Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

veriexecctl(8) [netbsd man page]

VERIEXECCTL(8)						    BSD System Manager's Manual 					    VERIEXECCTL(8)

NAME

     veriexecctl -- manage the Veriexec subsystem

SYNOPSIS

     veriexecctl [-ekv] load [file]
     veriexecctl delete file | mount_point
     veriexecctl dump
     veriexecctl flush
     veriexecctl query file

DESCRIPTION

     The veriexecctl command is used to manipulate Veriexec, the NetBSD file integrity subsystem.

   Commands
     load [file]
	   Load the fingerprint entries contained in file, if specified, or the default signatures file otherwise.

	   This operation is only allowed in learning mode (strict level zero).

	   The following flags are allowed with this command:

	   -e	   Evaluate fingerprint on load, as opposed to when the file is accessed.

	   -k	   Keep the filenames in the entry for more accurate logging.

	   -v	   Enable verbose output.

     delete file | mount_point
	   Delete either a single entry file or all entries on mount_point from being monitored by Veriexec.

     dump  Dump the Veriexec database from the kernel.	Only entries that have the filename will be presented.

	   This can be used to recover a lost database:

		 # veriexecctl dump > /etc/signatures

     flush
	   Delete all entries in the Veriexec database.

     query file
	   Query Veriexec for information associated with file: Filename, mount, fingerprint, fingerprint algorithm, evaluation status, and entry
	   type.

FILES

     /dev/veriexec    Veriexec pseudo-device
     /etc/signatures  default signatures file

SEE ALSO

     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecgen(8)

HISTORY

     veriexecctl first appeared in NetBSD 2.0.

AUTHORS

     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

NOTES

     The kernel is expected to have the ``veriexec'' pseudo-device.

BSD
								  August 31, 2008							       BSD

Check Out this Related Man Page

VERIEXEC(5)						      BSD File Formats Manual						       VERIEXEC(5)

NAME

     veriexec -- format for the Veriexec signatures file

DESCRIPTION

     Veriexec loads entries to the in-kernel database from a file describing files to be monitored and the type of monitoring.	This file is often
     referred to as the 'signatures database' or 'signatures file'.

     The signatures file can be easily created using veriexecgen(8).

SIGNATURES DATABASE FORMAT

     The signatures database has a line based structure, where each line has several fields separated by white-space (space, tabs, etc.) taking
     the following form:

	   path type fingerprint    flags

     The description for each field is as follows:

     path	  The full path to the file.  White-space characters can be escaped if prefixed with a ''.

     type	  Type of fingerprinting algorithm used for the file.

		  Requires kernel support for the specified algorithm.	List of fingerprinting algorithms supported by the kernel can be obtained
		  by using the following command:

			# sysctl kern.veriexec.algorithms

     fingerprint  The fingerprint for the file.  Can (usually) be generated using the following command:

			% cksum -a <algorithm> <file>

     flags	  Optional listing of entry flags, separated by a comma.  These may include:

		  direct     Allow direct execution only.

			     Execution of a program is said to be ``direct'' when the program is invoked by the user (either in a script, manually
			     typing it, etc.) via the execve(2) syscall.

		  indirect   Allow indirect execution only.

			     Execution of a program is said to be ``indirect'' if it is invoked by the kernel to interpret a script
			     (``hash-bang'').

		  file	     Allow opening the file only, via the open(2) syscall (no execution is allowed).

		  untrusted  Indicate that the file is located on untrusted storage and its fingerprint evaluation status should not be cached,
			     but rather re-calculated each time it is accessed.

			     Fingerprints for untrusted files will always be evaluated on load.

		  To improve readaibility of the signatures file, the following aliases are provided:

		  program      An alias for ``direct''.

		  interpreter  An alias for ``indirect''

		  script       An alias for both ``direct'' and ``file''.

		  library      An alias for both ``file'' and ``indirect''.

		  If no flags are specified, ``direct'' is assumed.

     Comments begin with a '#' character and span to the end of the line.

SEE ALSO

     veriexec(4), security(7), veriexec(8), veriexecctl(8), veriexecgen(8)

HISTORY

     veriexec first appeared in NetBSD 2.0.

AUTHORS

     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

BSD
								  March 18, 2011							       BSD
Man Page