veriexecgen(8)
- NetBSD Manual Pages
VERIEXECGEN(8)          NetBSD System Manager's Manual          VERIEXECGEN(8)

NAME
     veriexecgen -- generate fingerprints for Veriexec

SYNOPSIS
     veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix]
                 [-t algorithm]
     veriexecgen [-h]

DESCRIPTION
     veriexecgen can be used to create a fingerprint database for use with
     Veriexec.

     If no command line arguments were specified, veriexecgen will resort to
     default operation, implying -D -o /etc/signatures -t sha256.

     If the output file already exists, veriexecgen will save a backup copy
     under the same file name with a ``.old'' suffix appended.

     The following options are available:

     -A        Append to the output file, don't overwrite it.

     -a        Add fingerprints for non-executable files as well.

     -D        Search system directories, /bin, /sbin, /usr/bin, /usr/sbin,
               /lib, /usr/lib, /libexec, and /usr/libexec.

     -d dir    Scan for files in dir.  Multiple uses of this flag can specify
               more than one directory.

     -h        Display the help screen.

     -o fingerprintdb
               Save the generated fingerprint database to fingerprintdb.

     -p prefix When storing files in the fingerprint database, store the full
               pathnames of files with the leading ``prefix'' of the
               filenames removed.

     -r        Scan recursively.

     -S        Set the immutable flag on the created signatures file when
               done writing it.

     -T        Put a timestamp on the generated file.

     -t algorithm
               Use algorithm for the fingerprints.  Must be one of
               ``sha256'', ``sha384'', or ``sha512''.

     -v        Verbose mode.  Print messages describing what operations are
               being done.

     -W        By default, veriexecgen will exit when an error condition is
               encountered.  This option will treat errors such as not being
               able to follow a symbolic link, not being able to find the
               real path for a directory entry, or not being able to
               calculate a hash of an entry as a warning, rather than an
               error.  If errors are treated as warnings, veriexecgen will
               continue processing.  The default behaviour is to treat errors
               as fatal.

FILES
     /etc/signatures

EXAMPLES
     Fingerprint files in the common system directories using the default
     hashing algorithm ``sha256'' and save to the default fingerprint database
     in /etc/signatures:

           # veriexecgen

     Fingerprint files in /etc, appending to the default fingerprint database:

           # veriexecgen -A -a -d /etc

     Fingerprint files in /path/to/somewhere using ``sha512'' as the hashing
     algorithm, saving to /etc/somewhere.fp:

           # veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
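
The ``.old'' backup described in DESCRIPTION makes it possible to review which entries a regeneration added, removed or changed before the new database is loaded. The sh function below is an added example, not part of this manual page or of veriexecgen; the names sigdb_diff and sigdb_demo are hypothetical, and it assumes the one-entry-per-line layout of veriexec(5) (path, algorithm, fingerprint, flags), paths without whitespace, and `#' comment lines. The sample entries are constructed.

```sh
#!/bin/sh
# Added example, not part of veriexecgen: report what a regeneration changed
# by comparing the ".old" backup with the new fingerprint database.
# Assumptions: one entry per line, whitespace-separated fields
# "path algorithm fingerprint [flags]" as in veriexec(5); paths contain no
# whitespace; lines starting with '#' are comments.  Flags are not compared.
# On a host: sigdb_diff /etc/signatures.old /etc/signatures

# sigdb_diff OLD NEW  (hypothetical helper name)
# Prints, sorted, one line per difference:
#   ADDED path     entry present only in NEW
#   CHANGED path   algorithm or fingerprint differs between OLD and NEW
#   REMOVED path   entry present only in OLD
sigdb_diff() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        side == "old" { old[$1] = $2 " " $3; next }
        {
            if (!($1 in old))              print "ADDED " $1
            else if (old[$1] != $2 " " $3) print "CHANGED " $1
            seen[$1] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' side=old "$1" side=new "$2" | sort
}

# Demo on constructed databases (placeholder fingerprints, not real hashes).
sigdb_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/signatures.old" <<'EOF'
/bin/cat sha256 aaaa1111
/bin/ls sha256 bbbb2222
/sbin/init sha256 cccc3333
EOF
    cat > "$tmp/signatures" <<'EOF'
# constructed comment line
/bin/cat sha256 aaaa1111
/bin/ls sha256 dddd4444
/usr/bin/less sha256 eeee5555
EOF
    sigdb_diff "$tmp/signatures.old" "$tmp/signatures"
    rm -rf "$tmp"
}

sigdb_demo
```

A CHANGED or ADDED line for a path that no update or install accounts for is the entry to investigate before the database is loaded.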

SEE ALSO
     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)

NetBSD 9.0                      January 8, 2019                     NetBSD 9.0