veriexecgen(8) [netbsd man page]

VERIEXECGEN(8)						    BSD System Manager's Manual 					    VERIEXECGEN(8)

NAME
     veriexecgen -- generate fingerprints for Veriexec

SYNOPSIS
     veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix] [-t algorithm]
     veriexecgen [-h]

DESCRIPTION
     veriexecgen can be used to create a fingerprint database for use with
     Veriexec. If no command line arguments are specified, veriexecgen
     resorts to its default operation, which implies -D -o /etc/signatures
     -t sha256.

     If the output file already exists, veriexecgen saves a backup copy of
     it under the same file name with a ``.old'' suffix.

     The following options are available:

     -A      Append to the output file, don't overwrite it.

     -a      Add fingerprints for non-executable files as well.

     -D      Search the system directories /bin, /sbin, /usr/bin, /usr/sbin,
             /lib, /usr/lib, /libexec, and /usr/libexec.

     -d dir  Scan for files in dir. Multiple uses of this flag can specify
             more than one directory.

     -h      Display the help screen.

     -o fingerprintdb
             Save the generated fingerprint database to fingerprintdb.

     -p prefix
             When storing files in the fingerprint database, store the full
             pathnames of the files with the leading ``prefix'' removed.

     -r      Scan recursively.

     -S      Set the immutable flag on the created signatures file when done
             writing it.

     -T      Put a timestamp on the generated file.

     -t algorithm
             Use algorithm for the fingerprints. Must be one of ``md5'',
             ``sha1'', ``sha256'', ``sha384'', ``sha512'', or ``rmd160''.

     -v      Verbose mode. Print messages describing what operations are
             being done.

     -W      By default, veriexecgen exits when an error condition is
             encountered. This option treats errors such as not being able
             to follow a symbolic link, not being able to find the real path
             for a directory entry, or not being able to calculate a hash of
             an entry as warnings rather than errors, so that veriexecgen
             continues processing. The default behaviour is to treat errors
             as fatal.

FILES
     /etc/signatures

EXAMPLES
     Fingerprint files in the common system directories using the default
     hashing algorithm ``sha256'' and save them to the default fingerprint
     database in /etc/signatures:

           # veriexecgen

     Fingerprint files in /etc, appending to the default fingerprint
     database:

           # veriexecgen -A -d /etc

     Fingerprint files in /path/to/somewhere using ``rmd160'' as the hashing
     algorithm, saving to /etc/somewhere.fp:

           # veriexecgen -d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp

SEE ALSO
     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)

BSD                            February 18, 2008                           BSD
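The following Python script is an added example, not code from NetBSD or the veriexecgen tool. It mimics the database-building behaviour the veriexecgen(8) page describes (mirroring the -d, -r, -a and -p options) and re-checks a finished database offline, which is how a defender would confirm a set of files still matches their recorded fingerprints. It assumes the one-line "path ALGORITHM digest" layout of veriexec(5), which this page does not reproduce; rmd160 works only when the local OpenSSL build provides ripemd160, and demo() constructs its own temporary tree.

```python
import hashlib, os, tempfile

# veriexecgen -t names mapped to hashlib names; rmd160 needs OpenSSL ripemd160 support.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
              "sha384": "sha384", "sha512": "sha512", "rmd160": "ripemd160"}

def fingerprint(path, algorithm="sha256"):
    """Hex digest of one file, computed in chunks."""
    h = hashlib.new(ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def generate(dirs, algorithm="sha256", recursive=False, all_files=False, prefix=""):
    """Emit 'path ALGO digest' lines (assumed veriexec(5) layout), mirroring -d, -r, -a, -p."""
    lines = []
    for d in dirs:
        for root, subdirs, files in os.walk(d):
            if not recursive:
                subdirs[:] = []        # without -r, do not descend
            for name in sorted(files):
                full = os.path.join(root, name)
                # skip symlinks; without -a, keep executables only
                if os.path.islink(full) or not (all_files or os.stat(full).st_mode & 0o111):
                    continue
                stored = full[len(prefix):] if full.startswith(prefix) else full
                lines.append(f"{stored} {algorithm.upper()} {fingerprint(full, algorithm)}")
    return lines

def verify(lines, prefix=""):
    """Recompute every digest in a database; return stored paths that no longer match."""
    bad = []
    for line in lines:
        stored, algo, digest = line.split()[:3]
        if fingerprint(prefix + stored, algo.lower()) != digest:
            bad.append(stored)
    return bad

def demo():
    """Constructed tree: one executable plus one config file, then tamper with the executable."""
    top = tempfile.mkdtemp()
    with open(os.path.join(top, "tool"), "w") as f: f.write("#!/bin/sh\necho ok\n")
    os.chmod(os.path.join(top, "tool"), 0o755)
    with open(os.path.join(top, "tool.conf"), "w") as f: f.write("mode=ids\n")
    execs = generate([top], prefix=top)                       # like: veriexecgen -d top -p top
    everything = generate([top], all_files=True, prefix=top)  # same, with -a
    with open(os.path.join(top, "tool"), "a") as f: f.write("echo tampered\n")
    return len(execs), len(everything), verify(everything, prefix=top)
```

Without -a only the executable is recorded; with -a both files are, and after the tamper only the executable's stored path comes back from verify().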

VERIEXEC(8)						    BSD System Manager's Manual 					       VERIEXEC(8)

NAME
     veriexec -- file integrity subsystem

DESCRIPTION
     Veriexec is an in-kernel, real-time, file-system independent, file
     integrity subsystem. It can be used for a variety of purposes, including
     defense against trojaned binaries, indirect attacks via third-party
     remote file-systems, and malicious configuration file corruption.

CONFIGURATION
   Signatures Database
     Veriexec requires a signatures database -- a list of monitored files,
     along with their digital fingerprint and (optionally) access modes. The
     format of this file is described by veriexec(5).

     NetBSD provides a tool, veriexecgen(8), for generating the signatures
     database. Example usage:

           # veriexecgen

     Although it should be loaded on system boot (see ``RC Configuration''
     below), this list can be loaded manually using veriexecctl(8):

           # veriexecctl load

   Kernel Configuration
     Veriexec requires a pseudo-device to run:

           pseudo-device veriexec 1

     Additionally, one or more options for digital fingerprint algorithm
     support:

           options VERIFIED_EXEC_FP_SHA256
           options VERIFIED_EXEC_FP_SHA512

     Some kernels already enable Veriexec by default. See your kernel's
     config file for more information.

   RC Configuration
     Veriexec also allows loading signatures and setting the strict level
     (see below) during the boot process using the following variables set
     in rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode

STRICT LEVELS
     Veriexec can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
           The only level at which the fingerprint tables can be modified,
           this level is used to help fine-tune the signature database. No
           enforcement is made, and verbose information is provided
           (fingerprint matches and mismatches, file removals, incorrect
           access, etc.).

     IDS mode (strict level 1)
           IDS (intrusion detection system) mode provides an adequate level
           of integrity for the files it monitors. Implications:

           - Monitored files cannot be removed
           - If raw disk access is granted to a disk with monitored files on
             it, all monitored files' fingerprints will be invalidated
           - Access to files with mismatched fingerprints is denied
           - Write access to monitored files is allowed
           - Access type is not enforced

     IPS mode (strict level 2)
           IPS (intrusion prevention system) mode provides a high level of
           integrity for the files it monitors. Implications:

           - All implications of IDS mode
           - Write access to monitored files is denied
           - Access type is enforced
           - Raw disk access to disk devices with monitored files on them is
             denied
           - Execution of non-monitored files is denied
           - Write access to kernel memory via /dev/mem and /dev/kmem is
             denied

     Lockdown mode (strict level 3)
           Lockdown mode provides high assurance integrity for the entire
           system. Implications:

           - All implications of IPS mode
           - Access to non-monitored files is denied
           - Write access to files is allowed only if the file was opened
             before the strict level was raised to this mode
           - Creation of new files is denied
           - Raw access to system disks is denied

RUNTIME INFORMATION
     Veriexec exports runtime information that may be useful for various
     purposes.

     It reports the currently supported fingerprinting algorithms, for
     example:

           # /sbin/sysctl kern.veriexec.algorithms
           kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5

     It reports the current verbosity and strict levels, for example:

           # /sbin/sysctl kern.veriexec.{verbose,strict}
           kern.veriexec.verbose = 0
           kern.veriexec.strict = 1

     It reports a summary of currently loaded files and the mount-points
     they're on, for example:

           # /sbin/sysctl kern.veriexec.count
           kern.veriexec.count.table0.mntpt = /
           kern.veriexec.count.table0.fstype = ffs
           kern.veriexec.count.table0.nentries = 33

     Other information may be retrieved using veriexecctl(8).

SEE ALSO
     options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8),
     veriexecgen(8)

AUTHORS
     Elad Efrat <>

BSD                            February 18, 2008                           BSD