Home Man
Today's Posts

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:
Select Section of Man Page:
Select Man Page Repository:

NetBSD 6.1.5 - man page for veriexec (netbsd section 5)

VERIEXEC(5)			     BSD File Formats Manual			      VERIEXEC(5)

     veriexec -- format for the Veriexec signatures file

     Veriexec loads entries to the in-kernel database from a file describing files to be moni-
     tored and the type of monitoring.	This file is often referred to as the 'signatures
     database' or 'signatures file'.

     The signatures file can be easily created using veriexecgen(8).

     The signatures database has a line based structure, where each line has several fields sepa-
     rated by white-space (space, tabs, etc.) taking the following form:

	   path type fingerprint    flags

     The description for each field is as follows:

     path	  The full path to the file.  White-space characters can be escaped if prefixed
		  with a '\'.

     type	  Type of fingerprinting algorithm used for the file.

		  Requires kernel support for the specified algorithm.	List of fingerprinting
		  algorithms supported by the kernel can be obtained by using the following com-

			# sysctl kern.veriexec.algorithms

     fingerprint  The fingerprint for the file.  Can (usually) be generated using the following

			% cksum -a <algorithm> <file>

     flags	  Optional listing of entry flags, separated by a comma.  These may include:

		  direct     Allow direct execution only.

			     Execution of a program is said to be ``direct'' when the program is
			     invoked by the user (either in a script, manually typing it, etc.)
			     via the execve(2) syscall.

		  indirect   Allow indirect execution only.

			     Execution of a program is said to be ``indirect'' if it is invoked
			     by the kernel to interpret a script (``hash-bang'').

		  file	     Allow opening the file only, via the open(2) syscall (no execution
			     is allowed).

		  untrusted  Indicate that the file is located on untrusted storage and its fin-
			     gerprint evaluation status should not be cached, but rather re-cal-
			     culated each time it is accessed.

			     Fingerprints for untrusted files will always be evaluated on load.

		  To improve readaibility of the signatures file, the following aliases are pro-

		  program      An alias for ``direct''.

		  interpreter  An alias for ``indirect''

		  script       An alias for both ``direct'' and ``file''.

		  library      An alias for both ``file'' and ``indirect''.

		  If no flags are specified, ``direct'' is assumed.

     Comments begin with a '#' character and span to the end of the line.

     veriexec(4), security(7), veriexec(8), veriexecctl(8), veriexecgen(8)

     veriexec first appeared in NetBSD 2.0.

     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

BSD					  March 18, 2011				      BSD

All times are GMT -4. The time now is 08:27 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
Show Password