-rw-r--r-- | README.md | 126 |
1 files changed, 2 insertions, 124 deletions
@@ -207,133 +207,11 @@ You can also use this tool to get a list of syscalls needed by a program: [contr | |||
207 | 207 | ||
208 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 208 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
209 | 209 | ||
210 | ## Latest released version: 0.9.66 | 210 | ## Latest released version: 0.9.68 |
211 | 211 | ||
212 | ## Current development version: 0.9.67 | 212 | ## Current development version: 0.9.69 |
213 | 213 | ||
214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
215 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | ||
216 | |||
217 | Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change! | ||
218 | |||
219 | The old whitelist/blacklist will remain as aliasses for the next one or two releases | ||
220 | in order to give users a chance to switch their local profiles. | ||
221 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | ||
222 | |||
223 | ### Intrusion Detection System ### | ||
224 | ````` | ||
225 | --ids-check | ||
226 | Check file hashes previously generated by --ids-check. See IN‐ | ||
227 | TRUSION DETECTION SYSTEM section for more details. | ||
228 | |||
229 | Example: | ||
230 | $ firejail --ids-check | ||
231 | |||
232 | --ids-init | ||
233 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
234 | for more details. | ||
235 | |||
236 | Example: | ||
237 | $ firejail --ids-init | ||
238 | |||
239 | INTRUSION DETECTION SYSTEM (IDS) | ||
240 | The host-based intrusion detection system tracks down and audits user | ||
241 | and system file modifications. The feature is configured using | ||
242 | /etc/firejail/ids.config file, the checksums are stored in | ||
243 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
244 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
245 | |||
246 | As a regular user, initialize the database: | ||
247 | |||
248 | $ firejail --ids-init | ||
249 | Opening config file /etc/firejail/ids.config | ||
250 | Loading config file /etc/firejail/ids.config | ||
251 | Opening config file /etc/firejail/ids.config.local | ||
252 | 500 1000 1500 2000 | ||
253 | 2466 files scanned | ||
254 | IDS database initialized | ||
255 | |||
256 | The default configuration targets several system executables in direc‐ | ||
257 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
258 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
259 | ~/.config/autostart. Several system config files in /etc directory are | ||
260 | also hashed. | ||
261 | |||
262 | Run --ids-check to audit the system: | ||
263 | |||
264 | $ firejail --ids-check | ||
265 | Opening config file /etc/firejail/ids.config | ||
266 | Loading config file /etc/firejail/ids.config | ||
267 | Opening config file /etc/firejail/ids.config.local | ||
268 | 500 1000 1500 | ||
269 | Warning: modified /home/netblue/.bashrc | ||
270 | 2000 | ||
271 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
272 | |||
273 | The program will print the files that have been modified since the | ||
274 | database was created, or the files with different access permissions. | ||
275 | New files and deleted files are also flagged. | ||
276 | |||
277 | Currently while scanning the file system symbolic links are not fol‐ | ||
278 | lowed, and files the user doesn't have read access to are silently | ||
279 | dropped. The program can also be run as root (sudo firejail --ids- | ||
280 | init/--ids-check). | ||
281 | |||
282 | ````` | ||
283 | |||
284 | ### File descriptors | ||
285 | ````` | ||
286 | --keep-fd=all | ||
287 | Inherit all open file descriptors to the sandbox. By default | ||
288 | only file descriptors 0, 1 and 2 are inherited to the sandbox, | ||
289 | and all other file descriptors are closed. | ||
290 | |||
291 | Example: | ||
292 | $ firejail --keep-fd=all | ||
293 | |||
294 | --keep-fd=file_descriptor | ||
295 | Don't close specified open file descriptors. By default only | ||
296 | file descriptors 0, 1 and 2 are inherited to the sandbox, and | ||
297 | all other file descriptors are closed. | ||
298 | |||
299 | Example: | ||
300 | $ firejail --keep-fd=3,4,5 | ||
301 | ````` | ||
302 | |||
303 | ### Deteministic Shutdown | ||
304 | ````` | ||
305 | --deterministic-exit-code | ||
306 | Always exit firejail with the first child's exit status. The de‐ | ||
307 | fault behavior is to use the exit status of the final child to | ||
308 | exit, which can be nondeterministic. | ||
309 | |||
310 | --deterministic-shutdown | ||
311 | Always shut down the sandbox after the first child has termi‐ | ||
312 | nated. The default behavior is to keep the sandbox alive as long | ||
313 | as it contains running processes. | ||
314 | ````` | ||
315 | |||
316 | ### Network Monitor | ||
317 | ````` | ||
318 | --nettrace=name|pid | ||
319 | Monitor TCP and UDP traffic coming into the sandbox specified by | ||
320 | name or pid. Only networked sandboxes created with --net are | ||
321 | supported. | ||
322 | |||
323 | $ firejail --nettrace=browser | ||
324 | 86 KB/s ********* 64.222.84.207:443 United States | ||
325 | 76 KB/s ******** 192.229.210.163:443 MCI | ||
326 | 111 B/s 9.9.9.9:53 Quad9 DNS | ||
327 | 32 KB/s *** 142.250.179.182:443 Google | ||
328 | |||
329 | If /usr/bin/geoiplookup is installed (geoip-bin packet in De‐ | ||
330 | bian), the country the IP address originates from is added to | ||
331 | the trace. We also use the static IP map in /etc/firejail/host‐ | ||
332 | names to print the domain names for some of the more common web‐ | ||
333 | sites and cloud platforms. No external services are contacted | ||
334 | for reverse IP lookup. | ||
335 | |||
336 | ````` | ||
337 | 215 | ||
338 | ### Profile Statistics | 216 | ### Profile Statistics |
339 | 217 | ||
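Review bot: the hunk drops 124 lines of feature documentation (Intrusion Detection System, file descriptors, deterministic shutdown, network monitor) and keeps only the two version bumps at 210/212, so the "Current development version: 0.9.69" section now carries nothing but the milestone link; if that material has moved to the man pages or release notes, add one line in the README saying where, and either keep the removed "Release discussion" line (issue 3696) or replace it with the 0.9.69 discussion thread. The removed text also contained a self-referential error in `--ids-check` ("Check file hashes previously generated by --ids-check" should read `--ids-init`) and the typos "Deteministic" and "aliasses"; if the block is being relocated rather than retired, make sure those fixes travel with it.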