VERIEXEC(8)             NetBSD System Manager's Manual             VERIEXEC(8)

     veriexec -- file integrity subsystem

     Veriexec is an in-kernel, real-time, file-system independent, file
     integrity subsystem.  It can be used for a variety of purposes, including
     defense against trojaned binaries, indirect attacks via third-party
     remote file-systems, and malicious configuration file corruption.

   Signatures Database
     Veriexec requires a signatures database -- a list of monitored files,
     along with their digital fingerprint and (optionally) access modes.  The
     format of this file is described by veriexec(5).

     NetBSD provides a tool, veriexecgen(8), for generating the signatures
     database.  Example usage:

           # veriexecgen

     Although it should be loaded on system boot (see ``RC Configuration''
     below), this list can be loaded manually using veriexecctl(8):

           # veriexecctl load

   Kernel Configuration
     Veriexec requires a pseudo-device to run:

           pseudo-device veriexec

     Additionally, one or more options for digital fingerprint algorithm sup-

           options VERIFIED_EXEC_FP_SHA256
           options VERIFIED_EXEC_FP_SHA384
           options VERIFIED_EXEC_FP_SHA512

     Some kernels already enable Veriexec by default.  See your kernel's con-
     fig file for more information.

   RC Configuration
     Veriexec also allows loading signatures and setting the strict level (see
     below) during the boot process using the following variables set in

           veriexec_strict=1 # IDS mode

     Veriexec can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
           The only level at which the fingerprint tables can be modified,
           this level is used to help fine-tune the signature database.  No
           enforcement is made, and verbose information is provided (finger-
           print matches and mismatches, file removals, incorrect access,

     IDS mode (strict level 1)
           IDS (intrusion detection system) mode provides an adequate level of
           integrity for the files it monitors.  Implications:

           -   Monitored files cannot be removed
           -   If raw disk access is granted to a disk with monitored files on
               it, all monitored files' fingerprints will be invalidated
           -   Access to files with mismatched fingerprints is denied
           -   Write access to monitored files is allowed
           -   Access type is not enforced

     IPS mode (strict level 2)
           IPS (intrusion prevention system) mode provides a high level of
           integrity for the files it monitors.  Implications:

           -   All implications of IDS mode
           -   Write access to monitored files is denied
           -   Access type is enforced
           -   Raw disk access to disk devices with monitored files on them is
           -   Execution of non-monitored files is denied
           -   Write access to kernel memory via /dev/mem and /dev/kmem is

     Lockdown mode (strict level 3)
           Lockdown mode provides high assurance integrity for the entire sys-
           tem.  Implications:

           -   All implications of IPS mode
           -   Access to non-monitored files is denied
           -   Write access to files is allowed only if the file was opened
               before the strict level was raised to this mode
           -   Creation of new files is denied
           -   Raw access to system disks is denied

     Veriexec exports runtime information that may be useful for various pur-

     It reports the currently supported fingerprinting algorithms, for exam-

           # /sbin/sysctl kern.veriexec.algorithms
           kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5

     It reports the current verbosity and strict levels, for example:

           # /sbin/sysctl kern.veriexec.{verbose,strict}
           kern.veriexec.verbose = 0
           kern.veriexec.strict = 1

     It reports a summary of currently loaded files and the mount-points
     they're on, for example:

           # /sbin/sysctl kern.veriexec.count
           kern.veriexec.count.table0.mntpt = /
           kern.veriexec.count.table0.fstype = ffs
           kern.veriexec.count.table0.nentries = 33

     Other information may be retrieved using veriexecctl(8).

     options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8),

     Elad Efrat <>

NetBSD 8.1                    September 13, 2017                    NetBSD 8.1

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2019 Modified for NetBSD by Kimmo Suominen