201 lines
6.0 KiB
Groff
201 lines
6.0 KiB
Groff
.\" $NetBSD: veriexec.8,v 1.8 2018/01/17 12:49:06 sevan Exp $
|
|
.\"
|
|
.\" Copyright (c) 2008 Elad Efrat <elad@NetBSD.org>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd September 13, 2017
|
|
.Dt VERIEXEC 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexec
|
|
.Nd
|
|
file integrity subsystem
|
|
.Sh DESCRIPTION
|
|
.Em Veriexec
|
|
is an in-kernel, real-time, file-system independent, file integrity
|
|
subsystem.
|
|
It can be used for a variety of purposes, including defense against trojaned
|
|
binaries, indirect attacks via third-party remote file-systems, and malicious
|
|
configuration file corruption.
|
|
.Sh CONFIGURATION
|
|
.Ss Signatures Database
|
|
.Em Veriexec
|
|
requires a signatures database -- a list of monitored files, along with their
|
|
digital fingerprint and (optionally) access modes.
|
|
The format of this file is described by
|
|
.Xr veriexec 5 .
|
|
.Pp
|
|
.Nx
|
|
provides a tool,
|
|
.Xr veriexecgen 8 ,
|
|
for generating the signatures database.
|
|
Example usage:
|
|
.Bd -literal -offset indent
|
|
# veriexecgen
|
|
.Ed
|
|
.Pp
|
|
Although it should be loaded on system boot (see
|
|
.Dq RC Configuration
|
|
below), this list can be loaded manually using
|
|
.Xr veriexecctl 8 :
|
|
.Bd -literal -offset indent
|
|
# veriexecctl load
|
|
.Ed
|
|
.Ss Kernel Configuration
|
|
.Em Veriexec
|
|
requires a kernel with
|
|
.Xr fileassoc 9
|
|
support and a pseudo-device to run:
|
|
.Bd -literal -offset indent
|
|
options FILEASSOC
|
|
pseudo-device veriexec
|
|
.Ed
|
|
.Pp
|
|
Additionally, one or more options for digital fingerprint algorithm support:
|
|
.Bd -literal -offset indent
|
|
options VERIFIED_EXEC_FP_SHA256
|
|
options VERIFIED_EXEC_FP_SHA384
|
|
options VERIFIED_EXEC_FP_SHA512
|
|
.Ed
|
|
.Pp
|
|
Some kernels already enable
|
|
.Em Veriexec
|
|
by default.
|
|
See your kernel's config file for more information.
|
|
.Ss RC Configuration
|
|
.Em Veriexec
|
|
also allows loading signatures and setting the strict level (see below) during
|
|
the boot process using the following variables set in
|
|
.Xr rc.conf 5 :
|
|
.Bd -literal -offset indent
|
|
veriexec=YES
|
|
veriexec_strict=1 # IDS mode
|
|
.Ed
|
|
.Sh STRICT LEVELS
|
|
.Em Veriexec
|
|
can operate in four modes, also referred to as strict levels:
|
|
.Bl -tag -width flag
|
|
.It Learning mode ( strict level 0 )
|
|
The only level at which the fingerprint tables can be modified, this level is
|
|
used to help fine-tune the signature database.
|
|
No enforcement is made, and verbose information is provided (fingerprint
|
|
matches and mismatches, file removals, incorrect access, etc.).
|
|
.It IDS mode ( strict level 1 )
|
|
IDS (intrusion detection system) mode provides an adequate level of integrity
|
|
for the files it monitors.
|
|
Implications:
|
|
.Pp
|
|
.Bl -hyphen -compact
|
|
.It
|
|
Monitored files cannot be removed
|
|
.It
|
|
If raw disk access is granted to a disk with monitored files on it, all
|
|
monitored files' fingerprints will be invalidated
|
|
.It
|
|
Access to files with mismatched fingerprints is denied
|
|
.It
|
|
Write access to monitored files is allowed
|
|
.It
|
|
Access type is not enforced
|
|
.El
|
|
.It IPS mode ( strict level 2 )
|
|
IPS (intrusion prevention system) mode provides a high level of integrity
|
|
for the files it monitors.
|
|
Implications:
|
|
.Pp
|
|
.Bl -hyphen -compact
|
|
.It
|
|
All implications of IDS mode
|
|
.It
|
|
Write access to monitored files is denied
|
|
.It
|
|
Access type is enforced
|
|
.It
|
|
Raw disk access to disk devices with monitored files on them is denied
|
|
.It
|
|
Execution of non-monitored files is denied
|
|
.It
|
|
Write access to kernel memory via
|
|
.Pa /dev/mem
|
|
and
|
|
.Pa /dev/kmem
|
|
is denied
|
|
.El
|
|
.It Lockdown mode ( strict level 3 )
|
|
Lockdown mode provides high assurance integrity for the entire system.
|
|
Implications:
|
|
.Pp
|
|
.Bl -hyphen -compact
|
|
.It
|
|
All implications of IPS mode
|
|
.It
|
|
Access to non-monitored files is denied
|
|
.It
|
|
Write access to files is allowed only if the file was opened before the
|
|
strict level was raised to this mode
|
|
.It
|
|
Creation of new files is denied
|
|
.It
|
|
Raw access to system disks is denied
|
|
.El
|
|
.El
|
|
.Sh RUNTIME INFORMATION
|
|
.Em Veriexec
|
|
exports runtime information that may be useful for various purposes.
|
|
.Pp
|
|
It reports the currently supported fingerprinting algorithms, for example:
|
|
.Bd -literal -offset indent
|
|
# /sbin/sysctl kern.veriexec.algorithms
|
|
kern.veriexec.algorithms = SHA256 SHA384 SHA512
|
|
.Ed
|
|
.Pp
|
|
It reports the current verbosity and strict levels, for example:
|
|
.Bd -literal -offset indent
|
|
# /sbin/sysctl kern.veriexec.{verbose,strict}
|
|
kern.veriexec.verbose = 0
|
|
kern.veriexec.strict = 1
|
|
.Ed
|
|
.Pp
|
|
It reports a summary of currently loaded files and the mount-points they're on,
|
|
for example:
|
|
.Bd -literal -offset indent
|
|
# /sbin/sysctl kern.veriexec.count
|
|
kern.veriexec.count.table0.mntpt = /
|
|
kern.veriexec.count.table0.fstype = ffs
|
|
kern.veriexec.count.table0.nentries = 33
|
|
.Ed
|
|
.Pp
|
|
Other information may be retrieved using
|
|
.Xr veriexecctl 8 .
|
|
.Sh SEE ALSO
|
|
.Xr options 4 ,
|
|
.Xr veriexec 5 ,
|
|
.Xr sysctl 7 ,
|
|
.Xr sysctl 8 ,
|
|
.Xr veriexecctl 8 ,
|
|
.Xr veriexecgen 8
|
|
.Sh AUTHORS
|
|
.An Elad Efrat Aq Mt elad@NetBSD.org
|