I would appreciate any donations. Wishlist or send e-mail type donations to maekawa AT daemon-systems.org.
VERIEXEC(4) Kernel Interfaces Manual VERIEXEC(4) NAME veriexec -- Veriexec pseudo-device SYNOPSIS pseudo-device veriexec DESCRIPTION Veriexec verifies the integrity of specified executables and files before they are run or read. This makes it much more difficult to insert a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet sniffers, DDoS clients and so on. The veriexec pseudo-device is used to load and delete entries to and from the in-kernel Veriexec databases, as well as query information about them. It can also be used to dump the entire database. Kernel-userland interaction Veriexec uses proplib(3) for communication between the kernel and userland. VERIEXEC_LOAD Load an entry for a file to be monitored by Veriexec. The dictionary passed contains the following elements: Name Type Purpose file string filename for this entry entry-type uint8 entry type (see below) fp-type string fingerprint hashing algorithm fp data the fingerprint ``entry-type'' can be one or more (binary-OR'd) of the following: Type Effect VERIEXEC_DIRECT can execute directly VERIEXEC_INDIRECT can execute indirectly (interpreter, mmap(2)) VERIEXEC_FILE can be opened VERIEXEC_UNTRUSTED located on untrusted storage VERIEXEC_DELETE Removes either an entry for a single file or entries for an entire mount from Veriexec. The dictionary passed contains the following elements: Name Type Purpose file string filename or mount-point VERIEXEC_DUMP Dump the Veriexec monitored files database from the kernel. Only files that the filename is kept for them will be dumped. The returned array contains dictionaries with the following elements: Name Type Purpose file string filename fp-type string fingerprint hashing algorithm fp data the fingerprint entry-type uint8 entry type (see above) VERIEXEC_FLUSH Flush the Veriexec database, removing all entries. This command has no parameters. VERIEXEC_QUERY Queries Veriexec about a file, returning information that may be useful about it. The dictionary passed contains the following elements: Name Type Purpose file string filename The dictionary returned contains the following elements: Name Type Purpose entry-type uint8 entry type (see above) status uint8 entry status fp-type string fingerprint hashing algorithm fp data the fingerprint ``status'' can be one of the following: Status Meaning FINGERPRINT_NOTEVAL not evaluated FINGERPRINT_VALID fingerprint match FINGERPRINT_MISMATCH fingerprint mismatch Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0. SEE ALSO proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8), veriexecgen(8), veriexec(9) NOTES veriexec is part of the default configuration on the following architectures: amd64, i386, prep, sparc64. AUTHORS Brett Lymn <blymn@NetBSD.org> Elad Efrat <elad@NetBSD.org> NetBSD 7.1.2 March 19, 2011 NetBSD 7.1.2