Sandfly 4.6.1 adds support for compatibility with Microsoft Azure Active Directory Single Sign-On (SSO). We next enabled our agentless Linux password auditor on by default due to the high priority nature of these attacks. Finally, we also have a variety of small bug fixes in the UI.

This release is primarily a bug fix release. If you are using Sandfly 4.6.0 there is no rush to upgrade unless you are impacted by these issues.

Microsoft Azure Active Directory Support

We fixed a compatibility issue with Microsoft Azure Active Directory SSO support.

Agentless Linux Password Auditing on by Default

We added in our novel agentless Linux password auditing feature in Sandfly 4.4.0, but left the modules disabled by default in most cases as policy checks. We now feel these checks have minimal CPU impacts and find such high priority problems that we have enabled them by default.

The following modules will now be activated when you upgrade.

• policy_user_password_auditor_top_worst_small_list - Audits for ~100 of the absolute worst passwords imaginable for users (e.g. password123, letmein).

• policy_user_password_auditor_linux_common - Audits for the the worst combinations of Linux usernames and passwords (e.g. hadoop, apache, admin).

These lists contain the worst of the worst passwords commonly targeted by both automated malware and deliberate intruders. We recommend you keep these enabled as they can help save you hours of aggravation due to a successful brute force password compromise. If you need to disable them, you can do so in the master sandfly list.

However, we can go further. The following module is still disabled by default but customers can enable it:

• policy_user_password_auditor_top_worst_big_list - About 500 of the worst passwords in existence.

This modules takes a little longer to run. However, in many cases it is still worth doing on a periodic basis. Again, this is disabled by default.

Our agentless password auditing modules are low impact. First, they run only on one core and usually for less than a minute at low priority. Secondly, they will select at random the first 10 users they see with password hashes and only attempt to audit those users (e.g. won't audit more than 10 at any time).

When the auditor runs on the system again, a new random 10 users will be checked. In this way we never audit more than 10 users at a time to prevent CPU impacts. However, over time you are guaranteed that all users with passwords on a host will be audited. This is a very low-impact way to check for these serious issues.

Customers can also clone and modify our modules. You can put in your own passwords and adjust user auditing loads to suit.

New Detection Modules

We have added new detection modules as well:

• policy_user_ssh_authorized_keys_owner_mismatch - Detects if a user's SSH authorized keys file is not owned by them.

• Improved accuracy for SSH key forwarding, rc file, X11 forwarding, port forwarding, and other SSH key options.

• Expansion of process mount table evasion detection.

• Expansion of existing detection modules for malicious processes.

Bug Fixes

We have a list of other bug fixes that may be important to you:

• A bug that would false alarm on file size mismatches when over 2GB has been fixed.

• Support for all languages of Linux.

• Process hidden checks has been improved to reduce false alarm risks.

• Small UI fixes and updates to filter views and more.

Get a Free License Today

All Sandfly users get access to the 4.6.1 upgrades and more. Get you free license today:

Get Sandfly

Upgrading Sandfly

Sandfly 4.6.1 is primarily a bug fix release. All customers are encouraged to upgrade, but it is not urgent. We are here to help with any questions.

Customers wishing to upgrade can follow the instructions here:

Upgrading Sandfly

If you have any questions, please reach out to us.

Thank you for using Sandfly.