intrusion detection system

1 files changed, 30 insertions, 0 deletions

diff --git a/README.md b/README.md
index 2fd8e3009..5fde0b74b 100644
--- a/README.md
+++ b/README.md
@@ -202,6 +202,36 @@ The old whitelist/blacklist will remain as aliasses for the next one or two rele
 in order to give users a chance to switch their local profiles.
 The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 
+### Intrusion Detection System ###
+
+We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
+and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
+The program runs as regular user, each user has his own file in /var/lib/firejail.
+
+Initialize the database:
+`````
+$ firejail --ids-init
+Loading /etc/firejail/ids.config config file
+500 1000 1500 2000
+2457 files scanned
+IDS database initialized
+`````
+
+Later, we check it:
+`````
+$ firejail --ids-check
+Loading /etc/firejail/ids.config config file
+500 1000 1500
+Warning: modified /home/netblue/.bashrc
+2000
+2457 files scanned: modified 1, permissions 0, new 0, removed 0
+`````
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+
+Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
+
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile as usual and run in /etc/profiles: