man/man8/veriexec.8

.\" $NetBSD: veriexec.8,v 1.8 2018/01/17 12:49:06 sevan Exp $
.\"
.\" Copyright (c) 2008 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 13, 2017
.Dt VERIEXEC 8
.Os
.Sh NAME
.Nm veriexec
.Nd
file integrity subsystem
.Sh DESCRIPTION
.Em Veriexec
is an in-kernel, real-time, file-system independent, file integrity
subsystem.
It can be used for a variety of purposes, including defense against trojaned
binaries, indirect attacks via third-party remote file-systems, and malicious
configuration file corruption.
.Sh CONFIGURATION
.Ss Signatures Database
.Em Veriexec
requires a signatures database -- a list of monitored files, along with their
digital fingerprint and (optionally) access modes.
The format of this file is described by
.Xr veriexec 5 .
.Pp
.Nx
provides a tool,
.Xr veriexecgen 8 ,
for generating the signatures database.
Example usage:
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
Although it should be loaded on system boot (see
.Dq RC Configuration
below), this list can be loaded manually using
.Xr veriexecctl 8 :
.Bd -literal -offset indent
# veriexecctl load
.Ed
.Ss Kernel Configuration
.Em Veriexec
requires a kernel with
.Xr fileassoc 9
support and a pseudo-device to run:
.Bd -literal -offset indent
options FILEASSOC
pseudo-device veriexec
.Ed
.Pp
Additionally, one or more options for digital fingerprint algorithm support:
.Bd -literal -offset indent
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA384
options VERIFIED_EXEC_FP_SHA512
.Ed
.Pp
Some kernels already enable
.Em Veriexec
by default.
See your kernel's config file for more information.
.Ss RC Configuration
.Em Veriexec
also allows loading signatures and setting the strict level (see below) during
the boot process using the following variables set in
.Xr rc.conf 5 :
.Bd -literal -offset indent
veriexec=YES
veriexec_strict=1 # IDS mode
.Ed
.Sh STRICT LEVELS
.Em Veriexec
can operate in four modes, also referred to as strict levels:
.Bl -tag -width flag
.It Learning mode ( strict level 0 )
The only level at which the fingerprint tables can be modified, this level is
used to help fine-tune the signature database.
No enforcement is made, and verbose information is provided (fingerprint
matches and mismatches, file removals, incorrect access, etc.).
.It IDS mode ( strict level 1 )
IDS (intrusion detection system) mode provides an adequate level of integrity
for the files it monitors.
Implications:
.Pp
.Bl -hyphen -compact
.It
Monitored files cannot be removed
.It
If raw disk access is granted to a disk with monitored files on it, all
monitored files' fingerprints will be invalidated
.It
Access to files with mismatched fingerprints is denied
.It
Write access to monitored files is allowed
.It
Access type is not enforced
.El
.It IPS mode ( strict level 2 )
IPS (intrusion prevention system) mode provides a high level of integrity
for the files it monitors.
Implications:
.Pp
.Bl -hyphen -compact
.It
All implications of IDS mode
.It
Write access to monitored files is denied
.It
Access type is enforced
.It
Raw disk access to disk devices with monitored files on them is denied
.It
Execution of non-monitored files is denied
.It
Write access to kernel memory via
.Pa /dev/mem
and
.Pa /dev/kmem
is denied
.El
.It Lockdown mode ( strict level 3 )
Lockdown mode provides high assurance integrity for the entire system.
Implications:
.Pp
.Bl -hyphen -compact
.It
All implications of IPS mode
.It
Access to non-monitored files is denied
.It
Write access to files is allowed only if the file was opened before the
strict level was raised to this mode
.It
Creation of new files is denied
.It
Raw access to system disks is denied
.El
.El
.Sh RUNTIME INFORMATION
.Em Veriexec
exports runtime information that may be useful for various purposes.
.Pp
It reports the currently supported fingerprinting algorithms, for example:
.Bd -literal -offset indent
# /sbin/sysctl kern.veriexec.algorithms
kern.veriexec.algorithms = SHA256 SHA384 SHA512
.Ed
.Pp
It reports the current verbosity and strict levels, for example:
.Bd -literal -offset indent
# /sbin/sysctl kern.veriexec.{verbose,strict}
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
.Ed
.Pp
It reports a summary of currently loaded files and the mount-points they're on,
for example:
.Bd -literal -offset indent
# /sbin/sysctl kern.veriexec.count
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
.Ed
.Pp
Other information may be retrieved using
.Xr veriexecctl 8 .
.Sh SEE ALSO
.Xr options 4 ,
.Xr veriexec 5 ,
.Xr sysctl 7 ,
.Xr sysctl 8 ,
.Xr veriexecctl 8 ,
.Xr veriexecgen 8
.Sh AUTHORS
.An Elad Efrat Aq Mt elad@NetBSD.org