github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

build: remove remnants of IDS/fids

Browse source 
Remove what remains of the Intrusion Detection System (IDS)/fids,
`--ids` commands and the `--enable-ids` configure option.

Commands:

* `--ids-check`
* `--ids-init`

Related commits:

* 5e962ff78 ("removed IDS feature, it was never enabled by default in
  our builds", 2025-12-17)

Relates to #6995.
This commit is contained in:
Kelvin M. Klann 2025-12-19 10:09:02 -03:00
parent 8d927220b5
commit 381c3cf1a3
6 changed files with 0 additions and 275 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -28,7 +28,6 @@ src/firejail/firejail
src/firemon/firemon src/firemon/firemon
src/firecfg/firecfg src/firecfg/firecfg
src/ftee/ftee src/ftee/ftee
src/fids/fids
src/tags src/tags
src/faudit/faudit src/faudit/faudit
src/fnet/fnet src/fnet/fnet

3
Makefile
View file

@ -251,9 +251,6 @@ endif
sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \ sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \ $(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \
fi" fi"
ifeq ($(HAVE_IDS),-DHAVE_IDS)
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
endif
ifeq ($(BUSYBOX_WORKAROUND),yes) ifeq ($(BUSYBOX_WORKAROUND),yes)
./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
endif endif

164
etc/ids.config
View file

@ -1,164 +0,0 @@
# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
# This config file is overwritten when a new version of Firejail is installed.
# For global customization use /etc/firejail/ids.config.local.
include ids.config.local
#
# Each line is a file or directory name such as
# /usr/bin
# or
# ${HOME}/Desktop/*.desktop
#
# ${HOME} is expanded to the user's home directory, and * is the regular
# globbing match for zero or more characters.
#
# File or directory names starting with ! are not scanned. For example
# !${HOME}/.ssh/known_hosts
# ${HOME}/.ssh
# will scan all files in ~/.ssh directory with the exception of known_hosts
### system executables ###
/bin
/sbin
/usr/bin
/usr/games
/usr/libexec
/usr/sbin
### user executables ###
#/opt
#/usr/local
### system libraries ###
#/lib
#/usr/lib
#/usr/lib32
#/usr/lib64
#/usr/libx32
### shells local ###
# bash
${HOME}/.bash_aliases
${HOME}/.bash_login
${HOME}/.bash_logout
${HOME}/.bash_profile
${HOME}/.bashrc
# fish
${HOME}/.config/fish/config.fish
# others
${HOME}/.cshrc
${HOME}/.kshrc
${HOME}/.login
${HOME}/.logout
${HOME}/.profile
${HOME}/.tcshrc
# zsh
${HOME}/.zlogin
${HOME}/.zlogout
${HOME}/.zshenv
${HOME}/.zshprofile
${HOME}/.zshrc
# Note: This list should be kept in sync with the one in inc/disable-shell.inc.
### shells global ###
# all
/etc/dircolors
/etc/environment
/etc/profile
/etc/profile.d
/etc/shells
/etc/skel
# bash
/etc/bash
/etc/bash.bashrc
/etc/bash_completion*
/etc/bashrc
# fish
/etc/fish
# ksh
/etc/ksh.kshrc
/etc/suid_profile
# tcsh
/etc/complete.tcsh
/etc/csh.cshrc
/etc/csh.login
/etc/csh.logout
# zsh
/etc/zlogin
/etc/zlogout
/etc/zprofile
/etc/zsh
/etc/zshenv
/etc/zshrc
### X11 ###
/etc/X11
${HOME}/.xinitrc
${HOME}/.xmodmaprc
${HOME}/.xprofile
${HOME}/.Xresources
${HOME}/.xserverrc
${HOME}/.Xsession
${HOME}/.xsession
${HOME}/.xsessionrc
### window/desktop manager ###
${HOME}/Desktop/*.desktop
${HOME}/.config/autostart
${HOME}/.config/autostart-scripts
${HOME}/.config/lxsession/LXDE/autostart
${HOME}/.config/openbox/autostart
${HOME}/.config/openbox/environment
${HOME}/.config/plasma-workspace/env
${HOME}/.config/plasma-workspace/shutdown
${HOME}/.gnomerc
${HOME}/.gtkrc
${HOME}/.kde/Autostart
${HOME}/.kde/env
${HOME}/.kde/share/autostart
${HOME}/.kde/shutdown
${HOME}/.kde4/Autostart
${HOME}/.kde4/env
${HOME}/.kde4/share/autostart
${HOME}/.kde4/shutdown
${HOME}/.kderc
${HOME}/.local/share/autostart
### security ###
/etc/aide
/etc/apparmor*
/etc/chkrootkit.conf
/etc/cracklib
/etc/doas.conf
/etc/libaudit.conf
/etc/group*
/etc/gshadow*
/etc/pam.*
/etc/passwd*
/etc/rkhunter*
/etc/securetty
/etc/security
/etc/selinux
/etc/shadow*
/etc/sudo*.conf
/etc/sudoers*
/etc/tripwire
${HOME}/.config/firejail
${HOME}/.gnupg
${HOME}/.pam_environment
### network security ###
/etc/ca-certificates*
/etc/hosts.*
/etc/services
/etc/snort
/etc/ssh
/etc/ssl
/etc/wireshark
!${HOME}/.ssh/known_hosts # excluding
${HOME}/.ssh
/usr/share/ca-certificates
### system config ###
/etc/cron.*
/etc/crontab
/etc/default

82
src/man/firejail.1.in
View file

@ -957,28 +957,6 @@ $ sudo firejail --icmptrace
20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
.br .br
#ifdef HAVE_IDS
.TP
\fB\-\-ids-check
Check file hashes previously generated by \-\-ids-check. See INTRUSION DETECTION SYSTEM section for more details.
.br
.br
Example:
.br
$ firejail \-\-ids-check
.TP
\fB\-\-ids-init
Initialize file hashes. See INTRUSION DETECTION SYSTEM section for more details.
.br
.br
Example:
.br
$ firejail \-\-ids-init
#endif
.TP .TP
\fB\-\-ignore=command \fB\-\-ignore=command
Ignore command in profile file. Ignore command in profile file.
@ -3645,66 +3623,6 @@ $ firejail \-\-cat=mybrowser ~/.bashrc
.br .br
#endif #endif
#ifdef HAVE_IDS
.SH INTRUSION DETECTION SYSTEM (IDS)
The host-based intrusion detection system tracks down and audits user and system file modifications.
The feature is configured using /etc/firejail/ids.config file, the checksums are stored in /var/lib/firejail/USERNAME.ids,
where USERNAME is the name of the current user. We use BLAKE2 cryptographic function for hashing.
As a regular user, initialize the database:
.br
.br
$ firejail --ids-init
.br
Opening config file /etc/firejail/ids.config
.br
Loading config file /etc/firejail/ids.config
.br
Opening config file /etc/firejail/ids.config.local
.br
500 1000 1500 2000
.br
2466 files scanned
.br
IDS database initialized
.br
.br
The default configuration targets several system executables in directories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical config files in user home directory
such as ~/.bashrc, ~/.xinitrc, and ~/.config/autostart. Several system config files in /etc directory are also hashed.
.br
.br
Run --ids-check to audit the system:
.br
.br
$ firejail --ids-check
.br
Opening config file /etc/firejail/ids.config
.br
Loading config file /etc/firejail/ids.config
.br
Opening config file /etc/firejail/ids.config.local
.br
500 1000 1500
.br
Warning: modified /home/netblue/.bashrc
.br
2000
.br
2466 files scanned: modified 1, permissions 0, new 0, removed 0
.br
.br
The program will print the files that have been modified since the database was created, or the files with different access permissions.
New files and deleted files are also flagged.
Currently while scanning the file system, symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
The program can also be run as root (sudo firejail --ids-init/--ids-check).
#endif
#ifdef HAVE_LANDLOCK #ifdef HAVE_LANDLOCK
.SH LANDLOCK .SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable. Warning: Landlock support in firejail is considered experimental and unstable.

3
src/zsh_completion/_firejail.in
View file

@ -62,9 +62,6 @@ _firejail_args=(
'--tree[print a tree of all sandboxed processes]' '--tree[print a tree of all sandboxed processes]'
'--version[print program version and exit]' '--version[print program version and exit]'
'--ids-check[verify file system]'
'--ids-init[initialize IDS database]'
'--debug[print sandbox debug messages]' '--debug[print sandbox debug messages]'
'--debug-blacklists[debug blacklisting]' '--debug-blacklists[debug blacklisting]'
'--debug-caps[print all recognized capabilities]' '--debug-caps[print all recognized capabilities]'

22
test/compile/compile.sh
View file

@ -31,7 +31,6 @@ arr[15]="TEST 15: compile private-home disabled"
arr[16]="TEST 16: compile disable manpages" arr[16]="TEST 16: compile disable manpages"
arr[17]="TEST 17: disable tmpfs as regular user" arr[17]="TEST 17: disable tmpfs as regular user"
arr[18]="TEST 18: disable private home" arr[18]="TEST 18: disable private home"
arr[19]="TEST 19: enable ids"
# remove previous reports and output file # remove previous reports and output file
cleanup() { cleanup() {
@ -412,26 +411,6 @@ cp output-configure oc18
cp output-make om18 cp output-make om18
rm output-configure output-make rm output-configure output-make
#*****************************************************************
# TEST 19
#*****************************************************************
# - enable ids
#*****************************************************************
print_title "${arr[19]}"
cd firejail || exit 1
make distclean
./configure --prefix=/usr --enable-fatal-warnings \
--enable-ids \
2>&1 | tee ../output-configure
make -j "$(nproc)" 2>&1 | tee ../output-make
cd ..
grep Warning output-configure output-make > ./report-test19
grep Error output-configure output-make >> ./report-test19
cp output-configure oc19
cp output-make om19
rm output-configure output-make
#***************************************************************** #*****************************************************************
# PRINT REPORTS # PRINT REPORTS
#***************************************************************** #*****************************************************************
@ -463,4 +442,3 @@ echo "${arr[15]}"
echo "${arr[16]}" echo "${arr[16]}"
echo "${arr[17]}" echo "${arr[17]}"
echo "${arr[18]}" echo "${arr[18]}"
echo "${arr[19]}"