NetBSD 6.1.5 - man page for veriexec (netbsd section 8)

VERIEXEC(8)			   BSD System Manager's Manual			      VERIEXEC(8)

NAME
     veriexec -- file integrity subsystem

DESCRIPTION
     Veriexec is an in-kernel, real-time, file-system independent, file integrity subsystem.  It
     can be used for a variety of purposes, including defense against trojaned binaries, indirect
     attacks via third-party remote file-systems, and malicious configuration file corruption.

   Signatures Database
     Veriexec requires a signatures database -- a list of monitored files, along with their digi-
     tal fingerprint and (optionally) access modes.  The format of this file is described by

     NetBSD provides a tool, veriexecgen(8), for generating the signatures database.  Example

	   # veriexecgen

     Although it should be loaded on system boot (see ``RC Configuration'' below), this list can
     be loaded manually using veriexecctl(8):

	   # veriexecctl load
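
     The procedure above generates the list with veriexecgen(8) and loads it with veriexecctl(8).
     As an added example, not part of this man page or of NetBSD's own tools, the following POSIX
     sh script builds a list in the "path ALGORITHM digest flags" line format assumed here
     (veriexec(5) is the authority for the real format, and the DIRECT access flag is likewise an
     assumption drawn from it) and re-checks the list against the files on disk, so an
     administrator can spot a drifted or missing entry before loading at strict level 0.  It uses
     sha256sum or NetBSD's cksum -a SHA256, whichever is present.

```shell
#!/bin/sh
# Added example, not from the veriexec(8) man page: build and re-verify a
# fingerprint list in the assumed veriexec(5) line format
#   path ALGORITHM digest flags
# Works with sha256sum (Linux) or cksum -a SHA256 (NetBSD).

# Print the hex SHA-256 digest of the file named in $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v cksum >/dev/null 2>&1; then
        # NetBSD prints "SHA256 (file) = digest"; keep only the digest.
        cksum -a SHA256 "$1" | sed 's/.*= //'
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# Emit one "path SHA256 digest DIRECT" line per file given as an argument.
# DIRECT is the assumed access-type flag for directly executed binaries.
gen_fingerprints() {
    for f in "$@"; do
        printf '%s SHA256 %s DIRECT\n' "$f" "$(sha256_of "$f")"
    done
}

# Re-verify a fingerprint list read from stdin.  Prints one status line per
# entry (MATCH, MISMATCH, MISSING or SKIPPED) and returns 1 if any entry is
# missing or does not match, so it can gate a later "veriexecctl load".
verify_fingerprints() {
    rc=0
    while read -r path algo digest flags; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1; continue
        fi
        if [ "$algo" != SHA256 ]; then
            printf 'SKIPPED  %s (unsupported %s)\n' "$path" "$algo"; continue
        fi
        if [ "$(sha256_of "$path")" = "$digest" ]; then
            printf 'MATCH    %s\n' "$path"
        else
            printf 'MISMATCH %s\n' "$path"; rc=1
        fi
    done
    return $rc
}

# Usage: sh fpcheck.sh gen FILE...  > fingerprints
#        sh fpcheck.sh verify       < fingerprints
case "${1:-}" in
    gen)    shift; gen_fingerprints "$@" ;;
    verify) verify_fingerprints ;;
esac
```

     Run "gen" over the binaries of interest at strict level 0, keep the output beside the real
     signatures database, and run "verify" against it before each load; a MISMATCH means the file
     on disk no longer matches the recorded digest.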

   Kernel Configuration
     Veriexec requires a pseudo-device to run:

	   pseudo-device veriexec 1

     Additionally, one or more options for digital fingerprint algorithm support:

	   options VERIFIED_EXEC_FP_SHA256
	   options VERIFIED_EXEC_FP_SHA512

     Some kernels already enable Veriexec by default.  See your kernel's config file for more

   RC Configuration
     Veriexec also allows loading signatures and setting the strict level (see below) during the
     boot process using the following variables set in rc.conf(5):

	   veriexec_strict=1 # IDS mode

   Strict Levels
     Veriexec can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
	   The only level at which the fingerprint tables can be modified, this level is used to
	   help fine-tune the signature database.  No enforcement is made, and verbose informa-
	   tion is provided (fingerprint matches and mismatches, file removals, incorrect access,

     IDS mode (strict level 1)
	   IDS (intrusion detection system) mode provides an adequate level of integrity for the
	   files it monitors.  Implications:

	   -   Monitored files cannot be removed
	   -   If raw disk access is granted to a disk with monitored files on it, all monitored
	       files' fingerprints will be invalidated
	   -   Access to files with mismatched fingerprints is denied
	   -   Write access to monitored files is allowed
	   -   Access type is not enforced

     IPS mode (strict level 2)
	   IPS (intrusion prevention system) mode provides a high level of integrity for the
	   files it monitors.  Implications:

	   -   All implications of IDS mode
	   -   Write access to monitored files is denied
	   -   Access type is enforced
	   -   Raw disk access to disk devices with monitored files on them is denied
	   -   Execution of non-monitored files is denied
	   -   Write access to kernel memory via /dev/mem and /dev/kmem is denied

     Lockdown mode (strict level 3)
	   Lockdown mode provides high assurance integrity for the entire system.  Implications:

	   -   All implications of IPS mode
	   -   Access to non-monitored files is denied
	   -   Write access to files is allowed only if the file was opened before the strict
	       level was raised to this mode
	   -   Creation of new files is denied
	   -   Raw access to system disks is denied

   Runtime Information
     Veriexec exports runtime information that may be useful for various purposes.

     It reports the currently supported fingerprinting algorithms, for example:

	   # /sbin/sysctl kern.veriexec.algorithms
	   kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5

     It reports the current verbosity and strict levels, for example:

	   # /sbin/sysctl kern.veriexec.{verbose,strict}
	   kern.veriexec.verbose = 0
	   kern.veriexec.strict = 1

     It reports a summary of currently loaded files and the mount-points they're on, for example:

	   # /sbin/sysctl kern.veriexec.count
	   kern.veriexec.count.table0.mntpt = /
	   kern.veriexec.count.table0.fstype = ffs
	   kern.veriexec.count.table0.nentries = 33

     Other information may be retrieved using veriexecctl(8).
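
     As an added example, not from the man page, the following POSIX sh script parses sysctl(8)
     output shaped like the listings above (the sample text below is constructed for this example)
     and prints a one-screen status: the strict level with its mode name, the verbosity, one line
     per fingerprint table with its mount point, file system type and entry count, and the total.
     It also answers a practical question before running "veriexecctl load": the man page allows
     the fingerprint tables to be modified only at strict level 0, so the script reports whether a
     load would be permitted.  Pass "live" to read the real kern.veriexec tree instead of the
     sample.

```shell
#!/bin/sh
# Added example, not from the veriexec(8) man page: summarize kern.veriexec
# sysctl output.  SAMPLE_SYSCTL is constructed to mirror the man page listings.
SAMPLE_SYSCTL='kern.veriexec.verbose = 0
kern.veriexec.strict = 1
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
kern.veriexec.count.table1.mntpt = /usr
kern.veriexec.count.table1.fstype = ffs
kern.veriexec.count.table1.nentries = 120'

# Print the value of one sysctl name from "name = value" text on stdin.
sysctl_value() {
    awk -v key="$1" '$1 == key { sub(/^[^=]*= */, ""); print; exit }'
}

# Mode name for a strict level, per the four levels described above.
strict_name() {
    case "$1" in
        0) echo learning ;;
        1) echo IDS ;;
        2) echo IPS ;;
        3) echo lockdown ;;
        *) echo unknown ;;
    esac
}

# One line per loaded table ("mntpt fstype nentries") followed by the total.
summarize_tables() {
    awk '
        /^kern\.veriexec\.count\.table[0-9]+\./ {
            split($1, p, ".")           # kern veriexec count tableN key
            t = p[4]; k = p[5]
            v[t, k] = $3
            if (!(t in seen)) { seen[t] = 1; order[++n] = t }
        }
        END {
            total = 0
            for (i = 1; i <= n; i++) {
                t = order[i]
                printf "%s %s %s\n", v[t, "mntpt"], v[t, "fstype"], v[t, "nentries"]
                total += v[t, "nentries"]
            }
            printf "total %d\n", total
        }'
}

# "veriexecctl load" modifies the fingerprint tables, which is allowed only at
# strict level 0; succeed iff the sysctl text on stdin shows that level.
load_allowed() {
    [ "$(sysctl_value kern.veriexec.strict)" = 0 ]
}

# Full status report from sysctl text on stdin.
veriexec_report() {
    text=$(cat)
    strict=$(printf '%s\n' "$text" | sysctl_value kern.veriexec.strict)
    verbose=$(printf '%s\n' "$text" | sysctl_value kern.veriexec.verbose)
    printf 'strict level %s (%s), verbose %s\n' "$strict" "$(strict_name "$strict")" "$verbose"
    printf '%s\n' "$text" | summarize_tables
    if printf '%s\n' "$text" | load_allowed; then
        echo "fingerprint tables may be loaded"
    else
        echo "fingerprint tables are frozen (strict level must be 0 to load)"
    fi
}

# Stand-alone: summarize the constructed sample, or the live tree with "live".
case "${1:-sample}" in
    live)   /sbin/sysctl kern.veriexec | veriexec_report ;;
    sample) printf '%s\n' "$SAMPLE_SYSCTL" | veriexec_report ;;
esac
```

     The report is read-only; it only reads sysctl values, so it is safe to run at any strict
     level, and the load check saves a failed "veriexecctl load" on a system already raised to
     IDS mode or higher.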

SEE ALSO
     options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8), veriexecgen(8)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

BSD					February 18, 2008				      BSD
