veriexec man page on NetBSD

VERIEXEC(5)		    BSD File Formats Manual		   VERIEXEC(5)

NAME
     veriexec — format for the Veriexec signatures file

DESCRIPTION
     Veriexec loads entries to the in-kernel database from a file describing
     files to be monitored and the type of monitoring.	This file is often
     referred to as the ‘signatures database’ or ‘signatures file’.

     The signatures file can be easily created using veriexecgen(8).

SIGNATURES DATABASE FORMAT
     The signatures database has a line-based structure, where each line has
     several fields separated by white-space (spaces, tabs, etc.) and takes
     the following form:

	   path type fingerprint    flags

     The description for each field is as follows:

     path	  The full path to the file.  White-space characters can be
		  escaped if prefixed with a ‘\’.

     type	  Type of fingerprinting algorithm used for the file.

		  Requires kernel support for the specified algorithm.	List
		  of fingerprinting algorithms supported by the kernel can be
		  obtained by using the following command:

			# sysctl kern.veriexec.algorithms

     fingerprint  The fingerprint for the file.	 Can (usually) be generated
		  using the following command:

			% cksum -a <algorithm> <file>

     flags	  Optional listing of entry flags, separated by a comma.
		  These may include:

		  direct     Allow direct execution only.

			     Execution of a program is said to be “direct”
			     when the program is invoked by the user (either
			     in a script, manually typing it, etc.) via the
			     execve(2) syscall.

		  indirect   Allow indirect execution only.

			     Execution of a program is said to be “indirect”
			     if it is invoked by the kernel to interpret a
			     script (“hash-bang”).

		  file	     Allow opening the file only, via the open(2)
			     syscall (no execution is allowed).

		  untrusted  Indicate that the file is located on untrusted
			     storage and its fingerprint evaluation status
			     should not be cached, but rather re-calculated
			     each time it is accessed.

			     Fingerprints for untrusted files will always be
			     evaluated on load.

		  To improve readability of the signatures file, the
		  following aliases are provided:

		  program      An alias for “direct”.

		  interpreter  An alias for “indirect”.

		  script       An alias for both “direct” and “file”.

		  library      An alias for both “file” and “indirect”.

		  If no flags are specified, “direct” is assumed.

     Comments begin with a ‘#’ character and span to the end of the line.
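
     As an added illustration (not part of this manual page and not NetBSD's
     own veriexecctl(8) or veriexecgen(8) code), the following Python parser
     reads lines in the format described above, handling backslash-escaped
     white-space in paths, trailing comments, alias expansion and the “direct”
     default, and recomputes a fingerprint with hashlib so an administrator can
     audit a signatures file against the files it lists.  It assumes the type
     field is a digest name hashlib.new() accepts (sha256, sha1, md5, ...);
     the names the running kernel accepts come from kern.veriexec.algorithms.

```python
import hashlib

# Aliases from veriexec(5), each expanded to the base flags it stands for.
FLAG_ALIASES = {"program": {"direct"}, "interpreter": {"indirect"},
                "script": {"direct", "file"}, "library": {"file", "indirect"}}
BASE_FLAGS = {"direct", "indirect", "file", "untrusted"}

def split_fields(line):
    """Split on unescaped white-space; '\\' escapes the next char, '#' starts a comment."""
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # e.g. '\ ' keeps a space inside a path
            cur, i = cur + line[i + 1], i + 2
            continue
        if ch == "#":
            break
        if ch in " \t":
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return fields + [cur] if cur else fields

def parse_entry(line):
    """Parse one line into a dict; None for blank or comment-only lines."""
    fields = split_fields(line)
    if not fields:
        return None
    if len(fields) not in (3, 4):
        raise ValueError("expected 'path type fingerprint [flags]': %r" % line)
    path, ftype, fingerprint = fields[:3]
    flags = set()
    for flag in (fields[3].split(",") if len(fields) == 4 else []):
        if flag in FLAG_ALIASES:
            flags |= FLAG_ALIASES[flag]
        elif flag in BASE_FLAGS:
            flags.add(flag)
        else:
            raise ValueError("unknown flag %r in %r" % (flag, line))
    if not flags:
        flags = {"direct"}  # veriexec(5): "direct" is assumed when no flags are given
    return {"path": path, "type": ftype, "fingerprint": fingerprint.lower(), "flags": flags}

def fingerprint_matches(entry, data):
    """Recompute the fingerprint over the file's bytes with hashlib (assumed digest names)."""
    return hashlib.new(entry["type"], data).hexdigest() == entry["fingerprint"]
```

     Feed it each line of the signatures file together with the bytes of the
     named file; a mismatch means the file no longer matches its recorded
     fingerprint and will be rejected by the kernel once the entry is loaded.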

SEE ALSO
     veriexec(4), security(7), veriexec(8), veriexecctl(8), veriexecgen(8)

HISTORY
     veriexec first appeared in NetBSD 2.0.

AUTHORS
     Brett Lymn ⟨blymn@NetBSD.org⟩
     Elad Efrat ⟨elad@NetBSD.org⟩

BSD				March 18, 2011				   BSD