Updated: 2022/Sep/29


VERIEXECGEN(8)              System Manager's Manual             VERIEXECGEN(8)

NAME
     veriexecgen - generate fingerprints for Veriexec

SYNOPSIS
     veriexecgen [-AaDrSTvW] [-d dir] [-f file] [-o fingerprintdb] [-p prefix]
                 [-t algorithm]
     veriexecgen [-h]

DESCRIPTION
     veriexecgen can be used to create a fingerprint database for use with
     Veriexec.

     If no command line arguments are specified, veriexecgen falls back to
     its default operation, equivalent to -D -o /etc/signatures -t sha256.

     If the output file already exists, veriexecgen will save a backup copy
     under the same name with a ".old" suffix appended.

     The following options are available:

     -A               Append to the output file, don't overwrite it.

     -a               Add fingerprints for non-executable files as well.

     -D               Search system directories, /bin, /sbin, /usr/bin,
                      /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.

     -d dir           Scan for files in dir.  Multiple uses of this flag can
                      specify more than one directory.

     -f file          Read files from file, or if file is "-" read from stdin.

     -h               Display the help screen.

     -o fingerprintdb
                      Save the generated fingerprint database to
                      fingerprintdb.

     -p prefix        When storing files in the fingerprint database, store
                      the full pathnames of files with the leading "prefix" of
                      the filenames removed.

     -r               Scan recursively.

     -S               Set the immutable flag on the created signatures file
                      when done writing it.

     -T               Put a timestamp on the generated file.

     -t algorithm     Use algorithm for the fingerprints.  Must be one of
                      "sha256", "sha384", or "sha512".

     -v               Verbose mode.  Print messages describing what operations
                      are being done.

     -W               By default, veriexecgen will exit when an error
                      condition is encountered.  This option will treat errors
                      such as not being able to follow a symbolic link, not
                      being able to find the real path for a directory entry,
                      or not being able to calculate a hash of an entry as a
                      warning, rather than an error.  If errors are treated as
                      warnings, veriexecgen will continue processing.  The
                      default behaviour is to treat errors as fatal.

FILES
     /etc/signatures

EXAMPLES
     Fingerprint files in the common system directories using the default
     hashing algorithm "sha256" and save to the default fingerprint database
     in /etc/signatures:

           # veriexecgen

     Fingerprint files in /etc, appending to the default fingerprint database:

           # veriexecgen -A -a -d /etc

     Fingerprint files in /path/to/somewhere using "sha512" as the hashing
     algorithm, saving to /etc/somewhere.fp:

           # veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
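
     Added example, not part of the NetBSD manual or the veriexecgen source:
     an independent Python check that the entries of a generated database
     still match the files on disk, putting back a root that -p removed.
     The line layout (path, algorithm, hex fingerprint, optional flags), the
     "#" comment lines, and the names audit and demo are assumptions of this
     example.

```python
import hashlib
import os
import re
import tempfile

# Assumed line layout (taken from veriexec(5), not shown on this page):
#   path  algorithm  hex-fingerprint  [flags]
# Paths are assumed to appear literally, without escaping.
LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<alg>sha256|sha384|sha512)\s+"
    r"(?P<fp>[0-9a-f]+)(?:\s+(?P<flags>.*))?$", re.IGNORECASE)


def audit(db_text, root=""):
    """Return (stored path, status) per entry: ok, mismatch, missing, malformed."""
    results = []
    for raw in db_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or assumed comment line
            continue
        m = LINE.match(line)
        if not m:
            results.append((line, "malformed"))
            continue
        stored = m.group("path")
        try:
            h = hashlib.new(m.group("alg").lower())
            with open(root + stored, "rb") as f:  # re-add what -p stripped
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
        except OSError:
            results.append((stored, "missing"))
            continue
        same = h.hexdigest() == m.group("fp").lower()
        results.append((stored, "ok" if same else "mismatch"))
    return results


def demo():
    """Constructed sample: a staged tree and a database with the prefix removed."""
    with tempfile.TemporaryDirectory() as stage:
        os.makedirs(os.path.join(stage, "bin"))
        with open(os.path.join(stage, "bin", "tool"), "wb") as f:
            f.write(b"constructed sample binary\n")
        good = hashlib.sha256(b"constructed sample binary\n").hexdigest()
        db = ("/bin/tool sha256 %s\n" % good +
              "/bin/tool sha512 %s\n" % ("0" * 128) +
              "/bin/gone sha256 %s\n" % good)
        return audit(db, root=stage)
```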

SEE ALSO
     veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)

NetBSD 10.99                     July 31, 2019                    NetBSD 10.99