- Document the signatures file format in a veriexec(5) man-page,
- Document the strict levels and a general Veriexec intro in veriexec(8)
instead of security(8).
Okay blymn@.
Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.
- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.
- Fix memory leak in rename handling when overwriting a monitored
file.
- Fix table deletion logic.
- Don't prevent query requests if not in learning mode.
KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.
- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.
- veriexec_report() was removed, it is now internal.
- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.
- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.
New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.
- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:
# veriexecctl dump > /etc/signatures
Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.
Idea from Brett Lymn.
- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:
# veriexecctl flush
- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.
- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.
Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.
- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.
- Some of the messages Veriexec prints were improved.
- Various documentation fixes.
All relevant man-pages were updated to reflect the above changes.
Binary compatibility with existing veriexecctl binaries is maintained.
* Remove a few trailing whitespaces
* Rearrange and join to one #if for some headers
Patch contributed by Slava Semushin <slava.semushin@gmail.com>
in private mail.
+ rather than using global variables, accessed all over the place, create
a local structure, and pass it down.
+ add a -p argument to denote a prefix, so that it's possible to record
a different directory hierarchy from the one that was scanned. One
typical use would be:
# ./veriexecgen -v -d /usr/dest/i386 -a -p /usr/dest/i386 -r -o fingers
to create a fingerprint database called fingers from the files located
in the /usr/dest/i386 hierarchy, but without the leading /usr/dest/i386
prefix:
# Generated by agc, Tue Dec 19 13:10:34 2006
/bin/domainname SHA256 12622c8f3698e51f090abf84ce81aaaaa1ed72135291b41a3e7d6c7b6a2a9847
/bin/chmod SHA256 5c3f8fec48601e0eaf7f47522ad8ff9fabb442b123ada97a71de285b4f6bf658
+ make veriexecgen into a host tool
1. use EXIT_SUCCESS and EXIT_FAILURE, rather than 0 or 1, throughout
2. add some comments
3. use descriptive names for variables, so that their use is easily
gleaned.
or an inability to get the real path, as fatal.
Be a bit more verbose about this in the default case - tell the user
which directory entry caused the failure.
Also introduce a new -W flag, which will warn the user about the
error, but will still continue processing - it treats errors as
warnings, and allows a signatures file to be built.
Fleming.
This one has some nice options -- for example, an admin can run right
after installing a system:
fpgen -D
and it will fingerprint a set of "common" system directories to the
default loaction. See the man-page for more stuff.
Performance-wise, here are results for both fpgen.sh (old) and this
new tool:
474.599u 574.335s 13:53.05 125.9% 0+0k 0+307io 0pf+0w
0.424u 0.131s 0:00.56 98.2% 0+0k 0+2io 0pf+0w
...guess which is which? (that's ~1500 times *faster*)
alnsn