NAME
veriexec — file integrity subsystem
DESCRIPTION
Veriexec is an in-kernel, real-time, file-system independent,
file integrity subsystem. It can be used for a variety of purposes, including
defense against trojaned binaries, indirect attacks via third-party remote
file-systems, and malicious configuration file corruption.
CONFIGURATION
Signatures Database
Veriexec requires a signatures database -- a list of monitored
files, along with their digital fingerprint and (optionally) access modes. The
format of this file is described by
veriexec(5).
NetBSD provides a tool,
veriexecgen(8), for
generating the signatures database. Example usage:
Although it should be loaded on system boot (see “RC Configuration”
below), this list can be loaded manually using
veriexecctl(8):
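As an added illustration of what the signatures database workflow involves, the following Python model generates fingerprint entries for a set of files, parses them back from a veriexec(5)-style line (path, algorithm, hex fingerprint, optional flags) and verifies the files against them, reporting the matches, mismatches and removals that learning mode logs. This is example code written for this page, not NetBSD's veriexecgen(8), veriexecctl(8) or the kernel's parser; the flag keywords it accepts (DIRECT, INDIRECT, FILE, UNTRUSTED), the comma separator and the `#` comment handling are its own assumptions about the file format, and the two files it fingerprints are constructed in a temporary directory.

```python
"""Userspace model of a veriexec-style signatures database (added example,
not NetBSD code).  Line format assumed here:
    <path> <algorithm> <hex fingerprint> [flag, flag, ...]
The flag keywords and comma separator are this example's assumptions."""
import hashlib
import hmac
import os
import tempfile

# Same algorithm set the page shows in kern.veriexec.algorithms.
ALGORITHMS = {
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}
KNOWN_FLAGS = {"DIRECT", "INDIRECT", "FILE", "UNTRUSTED"}  # assumption


def fingerprint(path, algorithm="SHA256"):
    """Hex digest of the file, read in chunks so large binaries fit."""
    h = ALGORITHMS[algorithm]()  # KeyError for anything off the allowlist
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate(paths, algorithm="SHA256", flags=("DIRECT",)):
    """Database lines for the given files (the role veriexecgen(8) plays)."""
    return [
        f"{p} {algorithm} {fingerprint(p, algorithm)} {', '.join(flags)}"
        for p in paths
    ]


def parse(lines):
    """Parse database lines into (path, algorithm, fingerprint, flags).

    Malformed lines raise ValueError instead of being skipped: an entry
    that fails to load silently leaves that file unmonitored."""
    entries = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: need path, algorithm, fingerprint")
        path, algo, fp = parts[0], parts[1].upper(), parts[2].lower()
        if not os.path.isabs(path):
            raise ValueError(f"line {lineno}: path must be absolute")
        if algo not in ALGORITHMS:
            raise ValueError(f"line {lineno}: unsupported algorithm {algo}")
        want = ALGORITHMS[algo]().digest_size * 2
        if len(fp) != want or set(fp) - set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: fingerprint is not {want} hex chars")
        flags = {"DIRECT"}
        if len(parts) == 4:
            flags = {f.strip().upper() for f in parts[3].split(",") if f.strip()}
            if flags - KNOWN_FLAGS:
                raise ValueError(f"line {lineno}: unknown flags {flags - KNOWN_FLAGS}")
        entries.append((path, algo, fp, frozenset(flags)))
    return entries


def verify(entries):
    """Map each path to 'match', 'mismatch' or 'missing'.

    hmac.compare_digest keeps the fingerprint comparison constant-time."""
    report = {}
    for path, algo, expected, _flags in entries:
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        actual = fingerprint(path, algo)
        report[path] = "match" if hmac.compare_digest(actual, expected) else "mismatch"
    return report


def demo():
    """Constructed scenario: fingerprint two files, then trojan one and
    remove the other.  Returns the verification reports before and after."""
    d = tempfile.mkdtemp()
    binary = os.path.join(d, "daemon")
    script = os.path.join(d, "rc.local")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF original image")
    with open(script, "wb") as f:
        f.write(b"#!/bin/sh\necho boot\n")
    entries = parse(generate([binary, script], "SHA256", ("DIRECT", "FILE")))
    before = verify(entries)
    with open(binary, "wb") as f:
        f.write(b"\x7fELF trojaned image")  # same size, different content
    os.remove(script)
    after = verify(entries)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        for path, state in sorted(report.items()):
            print(f"{label}: {state:9} {path}")
```

The parser refuses algorithms outside the set the kernel advertises and fingerprints of the wrong length, mirroring the practical point that a database entry which cannot be loaded protects nothing; the verifier reports a removed file separately from a modified one, the two conditions IDS mode later turns into hard denials.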
Kernel Configuration
Veriexec requires a kernel with
fileassoc(9) support and a
pseudo-device to run:
options FILEASSOC
pseudo-device veriexec
Additionally, at least one of the following options, which select the fingerprint algorithms the kernel will accept in the signatures database:
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA384
options VERIFIED_EXEC_FP_SHA512
Some kernels already enable
Veriexec by default. See your
kernel's config file for more information.
RC Configuration
Veriexec also allows loading signatures and setting the strict
level (see below) during the boot process using the following variables set in
rc.conf(5):
veriexec=YES
veriexec_strict=1 # IDS mode
STRICT LEVELS
Veriexec can operate in four modes, also referred to as strict
levels. Since the fingerprint tables can only be modified at strict level 0,
the signatures database must be loaded before the level is raised; the level
can be raised at runtime via sysctl(8) but cannot be lowered again without a
reboot.

Learning mode (strict level 0)
     The only level at which the fingerprint tables can be modified, this
     level is used to help fine-tune the signatures database. No enforcement
     is performed, and verbose information is logged (fingerprint matches
     and mismatches, file removals, incorrect access types, etc.).

IDS mode (strict level 1)
     IDS (intrusion detection system) mode provides an adequate level of
     integrity for the files it monitors. Implications:
     - Monitored files cannot be removed
     - If raw disk access is granted to a disk with monitored files on it,
       all monitored files' fingerprints will be invalidated
     - Access to files with mismatched fingerprints is denied
     - Write access to monitored files is allowed (a monitored file that is
       modified will then fail verification and be denied on its next access)
     - Access type is not enforced

IPS mode (strict level 2)
     IPS (intrusion prevention system) mode provides a high level of
     integrity for the files it monitors. Implications:
     - All implications of IDS mode
     - Write access to monitored files is denied
     - Access type is enforced
     - Raw disk access to disk devices with monitored files on them is denied
     - Execution of non-monitored files is denied
     - Write access to kernel memory via /dev/mem and /dev/kmem is denied

Lockdown mode (strict level 3)
     Lockdown mode provides high assurance integrity for the entire system.
     Implications:
     - All implications of IPS mode
     - Access to non-monitored files is denied
     - Write access to files is allowed only if the file was opened before
       the strict level was raised to this mode
     - Creation of new files is denied
     - Raw access to system disks is denied
Veriexec exports runtime information through sysctl(8) nodes under
kern.veriexec that may be useful for monitoring and auditing.
It reports the currently supported fingerprinting algorithms, for example:
# /sbin/sysctl kern.veriexec.algorithms
kern.veriexec.algorithms = SHA256 SHA384 SHA512
It reports the current verbosity and strict levels, for example:
# /sbin/sysctl kern.veriexec.{verbose,strict}
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
It reports a summary of currently loaded files and the mount-points they're on,
for example:
# /sbin/sysctl kern.veriexec.count
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
Other information may be retrieved using
veriexecctl(8).
SEE ALSO
options(4),
veriexec(5),
sysctl(7),
sysctl(8),
veriexecctl(8),
veriexecgen(8)
AUTHORS
Elad Efrat <elad@NetBSD.org>