unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (NetBSD-2.0)
Page:
Section:
Apropos / Subsearch:
optional field

VERIEXECCTL(8)            BSD System Manager's Manual           VERIEXECCTL(8)

NAME
     veriexecctl -- load verified exec fingerprints

SYNOPSIS
     veriexecctl fingerprints

DESCRIPTION
     The veriexecctl command loads the in-kernel fingerprint table from the
     fingerprints given in the fingerprints file.  Once loaded the kernel can
     then validate executed programs or files against the loaded fingerprints
     and report when fingerprints do not match.

     The fingerprints file contains lines of fields (separated by one or more
     whitespace characters) of the form:

           path type fingerprint    options

     Where path is the full path to the file and type is the type of finger-
     print used, currently this may be either md5 or sha1.  Other fingerprints
     may be available depending on kernel support.  The fingerprint field is a
     hexadecimal representation of the fingerprint for the file.  The field
     options contains the associated options for the file.  Currently there
     are two valid options:

     INDIRECT  If this option is set then the executable cannot be invoked
               directly, it can only be used as an interpreter in shell
               scripts.
     FILE      Indicates that the fingerprint is associated with a file, not
               an executable.  Files have their fingerprints verified during
               open(2) and are automatically made read only.  This option may
               be used to verify shared libraries have not been tampered with.

     There must be only one executable/fingerprint pair per line.  Comments
     are indicated by the first character of a line being a '#' character.

FILES
     /dev/veriexec  verified executable device node

HISTORY
     veriexecctl first appeared in NetBSD 2.0.

NOTES
     veriexecctl requires the kernel to have been configured with the
     VERIFIED_EXEC option and the verifiedexec pseudo-device.

BSD                              March 7, 2004                             BSD