VERIEXEC(5) | File Formats Manual | VERIEXEC(5) |
veriexec
— format
for the Veriexec signatures file
Veriexec loads entries to the in-kernel database from a file describing files to be monitored and the type of monitoring. This file is often referred to as the ‘signatures database’ or ‘signatures file’.
The signatures file can be easily created using veriexecgen(8).
The signatures database has a line based structure, where each line has several fields separated by white-space (space, tabs, etc.) taking the following form:
path type fingerprint flags
The description for each field is as follows:
Requires kernel support for the specified algorithm. List of fingerprinting algorithms supported by the kernel can be obtained by using the following command:
# sysctl kern.veriexec.algorithms
% cksum -a <algorithm> <file>
Execution of a program is said to be “direct” when the program is invoked by the user (either in a script, manually typing it, etc.) via the execve(2) syscall.
Execution of a program is said to be “indirect” if it is invoked by the kernel to interpret a script (“hash-bang”).
Fingerprints for untrusted files will always be evaluated on load.
To improve readability of the signatures file, the following aliases are provided:
If no flags are specified, “direct” is assumed.
Comments begin with a ‘#’ character and span to the end of the line.
veriexec(4), security(7), veriexec(8), veriexecctl(8), veriexecgen(8)
veriexec
first appeared in
NetBSD 2.0.
Brett Lymn
<blymn@NetBSD.org>
Elad Efrat
<elad@NetBSD.org>
March 18, 2011 | NetBSD 10.99 |