VERIEXEC(4)             NetBSD Kernel Interfaces Manual            VERIEXEC(4)

NAME
     veriexec -- Veriexec pseudo-device

SYNOPSIS
     pseudo-device veriexec

DESCRIPTION
     Veriexec verifies the integrity of specified executables and files before
     they are run or read.  This makes it much more difficult to insert a
     trojan horse into the system and also makes it more difficult to run
     binaries that are not supposed to be running, for example, packet
     sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and from
     the in-kernel Veriexec databases, as well as query information about
     them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and
     userland.

     VERIEXEC_LOAD
           Load an entry for a file to be monitored by Veriexec.

           The dictionary passed contains the following elements:

           Name          Type      Purpose
           file          string    filename for this entry
           entry-type    uint8     entry type (see below)
           fp-type       string    fingerprint hashing algorithm
           fp            data      the fingerprint

           ``entry-type'' can be one or more (binary-OR'd) of the following:

           Type                  Effect
           VERIEXEC_DIRECT       can execute directly
           VERIEXEC_INDIRECT     can execute indirectly (interpreter, mmap(2))
           VERIEXEC_FILE         can be opened
           VERIEXEC_UNTRUSTED    located on untrusted storage

     VERIEXEC_DELETE
           Removes either an entry for a single file or entries for an entire
           mount from Veriexec.

           The dictionary passed contains the following elements:

           Name    Type      Purpose
           file    string    filename or mount-point

     VERIEXEC_DUMP
           Dump the Veriexec monitored files database from the kernel.

           Only entries for which the kernel still keeps the filename will be
           dumped.  The returned array contains dictionaries with the following
           elements:

           Name          Type      Purpose
           file          string    filename
           fp-type       string    fingerprint hashing algorithm
           fp            data      the fingerprint
           entry-type    uint8     entry type (see above)

     VERIEXEC_FLUSH
           Flush the Veriexec database, removing all entries.

           This command has no parameters.

     VERIEXEC_QUERY
           Queries Veriexec about a file, returning information that may be
           useful about it.

           The dictionary passed contains the following elements:

           Name    Type      Purpose
           file    string    filename

           The dictionary returned contains the following elements:

           Name          Type      Purpose
           entry-type    uint8     entry type (see above)
           status        uint8     entry status
           fp-type       string    fingerprint hashing algorithm
           fp            data      the fingerprint

           ``status'' can be one of the following:

           Status                  Meaning
           FINGERPRINT_NOTEVAL     not evaluated
           FINGERPRINT_VALID       fingerprint match
           FINGERPRINT_MISMATCH    fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH
     are not permitted once the strict level has been raised past 0.
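     The following is an added example, not code from the NetBSD source tree
     or the veriexecctl(8) utility.  It builds a VERIEXEC_LOAD dictionary with
     the element names listed above, externalizes it as an XML property list
     (the form proplib(3) externalizes to; treated here as an assumption), and
     keeps an in-memory model of the kernel database so that the
     LOAD/DELETE/DUMP/FLUSH/QUERY semantics and the strict-level rule can be
     exercised offline.  The numeric values of the VERIEXEC_* and
     FINGERPRINT_* constants are assumptions (the real ones live in
     <sys/verified_exec.h>), the VeriexecDB class is a simplified model rather
     than the kernel's code, and the sample file and its contents are
     constructed.  On a real system the dictionary would be handed to
     /dev/veriexec with proplib's ioctl helpers instead of a Python object.

```python
"""Model of the veriexec(4) kernel/userland dictionary exchange (added example)."""
import hashlib
import os
import plistlib
import tempfile

# entry-type bits.  Assumed numeric values: veriexec(4) names the flags,
# their real values are defined in <sys/verified_exec.h>.
VERIEXEC_DIRECT = 0x01
VERIEXEC_INDIRECT = 0x02
VERIEXEC_FILE = 0x04
VERIEXEC_UNTRUSTED = 0x08
ENTRY_TYPE_NAMES = {VERIEXEC_DIRECT: "VERIEXEC_DIRECT",
                    VERIEXEC_INDIRECT: "VERIEXEC_INDIRECT",
                    VERIEXEC_FILE: "VERIEXEC_FILE",
                    VERIEXEC_UNTRUSTED: "VERIEXEC_UNTRUSTED"}

# status values returned by VERIEXEC_QUERY (assumed numeric encoding).
FINGERPRINT_NOTEVAL, FINGERPRINT_VALID, FINGERPRINT_MISMATCH = 0, 1, 2

# fp-type names mapped to hashlib algorithm names (assumed spelling).
_HASHES = {"SHA256": "sha256", "SHA512": "sha512", "SHA1": "sha1", "MD5": "md5"}


def fingerprint(path, fp_type="SHA256"):
    """Hash the whole file with the algorithm named by fp-type."""
    h = hashlib.new(_HASHES[fp_type])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def make_load_dict(path, entry_type, fp_type="SHA256"):
    """Dictionary for VERIEXEC_LOAD: file, entry-type (uint8), fp-type, fp."""
    if not 0 < entry_type < 256:
        raise ValueError("entry-type is a uint8 bit mask")
    return {"file": path, "entry-type": entry_type,
            "fp-type": fp_type, "fp": fingerprint(path, fp_type)}


def externalize(obj):
    """XML plist bytes: string/integer/data elements for the dictionary values."""
    return plistlib.dumps(obj)


def internalize(blob):
    return plistlib.loads(blob)


def entry_type_names(entry_type):
    return [n for bit, n in ENTRY_TYPE_NAMES.items() if entry_type & bit]


class VeriexecDB:
    """In-memory model of the kernel table; LOAD/DELETE/FLUSH refused once strict > 0."""

    def __init__(self):
        self.entries, self.status, self.strict = {}, {}, 0

    def _check_mutable(self):
        if self.strict > 0:
            raise PermissionError("strict level %d: table is read-only" % self.strict)

    def load(self, d):
        self._check_mutable()
        self.entries[d["file"]] = dict(d)
        self.status[d["file"]] = FINGERPRINT_NOTEVAL

    def delete(self, path):
        """Remove one entry, or every entry below a mount point; returns the count."""
        self._check_mutable()
        if path in self.entries:
            victims = [path]
        else:
            prefix = path.rstrip("/") + "/"
            victims = [f for f in self.entries if f.startswith(prefix)]
        for f in victims:
            del self.entries[f], self.status[f]
        return len(victims)

    def flush(self):
        self._check_mutable()
        self.entries.clear()
        self.status.clear()

    def dump(self):
        return [dict(e) for e in self.entries.values()]

    def evaluate(self, path):
        """Re-hash the file and move its status from NOTEVAL to VALID or MISMATCH."""
        e = self.entries[path]
        ok = fingerprint(path, e["fp-type"]) == e["fp"]
        self.status[path] = FINGERPRINT_VALID if ok else FINGERPRINT_MISMATCH
        return self.status[path]

    def query(self, path):
        e = self.entries[path]
        return {"entry-type": e["entry-type"], "status": self.status[path],
                "fp-type": e["fp-type"], "fp": e["fp"]}


def demo():
    """Constructed scenario: load, evaluate, tamper, re-evaluate, raise strict level."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ls")
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample binary\n")   # constructed content
        db = VeriexecDB()
        d = internalize(externalize(make_load_dict(path, VERIEXEC_DIRECT | VERIEXEC_FILE)))
        db.load(d)
        before = db.query(path)["status"]
        valid = db.evaluate(path)
        with open(path, "ab") as f:
            f.write(b"# appended after the fingerprint was taken\n")
        mismatch = db.evaluate(path)
        db.strict = 1
        try:
            db.flush()
            refused = False
        except PermissionError:
            refused = True
        return before, valid, mismatch, refused, entry_type_names(d["entry-type"])


if __name__ == "__main__":
    print(demo())
```

     The round trip through externalize()/internalize() is there to show that
     ``fp'' travels as a data element and ``entry-type'' as an integer, which is
     what the element types in the tables above require; a mismatch after the
     file is modified is reported as FINGERPRINT_MISMATCH by the query, and the
     flush attempted at strict level 1 is refused exactly as the note above
     describes.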

SEE ALSO
     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8),
     veriexecgen(8), veriexec(9)

NOTES
     veriexec is part of the default configuration on the following
     architectures: amd64, i386, prep, sparc64.

AUTHORS
     Brett Lymn <blymn@NetBSD.org>
     Elad Efrat <elad@NetBSD.org>

NetBSD 7.0                      March 19, 2011                      NetBSD 7.0
