VERIEXEC(8) NetBSD System Manager's Manual VERIEXEC(8)
NAME
veriexec -- file integrity subsystem
DESCRIPTION
Veriexec is an in-kernel, real-time, file-system independent, file integrity subsystem. It can be used for a variety of purposes, including defense against trojaned binaries, indirect attacks via third-party remote file-systems, and malicious configuration file corruption.
CONFIGURATION
Signatures Database Veriexec requires a signatures database -- a list of monitored files, along with their digital fingerprint and (optionally) access modes. The format of this file is described by veriexec(5). NetBSD provides a tool, veriexecgen(8), for generating the signatures database. Example usage: # veriexecgen Although it should be loaded on system boot (see ``RC Configuration'' below), this list can be loaded manually using veriexecctl(8): # veriexecctl load Kernel Configuration Veriexec requires a pseudo-device to run: pseudo-device veriexec Additionally, one or more options for digital fingerprint algorithm sup- port: options VERIFIED_EXEC_FP_SHA256 options VERIFIED_EXEC_FP_SHA384 options VERIFIED_EXEC_FP_SHA512 Some kernels already enable Veriexec by default. See your kernel's con- fig file for more information. RC Configuration Veriexec also allows loading signatures and setting the strict level (see below) during the boot process using the following variables set in rc.conf(5): veriexec=YES veriexec_strict=1 # IDS mode
STRICT LEVELS
Veriexec can operate in four modes, also referred to as strict levels: Learning mode (strict level 0) The only level at which the fingerprint tables can be modified, this level is used to help fine-tune the signature database. No enforcement is made, and verbose information is provided (finger- print matches and mismatches, file removals, incorrect access, etc.). IDS mode (strict level 1) IDS (intrusion detection system) mode provides an adequate level of integrity for the files it monitors. Implications: - Monitored files cannot be removed - If raw disk access is granted to a disk with monitored files on it, all monitored files' fingerprints will be invalidated - Access to files with mismatched fingerprints is denied - Write access to monitored files is allowed - Access type is not enforced IPS mode (strict level 2) IPS (intrusion prevention system) mode provides a high level of integrity for the files it monitors. Implications: - All implications of IDS mode - Write access to monitored files is denied - Access type is enforced - Raw disk access to disk devices with monitored files on them is denied - Execution of non-monitored files is denied - Write access to kernel memory via /dev/mem and /dev/kmem is denied Lockdown mode (strict level 3) Lockdown mode provides high assurance integrity for the entire sys- tem. Implications: - All implications of IPS mode - Access to non-monitored files is denied - Write access to files is allowed only if the file was opened before the strict level was raised to this mode - Creation of new files is denied - Raw access to system disks is denied
RUNTIME INFORMATION
Veriexec exports runtime information that may be useful for various pur- poses. It reports the currently supported fingerprinting algorithms, for exam- ple: # /sbin/sysctl kern.veriexec.algorithms kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5 It reports the current verbosity and strict levels, for example: # /sbin/sysctl kern.veriexec.{verbose,strict} kern.veriexec.verbose = 0 kern.veriexec.strict = 1 It reports a summary of currently loaded files and the mount-points they're on, for example: # /sbin/sysctl kern.veriexec.count kern.veriexec.count.table0.mntpt = / kern.veriexec.count.table0.fstype = ffs kern.veriexec.count.table0.nentries = 33 Other information may be retrieved using veriexecctl(8).
SEE ALSO
options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8), veriexecgen(8)
AUTHORS
Elad Efrat <elad@NetBSD.org> NetBSD 8.1 September 13, 2017 NetBSD 8.1
Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.