1.\" $NetBSD: veriexecgen.8,v 1.19 2017/09/10 10:13:47 wiz Exp $ 2.\" 3.\" Copyright (c) 2006 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Matt Fleming. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd September 9, 2017 31.Dt VERIEXECGEN 8 32.Os 33.Sh NAME 34.Nm veriexecgen 35.Nd generate fingerprints for Veriexec 36.Sh SYNOPSIS 37.Nm 38.Op Fl AaDrSTvW 39.Op Fl d Pa dir 40.Op Fl o Pa fingerprintdb 41.Op Fl p Pa prefix 42.Op Fl t Ar algorithm 43.Nm 44.Op Fl h 45.Sh DESCRIPTION 46.Nm 47can be used to create a fingerprint database for use with 48.Em Veriexec . 
49.Pp 50If no command line arguments were specified, 51.Nm 52will resort to default operation, implying 53.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 . 54.Pp 55If the output file already exists, 56.Nm 57will save a backup copy in the same file only with a 58.Dq .old 59suffix. 60.Pp 61The following options are available: 62.Bl -tag -width ".Fl p Ar prefix" 63.It Fl A 64Append to the output file, don't overwrite it. 65.It Fl a 66Add fingerprints for non-executable files as well. 67.It Fl D 68Search system directories, 69.Pa /bin , 70.Pa /sbin , 71.Pa /usr/bin , 72.Pa /usr/sbin , 73.Pa /lib , 74.Pa /usr/lib , 75.Pa /libexec , 76and 77.Pa /usr/libexec . 78.It Fl d Ar dir 79Scan for files in 80.Ar dir . 81Multiple uses of this flag can specify more than one directory. 82.\" .It Fl F 83.\" Try to guess the correct flags for every file. 84.It Fl h 85Display the help screen. 86.It Fl o Ar fingerprintdb 87Save the generated fingerprint database to 88.Ar fingerprintdb . 89.It Fl p Ar prefix 90When storing files in the fingerprint database, 91store the full pathnames of files with the leading 92.Dq prefix 93of the filenames removed. 94.It Fl r 95Scan recursively. 96.It Fl S 97Set the immutable flag on the created signatures file when done writing it. 98.It Fl T 99Put a timestamp on the generated file. 100.It Fl t Ar algorithm 101Use 102.Ar algorithm 103for the fingerprints. 104Must be one of 105.Dq sha256 , 106.Dq sha384 , 107or 108.Dq sha512 . 109.It Fl v 110Verbose mode. 111Print messages describing what operations are being done. 112.It Fl W 113By default, 114.Nm 115will exit when an error condition is encountered. 116This option will 117treat errors such as not being able to follow a symbolic link, 118not being able to find the real path for a directory entry, or 119not being able to calculate a hash of an entry as a warning, 120rather than an error. 121If errors are treated as warnings, 122.Nm 123will continue processing. 
124The default behaviour is to treat errors as fatal. 125.El 126.Sh FILES 127.Pa /etc/signatures 128.Sh EXAMPLES 129Fingerprint files in the common system directories using the default hashing 130algorithm 131.Dq sha256 132and save to the default fingerprint database in 133.Pa /etc/signatures : 134.Bd -literal -offset indent 135# veriexecgen 136.Ed 137.Pp 138Fingerprint files in 139.Pa /etc , 140appending to the default fingerprint database: 141.Bd -literal -offset indent 142# veriexecgen -A -d /etc 143.Ed 144.Pp 145Fingerprint files in 146.Pa /path/to/somewhere using 147.Dq sha512 148as the hashing algorithm, saving to 149.Pa /etc/somewhere.fp : 150.Bd -literal -offset indent 151# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp 152.Ed 153.Sh SEE ALSO 154.Xr veriexec 4 , 155.Xr veriexec 5 , 156.Xr security 7 , 157.Xr veriexec 8 , 158.Xr veriexecctl 8 159
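The option list above describes fingerprint generation as a pipeline: choose directories (-d, -r), decide whether non-executables are included (-a), hash each file with the selected algorithm (-t), optionally strip a build-root prefix from the recorded path (-p), and write the database with backup, append, timestamp and immutable-flag handling (.old, -A, -T, -S), treating per-file errors as fatal unless -W is given. The following Python model is an added example written for this page; it is not the NetBSD veriexecgen source. The entry layout `path ALGORITHM hexdigest` is an assumption loosely based on veriexec(5) (the real tool may emit further columns such as flags), the `#` timestamp comment is likewise assumed, and `demo()` builds a constructed directory tree under a temporary directory so the behaviour can be checked offline.

```python
# Added example, not NetBSD's veriexecgen: a small model of fingerprint
# database generation following the option semantics of veriexecgen(8).
# Assumed entry layout: "path ALGORITHM hexdigest" (see lead-in).
import hashlib
import os
import shutil
import stat
import sys
import tempfile
import time

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
              "sha512": hashlib.sha512}     # the three values -t accepts


def fingerprint(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(mode):
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def collect(directories, recursive=False, all_files=False, warn_only=False):
    """Select files to fingerprint: -d dir, -r, -a and -W semantics."""
    selected = []
    for top in directories:
        walk = os.walk(top) if recursive else [(top, [], os.listdir(top))]
        for root, subdirs, names in walk:
            subdirs.sort()                    # deterministic traversal order
            for name in sorted(names):
                path = os.path.normpath(os.path.join(root, name))
                try:
                    st = os.stat(path)        # follows symlinks; dangling -> OSError
                except OSError as err:
                    if not warn_only:         # default: errors are fatal
                        raise
                    print(f"warning: {path}: {err.strerror}", file=sys.stderr)
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue                  # skip directories, devices, sockets
                if not all_files and not is_executable(st.st_mode):
                    continue                  # executables only unless -a
                selected.append(path)
    return selected


def make_entries(paths, algorithm="sha256", prefix=None):
    """Build database lines; -p strips a leading prefix from each pathname."""
    entries = []
    for path in paths:
        name = path
        if prefix and name.startswith(prefix):
            name = name[len(prefix):] or "/"
        entries.append(f"{name} {algorithm.upper()} {fingerprint(path, algorithm)}")
    return entries


def write_db(entries, out, append=False, timestamp=False, immutable=False):
    """Write the database: .old backup, -A append, -T timestamp, -S immutable."""
    if os.path.exists(out) and not append:
        shutil.copy2(out, out + ".old")       # keep the previous database
    with open(out, "a" if append else "w") as f:
        if timestamp:                         # assumed '#' comment syntax
            f.write(f"# generated {time.strftime('%Y-%m-%dT%H:%M:%S')}\n")
        for line in entries:
            f.write(line + "\n")
    if immutable and hasattr(os, "chflags"):  # BSD-only immutable flag
        os.chflags(out, stat.SF_IMMUTABLE)


def demo():
    """Constructed tree: one executable, one plain file, one nested executable
    and one dangling symlink. Returns what each run produced."""
    base = tempfile.mkdtemp()
    try:
        bindir = os.path.join(base, "bin")
        os.makedirs(os.path.join(bindir, "sub"))
        for rel, data, mode in (("tool", b"abc", 0o755),
                                ("notes.txt", b"", 0o644),
                                (os.path.join("sub", "inner"), b"abc", 0o700)):
            p = os.path.join(bindir, rel)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
        os.symlink(os.path.join(base, "missing"), os.path.join(bindir, "dangling"))
        plain = make_entries(collect([bindir], warn_only=True), prefix=base)
        full = make_entries(collect([bindir], recursive=True, all_files=True,
                                    warn_only=True), "sha512", prefix=base)
        fatal = False
        try:
            collect([bindir])                 # no -W: the dangling link is fatal
        except OSError:
            fatal = True
        out = os.path.join(base, "signatures")
        write_db(plain, out)
        write_db(full, out)                   # overwrites, leaving signatures.old
        write_db(["# appended"], out, append=True)
        with open(out) as f:
            lines = f.read().splitlines()
        return {"plain": plain, "full": full, "fatal_without_W": fatal,
                "backup": os.path.exists(out + ".old"), "lines": lines}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The default run records only the executable `/bin/tool` (prefix stripped) and aborts on the dangling link unless errors are demoted to warnings; the recursive `-a` run picks up the empty text file and the nested executable as well, hashed with sha512. Reviewing a generated database before installing it is worthwhile for the same reason the tool offers `-v`: an entry for a file you did not expect, or a missing entry for one you did, is the first sign that the tree being fingerprinted is not the tree you intended to trust.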