Header Data
Header Data and Examples
The data header is attached to every result set. It contains data about what Sandfly ran on the remote host. This includes information such as the UID Sandfly used when it ran, how long the run took, and the overall status of what happened.
The results key contains data about what was found, together with data about the completed Sandfly check (if any).
{
  "exec_seconds": 0,
  "start_time": "0001-01-01T00:00:00Z",
  "end_time": "0001-01-01T00:00:00Z",
  "name": "",
  "status": "",
  "status_msg": "",
  "severity": 0,
  "tags": null,
  "type": "",
  "engine": "",
  "key_data": ""
}
A full example is shown below.
{
  "exec_seconds": 0,
  "start_time": "2025-03-21T11:52:06Z",
  "end_time": "2025-03-21T11:52:06Z",
  "name": "log_tampering_missing_lastlog",
  "status": "alert",
  "status_msg": "ok",
  "severity": 3,
  "tags": [
    "attack.id.T1070.002",
    "attack.id.T1070.004",
    "attack.tactic.defense_evasion",
    "default_active",
    "log"
  ],
  "type": "log",
  "engine": "sandfly_engine_file",
  "key_data": "/var/log/lastlog",
  "results": {
    "containerized": false,
    "file": {
      "date": {
        "created": "1970-01-01T00:00:00Z",
        "created_minutes": 0,
        "modified": "1970-01-01T00:00:00Z",
        "modified_minutes": 0,
        "accessed": "1970-01-01T00:00:00Z",
        "accessed_minutes": 0
      },
      "inode": 0,
      "device": 0,
      "rdevice": 0,
      "nlink": 0,
      "mode": "",
      "uid": 0,
      "username": "",
      "gid": 0,
      "groupname": "",
      "size": 0,
      "size_byte_count": 0,
      "size_byte_count_status": "",
      "size_mismatch": false,
      "blksize": 0,
      "blocks": 0,
      "path": "/var/log/lastlog",
      "path_root": "/var/log/",
      "path_link": "",
      "true_path": "",
      "name": "lastlog",
      "extension": "",
      "selinux_context": "",
      "flags": {
        "directory": false,
        "regular": false,
        "link": false,
        "suid": false,
        "suid_root": false,
        "sgid": false,
        "sgid_root": false,
        "socket": false,
        "device": false,
        "char_device": false,
        "named_pipe": false,
        "sticky": false,
        "immutable": false,
        "hidden": false,
        "deleted": true,
        "containerized": false
      },
      "entropy": 0,
      "hash": {
        "md5": "",
        "sha1": "",
        "sha256": "",
        "sha512": ""
      },
      "magic_num": {
        "hex": "",
        "text": "",
        "type": "",
        "class": "",
        "expected_extensions": null
      },
      "mount": {
        "mountpoint": "/",
        "device": "none",
        "fs_type": "tmpfs"
      },
      "container": {
        "id": "",
        "id_short": "",
        "rootdir": ""
      },
      "data": null
    },
    "explanation": "The system lastlog audit log at '/var/log/lastlog' does not exist on the file system. This audit log records successful logins to the host and is present on most Linux systems by default. If deleted it will disable login accounting. However, deleting this log is also common with sloppy log file cleaning from intruders wishing to conceal their activity on the host. You should investigate this system to find out why the file is missing and see if other logs have been deleted as well to hide logins. (Note: some Linux distros do not create the lastlog file until the first non-root user logs in; if this host has never been logged in to other than by root, this alert may indicate a normal condition.)",
    "match_hashes": {
      "version": 1,
      "strict": "a49fe8cfe1e3311c1c39b732fbeb6e307eed6015fecddbeaa168a5c7b018abbd28bd8df990d94b99e428ebb842296037f80378bf4f7ab5d78ad30058bb57441",
      "moderate": "7900d3449a59568b1efa73dbbf6ec2c82723a1b198ac502cb8f333c57c6ec0d321fc3ded85f1507b8ee3efb34d226fc9dc57af1ab397968a171a2f1570afba2b",
      "permissive": "e50849ba13db91285a86543e00e02040aef4743c96a469b7c124ec5e4e42344f9a6cc63cfff0f59ad8c1d36b34778a5d541856ed3bb72995449ed41842f6be4f"
    }
  }
}
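The following is an added example, not code from Sandfly or from this page, showing how a consumer of these result documents would validate the header keys listed above and pull the fields a triage pipeline cares about out of one result. The sample document is constructed from the full example above with the bulk of the `file` block trimmed away. The function names (`parse_header`, `summarize`, and the others) are the example's own, and the assumption that ATT&CK technique and tactic tags always use the `attack.id.` and `attack.tactic.` prefixes seen in the example is an assumption, not something the page states.

```python
"""Validate and summarise the header of a Sandfly result document."""
import json
from datetime import datetime

# Header keys the page documents as present on every result set.
HEADER_KEYS = (
    "exec_seconds", "start_time", "end_time", "name", "status",
    "status_msg", "severity", "tags", "type", "engine", "key_data",
)

# Tag prefixes observed in the page's example; assumed to be the general
# convention for ATT&CK annotations.
ATTACK_ID_PREFIX = "attack.id."
ATTACK_TACTIC_PREFIX = "attack.tactic."

# Constructed sample: header from the full example above, with the
# `results.file` block reduced to the fields this example reads.
SAMPLE_RESULT = json.dumps({
    "exec_seconds": 0,
    "start_time": "2025-03-21T11:52:06Z",
    "end_time": "2025-03-21T11:52:06Z",
    "name": "log_tampering_missing_lastlog",
    "status": "alert",
    "status_msg": "ok",
    "severity": 3,
    "tags": [
        "attack.id.T1070.002",
        "attack.id.T1070.004",
        "attack.tactic.defense_evasion",
        "default_active",
        "log",
    ],
    "type": "log",
    "engine": "sandfly_engine_file",
    "key_data": "/var/log/lastlog",
    "results": {
        "containerized": False,
        "file": {"path": "/var/log/lastlog", "flags": {"deleted": True}},
    },
})


def parse_header(raw: str) -> dict:
    """Decode one result document and return only the documented header keys.

    Raises KeyError when a documented header key is absent, so a truncated
    or malformed result is rejected before it enters a pipeline.
    """
    doc = json.loads(raw)
    missing = [k for k in HEADER_KEYS if k not in doc]
    if missing:
        raise KeyError(f"result is missing header keys: {missing}")
    return {k: doc[k] for k in HEADER_KEYS}


def _tags_with_prefix(header: dict, prefix: str) -> list:
    """Return the suffixes of all tags starting with `prefix`.

    `tags` is null on an empty header (see the first example), so treat
    None as an empty list rather than failing.
    """
    tags = header.get("tags") or []
    return [t[len(prefix):] for t in tags if t.startswith(prefix)]


def wall_clock_seconds(header: dict) -> float:
    """Seconds between start_time and end_time (RFC 3339, trailing 'Z')."""
    def parse(ts: str) -> datetime:
        # fromisoformat() accepts '+00:00' on every supported Python version.
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return (parse(header["end_time"]) - parse(header["start_time"])).total_seconds()


def is_actionable(header: dict, min_severity: int = 1) -> bool:
    """True when the check raised an alert at or above `min_severity`."""
    return header["status"] == "alert" and header["severity"] >= min_severity


def summarize(raw: str) -> dict:
    """Produce the compact record a triage queue or SIEM mapping would use."""
    header = parse_header(raw)
    return {
        "name": header["name"],
        "engine": header["engine"],
        "key_data": header["key_data"],
        "alert": is_actionable(header),
        "severity": header["severity"],
        "techniques": _tags_with_prefix(header, ATTACK_ID_PREFIX),
        "tactics": _tags_with_prefix(header, ATTACK_TACTIC_PREFIX),
        "wall_clock_seconds": wall_clock_seconds(header),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESULT), indent=2))
```

Because `exec_seconds` in both examples is 0, the summary also derives the elapsed time from `start_time` and `end_time`; comparing the two is a cheap sanity check when results arrive through an intermediate collector.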