3 files changed, 91 insertions, 1 deletions
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 7e0a57f92..189e9cc8d 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -27,7 +27,7 @@ desktop managers are supported in this moment
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
+will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index a1eccaa5e..f6c905d59 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -954,12 +954,17 @@ be created and configured using "ip netns".
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
 #endif
 .SH Other
 .TP
 \fBdeterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .TP
+\fBdeterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.TP
 \fBjoin-or-start sandboxname
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e724e4bb9..b5cb1e7c2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
+.TP
+\fB\-\-deterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.br
 .TP
 \fB\-\-disable-mnt
 Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -815,6 +821,26 @@ Example:
 $ firejail \-\-hosts-file=~/myhosts firefox
 .TP
+\fB\-\-ids-check
+Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-ids-check
+.TP
+\fB\-\-ids-init
+Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
+.br
+.br
+Example:
+.br
+$ firejail \-\-ids-init
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -3202,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
 $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
 #endif
+.SH INTRUSION DETECTION SYSTEM (IDS)
+The host-based intrusion detection system tracks down and audits user and system file modifications.
+The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
+where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
+As a regular user, initialize the database:
+.br
+.br
+$ firejail --ids-init
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500 2000
+.br
+2466 files scanned
+.br
+IDS database initialized
+.br
+.br
+The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
+such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
+.br
+.br
+Run --ids-check to audit the system:
+.br
+.br
+$ firejail --ids-check
+.br
+Opening config file /etc/firejail/ids.config
+.br
+Loading config file /etc/firejail/ids.config
+.br
+Opening config file /etc/firejail/ids.config.local
+.br
+500 1000 1500
+.br
+Warning: modified /home/netblue/.bashrc
+.br
+2000
+.br
+2466 files scanned: modified 1, permissions 0, new 0, removed 0
+.br
+.br
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:

diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 7e0a57f92..189e9cc8d 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt
@@ -27,7 +27,7 @@ desktop managers are supported in this moment
27	To set it up, run "sudo firecfg" after installing Firejail software.	27	To set it up, run "sudo firecfg" after installing Firejail software.
28	The same command should also be run after	28	The same command should also be run after
29	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin	29	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
30	will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".	30	will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
31		31
32	For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.	32	For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
33	.SH DEFAULT ACTIONS	33	.SH DEFAULT ACTIONS


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a1eccaa5e..f6c905d59 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -954,12 +954,17 @@ be created and configured using "ip netns".
954	Use this name for the interface connected to the bridge for --net=bridge_interface commands,	954	Use this name for the interface connected to the bridge for --net=bridge_interface commands,
955	instead of the default one.	955	instead of the default one.
956	#endif	956	#endif
		957
957	.SH Other	958	.SH Other
958	.TP	959	.TP
959	\fBdeterministic-exit-code	960	\fBdeterministic-exit-code
960	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.	961	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
961		962
962	.TP	963	.TP
		964	\fBdeterministic-shutdown
		965	Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
		966
		967	.TP
963	\fBjoin-or-start sandboxname	968	\fBjoin-or-start sandboxname
964	Join the sandbox identified by name or start a new one.	969	Join the sandbox identified by name or start a new one.
965	Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".	970	Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e724e4bb9..b5cb1e7c2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
706	\fB\-\-deterministic-exit-code	706	\fB\-\-deterministic-exit-code
707	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.	707	Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
708	.br	708	.br
		709
		710	.TP
		711	\fB\-\-deterministic-shutdown
		712	Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
		713	.br
		714
709	.TP	715	.TP
710	\fB\-\-disable-mnt	716	\fB\-\-disable-mnt
711	Blacklist /mnt, /media, /run/mount and /run/media access.	717	Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -815,6 +821,26 @@ Example:
815	$ firejail \-\-hosts-file=~/myhosts firefox	821	$ firejail \-\-hosts-file=~/myhosts firefox
816		822
817	.TP	823	.TP
		824	\fB\-\-ids-check
		825	Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
		826	.br
		827
		828	.br
		829	Example:
		830	.br
		831	$ firejail \-\-ids-check
		832
		833	.TP
		834	\fB\-\-ids-init
		835	Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
		836	.br
		837
		838	.br
		839	Example:
		840	.br
		841	$ firejail \-\-ids-init
		842
		843	.TP
818	\fB\-\-ignore=command	844	\fB\-\-ignore=command
819	Ignore command in profile file.	845	Ignore command in profile file.
820	.br	846	.br
@@ -3202,6 +3228,65 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
3202	$ firejail \-\-cat=mybrowser ~/.bashrc	3228	$ firejail \-\-cat=mybrowser ~/.bashrc
3203	.br	3229	.br
3204	#endif	3230	#endif
		3231
		3232	.SH INTRUSION DETECTION SYSTEM (IDS)
		3233	The host-based intrusion detection system tracks down and audits user and system file modifications.
		3234	The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
		3235	where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
		3236
		3237	As a regular user, initialize the database:
		3238	.br
		3239
		3240	.br
		3241	$ firejail --ids-init
		3242	.br
		3243	Opening config file /etc/firejail/ids.config
		3244	.br
		3245	Loading config file /etc/firejail/ids.config
		3246	.br
		3247	Opening config file /etc/firejail/ids.config.local
		3248	.br
		3249	500 1000 1500 2000
		3250	.br
		3251	2466 files scanned
		3252	.br
		3253	IDS database initialized
		3254	.br
		3255
		3256	.br
		3257	The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
		3258	such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
		3259	.br
		3260
		3261	.br
		3262	Run --ids-check to audit the system:
		3263	.br
		3264
		3265	.br
		3266	$ firejail --ids-check
		3267	.br
		3268	Opening config file /etc/firejail/ids.config
		3269	.br
		3270	Loading config file /etc/firejail/ids.config
		3271	.br
		3272	Opening config file /etc/firejail/ids.config.local
		3273	.br
		3274	500 1000 1500
		3275	.br
		3276	Warning: modified /home/netblue/.bashrc
		3277	.br
		3278	2000
		3279	.br
		3280	2466 files scanned: modified 1, permissions 0, new 0, removed 0
		3281	.br
		3282
		3283	.br
		3284	The program will print the files that have been modified since the database was created, or the files with different access permissions.
		3285	New files and deleted files are also flagged.
		3286
		3287	Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
		3288	The program can also be run as root (sudo firejail --ids-init/--ids-check).
		3289
3205	.SH MONITORING	3290	.SH MONITORING
3206	Option \-\-list prints a list of all sandboxes. The format	3291	Option \-\-list prints a list of all sandboxes. The format
3207	for each process entry is as follows:	3292	for each process entry is as follows: