--ids-check/--ids-init documentation

author: netblue30 <netblue30@protonmail.com> 2021-11-13 09:01:18 -0500
committer: netblue30 <netblue30@protonmail.com> 2021-11-13 09:01:18 -0500
commit: 1f6767c90605be5b0fd75b8b41f3f36937691bd9 (patch)
tree: b4a32cf60d6c6e7d017ddd9424fc4d05b7061494
parent: merges (diff)
download: firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.gz
firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.zst
firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.zip
2 files changed, 135 insertions, 25 deletions
diff --git a/README.md b/README.md
index 9dd9bbbfd..a856495f0 100644
--- a/README.md
+++ b/README.md
@@ -183,34 +183,65 @@ in order to give users a chance to switch their local profiles.
 The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 ### Intrusion Detection System ###
-We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
-and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
-The program runs as regular user, each user has his own file in /var/lib/firejail.
-Initialize the database:
-`````
-$ firejail --ids-init
-Loading /etc/firejail/ids.config config file
-500 1000 1500 2000
-2457 files scanned
-IDS database initialized
 `````
+      --ids-check
+              Check  file  hashes previously generated by --ids-check. See IN‐
+              TRUSION DETECTION SYSTEM section for more details.
+              Example:
+              $ firejail --ids-check
+       --ids-init
+              Initialize file hashes. See INTRUSION DETECTION  SYSTEM  section
+              for more details.
+              Example:
+              $ firejail --ids-init
+INTRUSION DETECTION SYSTEM (IDS)
+       The  host-based  intrusion detection system tracks down and audits user
+       and  system  file  modifications.   The  feature  is  configured  using
+       /etc/firejail/ids.config    file,   the   checksums   are   stored   in
+       /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the  cur‐
+       rent user. We use BLAKE2 cryptographic function for hashing.
+       As a regular user, initialize the database:
+       $ firejail --ids-init
+       Opening config file /etc/firejail/ids.config
+       Loading config file /etc/firejail/ids.config
+       Opening config file /etc/firejail/ids.config.local
+       500 1000 1500 2000
+       2466 files scanned
+       IDS database initialized
+       The  default configuration targets several system executables in direc‐
+       tories such as /bin, /sbin, /usr/bin, /usr/sbin, and  several  critical
+       config  files in user home directory such as ~/.bashrc, ~/.xinitrc, and
+       ~/.config/autostart. Several system config files in /etc directory  are
+       also hashed.
+       Run --ids-check to audit the system:
+       $ firejail --ids-check
+       Opening config file /etc/firejail/ids.config
+       Loading config file /etc/firejail/ids.config
+       Opening config file /etc/firejail/ids.config.local
+       500 1000 1500
+       Warning: modified /home/netblue/.bashrc
+       2000
+       2466 files scanned: modified 1, permissions 0, new 0, removed 0
+       The  program  will  print  the  files that have been modified since the
+       database was created, or the files with different  access  permissions.
+       New files and deleted files are also flagged.
+       Currently  while  scanning  the file system symbolic links are not fol‐
+       lowed, and files the user doesn't have  read  access  to  are  silently
+       dropped.   The  program  can  also be run as root (sudo firejail --ids-
+       init/--ids-check).
-Later, we check it:
 `````
-$ firejail --ids-check
-Loading /etc/firejail/ids.config config file
-500 1000 1500
-Warning: modified /home/netblue/.bashrc
-2000
-2457 files scanned: modified 1, permissions 0, new 0, removed 0
-`````
-The program will print the files that have been modified since the database was created, or the files with different access permissions.
-New files and deleted files are also flagged.
-Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
-The program can also be run as root (sudo firejail --ids-init/--ids-check).
 ### Deteministic Shutdown
 `````
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 499339264..b5cb1e7c2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -821,6 +821,26 @@ Example:
 $ firejail \-\-hosts-file=~/myhosts firefox
 .TP
+\fB\-\-ids-check
+Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-ids-check
+.TP
+\fB\-\-ids-init
+Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-ids-init
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -3208,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
 $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
+.SH INTRUSION DETECTION SYSTEM (IDS)
+The host-based intrusion detection system tracks down and audits user and system file modifications.
+The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
+where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
+As a regular user, initialize the database:
+.br
+.br
+$ firejail --ids-init
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500 2000
+.br
+2466 files scanned
+.br
+IDS database initialized
+.br
+.br
+The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
+such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
+.br
+.br
+Run --ids-check to audit the system:
+.br
+.br
+$ firejail --ids-check
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500
+.br
+Warning: modified /home/netblue/.bashrc
+.br
+2000
+.br
+2466 files scanned: modified 1, permissions 0, new 0, removed 0
+.br
+.br
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
author	netblue30 <netblue30@protonmail.com>	2021-11-13 09:01:18 -0500
committer	netblue30 <netblue30@protonmail.com>	2021-11-13 09:01:18 -0500
commit	1f6767c90605be5b0fd75b8b41f3f36937691bd9 (patch)
tree	b4a32cf60d6c6e7d017ddd9424fc4d05b7061494
parent	merges (diff)
download	firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.gz firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.zst firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.zip

diff --git a/README.md b/README.md index 9dd9bbbfd..a856495f0 100644 --- a/README.md +++ b/README.md
@@ -183,34 +183,65 @@ in order to give users a chance to switch their local profiles.
183	The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379	183	The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
184		184
185	### Intrusion Detection System ###	185	### Intrusion Detection System ###
186
187	We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
188	and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
189	The program runs as regular user, each user has his own file in /var/lib/firejail.
190
191	Initialize the database:
192	`````
193	$ firejail --ids-init
194	Loading /etc/firejail/ids.config config file
195	500 1000 1500 2000
196	2457 files scanned
197	IDS database initialized
198	`````	186	`````
		187	--ids-check
		188	Check file hashes previously generated by --ids-check. See IN‐
		189	TRUSION DETECTION SYSTEM section for more details.
		190
		191	Example:
		192	$ firejail --ids-check
		193
		194	--ids-init
		195	Initialize file hashes. See INTRUSION DETECTION SYSTEM section
		196	for more details.
		197
		198	Example:
		199	$ firejail --ids-init
		200
		201	INTRUSION DETECTION SYSTEM (IDS)
		202	The host-based intrusion detection system tracks down and audits user
		203	and system file modifications. The feature is configured using
		204	/etc/firejail/ids.config file, the checksums are stored in
		205	/var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐
		206	rent user. We use BLAKE2 cryptographic function for hashing.
		207
		208	As a regular user, initialize the database:
		209
		210	$ firejail --ids-init
		211	Opening config file /etc/firejail/ids.config
		212	Loading config file /etc/firejail/ids.config
		213	Opening config file /etc/firejail/ids.config.local
		214	500 1000 1500 2000
		215	2466 files scanned
		216	IDS database initialized
		217
		218	The default configuration targets several system executables in direc‐
		219	tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical
		220	config files in user home directory such as ~/.bashrc, ~/.xinitrc, and
		221	~/.config/autostart. Several system config files in /etc directory are
		222	also hashed.
		223
		224	Run --ids-check to audit the system:
		225
		226	$ firejail --ids-check
		227	Opening config file /etc/firejail/ids.config
		228	Loading config file /etc/firejail/ids.config
		229	Opening config file /etc/firejail/ids.config.local
		230	500 1000 1500
		231	Warning: modified /home/netblue/.bashrc
		232	2000
		233	2466 files scanned: modified 1, permissions 0, new 0, removed 0
		234
		235	The program will print the files that have been modified since the
		236	database was created, or the files with different access permissions.
		237	New files and deleted files are also flagged.
		238
		239	Currently while scanning the file system symbolic links are not fol‐
		240	lowed, and files the user doesn't have read access to are silently
		241	dropped. The program can also be run as root (sudo firejail --ids-
		242	init/--ids-check).
199		243
200	Later, we check it:
201	`````	244	`````
202	$ firejail --ids-check
203	Loading /etc/firejail/ids.config config file
204	500 1000 1500
205	Warning: modified /home/netblue/.bashrc
206	2000
207	2457 files scanned: modified 1, permissions 0, new 0, removed 0
208	`````
209	The program will print the files that have been modified since the database was created, or the files with different access permissions.
210	New files and deleted files are also flagged.
211
212	Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
213	The program can also be run as root (sudo firejail --ids-init/--ids-check).
214		245
215	### Deteministic Shutdown	246	### Deteministic Shutdown
216	`````	247	`````


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 499339264..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -821,6 +821,26 @@ Example:
821	$ firejail \-\-hosts-file=~/myhosts firefox	821	$ firejail \-\-hosts-file=~/myhosts firefox
822		822
823	.TP	823	.TP
		824	\fB\-\-ids-check
		825	Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
		826	.br
		827
		828	.br
		829	Example:
		830	.br
		831	$ firejail \-\-ids-check
		832
		833	.TP
		834	\fB\-\-ids-init
		835	Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
		836	.br
		837
		838	.br
		839	Example:
		840	.br
		841	$ firejail \-\-ids-init
		842
		843	.TP
824	\fB\-\-ignore=command	844	\fB\-\-ignore=command
825	Ignore command in profile file.	845	Ignore command in profile file.
826	.br	846	.br
@@ -3208,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
3208	$ firejail \-\-cat=mybrowser ~/.bashrc	3228	$ firejail \-\-cat=mybrowser ~/.bashrc
3209	.br	3229	.br
3210	#endif	3230	#endif
		3231
		3232	.SH INTRUSION DETECTION SYSTEM (IDS)
		3233	The host-based intrusion detection system tracks down and audits user and system file modifications.
		3234	The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
		3235	where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
		3236
		3237	As a regular user, initialize the database:
		3238	.br
		3239
		3240	.br
		3241	$ firejail --ids-init
		3242	.br
		3243	Opening config file /etc/firejail/ids.config
		3244	.br
		3245	Loading config file /etc/firejail/ids.config
		3246	.br
		3247	Opening config file /etc/firejail/ids.config.local
		3248	.br
		3249	500 1000 1500 2000
		3250	.br
		3251	2466 files scanned
		3252	.br
		3253	IDS database initialized
		3254	.br
		3255
		3256	.br
		3257	The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
		3258	such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
		3259	.br
		3260
		3261	.br
		3262	Run --ids-check to audit the system:
		3263	.br
		3264
		3265	.br
		3266	$ firejail --ids-check
		3267	.br
		3268	Opening config file /etc/firejail/ids.config
		3269	.br
		3270	Loading config file /etc/firejail/ids.config
		3271	.br
		3272	Opening config file /etc/firejail/ids.config.local
		3273	.br
		3274	500 1000 1500
		3275	.br
		3276	Warning: modified /home/netblue/.bashrc
		3277	.br
		3278	2000
		3279	.br
		3280	2466 files scanned: modified 1, permissions 0, new 0, removed 0
		3281	.br
		3282
		3283	.br
		3284	The program will print the files that have been modified since the database was created, or the files with different access permissions.
		3285	New files and deleted files are also flagged.
		3286
		3287	Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
		3288	The program can also be run as root (sudo firejail --ids-init/--ids-check).
		3289
3211	.SH MONITORING	3290	.SH MONITORING
3212	Option \-\-list prints a list of all sandboxes. The format	3291	Option \-\-list prints a list of all sandboxes. The format
3213	for each process entry is as follows:	3292	for each process entry is as follows: