1.\" $NetBSD: veriexecgen.8,v 1.22 2019/07/31 21:50:25 wiz Exp $ 2.\" 3.\" Copyright (c) 2006 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Matt Fleming. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd July 31, 2019 31.Dt VERIEXECGEN 8 32.Os 33.Sh NAME 34.Nm veriexecgen 35.Nd generate fingerprints for Veriexec 36.Sh SYNOPSIS 37.Nm 38.Op Fl AaDrSTvW 39.Op Fl d Pa dir 40.Op Fl f Pa file 41.Op Fl o Pa fingerprintdb 42.Op Fl p Pa prefix 43.Op Fl t Ar algorithm 44.Nm 45.Op Fl h 46.Sh DESCRIPTION 47.Nm 48can be used to create a fingerprint database for use with 49.Em Veriexec . 
.Pp
If no command line arguments are specified,
.Nm
will resort to default operation, implying
.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
.Pp
If the output file already exists,
.Nm
will first save a backup copy of it under the same name with a
.Dq .old
suffix appended.
.Pp
The following options are available:
.Bl -tag -width ".Fl p Ar prefix"
.It Fl A
Append to the output file, don't overwrite it.
.It Fl a
Add fingerprints for non-executable files as well.
.It Fl D
Search system directories,
.Pa /bin ,
.Pa /sbin ,
.Pa /usr/bin ,
.Pa /usr/sbin ,
.Pa /lib ,
.Pa /usr/lib ,
.Pa /libexec ,
and
.Pa /usr/libexec .
.It Fl d Ar dir
Scan for files in
.Ar dir .
Multiple uses of this flag can specify more than one directory.
.\" .It Fl F
.\" Try to guess the correct flags for every file.
.It Fl f Ar file
Read the list of files to fingerprint from
.Ar file ,
or if
.Ar file
is "-", read from
.Ar stdin .
.It Fl h
Display the help screen.
.It Fl o Ar fingerprintdb
Save the generated fingerprint database to
.Ar fingerprintdb .
.It Fl p Ar prefix
When storing files in the fingerprint database,
store the full pathnames of files with the leading
.Dq prefix
of the filenames removed.
.It Fl r
Scan recursively.
.It Fl S
Set the immutable flag on the created signatures file when done writing it.
.It Fl T
Put a timestamp on the generated file.
.It Fl t Ar algorithm
Use
.Ar algorithm
for the fingerprints.
Must be one of
.Dq sha256 ,
.Dq sha384 ,
or
.Dq sha512 .
.It Fl v
Verbose mode.
Print messages describing what operations are being done.
.It Fl W
By default,
.Nm
will exit when an error condition is encountered.
This option will
treat errors such as not being able to follow a symbolic link,
not being able to find the real path for a directory entry, or
not being able to calculate a hash of an entry as a warning,
rather than an error.
If errors are treated as warnings,
.Nm
will continue processing.
The default behaviour is to treat errors as fatal.
.El
.Sh FILES
.Pa /etc/signatures
.Sh EXAMPLES
Fingerprint files in the common system directories using the default hashing
algorithm
.Dq sha256
and save to the default fingerprint database in
.Pa /etc/signatures :
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
Fingerprint all files, including non-executable ones, in
.Pa /etc ,
appending to the default fingerprint database:
.Bd -literal -offset indent
# veriexecgen -A -a -d /etc
.Ed
.Pp
Fingerprint files in
.Pa /path/to/somewhere
using
.Dq sha512
as the hashing algorithm, saving to
.Pa /etc/somewhere.fp :
.Bd -literal -offset indent
# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
.Ed
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr veriexec 5 ,
.Xr security 7 ,
.Xr veriexec 8 ,
.Xr veriexecctl 8
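The option semantics described in this manual page (scanning with -d and -r, executables only unless -a is given, -p prefix stripping, the sha256/sha384/sha512 choice for -t, -A appending, the .old backup of an existing output file, and -W turning per-file errors into warnings) are shown here as an added Python example. This is not NetBSD's veriexecgen and it does not emit the veriexec(5) signatures format: the "path algorithm=hexdigest" line format, the sample tree contents, the function names and the temporary paths are all assumptions made for the illustration.

```python
"""Simplified fingerprint-database generator modelled on the veriexecgen(8)
options above.  Added example: not NetBSD's veriexecgen, and the output line
format "path algorithm=hexdigest" is constructed here, not veriexec(5)'s."""
import hashlib
import os
import shutil
import stat
import tempfile

ALGORITHMS = ("sha256", "sha384", "sha512")  # what -t accepts per the man page
TOOL_BYTES = b"#!/bin/sh\necho hi\n"          # constructed sample contents
HELPER_BYTES = b"#!/bin/sh\necho helper\n"

def digest_bytes(data, algorithm="sha256"):
    """Reference digest of an in-memory byte string (for cross-checking)."""
    return hashlib.new(algorithm, data).hexdigest()

def fingerprint(path, algorithm="sha256"):
    """Hash a file's contents in chunks, so large binaries are not slurped."""
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be one of " + ", ".join(ALGORITHMS))
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_executable(path):
    """Default rule (no -a): a regular file with any execute bit set.
    os.stat follows symlinks, so a dangling link raises OSError here."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)

def collect(dirs, recursive=False):
    """Like -d dir [-r]: yield every non-directory entry in sorted order."""
    for d in dirs:
        walker = os.walk(d) if recursive else [(d, [], os.listdir(d))]
        for root, _subdirs, names in walker:
            for name in sorted(names):
                p = os.path.join(root, name)
                if not os.path.isdir(p):
                    yield p

def generate(dirs, out, algorithm="sha256", recursive=False, all_files=False,
             prefix=None, append=False, warn_only=False):
    """Write the database; return (entries, warnings) where entries maps
    stored path -> (algorithm, hexdigest).
    all_files -> -a, prefix -> -p, append -> -A, warn_only -> -W.
    An existing output file is first renamed with a ".old" suffix."""
    if not append and os.path.exists(out):
        os.replace(out, out + ".old")
    entries, warnings = {}, []
    with open(out, "a" if append else "w") as db:
        for p in collect(dirs, recursive):
            try:
                if not (all_files or is_executable(p)):
                    continue
                real = os.path.realpath(p)
                digest = fingerprint(real, algorithm)
            except OSError as e:
                if not warn_only:
                    raise                      # default: first error is fatal
                warnings.append("%s: %s" % (p, e))
                continue
            stored = real[len(prefix):] if prefix and real.startswith(prefix) else real
            db.write("%s %s=%s\n" % (stored, algorithm, digest))
            entries[stored] = (algorithm, digest)
    return entries, warnings

def demo():
    """Exercise the flags on a constructed tree; return what each run produced."""
    base = os.path.realpath(tempfile.mkdtemp())  # realpath so -p matches stored paths
    outdir = tempfile.mkdtemp()                  # keep the db outside the scanned tree
    out = os.path.join(outdir, "signatures")
    try:
        os.mkdir(os.path.join(base, "sub"))
        for rel, data, mode in (("tool", TOOL_BYTES, 0o755),
                                ("README", b"not an executable\n", 0o644),
                                ("sub/helper", HELPER_BYTES, 0o755)):
            with open(os.path.join(base, rel), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(base, rel), mode)
        os.symlink(os.path.join(base, "missing"), os.path.join(base, "broken"))
        results = {}
        try:  # 1. defaults: executables only, errors fatal -> dangling link aborts
            generate([base], out)
            results["fatal_raised"] = False
        except OSError:
            results["fatal_raised"] = True
        # 2. -W -p base/: the broken link is reported as a warning instead
        results["default"] = generate([base], out, warn_only=True, prefix=base + "/")
        # 3. -r -a -t sha512; the output of run 2 is kept as signatures.old
        results["full"] = generate([base], out, algorithm="sha512", recursive=True,
                                   all_files=True, warn_only=True, prefix=base + "/")
        results["backup_exists"] = os.path.exists(out + ".old")
        return results
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outdir)
```

demo() builds a throwaway tree that deliberately contains a dangling symbolic link, so the difference between the default fatal behaviour and -W is visible: the first run aborts on the link, the second records it as a warning and still produces a database. -S (immutable flag) and -T (timestamp) are not modelled.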