NetBSD/usr.sbin/veriexecgen/veriexecgen.8

167 lines
4.5 KiB
Groff

.\" $NetBSD: veriexecgen.8,v 1.22 2019/07/31 21:50:25 wiz Exp $
.\"
.\" Copyright (c) 2006 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Matt Fleming.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 31, 2019
.Dt VERIEXECGEN 8
.Os
.Sh NAME
.Nm veriexecgen
.Nd generate fingerprints for Veriexec
.Sh SYNOPSIS
.Nm
.Op Fl AaDrSTvW
.Op Fl d Pa dir
.Op Fl f Pa file
.Op Fl o Pa fingerprintdb
.Op Fl p Pa prefix
.Op Fl t Ar algorithm
.Nm
.Op Fl h
.Sh DESCRIPTION
.Nm
can be used to create a fingerprint database for use with
.Em Veriexec .
.Pp
If no command line arguments were specified,
.Nm
will resort to default operation, implying
.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
.Pp
If the output file already exists,
.Nm
will save a backup copy in the same file only with a
.Dq .old
suffix.
.Pp
The following options are available:
.Bl -tag -width ".Fl p Ar prefix"
.It Fl A
Append to the output file, don't overwrite it.
.It Fl a
Add fingerprints for non-executable files as well.
.It Fl D
Search system directories,
.Pa /bin ,
.Pa /sbin ,
.Pa /usr/bin ,
.Pa /usr/sbin ,
.Pa /lib ,
.Pa /usr/lib ,
.Pa /libexec ,
and
.Pa /usr/libexec .
.It Fl d Ar dir
Scan for files in
.Ar dir .
Multiple uses of this flag can specify more than one directory.
.\" .It Fl F
.\" Try to guess the correct flags for every file.
.It Fl f Ar file
Read files from
.Ar file ,
or if
.Ar file
is "-" read from
.Ar stdin .
.It Fl h
Display the help screen.
.It Fl o Ar fingerprintdb
Save the generated fingerprint database to
.Ar fingerprintdb .
.It Fl p Ar prefix
When storing files in the fingerprint database,
store the full pathnames of files with the leading
.Dq prefix
of the filenames removed.
.It Fl r
Scan recursively.
.It Fl S
Set the immutable flag on the created signatures file when done writing it.
.It Fl T
Put a timestamp on the generated file.
.It Fl t Ar algorithm
Use
.Ar algorithm
for the fingerprints.
Must be one of
.Dq sha256 ,
.Dq sha384 ,
or
.Dq sha512 .
.It Fl v
Verbose mode.
Print messages describing what operations are being done.
.It Fl W
By default,
.Nm
will exit when an error condition is encountered.
This option will
treat errors such as not being able to follow a symbolic link,
not being able to find the real path for a directory entry, or
not being able to calculate a hash of an entry as a warning,
rather than an error.
If errors are treated as warnings,
.Nm
will continue processing.
The default behaviour is to treat errors as fatal.
.El
.Sh FILES
.Pa /etc/signatures
.Sh EXAMPLES
Fingerprint files in the common system directories using the default hashing
algorithm
.Dq sha256
and save to the default fingerprint database in
.Pa /etc/signatures :
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
Fingerprint files in
.Pa /etc ,
appending to the default fingerprint database:
.Bd -literal -offset indent
# veriexecgen -A -a -d /etc
.Ed
.Pp
Fingerprint files in
.Pa /path/to/somewhere using
.Dq sha512
as the hashing algorithm, saving to
.Pa /etc/somewhere.fp :
.Bd -literal -offset indent
# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
.Ed
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr veriexec 5 ,
.Xr security 7 ,
.Xr veriexec 8 ,
.Xr veriexecctl 8