author | netblue30 <netblue30@protonmail.com> | 2021-11-13 09:01:18 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-11-13 09:01:18 -0500 |
commit | 1f6767c90605be5b0fd75b8b41f3f36937691bd9 (patch) | |
tree | b4a32cf60d6c6e7d017ddd9424fc4d05b7061494 /src | |
parent | merges (diff) | |
download | firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.gz firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.tar.zst firejail-1f6767c90605be5b0fd75b8b41f3f36937691bd9.zip |
--ids-check/--ids-init documentation
Diffstat (limited to 'src')
-rw-r--r-- | src/man/firejail.txt | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 499339264..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -821,6 +821,26 @@ Example: | |||
821 | $ firejail \-\-hosts-file=~/myhosts firefox | 821 | $ firejail \-\-hosts-file=~/myhosts firefox |
822 | 822 | ||
823 | .TP | 823 | .TP |
824 | \fB\-\-ids-check | ||
825 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. | ||
826 | .br | ||
827 | |||
828 | .br | ||
829 | Example: | ||
830 | .br | ||
831 | $ firejail \-\-ids-check | ||
832 | |||
833 | .TP | ||
834 | \fB\-\-ids-init | ||
835 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. | ||
836 | .br | ||
837 | |||
838 | .br | ||
839 | Example: | ||
840 | .br | ||
841 | $ firejail \-\-ids-init | ||
842 | |||
843 | .TP | ||
824 | \fB\-\-ignore=command | 844 | \fB\-\-ignore=command |
825 | Ignore command in profile file. | 845 | Ignore command in profile file. |
826 | .br | 846 | .br |
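Review bot: the description of \-\-ids-check (the line "Check file hashes previously generated by \-\-ids-check") names the wrong option; the hashes are generated by \-\-ids-init, so it should read "Check file hashes previously generated by \-\-ids-init". While here, the two new entries leave the reader without a hint of what state the check needs, so a sentence noting that \-\-ids-check fails or is meaningless until \-\-ids-init has been run once for that user would save a support question.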
@@ -3208,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | |||
3208 | $ firejail \-\-cat=mybrowser ~/.bashrc | 3228 | $ firejail \-\-cat=mybrowser ~/.bashrc |
3209 | .br | 3229 | .br |
3210 | #endif | 3230 | #endif |
3231 | |||
3232 | .SH INTRUSION DETECTION SYSTEM (IDS) | ||
3233 | The host-based intrusion detection system tracks down and audits user and system file modifications. | ||
3234 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, | ||
3235 | where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing. | ||
3236 | |||
3237 | As a regular user, initialize the database: | ||
3238 | .br | ||
3239 | |||
3240 | .br | ||
3241 | $ firejail --ids-init | ||
3242 | .br | ||
3243 | Opening config file /etc/firejail/ids.config | ||
3244 | .br | ||
3245 | Loading config file /etc/firejail/ids.config | ||
3246 | .br | ||
3247 | Opening config file /etc/firejail/ids.config.local | ||
3248 | .br | ||
3249 | 500 1000 1500 2000 | ||
3250 | .br | ||
3251 | 2466 files scanned | ||
3252 | .br | ||
3253 | IDS database initialized | ||
3254 | .br | ||
3255 | |||
3256 | .br | ||
3257 | The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory | ||
3258 | such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed. | ||
3259 | .br | ||
3260 | |||
3261 | .br | ||
3262 | Run --ids-check to audit the system: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --ids-check | ||
3267 | .br | ||
3268 | Opening config file /etc/firejail/ids.config | ||
3269 | .br | ||
3270 | Loading config file /etc/firejail/ids.config | ||
3271 | .br | ||
3272 | Opening config file /etc/firejail/ids.config.local | ||
3273 | .br | ||
3274 | 500 1000 1500 | ||
3275 | .br | ||
3276 | Warning: modified /home/netblue/.bashrc | ||
3277 | .br | ||
3278 | 2000 | ||
3279 | .br | ||
3280 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
3281 | .br | ||
3282 | |||
3283 | .br | ||
3284 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
3285 | New files and deleted files are also flagged. | ||
3286 | |||
3287 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
3288 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
3289 | |||
3211 | .SH MONITORING | 3290 | .SH MONITORING |
3212 | Option \-\-list prints a list of all sandboxes. The format | 3291 | Option \-\-list prints a list of all sandboxes. The format |
3213 | for each process entry is as follows: | 3292 | for each process entry is as follows: |
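Review bot: the new section tells a regular user to create the database in /var/lib/firejail/USERNAME.ids but never says who may write that file; since the point of the feature is to catch modifications to files such as ~/.bashrc made by code running as that same user, the text should state whether the user (and therefore anything running with the user's privileges) can simply re-run \-\-ids-init and re-baseline the tampered files, or whether the database is protected so that only root can reset it. Two smaller points in the same hunk: the examples use plain "--ids-init" and "--ids-check" while the option entries earlier in the file escape them as "\-\-ids-init", so the hyphens should be escaped here too for consistent rendering, and /etc/firejail/ids.config.local appears in the sample output but is never mentioned in the prose, so one line explaining that it is a local override loaded after ids.config would make the output self-explanatory.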