author | netblue30 <netblue30@protonmail.com> | 2021-11-13 09:01:18 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-11-13 09:01:18 -0500 |
commit | 1f6767c90605be5b0fd75b8b41f3f36937691bd9 (patch) | |
tree | b4a32cf60d6c6e7d017ddd9424fc4d05b7061494 /README.md | |
parent | merges (diff) | |
download | firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.gz firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.zst firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.zip |
--ids-check/--ids-init documentation
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 81 |
1 files changed, 56 insertions, 25 deletions
@@ -183,34 +183,65 @@ in order to give users a chance to switch their local profiles. | |||
183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | 183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 |
184 | 184 | ||
185 | ### Intrusion Detection System ### | 185 | ### Intrusion Detection System ### |
186 | |||
187 | We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config), | ||
188 | and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids. | ||
189 | The program runs as regular user, each user has his own file in /var/lib/firejail. | ||
190 | |||
191 | Initialize the database: | ||
192 | ````` | ||
193 | $ firejail --ids-init | ||
194 | Loading /etc/firejail/ids.config config file | ||
195 | 500 1000 1500 2000 | ||
196 | 2457 files scanned | ||
197 | IDS database initialized | ||
198 | ````` | 186 | ````` |
187 | --ids-check | ||
188 | Check file hashes previously generated by --ids-check. See IN‐ | ||
189 | TRUSION DETECTION SYSTEM section for more details. | ||
190 | |||
191 | Example: | ||
192 | $ firejail --ids-check | ||
193 | |||
194 | --ids-init | ||
195 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
196 | for more details. | ||
197 | |||
198 | Example: | ||
199 | $ firejail --ids-init | ||
200 | |||
201 | INTRUSION DETECTION SYSTEM (IDS) | ||
202 | The host-based intrusion detection system tracks down and audits user | ||
203 | and system file modifications. The feature is configured using | ||
204 | /etc/firejail/ids.config file, the checksums are stored in | ||
205 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
206 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
207 | |||
208 | As a regular user, initialize the database: | ||
209 | |||
210 | $ firejail --ids-init | ||
211 | Opening config file /etc/firejail/ids.config | ||
212 | Loading config file /etc/firejail/ids.config | ||
213 | Opening config file /etc/firejail/ids.config.local | ||
214 | 500 1000 1500 2000 | ||
215 | 2466 files scanned | ||
216 | IDS database initialized | ||
217 | |||
218 | The default configuration targets several system executables in direc‐ | ||
219 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
220 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
221 | ~/.config/autostart. Several system config files in /etc directory are | ||
222 | also hashed. | ||
223 | |||
224 | Run --ids-check to audit the system: | ||
225 | |||
226 | $ firejail --ids-check | ||
227 | Opening config file /etc/firejail/ids.config | ||
228 | Loading config file /etc/firejail/ids.config | ||
229 | Opening config file /etc/firejail/ids.config.local | ||
230 | 500 1000 1500 | ||
231 | Warning: modified /home/netblue/.bashrc | ||
232 | 2000 | ||
233 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
234 | |||
235 | The program will print the files that have been modified since the | ||
236 | database was created, or the files with different access permissions. | ||
237 | New files and deleted files are also flagged. | ||
238 | |||
239 | Currently while scanning the file system symbolic links are not fol‐ | ||
240 | lowed, and files the user doesn't have read access to are silently | ||
241 | dropped. The program can also be run as root (sudo firejail --ids- | ||
242 | init/--ids-check). | ||
199 | 243 | ||
200 | Later, we check it: | ||
201 | ````` | 244 | ````` |
202 | $ firejail --ids-check | ||
203 | Loading /etc/firejail/ids.config config file | ||
204 | 500 1000 1500 | ||
205 | Warning: modified /home/netblue/.bashrc | ||
206 | 2000 | ||
207 | 2457 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
208 | ````` | ||
209 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
210 | New files and deleted files are also flagged. | ||
211 | |||
212 | Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
213 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
214 | 245 | ||
215 | ### Deteministic Shutdown | 246 | ### Deteministic Shutdown |
216 | ````` | 247 | ````` |
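Review bot: the new --ids-check entry says it checks "file hashes previously generated by --ids-check"; the hashes are generated by --ids-init, as the --ids-init entry and the IDS section ("As a regular user, initialize the database: $ firejail --ids-init") both state, so that sentence should read "previously generated by --ids-init". The added text is also pasted from formatted man output, so the broken words with soft hyphens ("IN‐ TRUSION", "cur‐ rent", "direc‐ tories", "fol‐ lowed", "--ids- init/--ids-check") will show up verbatim inside the README's ````` fence; rejoin those wrapped lines before committing. Finally, the removed prose carried Markdown links to etc/ids.config on GitHub and to the BLAKE2 article that do not survive inside a fenced block; keeping a short intro line with those links above the fence would preserve them.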