| author | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
|---|---|---|
| committer | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
| commit | 5cb84ec742fd33f78c8022863fadaa8d0d93e176 (patch) | |
| tree | 1a81ca3665e6153923e40db7b0d988f8573ab59c /static/netbsd/man8/veriexec.8 | |
| parent | a59214f344567c037d5776879bcfc5fcc1d4d5f6 (diff) | |
feat: Added NetBSD man pages
Diffstat (limited to 'static/netbsd/man8/veriexec.8')
| -rw-r--r-- | static/netbsd/man8/veriexec.8 | 200 |
1 files changed, 200 insertions, 0 deletions
diff --git a/static/netbsd/man8/veriexec.8 b/static/netbsd/man8/veriexec.8 new file mode 100644 index 00000000..429c3198 --- /dev/null +++ b/static/netbsd/man8/veriexec.8 
@@ -0,0 +1,200 @@ +.\" $NetBSD: veriexec.8,v 1.8 2018/01/17 12:49:06 sevan Exp $ +.\" +.\" Copyright (c) 2008 Elad Efrat <elad@NetBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd September 13, 2017 +.Dt VERIEXEC 8 +.Os +.Sh NAME +.Nm veriexec +.Nd +file integrity subsystem +.Sh DESCRIPTION +.Em Veriexec +is an in-kernel, real-time, file-system independent, file integrity +subsystem. 
+It can be used for a variety of purposes, including defense against trojaned +binaries, indirect attacks via third-party remote file-systems, and malicious +configuration file corruption. +.Sh CONFIGURATION +.Ss Signatures Database +.Em Veriexec +requires a signatures database -- a list of monitored files, along with their +digital fingerprint and (optionally) access modes. +The format of this file is described by +.Xr veriexec 5 . +.Pp +.Nx +provides a tool, +.Xr veriexecgen 8 , +for generating the signatures database. +Example usage: +.Bd -literal -offset indent +# veriexecgen +.Ed +.Pp +Although it should be loaded on system boot (see +.Dq RC Configuration +below), this list can be loaded manually using +.Xr veriexecctl 8 : +.Bd -literal -offset indent +# veriexecctl load +.Ed +.Ss Kernel Configuration +.Em Veriexec +requires a kernel with +.Xr fileassoc 9 +support and a pseudo-device to run: +.Bd -literal -offset indent +options FILEASSOC +pseudo-device veriexec +.Ed +.Pp +Additionally, one or more options for digital fingerprint algorithm support: +.Bd -literal -offset indent +options VERIFIED_EXEC_FP_SHA256 +options VERIFIED_EXEC_FP_SHA384 +options VERIFIED_EXEC_FP_SHA512 +.Ed +.Pp +Some kernels already enable +.Em Veriexec +by default. +See your kernel's config file for more information. +.Ss RC Configuration +.Em Veriexec +also allows loading signatures and setting the strict level (see below) during +the boot process using the following variables set in +.Xr rc.conf 5 : +.Bd -literal -offset indent +veriexec=YES +veriexec_strict=1 # IDS mode +.Ed +.Sh STRICT LEVELS +.Em Veriexec +can operate in four modes, also referred to as strict levels: +.Bl -tag -width flag +.It Learning mode ( strict level 0 ) +The only level at which the fingerprint tables can be modified, this level is +used to help fine-tune the signature database. 
+No enforcement is made, and verbose information is provided (fingerprint +matches and mismatches, file removals, incorrect access, etc.). +.It IDS mode ( strict level 1 ) +IDS (intrusion detection system) mode provides an adequate level of integrity +for the files it monitors. +Implications: +.Pp +.Bl -hyphen -compact +.It +Monitored files cannot be removed +.It +If raw disk access is granted to a disk with monitored files on it, all +monitored files' fingerprints will be invalidated +.It +Access to files with mismatched fingerprints is denied +.It +Write access to monitored files is allowed +.It +Access type is not enforced +.El +.It IPS mode ( strict level 2 ) +IPS (intrusion prevention system) mode provides a high level of integrity +for the files it monitors. +Implications: +.Pp +.Bl -hyphen -compact +.It +All implications of IDS mode +.It +Write access to monitored files is denied +.It +Access type is enforced +.It +Raw disk access to disk devices with monitored files on them is denied +.It +Execution of non-monitored files is denied +.It +Write access to kernel memory via +.Pa /dev/mem +and +.Pa /dev/kmem +is denied +.El +.It Lockdown mode ( strict level 3 ) +Lockdown mode provides high assurance integrity for the entire system. +Implications: +.Pp +.Bl -hyphen -compact +.It +All implications of IPS mode +.It +Access to non-monitored files is denied +.It +Write access to files is allowed only if the file was opened before the +strict level was raised to this mode +.It +Creation of new files is denied +.It +Raw access to system disks is denied +.El +.El +.Sh RUNTIME INFORMATION +.Em Veriexec +exports runtime information that may be useful for various purposes. 
+.Pp +It reports the currently supported fingerprinting algorithms, for example: +.Bd -literal -offset indent +# /sbin/sysctl kern.veriexec.algorithms +kern.veriexec.algorithms = SHA256 SHA384 SHA512 +.Ed +.Pp +It reports the current verbosity and strict levels, for example: +.Bd -literal -offset indent +# /sbin/sysctl kern.veriexec.{verbose,strict} +kern.veriexec.verbose = 0 +kern.veriexec.strict = 1 +.Ed +.Pp +It reports a summary of currently loaded files and the mount-points they're on, +for example: +.Bd -literal -offset indent +# /sbin/sysctl kern.veriexec.count +kern.veriexec.count.table0.mntpt = / +kern.veriexec.count.table0.fstype = ffs +kern.veriexec.count.table0.nentries = 33 +.Ed +.Pp +Other information may be retrieved using +.Xr veriexecctl 8 . +.Sh SEE ALSO +.Xr options 4 , +.Xr veriexec 5 , +.Xr sysctl 7 , +.Xr sysctl 8 , +.Xr veriexecctl 8 , +.Xr veriexecgen 8 +.Sh AUTHORS +.An Elad Efrat Aq Mt elad@NetBSD.org |
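Review bot: The commit message "feat: Added NetBSD man pages" does not record which NetBSD release or source revision this page was copied from; the only provenance inside the file is the RCS tag on its first line, `$NetBSD: veriexec.8,v 1.8 2018/01/17 12:49:06 sevan Exp $`, and the `.Dd September 13, 2017` date. Please state the upstream release (or src revision) in the commit message or in a README next to static/netbsd/, so that later re-syncs and license audits can diff against the correct upstream copy rather than guessing from the tag. The BSD license block is carried over verbatim, which is what its condition 1 ("Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer") requires, so the file body itself needs no change; the hunk header `@@ -0,0 +1,200 @@` also agrees with the Diffstat's 200 insertions.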
