VERIEXEC(8) | NetBSD System Manager's Manual | VERIEXEC(8) |
NetBSD provides a tool, veriexecgen(8), for generating the signatures database. Example usage:
# veriexecgen
Although it should be loaded on system boot (see “RC Configuration” below), this list can be loaded manually using veriexecctl(8):
# veriexecctl load
pseudo-device veriexec 1
Additionally, one or more options for digital fingerprint algorithm support:
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA512
Some kernels already enable Veriexec by default. See your kernel's config file for more information.
veriexec=YES
veriexec_strict=1 # IDS mode
It reports the currently supported fingerprinting algorithms, for example:
# /sbin/sysctl kern.veriexec.algorithms
kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
It reports the current verbosity and strict levels, for example:
# /sbin/sysctl kern.veriexec.{verbose,strict}
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
It reports a summary of currently loaded files and the mount-points they're on, for example:
# /sbin/sysctl kern.veriexec.count
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
Other information may be retrieved using veriexecctl(8).
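The sysctl values above can be checked automatically, for instance from a boot-time or monitoring script. The following is an added example, not part of the NetBSD manual: a shell function that reads sysctl output in the format shown above and verifies the strict level, the presence of a required fingerprint algorithm, and that fingerprints are actually loaded. The function names, the chosen thresholds, and the sample input (constructed from the values shown on this page) are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetBSD manual. Usage on a live system (assumed):
#   sysctl kern.veriexec | veriexec_audit 1 SHA256
# Arguments: minimum strict level, required algorithm. Exit 0 = all checks pass.
veriexec_audit() {
    awk -v min="$1" -v algo="$2" '
    BEGIN { bad = 0; total = 0; have_strict = 0 }
    {   # sysctl prints "name = value"; skip anything else
        i = index($0, " = ")
        if (i == 0) next
        name = substr($0, 1, i - 1); value = substr($0, i + 3)
    }
    name == "kern.veriexec.strict"     { strict = value + 0; have_strict = 1 }
    name == "kern.veriexec.algorithms" { algos = " " value " " }
    name ~ /^kern\.veriexec\.count\.table[0-9]+\.mntpt$/ {
        split(name, p, "[.]"); mnt[p[4]] = value
    }
    name ~ /^kern\.veriexec\.count\.table[0-9]+\.nentries$/ {
        split(name, p, "[.]"); n[p[4]] = value + 0; total += value
    }
    END {
        if (!have_strict) { print "FAIL: kern.veriexec.strict not reported"; bad = 1 }
        else if (strict < min + 0) { print "FAIL: strict level " strict " is below " min; bad = 1 }
        else print "OK: strict level " strict
        # Match whole words so that e.g. "SHA3" does not match "SHA384"
        if (index(algos, " " algo " ") == 0) { print "FAIL: " algo " not supported"; bad = 1 }
        else print "OK: " algo " supported"
        # An enforcing kernel with an empty database verifies nothing
        if (total == 0) { print "FAIL: no fingerprints loaded"; bad = 1 }
        for (t in mnt) print "INFO: " mnt[t] " has " (n[t] + 0) " entries"
        exit bad
    }'
}

# Constructed sample input, built from the values shown on this page.
sample_sysctl() {
    cat <<'EOF'
kern.veriexec.verbose = 0
kern.veriexec.strict = 1
kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
kern.veriexec.count.table0.mntpt = /
kern.veriexec.count.table0.fstype = ffs
kern.veriexec.count.table0.nentries = 33
EOF
}

sample_sysctl | veriexec_audit 1 SHA256
```

Raising the first argument makes the check fail on a system that is still at the strict level shown in the sample, which is useful when a deployment is expected to run above IDS mode.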
February 18, 2008 | NetBSD 5.99 |