xref: /netbsd-src/usr.sbin/veriexecgen/veriexecgen.8 (revision 4f645668ed707e1f969c546666f8c8e45e6f8888)
.\" $NetBSD: veriexecgen.8,v 1.22 2019/07/31 21:50:25 wiz Exp $
.\"
.\" Copyright (c) 2006 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Matt Fleming.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 31, 2019
.Dt VERIEXECGEN 8
.Os
.Sh NAME
.Nm veriexecgen
.Nd generate fingerprints for Veriexec
.Sh SYNOPSIS
.Nm
.Op Fl AaDrSTvW
.Op Fl d Ar dir
.Op Fl f Ar file
.Op Fl o Ar fingerprintdb
.Op Fl p Ar prefix
.Op Fl t Ar algorithm
.Nm
.Op Fl h
.Sh DESCRIPTION
.Nm
creates a fingerprint database for use with
.Em Veriexec .
.Pp
If no command line arguments are specified,
.Nm
falls back to its default operation, which is equivalent to
.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
.Pp
If the output file already exists,
.Nm
first saves a backup copy under the same name with a
.Dq .old
suffix appended.
.Pp
The following options are available:
.Bl -tag -width ".Fl p Ar prefix"
.It Fl A
Append to the output file instead of overwriting it.
.It Fl a
Add fingerprints for non-executable files as well.
.It Fl D
Search the system directories
.Pa /bin ,
.Pa /sbin ,
.Pa /usr/bin ,
.Pa /usr/sbin ,
.Pa /lib ,
.Pa /usr/lib ,
.Pa /libexec ,
and
.Pa /usr/libexec .
.It Fl d Ar dir
Scan for files in
.Ar dir .
This flag may be given more than once to scan several directories.
.\" .It Fl F
.\" Try to guess the correct flags for every file.
.It Fl f Ar file
Read the list of files to fingerprint from
.Ar file ,
or from the standard input if
.Ar file
is
.Dq - .
.It Fl h
Display the help screen.
.It Fl o Ar fingerprintdb
Save the generated fingerprint database to
.Ar fingerprintdb .
.It Fl p Ar prefix
When storing files in the fingerprint database,
store the full pathnames of the files with the leading
.Ar prefix
removed.
.It Fl r
Scan directories recursively.
.It Fl S
Set the immutable flag on the created signatures file when done writing it.
.It Fl T
Put a timestamp on the generated file.
.It Fl t Ar algorithm
Use
.Ar algorithm
for the fingerprints.
Must be one of
.Dq sha256 ,
.Dq sha384 ,
or
.Dq sha512 .
.It Fl v
Verbose mode.
Print messages describing what operations are being done.
.It Fl W
By default,
.Nm
exits when it encounters an error condition.
With this option, errors such as not being able to follow a symbolic link,
not being able to find the real path of a directory entry, or
not being able to calculate the hash of an entry are treated as warnings
rather than errors, and
.Nm
continues processing.
.El
.Sh FILES
.Bl -tag -width /etc/signatures -compact
.It Pa /etc/signatures
default fingerprint database
.El
.Sh EXAMPLES
Fingerprint files in the common system directories using the default hashing
algorithm
.Dq sha256
and save them to the default fingerprint database
.Pa /etc/signatures :
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
Fingerprint all files in
.Pa /etc ,
including non-executable ones, appending to the default fingerprint database:
.Bd -literal -offset indent
# veriexecgen -A -a -d /etc
.Ed
.Pp
Fingerprint files in
.Pa /path/to/somewhere
using
.Dq sha512
as the hashing algorithm, saving to
.Pa /etc/somewhere.fp :
.Bd -literal -offset indent
# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
.Ed
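As an added illustration, not the NetBSD veriexecgen code itself, the following Python model reproduces the scanning rules this manual page describes: the algorithm chosen with -t, the prefix stripped from stored paths with -p, the admission of non-executable files with -a, the recursion of -r, and the -W behaviour of turning an unfollowable symbolic link or an unreadable entry into a warning instead of a fatal error. The function names, the build_sample_tree helper with its constructed files, and the (stored path, ALGORITHM, hexdigest) tuple layout are assumptions of this example; the on-disk format of the signatures file is documented in veriexec(5) and is not reproduced here.

```python
import hashlib
import os
import stat
import tempfile

ALGORITHMS = ("sha256", "sha384", "sha512")   # the only values -t accepts

def fingerprint_tree(directory, algorithm="sha256", prefix="",
                     include_nonexec=False, recursive=False, warn_only=False):
    """Model of one veriexecgen scan (-t, -p, -a, -r, -W in that order).
    Returns (entries, warnings); an entry is (stored path, ALGO, hexdigest)."""
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be one of " + ", ".join(ALGORITHMS))
    entries, warnings = [], []
    for dirpath, subdirs, files in os.walk(directory):
        if not recursive:
            subdirs[:] = []                   # without -r, do not descend
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                real = os.path.realpath(path)  # follow symlinks (may dangle)
                st = os.stat(real)
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not include_nonexec and not st.st_mode & 0o111:
                    continue                  # without -a, executables only
                h = hashlib.new(algorithm)
                with open(real, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
            except OSError as exc:
                if not warn_only:
                    raise                     # default: any error is fatal
                warnings.append(f"{path}: {exc.strerror}")
                continue
            stored = real[len(prefix):] if real.startswith(prefix) else real
            entries.append((stored, algorithm.upper(), h.hexdigest()))
    return entries, warnings

def build_sample_tree():
    """Constructed sample (hypothetical): executable, plain file, nested file, dangling symlink."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.mkdir(os.path.join(root, "sub"))
    for rel, data, mode in (("prog", b"hello", 0o755), ("notes.txt", b"n", 0o644),
                            ("sub/tool", b"t", 0o755)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
        os.chmod(os.path.join(root, rel), mode)
    os.symlink(os.path.join(root, "missing"), os.path.join(root, "dangling"))
    return root
```

Running fingerprint_tree(build_sample_tree()) with the defaults raises on the dangling link, exactly as the default error handling described under -W; passing warn_only=True records the warning and carries on with the remaining files.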
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr veriexec 5 ,
.Xr security 7 ,
.Xr veriexec 8 ,
.Xr veriexecctl 8