Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 96 |
1 files changed, 70 insertions, 26 deletions
@@ -96,7 +96,7 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca | |||
96 | 96 | ||
97 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. | 97 | Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. |
98 | 98 | ||
99 | The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package. | 99 | The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package. |
100 | 100 | ||
101 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: | 101 | You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: |
102 | 102 | ||
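Review bot: "Debian stable (bullseye)" in the new line 99 ties a codename to a moving target; once the next Debian release ships, "stable" and "bullseye" will no longer be the same thing and the sentence will read wrong while the bullseye-backports link stays valid. Suggest writing just "On Debian bullseye we recommend using the backports package" (also fixing "recommend to use" to "recommend using"), so the text only needs touching when the backports package itself moves.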
@@ -150,7 +150,7 @@ PulseAudio changes. | |||
150 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. | 150 | Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. |
151 | The integration applies to any program supported by default by Firejail. There are about 250 default applications | 151 | The integration applies to any program supported by default by Firejail. There are about 250 default applications |
152 | in current Firejail version, and the number goes up with every new release. | 152 | in current Firejail version, and the number goes up with every new release. |
153 | We keep the application list in [/usr/lib/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. | 153 | We keep the application list in [/etc/firejail/firecfg.config](https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config) file. |
154 | 154 | ||
155 | ## Security profiles | 155 | ## Security profiles |
156 | 156 | ||
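Review bot: the link text in line 153 changes the installed path from /usr/lib/firejail/firecfg.config to /etc/firejail/firecfg.config, but the link target is still the repository source file src/firecfg/firecfg.config, so a reader cannot tell from the README which path firecfg actually reads at runtime. Please confirm the install rule and the firecfg lookup path both use /etc/firejail, and consider stating it explicitly ("installed as /etc/firejail/firecfg.config, sourced from src/firecfg/firecfg.config"), since a stale path here sends users editing the wrong file.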
@@ -183,34 +183,78 @@ in order to give users a chance to switch their local profiles. | |||
183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | 183 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 |
184 | 184 | ||
185 | ### Intrusion Detection System ### | 185 | ### Intrusion Detection System ### |
186 | |||
187 | We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config), | ||
188 | and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids. | ||
189 | The program runs as regular user, each user has his own file in /var/lib/firejail. | ||
190 | |||
191 | Initialize the database: | ||
192 | ````` | 186 | ````` |
193 | $ firejail --ids-init | 187 | --ids-check |
194 | Loading /etc/firejail/ids.config config file | 188 | Check file hashes previously generated by --ids-check. See IN‐ |
195 | 500 1000 1500 2000 | 189 | TRUSION DETECTION SYSTEM section for more details. |
196 | 2457 files scanned | 190 | |
197 | IDS database initialized | 191 | Example: |
192 | $ firejail --ids-check | ||
193 | |||
194 | --ids-init | ||
195 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
196 | for more details. | ||
197 | |||
198 | Example: | ||
199 | $ firejail --ids-init | ||
200 | |||
201 | INTRUSION DETECTION SYSTEM (IDS) | ||
202 | The host-based intrusion detection system tracks down and audits user | ||
203 | and system file modifications. The feature is configured using | ||
204 | /etc/firejail/ids.config file, the checksums are stored in | ||
205 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
206 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
207 | |||
208 | As a regular user, initialize the database: | ||
209 | |||
210 | $ firejail --ids-init | ||
211 | Opening config file /etc/firejail/ids.config | ||
212 | Loading config file /etc/firejail/ids.config | ||
213 | Opening config file /etc/firejail/ids.config.local | ||
214 | 500 1000 1500 2000 | ||
215 | 2466 files scanned | ||
216 | IDS database initialized | ||
217 | |||
218 | The default configuration targets several system executables in direc‐ | ||
219 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
220 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
221 | ~/.config/autostart. Several system config files in /etc directory are | ||
222 | also hashed. | ||
223 | |||
224 | Run --ids-check to audit the system: | ||
225 | |||
226 | $ firejail --ids-check | ||
227 | Opening config file /etc/firejail/ids.config | ||
228 | Loading config file /etc/firejail/ids.config | ||
229 | Opening config file /etc/firejail/ids.config.local | ||
230 | 500 1000 1500 | ||
231 | Warning: modified /home/netblue/.bashrc | ||
232 | 2000 | ||
233 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
234 | |||
235 | The program will print the files that have been modified since the | ||
236 | database was created, or the files with different access permissions. | ||
237 | New files and deleted files are also flagged. | ||
238 | |||
239 | Currently while scanning the file system symbolic links are not fol‐ | ||
240 | lowed, and files the user doesn't have read access to are silently | ||
241 | dropped. The program can also be run as root (sudo firejail --ids- | ||
242 | init/--ids-check). | ||
243 | |||
198 | ````` | 244 | ````` |
199 | 245 | ||
200 | Later, we check it: | 246 | ### Deteministic Shutdown |
201 | ````` | 247 | ````` |
202 | $ firejail --ids-check | 248 | --deterministic-exit-code |
203 | Loading /etc/firejail/ids.config config file | 249 | Always exit firejail with the first child's exit status. The de‐ |
204 | 500 1000 1500 | 250 | fault behavior is to use the exit status of the final child to |
205 | Warning: modified /home/netblue/.bashrc | 251 | exit, which can be nondeterministic. |
206 | 2000 | 252 | |
207 | 2457 files scanned: modified 1, permissions 0, new 0, removed 0 | 253 | --deterministic-shutdown |
254 | Always shut down the sandbox after the first child has termi‐ | ||
255 | nated. The default behavior is to keep the sandbox alive as long | ||
256 | as it contains running processes. | ||
208 | ````` | 257 | ````` |
209 | The program will print the files that have been modified since the database was created, or the files with different access permissions. | ||
210 | New files and deleted files are also flagged. | ||
211 | |||
212 | Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped. | ||
213 | The program can also be run as root (sudo firejail --ids-init/--ids-check). | ||
214 | 258 | ||
215 | ### Profile Statistics | 259 | ### Profile Statistics |
216 | 260 | ||
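Review bot: the pasted man page text in the new line 188 says "--ids-check  Check file hashes previously generated by --ids-check", which is circular; the hashes are generated by --ids-init (as the new line 195 and the example at line 210 show), so it should read "previously generated by --ids-init". Two further points on this hunk: the heading in line 246 is misspelled ("Deteministic Shutdown" should be "Deterministic Shutdown"), and the man page excerpt still carries its terminal line breaks and soft-hyphen splits ("IN‐ TRUSION", "cur‐ rent", "direc‐ tories", "termi‐ nated", "--ids- init/--ids-check"), which will render as broken words inside the code fence; reflowing those lines before pasting would keep the README readable. Finally, dropping the old introduction (lines 187-189, which explained that the file list lives in /etc/firejail/ids.config and that each user gets their own /var/lib/firejail/username.ids) leaves the "Intrusion Detection System" heading followed directly by a raw man page block; keeping one lead sentence above the fence would preserve that context for README readers who never open the man page.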
@@ -248,4 +292,4 @@ $ ./profstats *.profile | |||
248 | ### New profiles: | 292 | ### New profiles: |
249 | 293 | ||
250 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, | 294 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, |
251 | cmake, make, meson, pip, codium | 295 | cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser |
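Review bot: the names added in line 295 are what readers will use to locate profile files, so they should match the profile filenames exactly; "OpenStego" is the only capitalised entry in the list, so please confirm it matches the actual .profile filename rather than the application's display name.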