new detections that find any user using SSH with port forwarding. These detections find SSH clients forwarding traffic to hosts other than the one they logged into. This is typically done to bypass network controls once attackers gain access, and it helps them pivot from trusted IP addresses into the internal network for lateral movement.

policy_process_ssh_port_forwarding_tcp - Looks for SSH actively forwarding traffic on a TCP port.
policy_process_ssh_port_forwarding_tcp6 - Looks for SSH actively forwarding traffic on a TCP IPv6 port.
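A socket-based way to spot the same thing, as an added example that is not Sandfly's code: instead of reading ssh's command line (forwards configured in ~/.ssh/config never appear in argv), it reads the socket table. A plain ssh client owns one established TCP socket to its server; a LISTEN socket means a local or dynamic forward is set up, and a second established socket means a forward is actively carrying traffic. The ss output below is constructed.

```shell
#!/bin/sh
# Added example, not Sandfly code: find ssh client processes that are
# forwarding traffic by looking at their sockets rather than their argv.
# A plain client owns exactly one established TCP socket, to the server.
# A LISTEN socket means -L/-D forwarding is set up; a second established
# socket means traffic is flowing through a forward (-L, -D or -R).

# ssh_forwarding_pids reads `ss -tanp` output on stdin and prints
# "PID REASON" for every ssh client process that matches.
ssh_forwarding_pids() {
    awk '
        # Process column looks like users:(("ssh",pid=4242,fd=5)); only the
        # ssh client counts, sshd does not match because of the comma.
        match($0, /users:\(\("ssh",pid=[0-9]+/) {
            pid = substr($0, RSTART, RLENGTH); sub(/.*pid=/, "", pid)
            if ($1 == "LISTEN") listen[pid]++
            if ($1 == "ESTAB")  estab[pid]++
            seen[pid] = 1
        }
        END {
            for (p in seen) {
                if (listen[p] > 0)     print p, "listening (local/dynamic forward)"
                else if (estab[p] > 1) print p, "extra established socket (forward in use)"
            }
        }' | sort -n
}

# Live use (root sees every process's sockets):  ss -tanp | ssh_forwarding_pids

# Constructed `ss -tanp` sample: pid 4242 holds a local forward on
# 127.0.0.1:8080, pid 4300 is an ordinary session, and pid 4310 is carrying
# a reverse-forwarded connection to an internal host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*          users:(("ssh",pid=4242,fd=5))
ESTAB  0      0      10.0.0.5:51234      10.0.0.9:22        users:(("ssh",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:51240      10.0.0.9:22        users:(("ssh",pid=4300,fd=3))
ESTAB  0      0      10.0.0.5:51250      10.0.0.9:22        users:(("ssh",pid=4310,fd=3))
ESTAB  0      0      10.0.0.5:40022      10.0.0.20:443      users:(("ssh",pid=4310,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=900,fd=3))'

sample_report() { printf '%s\n' "$SAMPLE_SS" | ssh_forwarding_pids; }
sample_report
```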
Try Sandfly Today
Our new licensing tiers give home and professional users more options and the features they've asked for, plus our detection coverage on Linux is better than ever. As always, Sandfly has free trials available for all license tiers. Please see below for more information:
Upgrading Sandfly
All customers are encouraged to upgrade to see our expanded coverage and protection options for Linux. We are here to help with any questions. Please see our documentation on the new features and capabilities:
Customers wishing to upgrade can follow the instructions here:
If you have any questions, please reach out to us.
Thank you for using Sandfly.