Following input from Matthew Mondor, some Veriexec documentation changes:

- Document the signatures file format in a veriexec(5) man-page, - Document the strict levels and a general Veriexec intro in veriexec(8) instead of security(8). Okay blymn@.
2008-02-18 10:37:19 +00:00 · 2008-02-18 10:37:19 +00:00 · 52cf460a76
parent c2d76d9a5a
commit 52cf460a76
8 changed files with 383 additions and 221 deletions
--- a/distrib/sets/lists/man/mi
+++ b/distrib/sets/lists/man/mi
@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1056 2008/02/04 20:33:11 jmmv Exp $
+# $NetBSD: mi,v 1.1057 2008/02/18 10:37:20 elad Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@ -1782,6 +1782,7 @@
 ./usr/share/man/cat5/utmpx.0			man-sys-catman		.cat
 ./usr/share/man/cat5/uuencode.0			man-util-catman		.cat
 ./usr/share/man/cat5/uuencode.format.0		man-obsolete		obsolete
+./usr/share/man/cat5/veriexec.0			man-sys-catman		.cat
 ./usr/share/man/cat5/vgrindefs.0		man-groff-catman	.cat
 ./usr/share/man/cat5/virtual.0			man-postfix-catman	postfix,.cat
 ./usr/share/man/cat5/weekly.conf.0		man-sys-catman		.cat
@ -2510,6 +2511,7 @@
 ./usr/share/man/cat8/vax/format.0		man-sys-catman		.cat
 ./usr/share/man/cat8/vax/installboot.0		man-obsolete		obsolete
 ./usr/share/man/cat8/vax/makedev.0		man-obsolete		obsolete
+./usr/share/man/cat8/veriexec.0			man-sys-catman		.cat
 ./usr/share/man/cat8/veriexecctl.0		man-sysutil-catman	.cat
 ./usr/share/man/cat8/veriexecgen.0			man-sysutil-catman	.cat
 ./usr/share/man/cat8/verifiedexec_load.0	man-obsolete		obsolete
@ -4306,6 +4308,7 @@
 ./usr/share/man/man5/utmpx.5			man-sys-man		.man
 ./usr/share/man/man5/uuencode.5			man-util-man		.man
 ./usr/share/man/man5/uuencode.format.5		man-obsolete		obsolete
+./usr/share/man/man5/veriexec.5			man-sys-man		.man
 ./usr/share/man/man5/vgrindefs.5		man-groff-man		.man
 ./usr/share/man/man5/virtual.5			man-postfix-man		postfix,.man
 ./usr/share/man/man5/weekly.conf.5		man-sys-man		.man
@ -5034,6 +5037,7 @@
 ./usr/share/man/man8/vax/format.8		man-sys-man		.man
 ./usr/share/man/man8/vax/installboot.8		man-obsolete		obsolete
 ./usr/share/man/man8/vax/makedev.8		man-obsolete		obsolete
+./usr/share/man/man8/veriexec.8			man-sys-man		.man
 ./usr/share/man/man8/veriexecctl.8		man-sysutil-man		.man
 ./usr/share/man/man8/veriexecgen.8			man-sysutil-man		.man
 ./usr/share/man/man8/verifiedexec_load.8	man-obsolete		obsolete
--- a/sbin/veriexecctl/veriexecctl.8
+++ b/sbin/veriexecctl/veriexecctl.8
@ -1,4 +1,4 @@
-.\" $NetBSD: veriexecctl.8,v 1.33 2008/02/15 15:33:56 elad Exp $
+.\" $NetBSD: veriexecctl.8,v 1.34 2008/02/18 10:37:19 elad Exp $
 .\"
 .\" Copyright (c) 1999
 .\"	Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"	$Id: veriexecctl.8,v 1.33 2008/02/15 15:33:56 elad Exp $
+.\"	$Id: veriexecctl.8,v 1.34 2008/02/18 10:37:19 elad Exp $
 .\"
-.Dd February 15, 2008
+.Dd February 18, 2008
 .Dt VERIEXECCTL 8
 .Os
 .Sh NAME
@ -104,106 +104,6 @@ for information associated with
 Filename, mount, fingerprint, fingerprint algorithm, evaluation status,
 and entry type.
 .El
-.Ss Signatures
-.Em Veriexec
-loads entries to the in-kernel database from a file describing files to be
-monitored and the type of monitoring.
-This file is often referred to as the
-.Sq signatures
-file.
-It has a line based structure, where each line has several fields separated
-by white-space (space, tabs, etc.) taking the following form:
-.Pp
-.Dl path	type	fingerprint	flags
-.Pp
-The description for each field is as follows:
-.Bl -tag -width XXXX
-.It path
-The full path to the file.
-White-space characters can be escaped if prefixed with a
-.Sq \ .
-.It type
-Type of fingerprinting algorithm used for the file.
-.Pp
-Requires kernel support for the specified algorithm.
-List of fingerprinting algorithms supported by the kernel can be obtained by
-using the following command:
-.Bd -literal -offset indent
-# sysctl kern.veriexec.algorithms
-.Ed
-.It fingerprint
-The fingerprint for the file.
-Can (usually) be generated using the following command:
-.Bd -literal -offset indent
-% cksum -a \*[Lt]algorithm\*[Gt] \*[Lt]file\*[Gt]
-.Ed
-.It flags
-Optional listing of entry flags, separated by a comma.
-These may include:
-.Bl -tag -width XXXX
-.It direct
-Allow direct execution only.
-.Pp
-Execution of a program is said to be
-.Dq direct
-when the program is invoked by the user (either in a script, manually typing it,
-etc.) via the
-.Xr execve 2
-syscall.
-.It indirect
-Allow indirect execution only.
-.Pp
-Execution of a program is said to be
-.Dq indirect
-if it is invoked by the kernel to interpret a script
-.Pq Dq hash-bang .
-.It file
-Allow opening the file only, via the
-.Xr open 2
-syscall (no execution is allowed).
-.It untrusted
-Indicate that the file is located on untrusted storage and its fingerprint
-evaluation status should not be cached, but rather re-calculated each time
-it is accessed.
-.\"It also enabled per-page fingerprints for the file, causing pages it as
-.\"backing store to be verified for their integrity as well.
-.Pp
-Fingerprints for untrusted files will always be evaluated on load.
-.El
-.Pp
-To improve readaibility of the signatures file, the following aliases are
-provided:
-.Bl -tag -width XXXX
-.It program
-An alias for
-.Dq direct .
-.It interpreter
-An alias for
-.Dq indirect
-.It script
-An alias for both
-.Dq direct
-and
-.Dq file .
-.It library
-An alias for both
-.Dq file
-and
-.Dq indirect .
-.El
-.Pp
-If no flags are specified,
-.Dq direct
-is assumed.
-.El
-.Pp
-Comments begin with a
-.Sq \&#
-character and span to the end of the line.
-.Pp
-Automatic generation of the signatures file is possible using the
-.Xr veriexecgen 8
-program.
 .Sh FILES
 .Bl -tag -width /etc/signatures -compact
 .It Pa /dev/veriexec
@ -214,9 +114,10 @@ default signatures file
 .El
 .Sh SEE ALSO
 .Xr veriexec 4 ,
+.Xr veriexec 5 ,
 .Xr security 8 ,
-.Xr veriexecgen 8 ,
-.Xr veriexec 9
+.Xr veriexec 8 ,
+.Xr veriexecgen 8
 .Sh HISTORY
 .Nm
 first appeared in
--- a/share/man/man5/Makefile
+++ b/share/man/man5/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.59 2007/11/20 15:37:36 sborrill Exp $
+#	$NetBSD: Makefile,v 1.60 2008/02/18 10:37:19 elad Exp $
 #	@(#)Makefile	8.1 (Berkeley) 6/5/93

 # missing: dump.5 plot.5
@ -16,7 +16,7 @@ MAN=	a.out.5 acct.5 ar.5 boot.cfg.5 \
 	resolv.conf.5 route.conf.5 rpc.5 \
 	security.conf.5 services.5 shells.5 \
 	stab.5 statvfs.5 sysctl.conf.5 ttyaction.5 types.5 \
-	utmp.5 utmpx.5 weekly.conf.5 wscons.conf.5
+	utmp.5 utmpx.5 veriexec.5 weekly.conf.5 wscons.conf.5

 MLINKS=	dir.5 dirent.5 fs.5 inode.5 hosts.equiv.5 rhosts.5
 MLINKS+=utmp.5 wtmp.5 utmp.5 lastlog.5 passwd.5 master.passwd.5
--- a/share/man/man5/veriexec.5
+++ b/share/man/man5/veriexec.5
@ -0,0 +1,155 @@
+.\" $NetBSD: veriexec.5,v 1.1 2008/02/18 10:37:19 elad Exp $
+.\"
+.\" Copyright (c) 1999
+.\"	Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
+.\"
+.\" This code is donated to The NetBSD Foundation by the author.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the Author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	$Id: veriexec.5,v 1.1 2008/02/18 10:37:19 elad Exp $
+.\"
+.Dd February 18, 2008
+.Dt VERIEXEC 5
+.Os
+.Sh NAME
+.Nm veriexec
+.Nd format for the
+.Em Veriexec
+signatures file
+.Sh DESCRIPTION
+.Em Veriexec
+loads entries to the in-kernel database from a file describing files to be
+monitored and the type of monitoring.
+This file is often referred to as the
+.Sq signatures database
+or
+.Sq signatures file .
+.Pp
+The signatures file can be easily created using
+.Xr veriexecgen 8 .
+.Sh SIGNATURES DATABASE FORMAT
+The signatures database has a line based structure, where each line has several
+fields separated by white-space (space, tabs, etc.) taking the following form:
+.Pp
+.Dl path	type	fingerprint	flags
+.Pp
+The description for each field is as follows:
+.Bl -tag -width XXXX
+.It path
+The full path to the file.
+White-space characters can be escaped if prefixed with a
+.Sq \e .
+.It type
+Type of fingerprinting algorithm used for the file.
+.Pp
+Requires kernel support for the specified algorithm.
+List of fingerprinting algorithms supported by the kernel can be obtained by
+using the following command:
+.Bd -literal -offset indent
+# sysctl kern.veriexec.algorithms
+.Ed
+.It fingerprint
+The fingerprint for the file.
+Can (usually) be generated using the following command:
+.Bd -literal -offset indent
+% cksum -a \*[Lt]algorithm\*[Gt] \*[Lt]file\*[Gt]
+.Ed
+.It flags
+Optional listing of entry flags, separated by a comma.
+These may include:
+.Bl -tag -width XXXX
+.It direct
+Allow direct execution only.
+.Pp
+Execution of a program is said to be
+.Dq direct
+when the program is invoked by the user (either in a script, manually typing it,
+etc.) via the
+.Xr execve 2
+syscall.
+.It indirect
+Allow indirect execution only.
+.Pp
+Execution of a program is said to be
+.Dq indirect
+if it is invoked by the kernel to interpret a script
+.Pq Dq hash-bang .
+.It file
+Allow opening the file only, via the
+.Xr open 2
+syscall (no execution is allowed).
+.It untrusted
+Indicate that the file is located on untrusted storage and its fingerprint
+evaluation status should not be cached, but rather re-calculated each time
+it is accessed.
+.\"It also enabled per-page fingerprints for the file, causing pages it as
+.\"backing store to be verified for their integrity as well.
+.Pp
+Fingerprints for untrusted files will always be evaluated on load.
+.El
+.Pp
+To improve readaibility of the signatures file, the following aliases are
+provided:
+.Bl -tag -width XXXX
+.It program
+An alias for
+.Dq direct .
+.It interpreter
+An alias for
+.Dq indirect
+.It script
+An alias for both
+.Dq direct
+and
+.Dq file .
+.It library
+An alias for both
+.Dq file
+and
+.Dq indirect .
+.El
+.Pp
+If no flags are specified,
+.Dq direct
+is assumed.
+.El
+.Pp
+Comments begin with a
+.Sq \&#
+character and span to the end of the line.
+.Sh SEE ALSO
+.Xr veriexec 4 ,
+.Xr security 8 ,
+.Xr veriexec 8 ,
+.Xr veriexecctl 8 ,
+.Xr veriexecgen 8
+.Sh HISTORY
+.Nm
+first appeared in
+.Nx 2.0 .
+.Sh AUTHORS
+.An Brett Lymn Aq blymn@NetBSD.org
+.An Elad Efrat Aq elad@NetBSD.org
--- a/share/man/man8/Makefile
+++ b/share/man/man8/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.92 2007/12/31 13:33:37 ad Exp $
+#	$NetBSD: Makefile,v 1.93 2008/02/18 10:37:19 elad Exp $
 #	@(#)Makefile	8.1 (Berkeley) 6/5/93

 MAN=	MAKEDEV.8 MAKEDEV.local.8 afterboot.8 boot.8 compat_30.8 \
@ -6,7 +6,8 @@ MAN=	MAKEDEV.8 MAKEDEV.local.8 afterboot.8 boot.8 compat_30.8 \
 	compat_freebsd.8 compat_ibcs2.8 compat_linux.8 \
 	compat_netbsd32.8 compat_osf1.8 compat_pecoff.8 compat_sunos.8 \
 	compat_svr4.8 compat_ultrix.8 diskless.8 hpcboot.8 \
-	intro.8 nis.8 pam.8 rc.8 rc.subr.8 security.8 sysinst.8 wizd.8
+	intro.8 nis.8 pam.8 rc.8 rc.subr.8 security.8 sysinst.8 veriexec.8 \
+	wizd.8
 MLINKS+=MAKEDEV.8 makedev.8
 MLINKS+=MAKEDEV.local.8 makedev.local.8
 MLINKS+=compat_svr4.8 compat_sco.8
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@ -1,4 +1,4 @@
-.\" $NetBSD: security.8,v 1.16 2007/12/27 00:40:54 elad Exp $
+.\" $NetBSD: security.8,v 1.17 2008/02/18 10:37:20 elad Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 27, 2007
+.Dd February 18, 2008
 .Dt SECURITY 8
 .Os
 .Sh NAME
@ -54,115 +54,16 @@ Information filtering
 .El
 .Sh VERIEXEC
 .Em Veriexec
-is an in-kernel, real-time, file-system independent, file integrity
-subsystem.
-It can be used for a variety of purposes, including defense against trojaned
-binaries, indirect attacks via third-party remote file-systems, and
-configuration file corruption.
+is a file integrity subsystem.
+.Pp
+For more information about it, and a quick guide on how to use it, please see
+.Xr veriexec 8 .
+.Pp
+In a nutshell, once enabled,
 .Em Veriexec
-can operate in four modes, also referred to as strict levels:
-.Bl -tag -width flag
-.It Learning mode ( strict level 0 )
-The only level at which the fingerprint tables can be modified, this level is
-used to help fine-tune the signature database.
-No enforcement is made, and verbose information is provided (fingerprint
-matches and mismatches, file removals, incorrect access, etc.).
-.It IDS mode ( strict level 1 )
-IDS (intrusion detection system) mode provides an adequate level of integrity
-for the files it monitors.
-Implications:
-.Pp
-.Bl -hyphen -compact
-.It
-Monitored files cannot be removed
-.It
-If raw disk access is granted to a disk with monitored files on it, all
-monitored files' fingerprints will be invalidated
-.It
-Access to files with mismatched fingerprints is denied
-.It
-Write access to monitored files is allowed
-.It
-Access type is not enforced
-.El
-.It IPS mode ( strict level 2 )
-IPS (intrusion prevention system) mode provides a high level of integrity
-for the files it monitors.
-Implications:
-.Pp
-.Bl -hyphen -compact
-.It
-All implications of IDS mode
-.It
-Write access to monitored files is denied
-.It
-Access type is enforced
-.It
-Raw disk access to disk devices with monitored files on them is denied
-.It
-Execution of non-monitored files is denied
-.It
-Write access to kernel memory via
-.Pa /dev/mem
-and
-.Pa /dev/kmem
-is denied
-.El
-.It Lockdown mode ( strict level 3 )
-Lockdown mode provides high assurance integrity for the entire system.
-Implications:
-.Pp
-.Bl -hyphen -compact
-.It
-All implications of IPS mode
-.It
-Access to non-monitored files is denied
-.It
-Write access to files is allowed only if the file was opened before the
-strict level was raised to this mode
-.It
-Creation of new files is denied
-.It
-Raw access to system disks is denied
-.El
-.El
-.Pp
-.Em Veriexec
-requires a list of monitored files, along with their digital fingerprint and
-(optionally) access modes.
-.Nx
-provides a tool,
-.Xr veriexecgen 8 ,
-for this purpose.
-Example usage:
+can be started as follows:
 .Bd -literal -offset indent
-# veriexecgen
-.Ed
-.Pp
-.Em Veriexec
-requires a pseudo-device to run:
-.Bd -literal -offset indent
-pseudo-device veriexec 1
-.Ed
-.Pp
-Additionally, one or more options for digital fingerprint algorithm support:
-.Bd -literal -offset indent
-options VERIFIED_EXEC_FP_SHA256
-options VERIFIED_EXEC_FP_SHA512
-.Ed
-.Pp
-See your kernel's config file for an example.
-.Pp
-On amd64, i386, prep, and sparc64 GENERIC kernels,
-.Em Veriexec
-is enabled by default.
-.Pp
-.Em Veriexec
-also requires enabling in
-.Xr rc.conf 5 :
-.Bd -literal -offset indent
-veriexec=YES
-veriexec_strict=1 # IDS mode
+# veriexecgen && veriexec load
 .Ed
 .Sh EXPLOIT MITIGATION
 .Nx
@ -431,6 +332,7 @@ Information filtering is enabled as follows:
 .Xr options 4 ,
 .Xr paxctl 8 ,
 .Xr sysctl 8 ,
+.Xr veriexec 8 ,
 .Xr veriexecctl 8 ,
 .Xr veriexecgen 8
 .Sh AUTHORS
--- a/share/man/man8/veriexec.8
+++ b/share/man/man8/veriexec.8
@ -0,0 +1,197 @@
+.\" $NetBSD: veriexec.8,v 1.1 2008/02/18 10:37:20 elad Exp $
+.\"
+.\" Copyright (c) 2008 Elad Efrat <elad@NetBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 18, 2008
+.Dt VERIEXEC 8
+.Os
+.Sh NAME
+.Nm veriexec
+.Nd
+file integrity subsystem
+.Sh DESCRIPTION
+.Em Veriexec
+is an in-kernel, real-time, file-system independent, file integrity
+subsystem.
+It can be used for a variety of purposes, including defense against trojaned
+binaries, indirect attacks via third-party remote file-systems, and malicious
+configuration file corruption.
+.Sh CONFIGURATION
+.Ss Signatures Database
+.Em Veriexec
+requires a signatures database -- a list of monitored files, along with their
+digital fingerprint and (optionally) access modes.
+The format of this file is described by
+.Xr veriexec 5 .
+.Pp
+.Nx
+provides a tool,
+.Xr veriexecgen 8 ,
+for generating the signatures database.
+Example usage:
+.Bd -literal -offset indent
+# veriexecgen
+.Ed
+.Pp
+Although it should be loaded on system boot (see
+.Dq RC Configuration
+below), this list can be loaded manually using
+.Xr veriexecctl 8 :
+.Bd -literal -offset indent
+# veriexecctl load
+.Ed
+.Ss Kernel Configuration
+.Em Veriexec
+requires a pseudo-device to run:
+.Bd -literal -offset indent
+pseudo-device veriexec 1
+.Ed
+.Pp
+Additionally, one or more options for digital fingerprint algorithm support:
+.Bd -literal -offset indent
+options VERIFIED_EXEC_FP_SHA256
+options VERIFIED_EXEC_FP_SHA512
+.Ed
+.Pp
+Some kernels already enable
+.Em Veriexec
+by default.
+See your kernel's config file for more information.
+.Pp
+.Ss RC Configuration
+.Em Veriexec
+also allows loading signatures and setting the strict level (see below) during
+the boot process using the following variables set in
+.Xr rc.conf 5 :
+.Bd -literal -offset indent
+veriexec=YES
+veriexec_strict=1 # IDS mode
+.Ed
+.Sh STRICT LEVELS
+.Em Veriexec
+can operate in four modes, also referred to as strict levels:
+.Bl -tag -width flag
+.It Learning mode ( strict level 0 )
+The only level at which the fingerprint tables can be modified, this level is
+used to help fine-tune the signature database.
+No enforcement is made, and verbose information is provided (fingerprint
+matches and mismatches, file removals, incorrect access, etc.).
+.It IDS mode ( strict level 1 )
+IDS (intrusion detection system) mode provides an adequate level of integrity
+for the files it monitors.
+Implications:
+.Pp
+.Bl -hyphen -compact
+.It
+Monitored files cannot be removed
+.It
+If raw disk access is granted to a disk with monitored files on it, all
+monitored files' fingerprints will be invalidated
+.It
+Access to files with mismatched fingerprints is denied
+.It
+Write access to monitored files is allowed
+.It
+Access type is not enforced
+.El
+.It IPS mode ( strict level 2 )
+IPS (intrusion prevention system) mode provides a high level of integrity
+for the files it monitors.
+Implications:
+.Pp
+.Bl -hyphen -compact
+.It
+All implications of IDS mode
+.It
+Write access to monitored files is denied
+.It
+Access type is enforced
+.It
+Raw disk access to disk devices with monitored files on them is denied
+.It
+Execution of non-monitored files is denied
+.It
+Write access to kernel memory via
+.Pa /dev/mem
+and
+.Pa /dev/kmem
+is denied
+.El
+.It Lockdown mode ( strict level 3 )
+Lockdown mode provides high assurance integrity for the entire system.
+Implications:
+.Pp
+.Bl -hyphen -compact
+.It
+All implications of IPS mode
+.It
+Access to non-monitored files is denied
+.It
+Write access to files is allowed only if the file was opened before the
+strict level was raised to this mode
+.It
+Creation of new files is denied
+.It
+Raw access to system disks is denied
+.El
+.El
+.Sh RUNTIME INFORMATION
+.Em Veriexec
+exports runtime information that may be useful for various purposes.
+.Pp
+It reports the currently supported fingerprinting algorithms, for example:
+.Bd -literal -offset indent
+# /sbin/sysctl kern.veriexec.algorithms
+kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
+.Ed
+.Pp
+It reports the current verbosity and strict levels, for example:
+.Bd -literal -offset indent
+# /sbin/sysctl kern.veriexec.{verbose,strict}
+kern.veriexec.verbose = 0
+kern.veriexec.strict = 1
+.Ed
+.Pp
+It reports a summary of currently loaded files and the mount-points they're on,
+for example:
+.Bd -literal -offset indent
+# /sbin/sysctl kern.veriexec.count
+kern.veriexec.count.table0.mntpt = /
+kern.veriexec.count.table0.fstype = ffs
+kern.veriexec.count.table0.nentries = 33
+.Ed
+.Pp
+Other information may be retrieved using
+.Xr veriexecctl 8 .
+.Sh SEE ALSO
+.Xr options 4 ,
+.Xr veriexec 5 ,
+.Xr sysctl 7 ,
+.Xr sysctl 8 ,
+.Xr veriexecctl 8 ,
+.Xr veriexecgen 8
+.Sh AUTHORS
+.An Elad Efrat Aq elad@NetBSD.org
--- a/usr.sbin/veriexecgen/veriexecgen.8
+++ b/usr.sbin/veriexecgen/veriexecgen.8
@ -1,4 +1,4 @@
-.\" $NetBSD: veriexecgen.8,v 1.13 2008/02/10 19:32:23 elad Exp $
+.\" $NetBSD: veriexecgen.8,v 1.14 2008/02/18 10:37:19 elad Exp $
 .\"
 .\" Copyright (c) 2006 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -30,7 +30,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 10, 2008
+.Dd February 18, 2008
 .Dt VERIEXECGEN 8
 .Sh NAME
 .Nm veriexecgen
@ -157,5 +157,7 @@ as the hashing algorithm, saving to
 .Ed
 .Sh SEE ALSO
 .Xr veriexec 4 ,
+.Xr veriexec 5 ,
 .Xr security 8 ,
+.Xr veriexec 8 ,
 .Xr veriexecctl 8