NAME

veriexecgen - generate fingerprints for Veriexec

SYNOPSIS

veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix] [-t algorithm]
veriexecgen [-h]

DESCRIPTION

veriexecgen can be used to create a fingerprint database for use with Veriexec.

If no command line arguments are specified, veriexecgen resorts to its default operation, which is equivalent to -D -o /etc/signatures -t sha256.

If the output file already exists, veriexecgen first saves a backup copy of it under the same name with a ``.old'' suffix.

The following options are available:

-A
Append to the output file, don't overwrite it.

-a
Add fingerprints for non-executable files as well.

-D
Search system directories, /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.

-d dir
Scan for files in dir. Multiple uses of this flag can specify more than one directory.

-h
Display the help screen.

-o fingerprintdb
Save the generated fingerprint database to fingerprintdb.

-p prefix
When storing files in the fingerprint database, store the full pathnames of files with the leading ``prefix'' of the filenames removed.

-r
Scan recursively.

-S
Set the immutable flag on the created signatures file when done writing it. An immutable file cannot be modified, renamed or removed, so a later run of veriexecgen will be unable to replace the file (or to create its ``.old'' backup) until the flag is cleared with chflags(1), which is not permitted at a raised securelevel.

-T
Put a timestamp on the generated file.

-t algorithm
Use algorithm for the fingerprints. Must be one of ``md5'', ``sha1'', ``sha256'', ``sha384'', ``sha512'', or ``rmd160''. Note that md5 and sha1 are no longer collision resistant; use them only to match an existing database and prefer the default ``sha256'' or stronger for new ones.

-v
Verbose mode. Print messages describing what operations are being done.

-W
By default, veriexecgen treats any error it encounters as fatal and exits. With this option, errors such as not being able to follow a symbolic link, not being able to find the real path for a directory entry, or not being able to calculate the hash of an entry are reported as warnings instead, and veriexecgen continues processing the remaining entries.

FILES

/etc/signatures

EXAMPLES

Fingerprint files in the common system directories using the default hashing algorithm ``sha256'' and save to the default fingerprint database in /etc/signatures:

# veriexecgen

Fingerprint files in /etc, appending to the default fingerprint database:

# veriexecgen -A -d /etc

Fingerprint files in /path/to/somewhere using ``rmd160'' as the hashing algorithm, saving to /etc/somewhere.fp:

# veriexecgen -d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp
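The following script is an added example and is not part of veriexecgen or NetBSD. It approximates the behaviour described above in portable sh, so that the database format and the effect of -a, -A, -p and the ``.old'' backup can be exercised on any system, and it adds a userland re-check of a generated database, the kind of sanity check worth running before the file is loaded with veriexecctl(8). It assumes the veriexec(5) line format ``pathname ALGORITHM fingerprint [flags]'' with the algorithm name in upper case, handles SHA256 only, and expects sha256sum(1) or openssl(1) to be installed. The immutable flag of -S (chflags(1) schg on NetBSD) is not set.

```sh
#!/bin/sh
# Added example: a portable approximation of veriexecgen(8), not the NetBSD tool.
# Assumed output format (from veriexec(5)): "pathname ALGORITHM fingerprint [flags]".
# Only SHA256 is produced; sha256sum(1) or openssl(1) must be installed.

# Print the hex SHA256 digest of one file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# gen_fingerprints [-aA] [-p prefix] -d dir -o outfile
#   -a  fingerprint non-executable files too (veriexecgen -a)
#   -A  append to outfile instead of replacing it (veriexecgen -A)
#   -p  strip prefix from the stored pathnames (veriexecgen -p)
#   dir is always walked recursively (veriexecgen -r).
gen_fingerprints() {
    all= append= prefix= dir= out= OPTIND=1
    while getopts aAp:d:o: opt; do
        case $opt in
            a) all=1 ;;
            A) append=1 ;;
            p) prefix=$OPTARG ;;
            d) dir=$OPTARG ;;
            o) out=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    if [ -z "$dir" ] || [ -z "$out" ]; then
        echo "usage: gen_fingerprints [-aA] [-p prefix] -d dir -o outfile" >&2
        return 2
    fi
    if [ -z "$append" ]; then
        # Like veriexecgen: keep a backup of an existing database as outfile.old.
        if [ -f "$out" ]; then
            cp -p "$out" "$out.old"
        fi
        : > "$out"
    fi
    # Regular files only; symlinks are skipped rather than followed.
    find "$dir" -type f | sort | while IFS= read -r f; do
        [ -n "$all" ] || [ -x "$f" ] || continue
        printf '%s SHA256 %s\n' "${f#"$prefix"}" "$(sha256_of "$f")" >> "$out"
    done
}

# check_fingerprints [-p prefix] dbfile
#   Recompute every SHA256 fingerprint in dbfile (prepending prefix to the
#   stored pathname) and report missing or modified files. Blank and comment
#   lines, such as a -T timestamp header, are skipped. Returns 0 only if
#   every entry matched.
check_fingerprints() {
    prefix= OPTIND=1
    while getopts p: opt; do
        case $opt in
            p) prefix=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    db=$1 bad=0
    while read -r path algo fp rest; do
        case $path in ''|\#*) continue ;; esac
        if [ "$algo" != SHA256 ]; then
            echo "UNSUPPORTED $algo $path" >&2; bad=1
        elif [ ! -f "$prefix$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(sha256_of "$prefix$path")" != "$fp" ]; then
            echo "MISMATCH $path"; bad=1
        fi
    done < "$db"
    return "$bad"
}

# Command-line dispatch: "gen" takes gen_fingerprints options, "check" takes
# check_fingerprints options. With no arguments the functions are only defined.
case ${1:-} in
    gen)   shift; gen_fingerprints "$@" ;;
    check) shift; check_fingerprints "$@" ;;
esac
```

A typical use is fingerprinting a mounted root image and storing pathnames as they will appear once installed, then re-checking before the database is loaded: ``sh fpgen.sh gen -a -d /mnt/root -p /mnt/root -o /mnt/root/etc/signatures'' followed by ``sh fpgen.sh check -p /mnt/root /mnt/root/etc/signatures''. The space-separated format and the find/read loop cannot represent pathnames containing whitespace or newlines, so such files must be handled separately.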

SEE ALSO

veriexec(4), veriexec(5), security(8), veriexec(8), veriexecctl(8)