NAME
veriexecgen - generate fingerprints for Veriexec
SYNOPSIS
veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix] [-t algorithm]
veriexecgen [-h]
DESCRIPTION
veriexecgen can be used to create a fingerprint database for use with Veriexec.
If no command line arguments are specified, veriexecgen falls back to its default operation, equivalent to -D -o /etc/signatures -t sha256.
If the output file already exists, veriexecgen will save a backup copy under the same name with a ``.old'' suffix.
The following options are available:
- -A
  Append to the output file, don't overwrite it.
- -a
  Add fingerprints for non-executable files as well.
- -D
  Search system directories, /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.
- -d dir
  Scan for files in dir. Multiple uses of this flag can specify more than one directory.
- -h
  Display the help screen.
- -o fingerprintdb
  Save the generated fingerprint database to fingerprintdb.
- -p prefix
  When storing files in the fingerprint database, store the full pathnames of files with the leading ``prefix'' of the filenames removed.
- -r
  Scan recursively.
- -S
  Set the immutable flag on the created signatures file when done writing it.
- -T
  Put a timestamp on the generated file.
- -t algorithm
  Use algorithm for the fingerprints. Must be one of ``md5'', ``sha1'', ``sha256'', ``sha384'', ``sha512'', or ``rmd160''.
- -v
  Verbose mode. Print messages describing what operations are being done.
- -W
  By default, veriexecgen will exit when an error condition is encountered. This option will treat errors such as not being able to follow a symbolic link, not being able to find the real path for a directory entry, or not being able to calculate a hash of an entry as a warning, rather than an error. If errors are treated as warnings, veriexecgen will continue processing. The default behaviour is to treat errors as fatal.
FILES
/etc/signatures
EXAMPLES
Fingerprint files in the common system directories using the default hashing algorithm ``sha256'' and save to the default fingerprint database in /etc/signatures:
    # veriexecgen
Fingerprint files in /etc, appending to the default fingerprint database:
    # veriexecgen -A -d /etc
Fingerprint files in /path/to/somewhere using ``rmd160'' as the hashing algorithm, saving to /etc/somewhere.fp:
    # veriexecgen -d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp
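The selection and naming rules behind -a, -r, -p and -t, modelled in Python as an added example; this is not veriexecgen's source and not part of the original manual page. The function names, the returned tuple layout and the staging tree are assumptions made for illustration, and rmd160 is omitted because Python's hashlib provides it only when the linked OpenSSL does.

```python
import hashlib
import os
import stat
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")  # -t values hashlib always has

def fingerprint_tree(root, algorithm="sha256", prefix="", recursive=False, all_files=False):
    """Return sorted (stored_path, algorithm, hexdigest) tuples for files under root."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recursive:
            dirnames[:] = []  # no -r: do not descend into subdirectories
        for name in filenames:
            path = os.path.realpath(os.path.join(dirpath, name))  # resolve symlinks
            mode = os.stat(path).st_mode  # raises on a dangling link (fatal, as without -W)
            if not stat.S_ISREG(mode):
                continue
            # No -a: keep executables only. Testing the mode bits is an assumption.
            if not all_files and not mode & 0o111:
                continue
            digest = hashlib.new(algorithm)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            # -p: strip the leading prefix so the stored name is the path the
            # file will have on the system that loads the database.
            stored = path[len(prefix):] if prefix and path.startswith(prefix) else path
            entries.append((stored, algorithm, digest.hexdigest()))
    return sorted(entries)

def demo():
    """Fingerprint a constructed staging tree as it would appear under /."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = os.path.realpath(tmp)
        bindir = os.path.join(stage, "bin")
        os.mkdir(bindir)
        for name, data, mode in (("tool", b"#!/bin/sh\necho hi\n", 0o755),
                                 ("tool.conf", b"verbose=1\n", 0o644)):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(bindir, name), mode)
        return (fingerprint_tree(bindir, prefix=stage),
                fingerprint_tree(bindir, prefix=stage, all_files=True))

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

Without the prefix argument the stored names would carry the staging directory, and a database built that way would not match the files once they are installed under /.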
SEE ALSO
veriexec(4), veriexec(5), security(8), veriexec(8), veriexecctl(8)