NAME
veriexec
- format for the
Veriexec
signatures file
DESCRIPTION
Veriexec
loads entries to the in-kernel database from a file describing files to be
monitored and the type of monitoring.
This file is often referred to as the
`signatures database'
or
`signatures file'.
The signatures file can be easily created using
veriexecgen(8).
The signatures database has a line based structure, where each line has several
fields separated by white-space (space, tabs, etc.) taking the following form:
path type fingerprint flags
The description for each field is as follows:
- path
-
The full path to the file.
White-space characters can be escaped if prefixed with a
`\'.
- type
-
Type of fingerprinting algorithm used for the file.
Requires kernel support for the specified algorithm.
List of fingerprinting algorithms supported by the kernel can be obtained by
using the following command:
-
# sysctl kern.veriexec.algorithms
- fingerprint
-
The fingerprint for the file.
Can (usually) be generated using the following command:
-
% cksum -a <algorithm> <file>
- flags
-
Optional listing of entry flags, separated by a comma.
These may include:
- direct
-
Allow direct execution only.
Execution of a program is said to be
``direct''
when the program is invoked by the user (either in a script, manually typing it,
etc.) via the
execve(2)
syscall.
- indirect
-
Allow indirect execution only.
Execution of a program is said to be
``indirect''
if it is invoked by the kernel to interpret a script
(``hash-bang'').
- file
-
Allow opening the file only, via the
open(2)
syscall (no execution is allowed).
- untrusted
-
Indicate that the file is located on untrusted storage and its fingerprint
evaluation status should not be cached, but rather re-calculated each time
it is accessed.
Fingerprints for untrusted files will always be evaluated on load.
To improve readaibility of the signatures file, the following aliases are
provided:
- program
-
An alias for
``direct''.
- interpreter
-
An alias for
``indirect''
- script
-
An alias for both
``direct''
and
``file''.
- library
-
An alias for both
``file''
and
``indirect''.
If no flags are specified,
``direct''
is assumed.
Comments begin with a
`#'
character and span to the end of the line.
SEE ALSO
veriexec(4),
security(8),
veriexec(8),
veriexecctl(8),
veriexecgen(8)
HISTORY
veriexec
first appeared in
NetBSD2.0.
AUTHORS
Brett Lymn <blymn@NetBSD.org>
Elad Efrat <elad@NetBSD.org>