6700cfccd6
Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.
- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.
- Fix memory leak in rename handling when overwriting a monitored
file.
- Fix table deletion logic.
- Don't prevent query requests if not in learning mode.
KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.
- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.
- veriexec_report() was removed, it is now internal.
- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.
- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.
New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.
- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:
# veriexecctl dump > /etc/signatures
Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.
Idea from Brett Lymn.
- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:
# veriexecctl flush
- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.
- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.
Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.
- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.
- Some of the messages Veriexec prints were improved.
- Various documentation fixes.
All relevant man-pages were updated to reflect the above changes.
Binary compatibility with existing veriexecctl binaries is maintained.
228 lines
5.9 KiB
Groff
228 lines
5.9 KiB
Groff
.\" $NetBSD: veriexecctl.8,v 1.30 2007/05/15 19:47:47 elad Exp $
|
|
.\"
|
|
.\" Copyright (c) 1999
|
|
.\" Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
|
|
.\"
|
|
.\" This code is donated to The NetBSD Foundation by the author.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the Author may not be used to endorse or promote
|
|
.\" products derived from this software without specific prior written
|
|
.\" permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id: veriexecctl.8,v 1.30 2007/05/15 19:47:47 elad Exp $
|
|
.\"
|
|
.Dd May 15, 2007
|
|
.Dt VERIEXECCTL 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexecctl
|
|
.Nd manage the
|
|
.Em Veriexec
|
|
subsystem
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl ek
|
|
.Cm load Ar file
|
|
.Nm
|
|
.Cm delete Ar file | mount_point
|
|
.Nm
|
|
.Cm dump
|
|
.Nm
|
|
.Cm flush
|
|
.Nm
|
|
.Cm query Ar file
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
command is used to manipulate
|
|
.Em Veriexec ,
|
|
the
|
|
.Nx
|
|
file integrity subsystem.
|
|
.Ss Commands
|
|
.Bl -tag -width XXXX
|
|
.It Cm load Ar file
|
|
Load the fingerprint entries contained in
|
|
.Ar file .
|
|
This operation is only allowed in learning mode (strict level zero).
|
|
.Pp
|
|
The following flags are allowed with this command:
|
|
.Bl -tag -width indent
|
|
.It Fl e
|
|
Evaluate fingerprint on load, as opposed to when the file is accessed.
|
|
.It Fl k
|
|
Keep the filenames in the entry for more accurate logging.
|
|
.El
|
|
.It Cm delete Ar file | mount_point
|
|
Delete either a single entry
|
|
.Ar file
|
|
or all entries on
|
|
.Ar mount_point
|
|
from being monitored by
|
|
.Em Veriexec .
|
|
.It Cm dump
|
|
Dump the
|
|
.Em Veriexec
|
|
database from the kernel.
|
|
Only entries that have the filename will be presented.
|
|
.Pp
|
|
This can be used to recover a lost database:
|
|
.Bd -literal -offset indent
|
|
# veriexecctl dump > /etc/signatures
|
|
.Ed
|
|
.It Cm flush
|
|
Delete all entries in the
|
|
.Em Veriexec
|
|
database.
|
|
.It Cm query Ar file
|
|
Query
|
|
.Em Veriexec
|
|
for information associated with
|
|
.Ar file :
|
|
Filename, mount, fingerprint, fingerprint algorithm, evaluation status,
|
|
and entry type.
|
|
.El
|
|
.Ss Signatures
|
|
.Em Veriexec
|
|
loads entries to the in-kernel database from a file describing files to be
|
|
monitored and the type of monitoring.
|
|
This file is often referred to as the
|
|
.Sq signatures
|
|
file.
|
|
It has a line based structure, where each line has several fields separated
|
|
by white-space (space, tabs, etc.) taking the following form:
|
|
.Pp
|
|
.Dl path type fingerprint flags
|
|
.Pp
|
|
The description for each field is as follows:
|
|
.Bl -tag -width XXXX
|
|
.It path
|
|
The full path to the file.
|
|
White-space characters can be escaped if prefixed with a
|
|
.Sq \ .
|
|
.It type
|
|
Type of fingerprinting algorithm used for the file.
|
|
.Pp
|
|
Requires kernel support for the specified algorithm.
|
|
List of fingerprinting algorithms supported by the kernel can be obtained by
|
|
using the following command:
|
|
.Bd -literal -offset indent
|
|
# sysctl kern.veriexec.algorithms
|
|
.Ed
|
|
.It fingerprint
|
|
The fingerprint for the file.
|
|
Can (usually) be generated using the following command:
|
|
.Bd -literal -offset indent
|
|
% cksum -a \*[Lt]algorithm\*[Gt] \*[Lt]file\*[Gt]
|
|
.Ed
|
|
.It flags
|
|
Optional listing of entry flags, separated by a comma.
|
|
These may include:
|
|
.Bl -tag -width XXXX
|
|
.It direct
|
|
Allow direct execution only.
|
|
.Pp
|
|
Execution of a program is said to be
|
|
.Dq direct
|
|
when the program is invoked by the user (either in a script, manually typing it,
|
|
etc.) via the
|
|
.Xr execve 2
|
|
syscall.
|
|
.It indirect
|
|
Allow indirect execution only.
|
|
.Pp
|
|
Execution of a program is said to be
|
|
.Dq indirect
|
|
if it is invoked by the kernel to interpret a script (
|
|
.Dq hash-bang ).
|
|
.It file
|
|
Allow opening the file only, via the
|
|
.Xr open 2
|
|
syscall (no execution is allowed).
|
|
.It untrusted
|
|
Indicate that the file is located on untrusted storage and its fingerprint
|
|
evaluation status should not be cached, but rather re-calculated each time
|
|
it is accessed.
|
|
.\"It also enabled per-page fingerprints for the file, causing pages it as
|
|
.\"backing store to be verified for their integrity as well.
|
|
.Pp
|
|
Fingerprints for untrusted files will always be evaluated on load.
|
|
.El
|
|
.Pp
|
|
To improve readaibility of the signatures file, the following aliases are
|
|
provided:
|
|
.Bl -tag -width XXXX
|
|
.It program
|
|
An alias for
|
|
.Dq direct .
|
|
.It interpreter
|
|
An alias for
|
|
.Dq indirect
|
|
.It script
|
|
An alias for both
|
|
.Dq direct
|
|
and
|
|
.Dq file .
|
|
.It library
|
|
An alias for both
|
|
.Dq file
|
|
and
|
|
.Dq indirect .
|
|
.El
|
|
.Pp
|
|
If no flags are specified,
|
|
.Dq direct
|
|
is assumed.
|
|
.El
|
|
.Pp
|
|
Comments begin with a
|
|
.Sq \&#
|
|
character and span to the end of the line.
|
|
.Pp
|
|
Automatic generation of the signatures file is possible using the
|
|
.Xr veriexecgen 8
|
|
program.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/signatures -compact
|
|
.It Pa /dev/veriexec
|
|
.Em Veriexec
|
|
pseudo-device
|
|
.It Pa /etc/signatures
|
|
default signatures file
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr veriexec 4 ,
|
|
.Xr veriexecgen 8 ,
|
|
.Xr veriexec 9
|
|
.Sh HISTORY
|
|
.Nm
|
|
first appeared in
|
|
.Nx 2.0 .
|
|
.Sh AUTHORS
|
|
.An Brett Lymn Aq blymn@NetBSD.org
|
|
.An Elad Efrat Aq elad@NetBSD.org
|
|
.Sh NOTES
|
|
The kernel is expected to have the
|
|
.Dq veriexec
|
|
pseudo-device.
|