Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

veriexec(4) [netbsd man page]

VERIEXEC(4)						   BSD Kernel Interfaces Manual 					       VERIEXEC(4)

NAME

     veriexec -- Veriexec pseudo-device

SYNOPSIS

     pseudo-device veriexec

DESCRIPTION

     Veriexec verifies the integrity of specified executables and files before they are run or read.  This makes it much more difficult to insert
     a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet
     sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information
     about them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and userland.

     VERIEXEC_LOAD
	   Load an entry for a file to be monitored by Veriexec.

	   The dictionary passed contains the following elements:

	   Name 	 Type	   Purpose
	   file 	 string    filename for this entry
	   entry-type	 uint8	   entry type (see below)
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   ``entry-type'' can be one or more (binary-OR'd) of the following:

	   Type 		 Effect
	   VERIEXEC_DIRECT	 can execute directly
	   VERIEXEC_INDIRECT	 can execute indirectly (interpreter, mmap(2))
	   VERIEXEC_FILE	 can be opened
	   VERIEXEC_UNTRUSTED	 located on untrusted storage

     VERIEXEC_DELETE
	   Removes either an entry for a single file or entries for an entire mount from Veriexec.

	   The dictionary passed contains the following elements:

	   Name    Type      Purpose
	   file    string    filename or mount-point

     VERIEXEC_DUMP
	   Dump the Veriexec monitored files database from the kernel.

	   Only files that the filename is kept for them will be dumped.  The returned array contains dictionaries with the following elements:

	   Name 	 Type	   Purpose
	   file 	 string    filename
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint
	   entry-type	 uint8	   entry type (see above)

     VERIEXEC_FLUSH
	   Flush the Veriexec database, removing all entries.

	   This command has no parameters.

     VERIEXEC_QUERY
	   Queries Veriexec about a file, returning information that may be useful about it.

	   The dictionary passed contains the following elements:

	   Name    Type      Purpose
	   file    string    filename

	   The dictionary returned contains the following elements:

	   Name 	 Type	   Purpose
	   entry-type	 uint8	   entry type (see above)
	   status	 uint8	   entry status
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   ``status'' can be one of the following:

	   Status		   Meaning
	   FINGERPRINT_NOTEVAL	   not evaluated
	   FINGERPRINT_VALID	   fingerprint match
	   FINGERPRINT_MISMATCH    fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0.

SEE ALSO

     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8), veriexecgen(8), veriexec(9)

NOTES

     veriexec is part of the default configuration on the following architectures: amd64, i386, prep, sparc64.

AUTHORS

     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

BSD
								  March 19, 2011							       BSD

Check Out this Related Man Page

VERIEXECGEN(8)						    BSD System Manager's Manual 					    VERIEXECGEN(8)

NAME

     veriexecgen -- generate fingerprints for Veriexec

SYNOPSIS

     veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix] [-t algorithm]
     veriexecgen [-h]

DESCRIPTION

     veriexecgen can be used to create a fingerprint database for use with Veriexec.

     If no command line arguments were specified, veriexecgen will resort to default operation, implying -D -o /etc/signatures -t sha256.

     If the output file already exists, veriexecgen will save a backup copy in the same file only with a ``.old'' suffix.

     The following options are available:

     -A 	Append to the output file, don't overwrite it.

     -a 	Add fingerprints for non-executable files as well.

     -D 	Search system directories, /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.

     -d dir	Scan for files in dir.	Multiple uses of this flag can specify more than one directory.

     -h 	Display the help screen.

     -o fingerprintdb
		Save the generated fingerprint database to fingerprintdb.

     -p prefix	When storing files in the fingerprint database, store the full pathnames of files with the leading ``prefix'' of the filenames
		removed.

     -r 	Scan recursively.

     -S 	Set the immutable flag on the created signatures file when done writing it.

     -T 	Put a timestamp on the generated file.

     -t algorithm
		Use algorithm for the fingerprints.  Must be one of ``md5'', ``sha1'', ``sha256'', ``sha384'', ``sha512'', or ``rmd160''.

     -v 	Verbose mode.  Print messages describing what operations are being done.

     -W 	By default, veriexecgen will exit when an error condition is encountered.  This option will treat errors such as not being able to
		follow a symbolic link, not being able to find the real path for a directory entry, or not being able to calculate a hash of an
		entry as a warning, rather than an error.  If errors are treated as warnings, veriexecgen will continue processing.  The default
		behaviour is to treat errors as fatal.

FILES

     /etc/signatures

EXAMPLES

     Fingerprint files in the common system directories using the default hashing algorithm ``sha256'' and save to the default fingerprint data-
     base in /etc/signatures:

	   # veriexecgen

     Fingerprint files in /etc, appending to the default fingerprint database:

	   # veriexecgen -A -d /etc

     Fingerprint files in /path/to/somewhere using ``rmd160'' as the hashing algorithm, saving to /etc/somewhere.fp:

	   # veriexecgen -d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp

SEE ALSO

     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)

BSD
								 February 18, 2008							       BSD
Man Page