veriexec(5) [netbsd man page]
VERIEXEC(5) BSD File Formats Manual VERIEXEC(5) NAME
veriexec -- format for the Veriexec signatures file DESCRIPTION
Veriexec loads entries to the in-kernel database from a file describing files to be monitored and the type of monitoring. This file is often referred to as the 'signatures database' or 'signatures file'. The signatures file can be easily created using veriexecgen(8). SIGNATURES DATABASE FORMAT
The signatures database has a line based structure, where each line has several fields separated by white-space (space, tabs, etc.) taking the following form: path type fingerprint flags The description for each field is as follows: path The full path to the file. White-space characters can be escaped if prefixed with a ''. type Type of fingerprinting algorithm used for the file. Requires kernel support for the specified algorithm. List of fingerprinting algorithms supported by the kernel can be obtained by using the following command: # sysctl kern.veriexec.algorithms fingerprint The fingerprint for the file. Can (usually) be generated using the following command: % cksum -a <algorithm> <file> flags Optional listing of entry flags, separated by a comma. These may include: direct Allow direct execution only. Execution of a program is said to be ``direct'' when the program is invoked by the user (either in a script, manually typing it, etc.) via the execve(2) syscall. indirect Allow indirect execution only. Execution of a program is said to be ``indirect'' if it is invoked by the kernel to interpret a script (``hash-bang''). file Allow opening the file only, via the open(2) syscall (no execution is allowed). untrusted Indicate that the file is located on untrusted storage and its fingerprint evaluation status should not be cached, but rather re-calculated each time it is accessed. Fingerprints for untrusted files will always be evaluated on load. To improve readaibility of the signatures file, the following aliases are provided: program An alias for ``direct''. interpreter An alias for ``indirect'' script An alias for both ``direct'' and ``file''. library An alias for both ``file'' and ``indirect''. If no flags are specified, ``direct'' is assumed. Comments begin with a '#' character and span to the end of the line. SEE ALSO
veriexec(4), security(7), veriexec(8), veriexecctl(8), veriexecgen(8) HISTORY
veriexec first appeared in NetBSD 2.0. AUTHORS
Brett Lymn <blymn@NetBSD.org> Elad Efrat <elad@NetBSD.org> BSD
March 18, 2011 BSD
Check Out this Related Man Page
VERIEXEC(4) BSD Kernel Interfaces Manual VERIEXEC(4) NAME
veriexec -- Veriexec pseudo-device SYNOPSIS
pseudo-device veriexec DESCRIPTION
Veriexec verifies the integrity of specified executables and files before they are run or read. This makes it much more difficult to insert a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet sniffers, DDoS clients and so on. The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information about them. It can also be used to dump the entire database. Kernel-userland interaction Veriexec uses proplib(3) for communication between the kernel and userland. VERIEXEC_LOAD Load an entry for a file to be monitored by Veriexec. The dictionary passed contains the following elements: Name Type Purpose file string filename for this entry entry-type uint8 entry type (see below) fp-type string fingerprint hashing algorithm fp data the fingerprint ``entry-type'' can be one or more (binary-OR'd) of the following: Type Effect VERIEXEC_DIRECT can execute directly VERIEXEC_INDIRECT can execute indirectly (interpreter, mmap(2)) VERIEXEC_FILE can be opened VERIEXEC_UNTRUSTED located on untrusted storage VERIEXEC_DELETE Removes either an entry for a single file or entries for an entire mount from Veriexec. The dictionary passed contains the following elements: Name Type Purpose file string filename or mount-point VERIEXEC_DUMP Dump the Veriexec monitored files database from the kernel. Only files that the filename is kept for them will be dumped. The returned array contains dictionaries with the following elements: Name Type Purpose file string filename fp-type string fingerprint hashing algorithm fp data the fingerprint entry-type uint8 entry type (see above) VERIEXEC_FLUSH Flush the Veriexec database, removing all entries. This command has no parameters. VERIEXEC_QUERY Queries Veriexec about a file, returning information that may be useful about it. The dictionary passed contains the following elements: Name Type Purpose file string filename The dictionary returned contains the following elements: Name Type Purpose entry-type uint8 entry type (see above) status uint8 entry status fp-type string fingerprint hashing algorithm fp data the fingerprint ``status'' can be one of the following: Status Meaning FINGERPRINT_NOTEVAL not evaluated FINGERPRINT_VALID fingerprint match FINGERPRINT_MISMATCH fingerprint mismatch Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0. SEE ALSO
proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8), veriexecgen(8), veriexec(9) NOTES
veriexec is part of the default configuration on the following architectures: amd64, i386, prep, sparc64. AUTHORS
Brett Lymn <blymn@NetBSD.org> Elad Efrat <elad@NetBSD.org> BSD
March 19, 2011 BSD