Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

veriexec(4) [netbsd man page]

VERIEXEC(4)						   BSD Kernel Interfaces Manual 					       VERIEXEC(4)

NAME

     veriexec -- Veriexec pseudo-device

SYNOPSIS

     pseudo-device veriexec

DESCRIPTION

     Veriexec verifies the integrity of specified executables and files before they are run or read.  This makes it much more difficult to insert
     a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet
     sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information
     about them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and userland.

     VERIEXEC_LOAD
	   Load an entry for a file to be monitored by Veriexec.

	   The dictionary passed contains the following elements:

	   Name 	 Type	   Purpose
	   file 	 string    filename for this entry
	   entry-type	 uint8	   entry type (see below)
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   ``entry-type'' can be one or more (binary-OR'd) of the following:

	   Type 		 Effect
	   VERIEXEC_DIRECT	 can execute directly
	   VERIEXEC_INDIRECT	 can execute indirectly (interpreter, mmap(2))
	   VERIEXEC_FILE	 can be opened
	   VERIEXEC_UNTRUSTED	 located on untrusted storage

     VERIEXEC_DELETE
	   Removes either an entry for a single file or entries for an entire mount from Veriexec.

	   The dictionary passed contains the following elements:

	   Name    Type      Purpose
	   file    string    filename or mount-point

     VERIEXEC_DUMP
	   Dump the Veriexec monitored files database from the kernel.

	   Only files that the filename is kept for them will be dumped.  The returned array contains dictionaries with the following elements:

	   Name 	 Type	   Purpose
	   file 	 string    filename
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint
	   entry-type	 uint8	   entry type (see above)

     VERIEXEC_FLUSH
	   Flush the Veriexec database, removing all entries.

	   This command has no parameters.

     VERIEXEC_QUERY
	   Queries Veriexec about a file, returning information that may be useful about it.

	   The dictionary passed contains the following elements:

	   Name    Type      Purpose
	   file    string    filename

	   The dictionary returned contains the following elements:

	   Name 	 Type	   Purpose
	   entry-type	 uint8	   entry type (see above)
	   status	 uint8	   entry status
	   fp-type	 string    fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   ``status'' can be one of the following:

	   Status		   Meaning
	   FINGERPRINT_NOTEVAL	   not evaluated
	   FINGERPRINT_VALID	   fingerprint match
	   FINGERPRINT_MISMATCH    fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0.

SEE ALSO

     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8), veriexecgen(8), veriexec(9)

NOTES

     veriexec is part of the default configuration on the following architectures: amd64, i386, prep, sparc64.

AUTHORS

     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

BSD
								  March 19, 2011							       BSD

Check Out this Related Man Page

Net::DNS::RR::SSHFP(3)					User Contributed Perl Documentation				    Net::DNS::RR::SSHFP(3)

NAME

       Net::DNS::RR::SSHFP - DNS SSHFP resource record

SYNOPSIS

	   use Net::DNS;
	   $rr = new Net::DNS::RR('name SSHFP algorithm fptype fp');

DESCRIPTION

       DNS SSH Fingerprint (SSHFP) resource records.

METHODS

       The available methods are those inherited from the base class augmented by the type-specific methods defined in this package.

       Use of undocumented package features or direct access to internal data structures is discouraged and could result in program termination or
       other unpredictable behaviour.

   algorithm
	   $algorithm = $rr->algorithm;

       The 8-bit algorithm number describes the algorithm used to construct the public key.

   fptype
	   $fptype = $rr->fptype;

       The 8-bit fingerprint type number describes the message-digest algorithm used to calculate the fingerprint of the public key.

   fp
	   $fp = $rr->fp;

       Hexadecimal representation of the fingerprint digest.

   fpbin
	   $fpbin = $rr->fpbin;

       Returns opaque octet string representing the fingerprint digest.

   babble
	   print $rr->babble;

       The babble() method returns the 'BabbleBubble' representation of the fingerprint if the Digest::BubbleBabble package is available,
       otherwise an empty string is returned.

       Bubble babble represents a message digest as a string of "real" words, to make the fingerprint easier to remember. The "words" are not
       necessarily real words, but they look more like words than a string of hex characters.

       Bubble babble fingerprinting is used by the SSH2 suite (and consequently by Net::SSH::Perl, the Perl SSH implementation) to display easy-
       to-remember key fingerprints.

       The 'BubbleBabble' string is appended as a comment to the RDATA when the string method is called.

COPYRIGHT

       Copyright (c)2007 Olaf Kolkman, NLnet Labs.

       Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.

       All rights reserved.

       This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

       perl, Net::DNS, Net::DNS::RR, RFC4255

perl v5.18.2							    2014-01-16						    Net::DNS::RR::SSHFP(3)
Man Page