-rw-r--r-- | README.md | 81 | ||||
-rw-r--r-- | src/man/firejail.txt | 79 |
2 files changed, 135 insertions, 25 deletions
@@ -183,34 +183,65 @@ in order to give users a chance to switch their local profiles. | |||
183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | 183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 |
184 | 184 | ||
185 | ### Intrusion Detection System ### | 185 | ### Intrusion Detection System ### |
186 | |||
187 | We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config), | ||
188 | and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids. | ||
189 | The program runs as regular user, each user has his own file in /var/lib/firejail. | ||
190 | |||
191 | Initialize the database: | ||
192 | ````` | ||
193 | $ firejail --ids-init | ||
194 | Loading /etc/firejail/ids.config config file | ||
195 | 500 1000 1500 2000 | ||
196 | 2457 files scanned | ||
197 | IDS database initialized | ||
198 | ````` | 186 | ````` |
187 | --ids-check | ||
188 | Check file hashes previously generated by --ids-check. See IN‐ | ||
189 | TRUSION DETECTION SYSTEM section for more details. | ||
190 | |||
191 | Example: | ||
192 | $ firejail --ids-check | ||
193 | |||
194 | --ids-init | ||
195 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
196 | for more details. | ||
197 | |||
198 | Example: | ||
199 | $ firejail --ids-init | ||
200 | |||
201 | INTRUSION DETECTION SYSTEM (IDS) | ||
202 | The host-based intrusion detection system tracks down and audits user | ||
203 | and system file modifications. The feature is configured using | ||
204 | /etc/firejail/ids.config file, the checksums are stored in | ||
205 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
206 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
207 | |||
208 | As a regular user, initialize the database: | ||
209 | |||
210 | $ firejail --ids-init | ||
211 | Opening config file /etc/firejail/ids.config | ||
212 | Loading config file /etc/firejail/ids.config | ||
213 | Opening config file /etc/firejail/ids.config.local | ||
214 | 500 1000 1500 2000 | ||
215 | 2466 files scanned | ||
216 | IDS database initialized | ||
217 | |||
218 | The default configuration targets several system executables in direc‐ | ||
219 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
220 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
221 | ~/.config/autostart. Several system config files in /etc directory are | ||
222 | also hashed. | ||
223 | |||
224 | Run --ids-check to audit the system: | ||
225 | |||
226 | $ firejail --ids-check | ||
227 | Opening config file /etc/firejail/ids.config | ||
228 | Loading config file /etc/firejail/ids.config | ||
229 | Opening config file /etc/firejail/ids.config.local | ||
230 | 500 1000 1500 | ||
231 | Warning: modified /home/netblue/.bashrc | ||
232 | 2000 | ||
233 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
234 | |||
235 | The program will print the files that have been modified since the | ||
236 | database was created, or the files with different access permissions. | ||
237 | New files and deleted files are also flagged. | ||
238 | |||
239 | Currently while scanning the file system symbolic links are not fol‐ | ||
240 | lowed, and files the user doesn't have read access to are silently | ||
241 | dropped. The program can also be run as root (sudo firejail --ids- | ||
242 | init/--ids-check). | ||
199 | 243 | ||
200 | Later, we check it: | ||
201 | ````` | 244 | ````` |
202 | $ firejail --ids-check | ||
203 | Loading /etc/firejail/ids.config config file | ||
204 | 500 1000 1500 | ||
205 | Warning: modified /home/netblue/.bashrc | ||
206 | 2000 | ||
207 | 2457 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
208 | ````` | ||
209 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
210 | New files and deleted files are also flagged. | ||
211 | |||
212 | Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
213 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
214 | 245 | ||
215 | ### Deteministic Shutdown | 246 | ### Deteministic Shutdown |
216 | ````` | 247 | ````` |
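Review bot: the README entry for --ids-check (the line "Check file hashes previously generated by --ids-check") names the wrong option; the hashes are produced by --ids-init, so it should read "previously generated by --ids-init". The block pasted into the README also carries line-break hyphenation from formatted man output ("IN‐ TRUSION", "cur‐ rent", "direc‐ tories", "fol‐ lowed", "--ids- init"), which markdown will render literally; paste the unformatted source text instead. The sample output now shows "Opening config file /etc/firejail/ids.config.local" while the prose only mentions /etc/firejail/ids.config, so one sentence on what that file is and whether it is optional would keep the documentation in step with the output. Separately, "Deteministic Shutdown" in the trailing context is misspelled ("Deterministic") and could be fixed in the same commit.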
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 499339264..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -821,6 +821,26 @@ Example: | |||
821 | $ firejail \-\-hosts-file=~/myhosts firefox | 821 | $ firejail \-\-hosts-file=~/myhosts firefox |
822 | 822 | ||
823 | .TP | 823 | .TP |
824 | \fB\-\-ids-check | ||
825 | Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details. | ||
826 | .br | ||
827 | |||
828 | .br | ||
829 | Example: | ||
830 | .br | ||
831 | $ firejail \-\-ids-check | ||
832 | |||
833 | .TP | ||
834 | \fB\-\-ids-init | ||
835 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details. | ||
836 | .br | ||
837 | |||
838 | .br | ||
839 | Example: | ||
840 | .br | ||
841 | $ firejail \-\-ids-init | ||
842 | |||
843 | .TP | ||
824 | \fB\-\-ignore=command | 844 | \fB\-\-ignore=command |
825 | Ignore command in profile file. | 845 | Ignore command in profile file. |
826 | .br | 846 | .br |
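Review bot: the description under \fB\-\-ids-check says the hashes were "previously generated by \-\-ids-check"; they are generated by \-\-ids-init, so the sentence should read "previously generated by \-\-ids-init". Since the IDS section says both options can also be run as root, a short mention of that in these two option entries would make the option reference self-contained.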
@@ -3208,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png | |||
3208 | $ firejail \-\-cat=mybrowser ~/.bashrc | 3228 | $ firejail \-\-cat=mybrowser ~/.bashrc |
3209 | .br | 3229 | .br |
3210 | #endif | 3230 | #endif |
3231 | |||
3232 | .SH INTRUSION DETECTION SYSTEM (IDS) | ||
3233 | The host-based intrusion detection system tracks down and audits user and system file modifications. | ||
3234 | The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids, | ||
3235 | where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing. | ||
3236 | |||
3237 | As a regular user, initialize the database: | ||
3238 | .br | ||
3239 | |||
3240 | .br | ||
3241 | $ firejail --ids-init | ||
3242 | .br | ||
3243 | Opening config file /etc/firejail/ids.config | ||
3244 | .br | ||
3245 | Loading config file /etc/firejail/ids.config | ||
3246 | .br | ||
3247 | Opening config file /etc/firejail/ids.config.local | ||
3248 | .br | ||
3249 | 500 1000 1500 2000 | ||
3250 | .br | ||
3251 | 2466 files scanned | ||
3252 | .br | ||
3253 | IDS database initialized | ||
3254 | .br | ||
3255 | |||
3256 | .br | ||
3257 | The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory | ||
3258 | such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed. | ||
3259 | .br | ||
3260 | |||
3261 | .br | ||
3262 | Run --ids-check to audit the system: | ||
3263 | .br | ||
3264 | |||
3265 | .br | ||
3266 | $ firejail --ids-check | ||
3267 | .br | ||
3268 | Opening config file /etc/firejail/ids.config | ||
3269 | .br | ||
3270 | Loading config file /etc/firejail/ids.config | ||
3271 | .br | ||
3272 | Opening config file /etc/firejail/ids.config.local | ||
3273 | .br | ||
3274 | 500 1000 1500 | ||
3275 | .br | ||
3276 | Warning: modified /home/netblue/.bashrc | ||
3277 | .br | ||
3278 | 2000 | ||
3279 | .br | ||
3280 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
3281 | .br | ||
3282 | |||
3283 | .br | ||
3284 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
3285 | New files and deleted files are also flagged. | ||
3286 | |||
3287 | Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
3288 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
3289 | |||
3211 | .SH MONITORING | 3290 | .SH MONITORING |
3212 | Option \-\-list prints a list of all sandboxes. The format | 3291 | Option \-\-list prints a list of all sandboxes. The format |
3213 | for each process entry is as follows: | 3292 | for each process entry is as follows: |
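Review bot: the new INTRUSION DETECTION SYSTEM section writes the options as --ids-init and --ids-check (in the example commands, in "Run --ids-check to audit the system", and in "(sudo firejail --ids-init/--ids-check)"), whereas the rest of this man page escapes them as \-\-ids-init and \-\-ids-check (see \-\-hosts-file and \-\-ignore in the surrounding context); groff may render an unescaped double hyphen as something other than two ASCII hyphens, so use the \-\- form here too. The sample output also lists /etc/firejail/ids.config.local, which the section's prose never mentions; a sentence on what that file is and whether it is optional would cover it. The statement that "files the user doesn't have read access to are silently dropped" deserves a line in the defaults paragraph, since it means a database built as a regular user silently omits any listed file that user cannot read, and the root run mentioned at the end is what gives full coverage.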