.\" $NetBSD: veriexecgen.8,v 1.17 2011/04/28 11:24:28 wiz Exp $
.\"
.\" Copyright (c) 2006 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Matt Fleming.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 18, 2008
.Dt VERIEXECGEN 8
.Os
.Sh NAME
.Nm veriexecgen
.Nd generate fingerprints for Veriexec
.Sh SYNOPSIS
.Nm
.Op Fl AaDrSTvW
.Op Fl d Pa dir
.Op Fl o Pa fingerprintdb
.Op Fl p Pa prefix
.Op Fl t Ar algorithm
.Nm
.Op Fl h
.Sh DESCRIPTION
.Nm
can be used to create a fingerprint database for use with
.Em Veriexec .
.Pp
If no command line arguments are specified,
.Nm
will resort to default operation, implying
.Fl D Fl o Ar /etc/signatures Fl t Ar sha256 .
.Pp
If the output file already exists,
.Nm
will save a backup copy under the same file name, only with a
.Dq .old
suffix.
.Pp
The following options are available:
.Bl -tag -width ".Fl p Ar prefix"
.It Fl A
Append to the output file, don't overwrite it.
.It Fl a
Add fingerprints for non-executable files as well.
.It Fl D
Search system directories,
.Pa /bin ,
.Pa /sbin ,
.Pa /usr/bin ,
.Pa /usr/sbin ,
.Pa /lib ,
.Pa /usr/lib ,
.Pa /libexec ,
and
.Pa /usr/libexec .
.It Fl d Ar dir
Scan for files in
.Ar dir .
Multiple uses of this flag can specify more than one directory.
.\" .It Fl F
.\" Try to guess the correct flags for every file.
.It Fl h
Display the help screen.
.It Fl o Ar fingerprintdb
Save the generated fingerprint database to
.Ar fingerprintdb .
.It Fl p Ar prefix
When storing files in the fingerprint database,
store the full pathnames of files with the leading
.Dq prefix
of the filenames removed.
.It Fl r
Scan recursively.
.It Fl S
Set the immutable flag on the created signatures file when done writing it.
.It Fl T
Put a timestamp on the generated file.
.It Fl t Ar algorithm
Use
.Ar algorithm
for the fingerprints.
Must be one of
.Dq md5 ,
.Dq sha1 ,
.Dq sha256 ,
.Dq sha384 ,
.Dq sha512 ,
or
.Dq rmd160 .
.It Fl v
Verbose mode.
Print messages describing what operations are being done.
.It Fl W
By default,
.Nm
will exit when an error condition is encountered.
This option will
treat errors such as not being able to follow a symbolic link,
not being able to find the real path for a directory entry, or
not being able to calculate a hash of an entry as a warning,
rather than an error.
If errors are treated as warnings,
.Nm
will continue processing.
The default behaviour is to treat errors as fatal.
.El
.Sh FILES
.Pa /etc/signatures
.Sh EXAMPLES
Fingerprint files in the common system directories using the default hashing
algorithm
.Dq sha256
and save to the default fingerprint database in
.Pa /etc/signatures :
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
Fingerprint files in
.Pa /etc ,
appending to the default fingerprint database:
.Bd -literal -offset indent
# veriexecgen -A -d /etc
.Ed
.Pp
Fingerprint files in
.Pa /path/to/somewhere
using
.Dq rmd160
as the hashing algorithm, saving to
.Pa /etc/somewhere.fp :
.Bd -literal -offset indent
# veriexecgen -d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp
.Ed
.Sh SEE ALSO
.Xr veriexec 4 ,
.Xr veriexec 5 ,
.Xr security 7 ,
.Xr veriexec 8 ,
.Xr veriexecctl 8
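An added example, not part of the NetBSD manual or source: because veriexecgen keeps the previous database with a ".old" suffix, the two files can be compared after a regeneration to list entries that were added, removed or changed. It assumes the one-entry-per-line layout "path algorithm fingerprint flags" from veriexec(5) and "#" comment lines, neither of which this page shows; the function names and sample entries are constructed.

```python
import sys
from pathlib import Path

def parse_signatures(text):
    """Return {path: (algorithm, fingerprint, flags)} for one database.
    Assumed layout (veriexec(5), not on this page): path algorithm fingerprint [flags]
    Blank and '#' lines are skipped; escaped spaces in paths are not handled.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected path, algorithm, fingerprint")
        flags = fields[3] if len(fields) > 3 else ""
        # Algorithm names and hex digests are compared case-insensitively.
        entries[fields[0]] = (fields[1].lower(), fields[2].lower(), flags)
    return entries

def diff_databases(old_text, new_text):
    """Classify paths as added, removed or changed between two databases."""
    old, new = parse_signatures(old_text), parse_signatures(new_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

# Constructed sample data: the fingerprints are filler, not real digests.
OLD_SAMPLE = "\n".join([
    "# constructed sample, previous database",
    f"/bin/ls sha256 {'aa' * 32} direct",
    f"/bin/sh sha256 {'bb' * 32} direct",
    f"/sbin/gone sha256 {'cc' * 32} direct",
])
NEW_SAMPLE = "\n".join([
    f"/bin/ls sha256 {'dd' * 32} direct",
    f"/bin/sh SHA256 {'BB' * 32} direct",
    f"/usr/bin/new sha256 {'ee' * 32} direct",
])

if __name__ == "__main__":
    args = sys.argv[1:3]  # e.g. /etc/signatures.old /etc/signatures
    texts = [Path(p).read_text() for p in args] if len(args) == 2 else [OLD_SAMPLE, NEW_SAMPLE]
    for kind, paths in diff_databases(*texts).items():
        for path in paths:
            print(f"{kind}: {path}")
```

A "changed" entry for a path that no package update or rebuild accounts for is the case worth investigating before the new database is loaded.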