VERIEXEC(8)		  BSD System Manager's Manual		   VERIEXEC(8)

NAME
     veriexec -- file integrity subsystem

DESCRIPTION
     Veriexec is an in-kernel, real-time, file-system independent, file
     integrity subsystem.  It can be used for a variety of purposes, including
     defense against trojaned binaries, indirect attacks via third-party remote
     file-systems, and malicious configuration file corruption.

CONFIGURATION
   Signatures Database
     Veriexec requires a signatures database -- a list of monitored files,
     along with their digital fingerprint and (optionally) access modes.  The
     format of this file is described by veriexec(5).

     NetBSD provides a tool, veriexecgen(8), for generating the signatures
     database.  Example usage:

	   # veriexecgen

     Although it should be loaded on system boot (see "RC Configuration"
     below), this list can be loaded manually using veriexecctl(8):

	   # veriexecctl load
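
     The following is an added example (not NetBSD code and not what
     veriexecgen(8) or veriexecctl(8) actually run) that models the signatures
     database in userland: it fingerprints a set of files with SHA256, writes
     them out in a "path algorithm fingerprint [flags]" layout (assumed here to
     follow veriexec(5); the DIRECT flag is likewise an assumption), parses
     that text back, and re-checks every entry so that a tampered or removed
     file shows up the way learning mode would report it.  All files are
     constructed in a temporary directory.

```python
"""Userland model of a veriexec(5)-style signatures database.

Added example, not NetBSD code.  Entry layout is assumed to follow
veriexec(5): "path algorithm fingerprint [flags]".
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Algorithms a kernel built with VERIFIED_EXEC_FP_SHA256/SHA512 supports.
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def fingerprint(path, algorithm="SHA256"):
    """Hex digest of a file's contents, read in chunks."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate(paths, algorithm="SHA256", flags="DIRECT"):
    """One database line per file, the way a generator tool would emit them."""
    return "".join(
        f"{p} {algorithm} {fingerprint(p, algorithm)} {flags}\n" for p in paths
    )


def parse(text):
    """Map path -> (algorithm, fingerprint, flags); reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'path algorithm fingerprint [flags]'")
        path, algorithm, fp = fields[0], fields[1].upper(), fields[2].lower()
        if algorithm not in ALGORITHMS:
            raise ValueError(f"line {lineno}: unsupported algorithm {algorithm}")
        entries[path] = (algorithm, fp, tuple(fields[3:]))
    return entries


def verify(entries):
    """Re-fingerprint every entry; report ok / mismatch / missing per path."""
    report = {}
    for path, (algorithm, expected, _flags) in entries.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hmac.compare_digest(fingerprint(path, algorithm), expected):
            report[path] = "ok"
        else:
            report[path] = "mismatch"
    return report


def demo():
    """Constructed scenario: build a database, then tamper with and remove files."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "ls")
        conf = os.path.join(d, "rc.conf")
        Path(binary).write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        Path(conf).write_text("veriexec=YES\nveriexec_strict=1\n")
        entries = parse(generate([binary, conf]))
        before = verify(entries)
        Path(conf).write_text("veriexec=NO\n")   # constructed tampering
        os.remove(binary)                         # constructed removal
        after = verify(entries)
    return {
        "before": sorted(before.values()),
        "after": {os.path.basename(p): s for p, s in after.items()},
    }


if __name__ == "__main__":
    print(demo())
```

     A database produced this way is only as trustworthy as the files were
     at generation time, which is why the page's advice to generate it from a
     known-good system and load it at boot matters more than the hashing
     itself.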

   Kernel Configuration
     Veriexec requires a pseudo-device to run:

	   pseudo-device veriexec 1

     Additionally, one or more options for digital fingerprint algorithm
     support:

	   options VERIFIED_EXEC_FP_SHA256
	   options VERIFIED_EXEC_FP_SHA512

     Some kernels already enable Veriexec by default.  See your kernel's
     config file for more information.

   RC Configuration
     Veriexec also allows loading signatures and setting the strict level (see
     below) during the boot process using the following variables set in
     rc.conf(5):

	   veriexec=YES
	   veriexec_strict=1 # IDS mode

STRICT LEVELS
     Veriexec can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
	   The only level at which the fingerprint tables can be modified,
	   this level is used to help fine-tune the signature database.  No
	   enforcement is made, and verbose information is provided
	   (fingerprint matches and mismatches, file removals, incorrect
	   access, etc.).

     IDS mode (strict level 1)
	   IDS (intrusion detection system) mode provides an adequate level of
	   integrity for the files it monitors.  Implications:

	   -   Monitored files cannot be removed
	   -   If raw disk access is granted to a disk with monitored files on
	       it, all monitored files' fingerprints will be invalidated
	   -   Access to files with mismatched fingerprints is denied
	   -   Write access to monitored files is allowed
	   -   Access type is not enforced

     IPS mode (strict level 2)
	   IPS (intrusion prevention system) mode provides a high level of
	   integrity for the files it monitors.  Implications:

	   -   All implications of IDS mode
	   -   Write access to monitored files is denied
	   -   Access type is enforced
	   -   Raw disk access to disk devices with monitored files on them is
	       denied
	   -   Execution of non-monitored files is denied
	   -   Write access to kernel memory via /dev/mem and /dev/kmem is
	       denied

     Lockdown mode (strict level 3)
	   Lockdown mode provides high assurance integrity for the entire
	   system.  Implications:

	   -   All implications of IPS mode
	   -   Access to non-monitored files is denied
	   -   Write access to files is allowed only if the file was opened
	       before the strict level was raised to this mode
	   -   Creation of new files is denied
	   -   Raw access to system disks is denied

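     The four strict levels above form a single access-control policy.  The
     following added example (not NetBSD code; the kernel implements this in
     C against real vnode operations) encodes that policy as a decision
     function so the cumulative effect of each level can be checked.  The
     operation names (read, exec, write, create, unlink, rawdisk, kmemwrite),
     the access_types set standing in for an entry's access mode flags, and
     the reading that lockdown's "opened before the level was raised" rule
     applies to monitored files while non-monitored files are simply denied
     are all this example's assumptions.

```python
"""Model of veriexec strict levels as a decision function (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Strict(IntEnum):
    LEARNING = 0
    IDS = 1
    IPS = 2
    LOCKDOWN = 3


@dataclass(frozen=True)
class Request:
    # Assumed operation vocabulary: read | exec | write | create | unlink |
    # rawdisk | kmemwrite (the last two are not tied to a monitored path).
    op: str
    monitored: bool = False          # path has an entry in the database
    fp_match: bool = True            # fingerprint matched (monitored only)
    # Assumed stand-in for the entry's access modes: which ops it permits.
    access_types: frozenset = frozenset({"read", "exec", "write"})
    opened_before_raise: bool = False  # handle existed before lockdown


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    invalidates_fingerprints: bool = False


def decide(level, req):
    level = Strict(level)
    name = level.name
    if level == Strict.LEARNING:
        return Decision(True, "LEARNING: no enforcement, event logged verbosely")
    if req.op == "rawdisk":
        if level == Strict.IDS:
            return Decision(True, "IDS: raw disk access granted; fingerprints on "
                                  "that disk invalidated", invalidates_fingerprints=True)
        return Decision(False, f"{name}: raw disk access denied")
    if req.op == "kmemwrite":
        if level >= Strict.IPS:
            return Decision(False, f"{name}: write to /dev/mem or /dev/kmem denied")
        return Decision(True, f"{name}: kernel memory write not restricted")
    if req.op == "create":
        if level == Strict.LOCKDOWN:
            return Decision(False, "LOCKDOWN: creation of new files denied")
        return Decision(True, f"{name}: file creation allowed")
    if req.monitored:
        if not req.fp_match:
            return Decision(False, f"{name}: fingerprint mismatch, access denied")
        if req.op == "unlink":
            return Decision(False, f"{name}: monitored file cannot be removed")
        if req.op == "write":
            if level == Strict.IDS:
                return Decision(True, "IDS: write to monitored file allowed")
            if level == Strict.LOCKDOWN and req.opened_before_raise:
                return Decision(True, "LOCKDOWN: write allowed, file opened before "
                                      "the level was raised")
            return Decision(False, f"{name}: write to monitored file denied")
        if level >= Strict.IPS and req.op not in req.access_types:
            return Decision(False, f"{name}: access type {req.op} not permitted by entry")
        return Decision(True, f"{name}: fingerprint ok")
    # Non-monitored file from here on.
    if req.op == "exec" and level >= Strict.IPS:
        return Decision(False, f"{name}: execution of non-monitored file denied")
    if level == Strict.LOCKDOWN:
        return Decision(False, "LOCKDOWN: access to non-monitored file denied")
    return Decision(True, f"{name}: non-monitored file not restricted")


def matrix(requests):
    """Table of allow/deny per level for a list of (label, Request) pairs."""
    return {label: [decide(lvl, r).allowed for lvl in Strict] for label, r in requests}


if __name__ == "__main__":
    for label, row in matrix([
        ("exec tampered monitored", Request("exec", monitored=True, fp_match=False)),
        ("write monitored", Request("write", monitored=True)),
        ("exec non-monitored", Request("exec")),
        ("raw disk", Request("rawdisk")),
    ]).items():
        print(f"{label:26s}", " ".join("allow" if a else "deny " for a in row))
```

     Walking the matrix for a request across all four levels is a quick way
     to confirm that a proposed veriexec_strict value in rc.conf(5) actually
     blocks the cases an operator cares about before it is enabled on a
     production host.
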
RUNTIME INFORMATION
     Veriexec exports runtime information that may be useful for various
     purposes.

     It reports the currently supported fingerprinting algorithms, for
     example:

	   # /sbin/sysctl kern.veriexec.algorithms
	   kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5

     It reports the current verbosity and strict levels, for example:

	   # /sbin/sysctl kern.veriexec.{verbose,strict}
	   kern.veriexec.verbose = 0
	   kern.veriexec.strict = 1

     It reports a summary of currently loaded files and the mount-points
     they're on, for example:

	   # /sbin/sysctl kern.veriexec.count
	   kern.veriexec.count.table0.mntpt = /
	   kern.veriexec.count.table0.fstype = ffs
	   kern.veriexec.count.table0.nentries = 33

     Other information may be retrieved using veriexecctl(8).
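
     The sysctl output above is line-oriented and easy to check from a
     monitoring job.  The following added example (not part of veriexec)
     parses those "key = value" lines into a summary and flags a running
     strict level below what rc.conf(5) was meant to set, or a loaded table
     with no entries.  SAMPLE is constructed from the lines shown above plus
     a second, empty table for /usr/pkg; that mount point and its contents
     are invented for the example.

```python
"""Parse kern.veriexec sysctl output into a health summary (added example)."""

# Constructed sample: the lines from the page plus an invented empty table.
SAMPLE = """\
kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
kern.veriexec.count.table1.mntpt = /usr/pkg
kern.veriexec.count.table1.fstype = nfs
kern.veriexec.count.table1.nentries = 0
"""

LEVEL_NAMES = {0: "learning", 1: "IDS", 2: "IPS", 3: "lockdown"}


def parse_sysctl(text):
    """'key = value' lines -> dict; anything without ' = ' is ignored."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            values[key.strip()] = value.strip()
    return values


def summarize(values):
    """Group the flat keys into levels, algorithms and per-table counts."""
    tables = {}
    for key, value in values.items():
        if key.startswith("kern.veriexec.count."):
            table, field = key.split(".")[-2:]
            tables.setdefault(table, {})[field] = (
                int(value) if field == "nentries" else value
            )
    return {
        "strict": int(values.get("kern.veriexec.strict", -1)),
        "verbose": int(values.get("kern.veriexec.verbose", -1)),
        "algorithms": values.get("kern.veriexec.algorithms", "").split(),
        "tables": tables,
    }


def findings(summary, expected_strict=1):
    """Deviations from the state veriexec_strict in rc.conf was meant to set."""
    issues = []
    level = summary["strict"]
    if level < expected_strict:
        issues.append(f"strict level is {level} ({LEVEL_NAMES.get(level, 'unknown')}), "
                      f"expected at least {expected_strict}")
    if not summary["tables"]:
        issues.append("no signature tables loaded")
    for name, table in summary["tables"].items():
        if table.get("nentries", 0) == 0:
            issues.append(f"{name} on {table.get('mntpt')}: zero monitored files")
    return issues


if __name__ == "__main__":
    summary = summarize(parse_sysctl(SAMPLE))
    print(summary)
    for issue in findings(summary, expected_strict=2):
        print("finding:", issue)
```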

SEE ALSO
     options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8),
     veriexecgen(8)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

BSD			       February	18, 2008			   BSD
