.\" $NetBSD: veriexec.5,v 1.8 2017/07/03 21:30:59 wiz Exp $
.\"
.\" Copyright (c) 1999
.\" Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
.\"
.\" This code is donated to The NetBSD Foundation by the author.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the Author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: veriexec.5,v 1.8 2017/07/03 21:30:59 wiz Exp $
.\"
.Dd March 18, 2011
.Dt VERIEXEC 5
.Os
.Sh NAME
.Nm veriexec
.Nd format for the
.Em Veriexec
signatures file
.Sh DESCRIPTION
.Em Veriexec
loads entries to the in-kernel database from a file describing files to be
monitored and the type of monitoring.
This file is often referred to as the
.Sq signatures database
or
.Sq signatures file .
.Pp
The signatures file can be easily created using
.Xr veriexecgen 8 .
.Sh SIGNATURES DATABASE FORMAT
The signatures database has a line based structure, where each line has several
fields separated by white-space (space, tabs, etc.) taking the following form:
.Pp
.Dl path type fingerprint flags
.Pp
The description for each field is as follows:
.Bl -tag -width "fingerprint"
.It Em path
The full path to the file.
White-space characters can be escaped if prefixed with a
.Sq \e .
.It Em type
Type of fingerprinting algorithm used for the file.
.Pp
Requires kernel support for the specified algorithm.
List of fingerprinting algorithms supported by the kernel can be obtained by
using the following command:
.Bd -literal -offset indent
# sysctl kern.veriexec.algorithms
.Ed
.It Em fingerprint
The fingerprint for the file.
Can (usually) be generated using the following command:
.Bd -literal -offset indent
% cksum -a <algorithm> <file>
.Ed
.It Em flags
Optional listing of entry flags, separated by a comma.
These may include:
.Bl -tag -width "untrusted"
.It Em direct
Allow direct execution only.
.Pp
Execution of a program is said to be
.Dq direct
when the program is invoked by the user (either in a script, manually typing it,
etc.) via the
.Xr execve 2
syscall.
.It Em indirect
Allow indirect execution only.
.Pp
Execution of a program is said to be
.Dq indirect
if it is invoked by the kernel to interpret a script
.Pq Dq hash-bang .
.It Em file
Allow opening the file only, via the
.Xr open 2
syscall (no execution is allowed).
.It Em untrusted
Indicate that the file is located on untrusted storage and its fingerprint
evaluation status should not be cached, but rather re-calculated each time
it is accessed.
.\"It also enabled per-page fingerprints for the file, causing pages it as
.\"backing store to be verified for their integrity as well.
.Pp
Fingerprints for untrusted files will always be evaluated on load.
.El
.Pp
To improve readability of the signatures file, the following aliases are
provided:
.Bl -tag -width "interpreter"
.It Em program
An alias for
.Dq direct .
.It Em interpreter
An alias for
.Dq indirect .
.It Em script
An alias for both
.Dq direct
and
.Dq file .
.It Em library
An alias for both
.Dq file
and
.Dq indirect .
.El
.Pp
If no flags are specified,
.Dq direct
is assumed.
.El
.Pp
Comments begin with a
.Sq \&#
character and span to the end of the line.
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr security 7 ,
.Xr veriexec 8 ,
.Xr veriexecctl 8 ,
.Xr veriexecgen 8
.Sh HISTORY
.Nm
first appeared in
.Nx 2.0 .
.Sh AUTHORS
.An Brett Lymn Aq Mt blymn@NetBSD.org
.An Elad Efrat Aq Mt elad@NetBSD.org
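The following is an added example, not part of the NetBSD manual page or the veriexec tools: a small Python parser for the SIGNATURES DATABASE FORMAT described above, covering backslash-escaped white-space in paths, trailing comments, alias expansion, the "direct" default, and recomputation of a fingerprint against a file's contents. The sample entries and file bytes are constructed; the assumption that the type name is one hashlib recognises is noted in the code.

```python
import hashlib
import hmac
import re

# Entry flags from veriexec(5): base flags plus the readability aliases.
BASE_FLAGS = {"direct", "indirect", "file", "untrusted"}
ALIASES = {"program": {"direct"}, "interpreter": {"indirect"},
           "script": {"direct", "file"}, "library": {"file", "indirect"}}
# A field is a run of escaped chars ('\ ' keeps a space in a path) or plain
# non-blank chars; an unescaped '#' starts a comment that runs to end of line.
TOKEN = re.compile(r"((?:\\.|[^\s\\#])+)|(#)")

def split_fields(line):
    """Split a signatures-file line into its white-space separated fields."""
    fields = []
    for field, comment in TOKEN.findall(line):
        if comment:
            break
        fields.append(re.sub(r"\\(.)", r"\1", field))  # drop the escapes
    return fields

def parse_entry(line):
    """Return (path, type, fingerprint, flags) or None for a blank/comment line."""
    fields = split_fields(line)
    if not fields:
        return None
    if len(fields) not in (3, 4):
        raise ValueError("expected 'path type fingerprint [flags]': %r" % line)
    path, algo, fp = fields[:3]
    flags = set()
    # Expand aliases; with no flags field, veriexec(5) assumes "direct".
    for f in fields[3].split(",") if len(fields) == 4 else ["direct"]:
        if f not in ALIASES and f not in BASE_FLAGS:
            raise ValueError("unknown flag %r for %s" % (f, path))
        flags |= ALIASES.get(f, {f})
    return path, algo, fp, flags

def fingerprint_matches(entry, data):
    """Recompute the fingerprint over the file's bytes and compare it to the entry.
    Assumes the type is a hashlib name; the kernel's list is kern.veriexec.algorithms."""
    _path, algo, fp, _flags = entry
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), fp.lower())

# Constructed sample: a file's bytes and signatures-file lines that refer to them.
SH_DATA = b"#!/bin/sh\necho hello\n"
FP = hashlib.sha256(SH_DATA).hexdigest()
SAMPLE = "# constructed signatures file\n" + "\n".join(
    "%s sha256 %s %s" % (p, FP, fl) for p, fl in [
        ("/usr/local/bin/my\\ tool", "program"), ("/etc/rc.local", "script,untrusted"),
        ("/usr/local/lib/libfoo.so", "library  # trailing comment"),
        ("/usr/local/bin/plain", "")])
```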