NAME
     veriexec — Veriexec pseudo-device

SYNOPSIS
     pseudo-device veriexec

DESCRIPTION
     Veriexec verifies the integrity of specified executables and files
     before they are run or read.  This makes it much more difficult to
     insert a trojan horse into the system and also makes it more difficult
     to run binaries that are not supposed to be running, for example,
     packet sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and
     from the in-kernel Veriexec databases, as well as query information
     about them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and
     userland.
     VERIEXEC_LOAD
          Load an entry for a file to be monitored by Veriexec.  The
          dictionary passed contains the following elements:

          Name           Type     Purpose
          file           string   filename for this entry
          entry-type     uint8    entry type (see below)
          fp-type        string   fingerprint hashing algorithm
          fp             data     the fingerprint
          keep-filename  bool     whether or not to retain the entry's filename

          “entry-type” can be one or more (binary-OR'd) of the following:

          Type                Effect
          VERIEXEC_DIRECT     can execute directly
          VERIEXEC_INDIRECT   can execute indirectly (interpreter, mmap(2))
          VERIEXEC_FILE       can be opened
          VERIEXEC_UNTRUSTED  located on untrusted storage
     VERIEXEC_DELETE
          Removes either an entry for a single file or entries for an
          entire mount from Veriexec.  The dictionary passed contains the
          following elements:

          Name  Type    Purpose
          file  string  filename or mount-point
     VERIEXEC_DUMP
          Dump the Veriexec monitored files database from the kernel.
          Only files for which the filename was kept will be dumped.  The
          returned array contains dictionaries with the following elements:

          Name        Type    Purpose
          file        string  filename
          fp-type     string  fingerprint hashing algorithm
          fp          data    the fingerprint
          entry-type  uint8   entry type (see above)
     VERIEXEC_FLUSH
          Flush the Veriexec database, removing all entries.  This command
          has no parameters.
     VERIEXEC_QUERY
          Queries Veriexec about a file, returning information that may be
          useful about it.  The dictionary passed contains the following
          elements:

          Name  Type    Purpose
          file  string  filename

          The dictionary returned contains the following elements:

          Name        Type    Purpose
          entry-type  uint8   entry type (see above)
          status      uint8   entry status
          fp-type     string  fingerprint hashing algorithm
          fp          data    the fingerprint

          “status” can be one of the following:

          Status                Meaning
          FINGERPRINT_NOTEVAL   not evaluated
          FINGERPRINT_VALID     fingerprint match
          FINGERPRINT_MISMATCH  fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and
     VERIEXEC_FLUSH are not permitted once the strict level has been raised
     past 0.
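     The following Python is an added example, not NetBSD or veriexecctl(8)
     code.  It models the VERIEXEC_LOAD dictionary described above
     (binary-OR'd entry-type bits, raw digest as the fp data element,
     keep-filename controlling what VERIEXEC_DUMP later reports) and the
     VERIEXEC_QUERY reply with its status codes, and serializes the request
     with plistlib because proplib externalizes dictionaries in the Apple
     XML plist format.  The numeric values given to the VERIEXEC_* bits and
     FINGERPRINT_* codes are assumptions taken from sys/verified_exec.h and
     must be checked against the headers of the target system; the file
     path and contents are constructed, and no ioctl is issued, so it runs
     on any host.

```python
"""Offline model of the veriexec(4) proplib requests (added example)."""
import hashlib
import hmac
import plistlib

# Assumed numeric values of the entry-type bits (sys/verified_exec.h); verify locally.
VERIEXEC_DIRECT = 0x01     # can execute directly
VERIEXEC_INDIRECT = 0x02   # can execute indirectly (interpreter, mmap)
VERIEXEC_FILE = 0x04       # can be opened
VERIEXEC_UNTRUSTED = 0x08  # located on untrusted storage
ENTRY_TYPE_NAMES = {
    VERIEXEC_DIRECT: "VERIEXEC_DIRECT",
    VERIEXEC_INDIRECT: "VERIEXEC_INDIRECT",
    VERIEXEC_FILE: "VERIEXEC_FILE",
    VERIEXEC_UNTRUSTED: "VERIEXEC_UNTRUSTED",
}
ALL_ENTRY_TYPES = sum(ENTRY_TYPE_NAMES)  # OR of every defined bit

# Assumed numeric values of the "status" codes returned by VERIEXEC_QUERY.
FINGERPRINT_NOTEVAL = 0
FINGERPRINT_VALID = 1
FINGERPRINT_MISMATCH = 2
STATUS_NAMES = {
    FINGERPRINT_NOTEVAL: "not evaluated",
    FINGERPRINT_VALID: "fingerprint match",
    FINGERPRINT_MISMATCH: "fingerprint mismatch",
}

# "fp-type" names the hashing algorithm; only algorithms hashlib always has are mapped.
FP_ALGORITHMS = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384,
                 "SHA512": hashlib.sha512}


def fingerprint(contents: bytes, fp_type: str = "SHA256") -> bytes:
    """Raw digest of the file contents, i.e. the "fp" data element."""
    if fp_type not in FP_ALGORITHMS:
        raise ValueError(f"unsupported fp-type {fp_type!r}")
    return FP_ALGORITHMS[fp_type](contents).digest()


def load_request(path: str, entry_type: int, contents: bytes,
                 fp_type: str = "SHA256", keep_filename: bool = True) -> dict:
    """Dictionary passed with VERIEXEC_LOAD, with the elements listed in veriexec(4)."""
    if entry_type == 0 or entry_type & ~ALL_ENTRY_TYPES:
        raise ValueError("entry-type must be a non-empty OR of VERIEXEC_* bits")
    return {
        "file": path,                          # string
        "entry-type": entry_type,              # uint8
        "fp-type": fp_type,                    # string
        "fp": fingerprint(contents, fp_type),  # data
        "keep-filename": keep_filename,        # bool; DUMP lists only kept names
    }


def to_plist(request: dict) -> bytes:
    """XML plist bytes, the external form that proplib internalizes."""
    return plistlib.dumps(request)


def from_plist(blob: bytes) -> dict:
    """Inverse of to_plist, e.g. for a reply dumped from the kernel."""
    return plistlib.loads(blob)


def dump_view(loaded: list) -> list:
    """What VERIEXEC_DUMP reports: only entries whose filename was kept."""
    return [{k: e[k] for k in ("file", "fp-type", "fp", "entry-type")}
            for e in loaded if e["keep-filename"]]


def evaluate(entry: dict, contents: bytes) -> int:
    """Mirror the kernel's check: recompute the fingerprint and compare it."""
    actual = fingerprint(contents, entry["fp-type"])
    return (FINGERPRINT_VALID if hmac.compare_digest(actual, entry["fp"])
            else FINGERPRINT_MISMATCH)


def entry_type_names(entry_type: int) -> list:
    """Decode an entry-type byte into the VERIEXEC_* names set in it."""
    return [n for bit, n in ENTRY_TYPE_NAMES.items() if entry_type & bit]


def describe_query_reply(reply: dict) -> str:
    """One-line rendering of a VERIEXEC_QUERY reply dictionary."""
    status = STATUS_NAMES.get(reply["status"], f"unknown status {reply['status']}")
    types = "|".join(entry_type_names(reply["entry-type"])) or "no entry type"
    return f"{types} {reply['fp-type']}={reply['fp'].hex()} ({status})"


if __name__ == "__main__":
    # Constructed sample: a script that may be executed directly or opened.
    sample = b"#!/bin/sh\necho constructed sample\n"
    req = load_request("/usr/local/bin/sample", VERIEXEC_DIRECT | VERIEXEC_FILE, sample)
    print(to_plist(req).decode())
    reply = {**{k: req[k] for k in ("entry-type", "fp-type", "fp")},
             "status": evaluate(req, sample + b"# tampered\n")}
    print(describe_query_reply(reply))
```

     On a NetBSD host the dictionary built by load_request is what a C
     client would hand to prop_dictionary_send_ioctl(3) on the veriexec
     device; the entry-type guard and the keep-filename/DUMP relationship
     are the two points most often missed when assembling such requests.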
SEE ALSO
     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8),
     veriexecgen(8), veriexec(9)

NOTES
     veriexec is part of the default configuration on the following
     architectures: amd64, i386, macppc, prep, sparc64.

AUTHORS
     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>