Diff for /wikisrc/guide/veriexec.mdwn between versions 1.5 and 1.6

version 1.5, 2013/03/21 11:11:21 version 1.6, 2015/06/19 19:18:31
Line 4 Line 4
   
 # NetBSD Veriexec subsystem  # NetBSD Veriexec subsystem
   
 [veriexec(8)](http://netbsd.gw.com/cgi-bin/man-cgi?veriexec+8+NetBSD-current)  [[!template id=man name="veriexec" section="8"]]
 is a file integrity subsystem in NetBSD (introduced in 3.0). It is kernel  is a file integrity subsystem in NetBSD (introduced in 3.0). It is kernel
 based, hence can provide some protection even in the case of a root compromise.  based, hence can provide some protection even in the case of a root compromise.
   
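Review bot: The veriexec(8) replacement drops the explicit `NetBSD-current` collection that the old URL carried. The template call passes only `name` and `section`, so confirm that the `man` template resolves to the man page version this guide intends, given that the same paragraph makes a release-specific statement (introduced in 3.0).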
Line 17  about files Veriexec should monitor, as  Line 17  about files Veriexec should monitor, as 
 various flags that will be discussed later.  various flags that will be discussed later.
   
 Then, whenever an application tries to open a file, there is a  Then, whenever an application tries to open a file, there is a
 [kauth(9)](http://netbsd.gw.com/cgi-bin/man-cgi?kauth+9+NetBSD-current) check  [[!template id=man name="kauth" section="9"]] check
 before actually doing so if the application is permitted to do so. Veriexec  before actually doing so if the application is permitted to do so. Veriexec
 hooks in here and checks whether the file has the fingerprint as recorded in  hooks in here and checks whether the file has the fingerprint as recorded in
 the signature file. If not, it acts depending on its mode, e.g., it could deny  the signature file. If not, it acts depending on its mode, e.g., it could deny
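Review bot: The sentence carrying the kauth(9) reference is hard to parse on both sides of the diff ("there is a ... check before actually doing so if the application is permitted to do so"). Since the line is being touched anyway, consider rewording it, for example "a kauth(9) check first decides whether the application is permitted to open it", so the point where Veriexec hooks in is unambiguous.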
Line 67  And to generate a SHA512 fingerprint for Line 67  And to generate a SHA512 fingerprint for
   
 #### veriexecgen  #### veriexecgen
   
 [veriexecgen(8)](http://netbsd.gw.com/cgi-bin/man-cgi?veriexecgen+8+NetBSD-current)  [[!template id=man name="veriexecgen" section="8"]]
 is a tool which automatically creates fingerprints for files or directories.  is a tool which automatically creates fingerprints for files or directories.
 By default, it will create SHA256 fingerprints for `/bin`, `/sbin`, `/usr/bin`,  By default, it will create SHA256 fingerprints for `/bin`, `/sbin`, `/usr/bin`,
 `/usr/sbin`, `/lib`, `/usr/lib`, `/libexec` and `/usr/libexec` and save them to  `/usr/sbin`, `/lib`, `/usr/lib`, `/libexec` and `/usr/libexec` and save them to
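Review bot: The heading in this hunk is `#### veriexecgen`, while the sibling tool section in the next hunk is `### veriexecctl`. Neither side of the diff changes this, but check whether the two tool sections are meant to sit at the same level and, if so, align them in the same commit.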
Line 80  have to be careful to recreate fingerpri Line 80  have to be careful to recreate fingerpri
 ### veriexecctl  ### veriexecctl
   
 For controlling the database inside the kernel, you have the tool  For controlling the database inside the kernel, you have the tool
 [veriexecctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?veriexecctl+8+NetBSD-current).  [[!template id=man name="veriexecctl" section="8"]].
 It can be used for dumping the whole database (`dump`), flushing it (`flush`),  It can be used for dumping the whole database (`dump`), flushing it (`flush`),
 i.e., deleting all entries in the kernel's table, query an entry, etc.  i.e., deleting all entries in the kernel's table, query an entry, etc.
   
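Review bot: The list in the last sentence of this hunk is not parallel ("dumping ..., flushing ..., query an entry"). While converting the veriexecctl(8) link, change "query an entry" to "querying an entry".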



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb