Updated: 2022/Sep/29


VERIEXEC(8)                 System Manager's Manual                VERIEXEC(8)

NAME
     veriexec - file integrity subsystem

DESCRIPTION
     Veriexec is an in-kernel, real-time, file-system independent, file
     integrity subsystem.  It can be used for a variety of purposes, including
     defense against trojaned binaries, indirect attacks via third-party
     remote file-systems, and malicious configuration file corruption.

CONFIGURATION
   Signatures Database
     Veriexec requires a signatures database -- a list of monitored files,
     along with their digital fingerprint and (optionally) access modes.  The
     format of this file is described by veriexec(5).

     NetBSD provides a tool, veriexecgen(8), for generating the signatures
     database.  Example usage:

           # veriexecgen

     Although it should be loaded on system boot (see "RC Configuration"
     below), this list can be loaded manually using veriexecctl(8):

           # veriexecctl load

   Kernel Configuration
     Veriexec requires a kernel with fileassoc(9) support and a pseudo-device
     to run:

           options FILEASSOC
           pseudo-device veriexec

     Additionally, one or more options for digital fingerprint algorithm
     support:

           options VERIFIED_EXEC_FP_SHA256
           options VERIFIED_EXEC_FP_SHA384
           options VERIFIED_EXEC_FP_SHA512

     Some kernels already enable Veriexec by default.  See your kernel's
     config file for more information.

   RC Configuration
     Veriexec also allows loading signatures and setting the strict level (see
     below) during the boot process using the following variables set in
     rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode

STRICT LEVELS
     Veriexec can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
           The only level at which the fingerprint tables can be modified,
           this level is used to help fine-tune the signature database.  No
           enforcement is made, and verbose information is provided
           (fingerprint matches and mismatches, file removals, incorrect
           access, etc.).

     IDS mode (strict level 1)
           IDS (intrusion detection system) mode provides an adequate level of
           integrity for the files it monitors.  Implications:

           -   Monitored files cannot be removed
           -   If raw disk access is granted to a disk with monitored files on
               it, all monitored files' fingerprints will be invalidated
           -   Access to files with mismatched fingerprints is denied
           -   Write access to monitored files is allowed
           -   Access type is not enforced

     IPS mode (strict level 2)
           IPS (intrusion prevention system) mode provides a high level of
           integrity for the files it monitors.  Implications:

           -   All implications of IDS mode
           -   Write access to monitored files is denied
           -   Access type is enforced
           -   Raw disk access to disk devices with monitored files on them is
               denied
           -   Execution of non-monitored files is denied
           -   Write access to kernel memory via /dev/mem and /dev/kmem is
               denied

     Lockdown mode (strict level 3)
           Lockdown mode provides high assurance integrity for the entire
           system.  Implications:

           -   All implications of IPS mode
           -   Access to non-monitored files is denied
           -   Write access to files is allowed only if the file was opened
               before the strict level was raised to this mode
           -   Creation of new files is denied
           -   Raw access to system disks is denied

RUNTIME INFORMATION
     Veriexec exports runtime information that may be useful for various
     purposes.

     It reports the currently supported fingerprinting algorithms, for
     example:

           # /sbin/sysctl kern.veriexec.algorithms
           kern.veriexec.algorithms = SHA256 SHA384 SHA512

     It reports the current verbosity and strict levels, for example:

           # /sbin/sysctl kern.veriexec.{verbose,strict}
           kern.veriexec.verbose = 0
           kern.veriexec.strict = 1

     It reports a summary of currently loaded files and the mount-points
     they're on, for example:

           # /sbin/sysctl kern.veriexec.count
           kern.veriexec.count.table0.mntpt = /
           kern.veriexec.count.table0.fstype = ffs
           kern.veriexec.count.table0.nentries = 33

     Other information may be retrieved using veriexecctl(8).
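
     The sysctl output above can be checked against a minimum strict level
     in a boot-time or monitoring script.  The following is an added
     example, not part of the NetBSD manual or source; the function names
     and the MIN_STRICT argument are assumptions made for illustration.

```shell
# Added example: audit veriexec runtime state from sysctl output on stdin.
# Function names and MIN_STRICT are hypothetical, not NetBSD's own.

# Map a strict level to the mode name used in STRICT LEVELS.
veriexec_level_name() {
    case "$1" in
        0) echo "learning" ;;
        1) echo "IDS" ;;
        2) echo "IPS" ;;
        3) echo "lockdown" ;;
        *) echo "unknown" ;;
    esac
}

# veriexec_audit MIN_STRICT < sysctl-output
# Prints a one-line summary; returns 1 if the strict level is missing or
# below MIN_STRICT, or if no fingerprint entries are loaded.
veriexec_audit() {
    min_strict=$1
    strict="" algos="" entries=0 tables=0
    while IFS= read -r line; do
        key=${line%% = *}
        val=${line#* = }
        case "$key" in
            kern.veriexec.strict) strict=$val ;;
            kern.veriexec.algorithms) algos=$val ;;
            kern.veriexec.count.table*.nentries)
                case "$val" in ''|*[!0-9]*) continue ;; esac
                entries=$((entries + val))
                tables=$((tables + 1)) ;;
        esac
    done
    case "$strict" in
        ''|*[!0-9]*) echo "veriexec: strict level not reported"; return 1 ;;
    esac
    status=0
    [ "$strict" -ge "$min_strict" ] || status=1
    [ "$entries" -gt 0 ] || status=1
    echo "strict=$strict ($(veriexec_level_name "$strict")) tables=$tables entries=$entries algorithms=$algos"
    return "$status"
}

# Constructed sample, copied from the example output shown above.
SAMPLE='kern.veriexec.algorithms = SHA256 SHA384 SHA512
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33'
printf '%s\n' "$SAMPLE" | veriexec_audit 1
```

     On a running system the input would come from "/sbin/sysctl
     kern.veriexec" piped into veriexec_audit; a non-zero exit status
     means the strict level or the loaded tables do not meet the policy.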

SEE ALSO
     options(4), veriexec(5), sysctl(7), sysctl(8), veriexecctl(8),
     veriexecgen(8)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

NetBSD 10.99                  September 13, 2017                  NetBSD 10.99