NetBSD/sbin/veriexecctl/veriexecctl.8

.\" $NetBSD: veriexecctl.8,v 1.30 2007/05/15 19:47:47 elad Exp $
.\"
.\" Copyright (c) 1999
.\"	Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
.\"
.\" This code is donated to The NetBSD Foundation by the author.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the Author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	$Id: veriexecctl.8,v 1.30 2007/05/15 19:47:47 elad Exp $
.\"
.Dd May 15, 2007
.Dt VERIEXECCTL 8
.Os
.Sh NAME
.Nm veriexecctl
.Nd manage the
.Em Veriexec
subsystem
.Sh SYNOPSIS
.Nm
.Op Fl ek
.Cm load Ar file
.Nm
.Cm delete Ar file | mount_point
.Nm
.Cm dump
.Nm
.Cm flush
.Nm
.Cm query Ar file
.Sh DESCRIPTION
The
.Nm
command is used to manipulate
.Em Veriexec ,
the
.Nx
file integrity subsystem.
.Ss Commands
.Bl -tag -width XXXX
.It Cm load Ar file
Load the fingerprint entries contained in
.Ar file .
This operation is only allowed in learning mode (strict level zero).
.Pp
The following flags are allowed with this command:
.Bl -tag -width indent
.It Fl e
Evaluate fingerprint on load, as opposed to when the file is accessed.
.It Fl k
Keep the filenames in the entry for more accurate logging.
.El
.It Cm delete Ar file | mount_point
Delete either a single entry
.Ar file
or all entries on
.Ar mount_point
from being monitored by
.Em Veriexec .
.It Cm dump
Dump the
.Em Veriexec
database from the kernel.
Only entries that have the filename will be presented.
.Pp
This can be used to recover a lost database:
.Bd -literal -offset indent
# veriexecctl dump > /etc/signatures
.Ed
.It Cm flush
Delete all entries in the
.Em Veriexec
database.
.It Cm query Ar file
Query
.Em Veriexec
for information associated with
.Ar file :
Filename, mount, fingerprint, fingerprint algorithm, evaluation status,
and entry type.
.El
.Ss Signatures
.Em Veriexec
loads entries to the in-kernel database from a file describing files to be
monitored and the type of monitoring.
This file is often referred to as the
.Sq signatures
file.
It has a line based structure, where each line has several fields separated
by white-space (space, tabs, etc.) taking the following form:
.Pp
.Dl path	type	fingerprint	flags
.Pp
The description for each field is as follows:
.Bl -tag -width XXXX
.It path
The full path to the file.
White-space characters can be escaped if prefixed with a
.Sq \ .
.It type
Type of fingerprinting algorithm used for the file.
.Pp
Requires kernel support for the specified algorithm.
List of fingerprinting algorithms supported by the kernel can be obtained by
using the following command:
.Bd -literal -offset indent
# sysctl kern.veriexec.algorithms
.Ed
.It fingerprint
The fingerprint for the file.
Can (usually) be generated using the following command:
.Bd -literal -offset indent
% cksum -a \*[Lt]algorithm\*[Gt] \*[Lt]file\*[Gt] 
.Ed
.It flags
Optional listing of entry flags, separated by a comma.
These may include:
.Bl -tag -width XXXX
.It direct
Allow direct execution only.
.Pp
Execution of a program is said to be
.Dq direct
when the program is invoked by the user (either in a script, manually typing it,
etc.) via the
.Xr execve 2
syscall.
.It indirect
Allow indirect execution only.
.Pp
Execution of a program is said to be
.Dq indirect
if it is invoked by the kernel to interpret a script (
.Dq hash-bang ).
.It file
Allow opening the file only, via the
.Xr open 2
syscall (no execution is allowed).
.It untrusted
Indicate that the file is located on untrusted storage and its fingerprint
evaluation status should not be cached, but rather re-calculated each time
it is accessed.
.\"It also enabled per-page fingerprints for the file, causing pages it as
.\"backing store to be verified for their integrity as well.
.Pp
Fingerprints for untrusted files will always be evaluated on load.
.El
.Pp
To improve readaibility of the signatures file, the following aliases are
provided:
.Bl -tag -width XXXX
.It program
An alias for
.Dq direct .
.It interpreter
An alias for
.Dq indirect
.It script
An alias for both
.Dq direct
and
.Dq file .
.It library
An alias for both
.Dq file
and
.Dq indirect .
.El
.Pp
If no flags are specified,
.Dq direct
is assumed.
.El
.Pp
Comments begin with a
.Sq \&#
character and span to the end of the line.
.Pp
Automatic generation of the signatures file is possible using the
.Xr veriexecgen 8
program.
.Sh FILES
.Bl -tag -width /etc/signatures -compact
.It Pa /dev/veriexec
.Em Veriexec
pseudo-device
.It Pa /etc/signatures
default signatures file
.El
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr veriexecgen 8 ,
.Xr veriexec 9
.Sh HISTORY
.Nm
first appeared in
.Nx 2.0 .
.Sh AUTHORS
.An Brett Lymn Aq blymn@NetBSD.org
.An Elad Efrat Aq elad@NetBSD.org
.Sh NOTES
The kernel is expected to have the
.Dq veriexec
pseudo-device.