Updated: 2022/Sep/29

VERIEXECGEN(8)              System Manager's Manual             VERIEXECGEN(8)

NAME
     veriexecgen - generate fingerprints for Veriexec

SYNOPSIS
     veriexecgen [-AaDrSTvW] [-d dir] [-f file] [-o fingerprintdb] [-p prefix]
                 [-t algorithm]
     veriexecgen [-h]

DESCRIPTION
     veriexecgen can be used to create a fingerprint database for use with

     If no command line arguments were specified, veriexecgen will resort to
     default operation, implying -D -o /etc/signatures -t sha256.

     If the output file already exists, veriexecgen will save a backup copy
     under the same name with a ".old" suffix.

     The following options are available:

     -A               Append to the output file, don't overwrite it.

     -a               Add fingerprints for non-executable files as well.

     -D               Search system directories, /bin, /sbin, /usr/bin,
                      /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.

     -d dir           Scan for files in dir.  Multiple uses of this flag can
                      specify more than one directory.

     -f file          Read files from file, or if file is "-" read from stdin.

     -h               Display the help screen.

     -o fingerprintdb
                      Save the generated fingerprint database to

     -p prefix        When storing files in the fingerprint database, store
                      the full pathnames of files with the leading "prefix" of
                      the filenames removed.

     -r               Scan recursively.

     -S               Set the immutable flag on the created signatures file
                      when done writing it.

     -T               Put a timestamp on the generated file.

     -t algorithm     Use algorithm for the fingerprints.  Must be one of
                      "sha256", "sha384", or "sha512".

     -v               Verbose mode.  Print messages describing what operations
                      are being done.

     -W               By default, veriexecgen will exit when an error
                      condition is encountered.  This option will treat errors
                      such as not being able to follow a symbolic link, not
                      being able to find the real path for a directory entry,
                      or not being able to calculate a hash of an entry as a
                      warning, rather than an error.  If errors are treated as
                      warnings, veriexecgen will continue processing.  The
                      default behaviour is to treat errors as fatal.


EXAMPLES
     Fingerprint files in the common system directories using the default
     hashing algorithm "sha256" and save to the default fingerprint database
     in /etc/signatures:

           # veriexecgen

     Fingerprint files in /etc, appending to the default fingerprint database:

           # veriexecgen -A -a -d /etc

     Fingerprint files in /path/to/somewhere using "sha512" as the hashing
     algorithm, saving to /etc/somewhere.fp:

           # veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
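
     An added example, not part of the manual page or the NetBSD sources: a
     Python audit that re-hashes the files listed in a fingerprint database
     and reports entries that are missing or no longer match.  The line
     format (path, algorithm, fingerprint, optional flags, as in
     veriexec(5)), the function names and the sample tree are assumptions of
     the example.

```python
import hashlib
import os
import tempfile
ALGORITHMS = {"sha256", "sha384", "sha512"}  # the values -t accepts

def file_digest(path, algorithm):
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(db_text, root=""):
    """Re-hash each entry; return [(path, status)].
    Assumed line format (veriexec(5)): path algorithm fingerprint [flags],
    "#" lines are comments, escaped whitespace in paths is not handled.
    root is prepended to each path, undoing a prefix stripped with -p."""
    results = []
    for line in db_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3 or fields[1].lower() not in ALGORITHMS:
            results.append((line.strip(), "malformed"))
            continue
        path, algorithm, expected = fields[0], fields[1].lower(), fields[2].lower()
        try:
            status = "ok" if file_digest(root + path, algorithm) == expected else "mismatch"
        except OSError:
            status = "missing"
        results.append((path, status))
    return results

def demo():
    """Constructed sample: staged tree, one file altered after fingerprinting."""
    with tempfile.TemporaryDirectory() as stage:
        os.mkdir(f"{stage}/bin")
        db = "/bin/sh sha512 00\n"  # constructed entry whose file is absent
        for name in ("ls", "cat"):
            with open(f"{stage}/bin/{name}", "wb") as f:
                f.write(name.encode())  # stand-in file contents
            db += f"/bin/{name} sha256 {file_digest(f.name, 'sha256')}\n"
        with open(f"{stage}/bin/cat", "ab") as f:
            f.write(b"tampered")  # change made after the database was built
        return audit(db, root=stage)

if __name__ == "__main__":
    print(demo())
```

     Passing the staging directory as root mirrors a database generated with
     -p, where stored paths no longer carry the build prefix.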

SEE ALSO
     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)

NetBSD 10.99                     July 31, 2019                    NetBSD 10.99