Document Veriexec strict levels (hm, maybe we should have veriexec(8)?)
as requested by Adam Hamsik.
This commit is contained in:
elad
parent
ca4e1f8a92
commit
6d74a5fdc7
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: security.8,v 1.6 2006/11/22 13:00:02 elad Exp $
|
||||
.\" $NetBSD: security.8,v 1.7 2006/11/23 13:23:22 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
.\" All rights reserved.
|
||||
|
|
@ -28,7 +28,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 22, 2006
|
||||
.Dd November 23, 2006
|
||||
.Dt SECURITY 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
|
@ -48,11 +48,71 @@ It can be used for a variety of purposes, including defense against trojanned
|
|||
binaries, indirect attacks via third-party remote file-systems, and
|
||||
config file corruption.
|
||||
It can operate in four modes, also referred to as strict levels:
|
||||
.Em learning mode ,
|
||||
.Em IDS mode ,
|
||||
.Em IPS mode ,
|
||||
.Bl -tag -width flag
|
||||
.It Learning mode ( strict level 0 )
|
||||
The only level at which the fingerprint tables can be modified, this level is
|
||||
used to help fine-tune the signature database.
|
||||
No enforcement is made, and verbose information is provided (fingerprint
|
||||
matches and mismatches, file removals, incorrect access, etc.).
|
||||
.It IDS mode ( strict level 1 )
|
||||
IDS (intrusion detection system) mode provides an adequate level of integrity
|
||||
for the files it monitors.
|
||||
Implications:
|
||||
.Pp
|
||||
.Bl -hyphen -compact
|
||||
.It
|
||||
Monitored files cannot be removed
|
||||
.It
|
||||
If raw disk access is granted to a disk with monitored files on it, all
|
||||
monitored files' fingerprints will be invalidated
|
||||
.It
|
||||
Access to files with mismatched fingerprints is denied
|
||||
.It
|
||||
Write access to monitored files is allowed
|
||||
.It
|
||||
Access type is not enforced
|
||||
.El
|
||||
.It IPS mode ( strict level 2 )
|
||||
IPS (intrusion prevention system) mode provides a high level of integrity
|
||||
for the files it monitors.
|
||||
Implications:
|
||||
.Pp
|
||||
.Bl -hyphen -compact
|
||||
.It
|
||||
All implications of IDS mode
|
||||
.It
|
||||
Write access to monitored files is denied
|
||||
.It
|
||||
Access type is enforced
|
||||
.It
|
||||
Raw disk access to disk devices with monitored files on them is denied
|
||||
.It
|
||||
Execution of non-monitored files is denied
|
||||
.It
|
||||
Write access to kernel memory via
|
||||
.Pa /dev/mem
|
||||
and
|
||||
.Em lockdown mode .
|
||||
.Pa /dev/kmem
|
||||
is denied
|
||||
.El
|
||||
.It Lockdown mode ( strict level 3 )
|
||||
Lockdown mode provides high assurance integrity for the entire system.
|
||||
Implications:
|
||||
.Pp
|
||||
.Bl -hyphen -compact
|
||||
.It
|
||||
All implications of IPS mode
|
||||
.It
|
||||
Access to non-monitored files is denied
|
||||
.It
|
||||
Write access to files is allowed only if the file was opened before the
|
||||
strict level was raised to this mode
|
||||
.It
|
||||
Creation of new files is denied
|
||||
.It
|
||||
Raw access to system disks is denied
|
||||
.El
|
||||
.El
|
||||
.Pp
|
||||
.Em Veriexec
|
||||
requires a list of monitored files, along with their digital fingerprint and
|
||||
|
|
@ -179,7 +239,7 @@ can be done like this:
|
|||
.Bd -literal -offset indent
|
||||
# paxctl +g /bin/ls
|
||||
.Ed
|
||||
.Ss GCC Stack Smashing Protection (SSP)
|
||||
.Ss GCC Stack Smashing Protection ( SSP )
|
||||
Since
|
||||
.Nx 4.0 ,
|
||||
.Xr gcc 1
|
||||
|
|
@ -202,7 +262,7 @@ The system (userland, kernel) can be built with
|
|||
by using the
|
||||
.Dq USE_SSP
|
||||
flag in
|
||||
.Pa /etc/mk.conf:
|
||||
.Pa /etc/mk.conf :
|
||||
.Bd -literal -offset indent
|
||||
USE_SSP=yes
|
||||
.Ed
|
||||
|
|
|
|||
Loading…
Reference in New Issue