diff options
Diffstat (limited to 'static/netbsd/man5/veriexec.5')
| -rw-r--r-- | static/netbsd/man5/veriexec.5 | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/static/netbsd/man5/veriexec.5 b/static/netbsd/man5/veriexec.5 new file mode 100644 index 00000000..42450745 --- /dev/null +++ b/static/netbsd/man5/veriexec.5 @@ -0,0 +1,155 @@ +.\" $NetBSD: veriexec.5,v 1.8 2017/07/03 21:30:59 wiz Exp $ +.\" +.\" Copyright (c) 1999 +.\" Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au +.\" +.\" This code is donated to The NetBSD Foundation by the author. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the Author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: veriexec.5,v 1.8 2017/07/03 21:30:59 wiz Exp $ +.\" +.Dd March 18, 2011 +.Dt VERIEXEC 5 +.Os +.Sh NAME +.Nm veriexec +.Nd format for the +.Em Veriexec +signatures file +.Sh DESCRIPTION +.Em Veriexec +loads entries to the in-kernel database from a file describing files to be +monitored and the type of monitoring. +This file is often referred to as the +.Sq signatures database +or +.Sq signatures file . +.Pp +The signatures file can be easily created using +.Xr veriexecgen 8 . +.Sh SIGNATURES DATABASE FORMAT +The signatures database has a line based structure, where each line has several +fields separated by white-space (space, tabs, etc.) taking the following form: +.Pp +.Dl path type fingerprint flags +.Pp +The description for each field is as follows: +.Bl -tag -width "fingerprint" +.It Em path +The full path to the file. +White-space characters can be escaped if prefixed with a +.Sq \e . +.It Em type +Type of fingerprinting algorithm used for the file. +.Pp +Requires kernel support for the specified algorithm. +List of fingerprinting algorithms supported by the kernel can be obtained by +using the following command: +.Bd -literal -offset indent +# sysctl kern.veriexec.algorithms +.Ed +.It Em fingerprint +The fingerprint for the file. +Can (usually) be generated using the following command: +.Bd -literal -offset indent +% cksum -a <algorithm> <file> +.Ed +.It Em flags +Optional listing of entry flags, separated by a comma. +These may include: +.Bl -tag -width "untrusted" +.It Em direct +Allow direct execution only. +.Pp +Execution of a program is said to be +.Dq direct +when the program is invoked by the user (either in a script, manually typing it, +etc.) via the +.Xr execve 2 +syscall. +.It Em indirect +Allow indirect execution only. +.Pp +Execution of a program is said to be +.Dq indirect +if it is invoked by the kernel to interpret a script +.Pq Dq hash-bang . +.It Em file +Allow opening the file only, via the +.Xr open 2 +syscall (no execution is allowed). +.It Em untrusted +Indicate that the file is located on untrusted storage and its fingerprint +evaluation status should not be cached, but rather re-calculated each time +it is accessed. +.\"It also enabled per-page fingerprints for the file, causing pages it as +.\"backing store to be verified for their integrity as well. +.Pp +Fingerprints for untrusted files will always be evaluated on load. +.El +.Pp +To improve readability of the signatures file, the following aliases are +provided: +.Bl -tag -width "interpreter" +.It Em program +An alias for +.Dq direct . +.It Em interpreter +An alias for +.Dq indirect +.It Em script +An alias for both +.Dq direct +and +.Dq file . +.It Em library +An alias for both +.Dq file +and +.Dq indirect . +.El +.Pp +If no flags are specified, +.Dq direct +is assumed. +.El +.Pp +Comments begin with a +.Sq \&# +character and span to the end of the line. +.Sh SEE ALSO +.Xr veriexec 4 , +.Xr security 7 , +.Xr veriexec 8 , +.Xr veriexecctl 8 , +.Xr veriexecgen 8 +.Sh HISTORY +.Nm +first appeared in +.Nx 2.0 . +.Sh AUTHORS +.An Brett Lymn Aq Mt blymn@NetBSD.org +.An Elad Efrat Aq Mt elad@NetBSD.org |