167 lines
4.5 KiB
Groff
167 lines
4.5 KiB
Groff
.\" $NetBSD: veriexecgen.8,v 1.22 2019/07/31 21:50:25 wiz Exp $
|
|
.\"
|
|
.\" Copyright (c) 2006 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Matt Fleming.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd July 31, 2019
|
|
.Dt VERIEXECGEN 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexecgen
|
|
.Nd generate fingerprints for Veriexec
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl AaDrSTvW
|
|
.Op Fl d Pa dir
|
|
.Op Fl f Pa file
|
|
.Op Fl o Pa fingerprintdb
|
|
.Op Fl p Pa prefix
|
|
.Op Fl t Ar algorithm
|
|
.Nm
|
|
.Op Fl h
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
can be used to create a fingerprint database for use with
|
|
.Em Veriexec .
|
|
.Pp
|
|
If no command line arguments were specified,
|
|
.Nm
|
|
will resort to default operation, implying
|
|
.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
|
|
.Pp
|
|
If the output file already exists,
|
|
.Nm
|
|
will save a backup copy in the same file only with a
|
|
.Dq .old
|
|
suffix.
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width ".Fl p Ar prefix"
|
|
.It Fl A
|
|
Append to the output file, don't overwrite it.
|
|
.It Fl a
|
|
Add fingerprints for non-executable files as well.
|
|
.It Fl D
|
|
Search system directories,
|
|
.Pa /bin ,
|
|
.Pa /sbin ,
|
|
.Pa /usr/bin ,
|
|
.Pa /usr/sbin ,
|
|
.Pa /lib ,
|
|
.Pa /usr/lib ,
|
|
.Pa /libexec ,
|
|
and
|
|
.Pa /usr/libexec .
|
|
.It Fl d Ar dir
|
|
Scan for files in
|
|
.Ar dir .
|
|
Multiple uses of this flag can specify more than one directory.
|
|
.\" .It Fl F
|
|
.\" Try to guess the correct flags for every file.
|
|
.It Fl f Ar file
|
|
Read files from
|
|
.Ar file ,
|
|
or if
|
|
.Ar file
|
|
is "-" read from
|
|
.Ar stdin .
|
|
.It Fl h
|
|
Display the help screen.
|
|
.It Fl o Ar fingerprintdb
|
|
Save the generated fingerprint database to
|
|
.Ar fingerprintdb .
|
|
.It Fl p Ar prefix
|
|
When storing files in the fingerprint database,
|
|
store the full pathnames of files with the leading
|
|
.Dq prefix
|
|
of the filenames removed.
|
|
.It Fl r
|
|
Scan recursively.
|
|
.It Fl S
|
|
Set the immutable flag on the created signatures file when done writing it.
|
|
.It Fl T
|
|
Put a timestamp on the generated file.
|
|
.It Fl t Ar algorithm
|
|
Use
|
|
.Ar algorithm
|
|
for the fingerprints.
|
|
Must be one of
|
|
.Dq sha256 ,
|
|
.Dq sha384 ,
|
|
or
|
|
.Dq sha512 .
|
|
.It Fl v
|
|
Verbose mode.
|
|
Print messages describing what operations are being done.
|
|
.It Fl W
|
|
By default,
|
|
.Nm
|
|
will exit when an error condition is encountered.
|
|
This option will
|
|
treat errors such as not being able to follow a symbolic link,
|
|
not being able to find the real path for a directory entry, or
|
|
not being able to calculate a hash of an entry as a warning,
|
|
rather than an error.
|
|
If errors are treated as warnings,
|
|
.Nm
|
|
will continue processing.
|
|
The default behaviour is to treat errors as fatal.
|
|
.El
|
|
.Sh FILES
|
|
.Pa /etc/signatures
|
|
.Sh EXAMPLES
|
|
Fingerprint files in the common system directories using the default hashing
|
|
algorithm
|
|
.Dq sha256
|
|
and save to the default fingerprint database in
|
|
.Pa /etc/signatures :
|
|
.Bd -literal -offset indent
|
|
# veriexecgen
|
|
.Ed
|
|
.Pp
|
|
Fingerprint files in
|
|
.Pa /etc ,
|
|
appending to the default fingerprint database:
|
|
.Bd -literal -offset indent
|
|
# veriexecgen -A -a -d /etc
|
|
.Ed
|
|
.Pp
|
|
Fingerprint files in
|
|
.Pa /path/to/somewhere using
|
|
.Dq sha512
|
|
as the hashing algorithm, saving to
|
|
.Pa /etc/somewhere.fp :
|
|
.Bd -literal -offset indent
|
|
# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr veriexec 4 ,
|
|
.Xr veriexec 5 ,
|
|
.Xr security 7 ,
|
|
.Xr veriexec 8 ,
|
|
.Xr veriexecctl 8
|