intrusion detection system

netblue30 · Jul 28, 2021 · a627071 · a627071
1 parent 8b50039
commit a627071
Show file tree

Hide file tree

Showing 18 changed files with 1,118 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -22,12 +22,13 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
-jailcheck.5
+jailcheck.1
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
+src/fids/fids
 src/tags
 src/faudit/faudit
 src/fnet/fnet

diff --git a/Makefile.in b/Makefile.in
@@ -26,7 +26,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 .PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
-SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
@@ -135,7 +135,7 @@ endif
  install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
  # profiles and settings
  install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
- install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+ install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
  sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)
  ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc

diff --git a/README.md b/README.md
@@ -202,6 +202,36 @@ The old whitelist/blacklist will remain as aliasses for the next one or two rele
 in order to give users a chance to switch their local profiles.
 The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 
+### Intrusion Detection System ###
+
+We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
+and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
+The program runs as regular user, each user has his own file in /var/lib/firejail.
+
+Initialize the database:
+`````
+$ firejail --ids-init
+Loading /etc/firejail/ids.config config file
+500 1000 1500 2000
+2457 files scanned
+IDS database initialized
+`````
+
+Later, we check it:
+`````
+$ firejail --ids-check
+Loading /etc/firejail/ids.config config file
+500 1000 1500
+Warning: modified /home/netblue/.bashrc
+2000
+2457 files scanned: modified 1, permissions 0, new 0, removed 0
+`````
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+
+Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
+
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile as usual and run in /etc/profiles:

diff --git a/configure b/configure
@@ -4350,7 +4350,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5084,6 +5084,7 @@ do
  "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
  "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
  "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
+ "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac

diff --git a/configure.ac b/configure.ac
@@ -300,7 +300,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile])
+src/jailcheck/Makefile src/fids/Makefile])
 AC_OUTPUT
 
 cat <<EOF

diff --git a/etc/ids.config b/etc/ids.config
@@ -0,0 +1,134 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+#
+# Each line is a file or directory name such as
+# /usr/bin
+# or
+# ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to user home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+# !${HOME}/.ssh/known_hosts
+# ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of knonw_hosts
+#
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejal/ids.config.local.
+
+include ids.config.local
+
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/games
+/usr/libexec
+
+### user executables ###
+#/usr/local
+#/opt
+
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+
+### shells local ###
+${HOME}/.bashrc # bash
+${HOME}/.bash_profile
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.zshenv #zsh
+${HOME}/.zshprofile
+${HOME}/.zshrc
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.config/fish/config.fish # fish
+${HOME}/.profile # others
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.cshrc
+${HOME}/.tcshrc
+${HOME}/.kshrc
+
+### shells global ###
+/etc/shells # all
+/etc/profile
+/etc/profile.d
+/etc/environment
+/etc/skel
+/etc/dircolors
+/etc/bash.bashrc # bash
+/etc/bash_completion*
+/etc/bashrc
+/etc/zshenv # zsh
+/etc/zprofile
+/etc/zshrc
+/etc/zlogin
+/etc/zlogout
+/etc/fish # fish
+/etc/complete.tcsh # tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+/etc/ksh.kshrc # ksh
+
+### X11 ###
+${HOME}/.xsessionrc
+${HOME}/.xsession
+${HOME}/.Xsession
+${HOME}/.xinitrc
+${HOME}/.xprofile
+${HOME}/.xmodmaprc
+${HOME}/.xserverrc
+${HOME}/.Xresurces
+/etc/X11
+
+### window/desktop manager ###
+${HOME}/.config/autostart
+${HOME}/Desktop/*.desktop
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kderc
+
+### security ###
+${HOME}/.gnupg
+${HOME}/.config/firejail
+/etc/apparmor*
+/etc/selinux
+/etc/security
+/etc/group*
+/etc/gshadow*
+/etc/passwd*
+/etc/shadow*
+/etc/pam.*
+/etc/sudoers*
+/etc/securetty
+/etc/cracklib
+/etc/libaudit.conf
+/etc/tripwire
+/etc/aide
+/etc/chkrootkit.conf
+/etc/rkhunter.conf
+
+*** network security ***
+/etc/services
+/etc/hosts.*
+/etc/ssl
+/etc/ca-certificates*
+/usr/share/ca-certificates
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/etc/ssh
+/etc/snort
+/etc/wireshark
+
+### system config ###
+/etc/default
+/etc/crontab
+/etc/cron.*
diff --git a/src/common.mk.in b/src/common.mk.in
@@ -40,7 +40,7 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
-CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"'
 MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security

diff --git a/src/fids/Makefile.in b/src/fids/Makefile.in
@@ -0,0 +1,18 @@
+.PHONY: all
+all: fids
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h
+ $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+fids: $(OBJS)
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+ rm -fr Makefile