Linux Filesystem Scanner getting started guide

This guide explains how to use the SandboxAQ Filesystem Scanner (formerly Host Scanner) to obtain a cryptography scan from the filesystem in Linux.

Installation

The Linux Filesystem Scanner is distributed as a zip package named cs-host-scanner-<VERSION>-x86_64-<PLATFORM>.zip. When you extract this package, it creates a directory named cs-host-scanner-<VERSION>-x86_64-<PLATFORM> that contains an executable cs-host-scanner file and a README file. For instance:

cs-host-scanner-0.9.6-x86_64-linux/
├── cs-host-scanner
└── README.md

You can move the cs-host-scanner-<VERSION>-x86_64-<PLATFORM> directory anywhere on your system.

Caution

If you move the executable file, make sure to also move the DLLs. They must be in the same directory.

Scanning a Filesystem

Navigate to a directory where you have write permissions to store scan results.

Move the cs-host-scanner executable file to your chosen directory and run:

Bash

./cs-host-scanner \
    --root /path/to/root/directory \
    --output scan.cst.gz

Note

The Filesystem Scanner only looks for regular files on Linux. It won’t scan block devices such as /dev/sda, but it will scan regular files in directories like /proc or /sys.

When the Filesystem Scanner has finished executing, the directory you chose earlier will contain the generated trace file.

You can change the directory where the Filesystem Scanner generates traces with the --output option.

Upload the trace to AQtive Guard to run an analysis and generate a report. Refer to these instructions:

• Web Interface - Uploading a new trace
• API - Upload a trace using the API Client

Note

Refer to the Filesystem Scanner reference for details on using the scanner on Linux and for a list of available parameters.

How it works

Starting from the chosen root location, the Filesystem Scanner goes through every file in the directory tree below, recursively descending into all subdirectories (without pursuing symbolic links). It tests the initial bytes of each file against a set of detectors for supported formats.

Note

The FileSystem Scanner alters the access timestamp of files but won’t alter the modification and change timestamps. Additionally, the scanner only performs read-only actions, so it won’t lock files for other processes. A file with a mandatory or exclusive lock placed on it by another process will be skipped by the scanner, but the scanner will be able to access and open files with advisory locks on them.

For those that are supported, it parses the files and logs the cryptographic material in a format suitable for analysis by AQtive Guard. No sensitive data, such as private keys, is stored. In the case of encrypted keystores, if a password is provided, the Filesystem Scanner also attempts to decrypt the encrypted portions using that password.