Install Swell on a Linux Appliance

In many cases, an EDR solution would be detrimental to the performance of a network/security appliance but you want visibility... good news. You can use Swell!

There are a number of environment specific flags you may want to enable such as allow/deny lists for extensions and much more. For more on those specifics in-depth please refer to the Swell documentation or use the --help flag at the command line.In recent times, we have observed attackers targeting network and security appliances as a primary objective in their campaigns. Often, these devices would not withstand nor support the installation of a full EDR solution, and attackers are keenly aware of this blind spot.

We have collaborated with customers on deploying the Swell binary onto devices that use Linux as the underlying operating system, utilizing the Cron Tab to initiate periodic scans of the device in search of new files.

Distinct Advantages:

  1. It provides security teams with awareness of activity on business-critical devices that would otherwise require manual intervention.
  2. Swell is extremely lightweight and does not interfere with CPU utilization, using only the necessary network bandwidth to upload newly discovered files.
  3. By utilizing the Cron Tab, the scan can be scheduled to run during off-peak hours or at a cadence suitable for your environment.
  4. Anything newly observed, from the latest dropper to a one-line webshell, can be analyzed out of band without the risk of a false positive causing business disruption.
  5. Setting up Swell takes just moments, and removing the Cron job is a matter of seconds, whether you want to disable it from your fleet or use it for incident response as a one-off.


To learn more about this use case, check out this Stairwell blog post:

Next Steps:

  1. Download our specialized version of Swell optimized for this purpose, which supports HTTP/1.x and later proxy configurations, should your environment require them.

  2. Review and follow our Swell documentation which can be found here.

  3. After installing the Swell binary on your device, simply input the auth token from your Stairwell environment by entering:

./swell_linux auth login

The application will prompt you for the API key, which will be loaded into the application, eliminating the need to pass it as an argument later on.

  1. To properly identify this appliance in your Stairwell environment you need to 'onboard' it with a variation of the following command:
./swell_linux onboard <ASSET NAME> --environment_id <ENVIRONMENT ID>

There are a number of environment specific flags you may want to enable such as allow/deny lists for extensions. For more on those specifics in-depth, please refer to the Swell documentation or use the --help flag at the command line.

  1. Once the binary is installed and configured on your appliance, create or edit a crontab file from the command line by entering:
./crontab -e

Usually, a text editor like vi or nano is required to edit a crontab file, which is a simple text file. If you are using crontab for the first time, you'll be prompted to choose a text editor.

  1. The crontab syntax consists of five fields representing the time and/or date you want the job to run, followed by the path to the Swell binary. For instance, to run the scan every night at 10:20 pm local time, the syntax would be:
20 22 \* \* \* /usr/bin/swell_linux objects upload --asset <ASSET_ID> /

In this example, "20" represents the minutes (0-59 are acceptable). "22" is the 24-hour equivalent of 10 pm (0-23 for hours). The "*" (wildcards) signify all values for the day of the month, month, and day of the week.

Advanced configurations account for ranges using a hyphen between two numbers or a collection of specific times, such as "7,19" in the minutes position for 7 am AND 7 pm. If it becomes complex, you can use websites like Crontab Generator.

  1. Next, ensure you have set the correct permissions for your system's cron files to run the Swell binary.
  • If /etc/cron.allow exists, it should contain a username permitted to run the cron job automation.
  • If /etc/cron.deny exists, it should not contain a username intended to run the cron job automation. If it does the account cannot use cron.
  1. Remember to save your changes, and your setup should be complete and ready to go!