VERIEXECCTL(8) BSD System Manager's Manual VERIEXECCTL(8)
veriexecctl -- load verified exec fingerprints
The veriexecctl command loads the in-kernel fingerprint table from the
fingerprints given in the fingerprints file. Once loaded the kernel can
then validate executed programs or files against the loaded fingerprints
and report when fingerprints do not match.
The fingerprints file contains lines of fields (separated by one or more
whitespace characters) of the form:
path type fingerprint options
Where path is the full path to the file and type is the type of fingerprint
used; currently this may be either md5 or sha1. Other fingerprints
may be available depending on kernel support. The fingerprint field is a
hexadecimal representation of the fingerprint for the file. The field
options contains the associated options for the file. Currently there
are two valid options:
INDIRECT  If this option is set then the executable cannot be invoked
          directly; it can only be used as an interpreter in shell
FILE      Indicates that the fingerprint is associated with a file, not
          an executable. Files have their fingerprints verified during
          open(2) and are automatically made read only. This option may
          be used to verify shared libraries have not been tampered with.
There must be only one executable/fingerprint pair per line. Comments
are indicated by the first character of a line being a '#' character.
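The following is an added example, not part of this manual page and not NetBSD's veriexecctl source. It parses a fingerprints file in the format described above (full path, md5 or sha1, hex fingerprint, optional INDIRECT/FILE), recomputes each file's fingerprint with Python's hashlib, and reports which entries match, which have been modified since fingerprinting, and which are missing. It is a userland check only; it does not load anything into the kernel through /dev/veriexec. The function names and the sample file contents are constructed for this illustration. Note that both md5 and sha1 are no longer collision resistant, so a fingerprint table using them detects accidental or casual modification but not an adversary able to craft colliding files.

```python
import hashlib
import os
import tempfile

# Fingerprint types named by the man page; hashlib provides both.
SUPPORTED_TYPES = ("md5", "sha1")
VALID_OPTIONS = ("INDIRECT", "FILE")


def parse_fingerprints(text):
    """Parse fingerprints-file text into a list of
    (path, type, fingerprint, options) tuples, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        fields = line.split()                     # one or more whitespace chars
        if len(fields) < 3:
            raise ValueError("line %d: expected 'path type fingerprint [options]'" % lineno)
        path, ftype, fp = fields[0], fields[1].lower(), fields[2].lower()
        if not path.startswith("/"):
            raise ValueError("line %d: path must be a full path" % lineno)
        if ftype not in SUPPORTED_TYPES:
            raise ValueError("line %d: unsupported fingerprint type %r" % (lineno, ftype))
        # The hex digest must be exactly as long as the algorithm's output.
        want = hashlib.new(ftype).digest_size * 2
        if len(fp) != want or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError("line %d: fingerprint is not a %d-digit hex string" % (lineno, want))
        options = tuple(o.upper() for o in fields[3:])
        for o in options:
            if o not in VALID_OPTIONS:
                raise ValueError("line %d: unknown option %r" % (lineno, o))
        entries.append((path, ftype, fp, options))
    return entries


def fingerprint_file(path, ftype):
    """Hex fingerprint of a file's contents, read in chunks."""
    h = hashlib.new(ftype)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_entries(entries):
    """Recompute each entry's fingerprint and return (path, status) pairs,
    status being 'ok', 'mismatch' or 'missing'."""
    results = []
    for path, ftype, fp, _options in entries:
        if not os.path.isfile(path):
            results.append((path, "missing"))
        elif fingerprint_file(path, ftype) == fp:
            results.append((path, "ok"))
        else:
            results.append((path, "mismatch"))
    return results


def format_entry(path, ftype, options=()):
    """Build one fingerprints-file line for an existing file."""
    return " ".join([path, ftype, fingerprint_file(path, ftype)] + list(options))


def demo():
    """Constructed scenario: one intact file, one modified after its
    fingerprint was recorded, one listed but absent.  Returns the statuses."""
    tmp = tempfile.mkdtemp()
    intact = os.path.join(tmp, "libc.so")     # hypothetical shared library
    tampered = os.path.join(tmp, "sh")        # hypothetical interpreter
    with open(intact, "wb") as f:
        f.write(b"\x7fELF-intact-library")
    with open(tampered, "wb") as f:
        f.write(b"\x7fELF-original-shell")
    lines = [
        "# constructed fingerprints file",
        format_entry(intact, "sha1", ("FILE",)),
        format_entry(tampered, "md5", ("INDIRECT",)),
        os.path.join(tmp, "gone") + " sha1 " + "0" * 40,
    ]
    with open(tampered, "ab") as f:           # simulate modification after fingerprinting
        f.write(b"\nextra")
    entries = parse_fingerprints("\n".join(lines))
    return [status for _path, status in verify_entries(entries)]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Running the script prints ok, mismatch and missing for the three constructed entries. The parser is strict on purpose: a fingerprint of the wrong length, a relative path or an unknown option is rejected rather than silently loaded, which is the behaviour one wants from anything that feeds a kernel enforcement table.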
/dev/veriexec verified executable device node
veriexecctl first appeared in NetBSD 2.0.
veriexecctl requires the kernel to have been configured with the
VERIFIED_EXEC option and the verifiedexec pseudo-device.
BSD March 7, 2004 BSD