Diff for /wikisrc/veriexec.mdwn between versions 1.1 and 1.2

version 1.1, 2011/11/20 21:35:54 version 1.2, 2012/02/05 07:14:36
Line 1 Line 1
 **Contents**  **Contents**
   
 [[!toc levels=3]]  [[!toc levels=3]]
   
 ##  What is verified executables?  ##  What is verified executables?
   
 veriexec adds a new function to the exec-Path of the kernel, thus allowing the kernel to check a cryptographic hash for a binary. With this feature, it is almost impossible to run manipulated binaries like a rootkit or a trojan.  veriexec adds a new function to the exec-Path of the kernel, thus allowing the kernel to check a cryptographic hash for a binary. With this feature, it is almost impossible to run manipulated binaries like a rootkit or a trojan. 
   
 #  How to enable it?  #  How to enable it?
   
 veriexec has been implemented on NetBSD 2.0. If you want to enable veriexec on your system, you have to build a release with veriexec supported, as described in this Document. Either you use **GENERIC_VERIEXEC** or you add  veriexec has been implemented on NetBSD 2.0. If you want to enable veriexec on your system, you have to build a release with veriexec supported, as described in this Document. Either you use **GENERIC_VERIEXEC** or you add 
          
     options VERIFIED_EXEC      options VERIFIED_EXEC
     #uncomment following 2 lines if you like verbose debugging      #uncomment following 2 lines if you like verbose debugging
     #options VERIFIED_EXEC_DEBUG      #options VERIFIED_EXEC_DEBUG
     #options VERIFIED_EXEC_DEBUG_VERBOSE      #options VERIFIED_EXEC_DEBUG_VERBOSE
     pseudo-device verifiedexec 1      pseudo-device verifiedexec 1 
          
   
 to your kernel configuration and recompile a new Kernel and Userland. If you boot into the new Kernel with veriexec enabled, you will receive warning messages about inappropriate checksums, ignore them until your Userland has been setup to support veriexec properly. After installing the new Userland, you are required to create **/dev/veriexec** with  to your kernel configuration and recompile a new Kernel and Userland. If you boot into the new Kernel with veriexec enabled, you will receive warning messages about inappropriate checksums, ignore them until your Userland has been setup to support veriexec properly. After installing the new Userland, you are required to create **/dev/veriexec** with 
          
     cd /dev && ./MAKEDEV veriexec      cd /dev && ./MAKEDEV veriexec
          
   
 If done so, you should now create a database containing the files and hashes, using '**usr/share/examples/veriexecctl/gen_sha1** as a helper skript. The system will now generate a file called signatures, containing all files and fingerprints. It is a good idea to move **./signatures** to a write-protected media, like a floppy or to encrypt or sign it with e.g. PGP/GnuPGP, to ensure it's integrity. Copy ./signatures to **/etc/** and add **veriexecctl ./signatures** to **/etc/rc.local** to load the signatures into kernelmemory. If you reboot now and raise the kernelsecuritylevel to 1, /netbsd warns of not matching fingerprints for binaries, if you raise the level to 2 /netbsd will refuse to execute binaries with non-matching fingerprints. Since you are required to use Kernelsecuritylevels, X won't run any longer on your machine, since it uses memory mapping to /dev/mem to acces your videocard.  If done so, you should now create a database containing the files and hashes, using '**usr/share/examples/veriexecctl/gen_sha1** as a helper skript. The system will now generate a file called signatures, containing all files and fingerprints. It is a good idea to move **./signatures** to a write-protected media, like a floppy or to encrypt or sign it with e.g. PGP/GnuPGP, to ensure it's integrity. Copy ./signatures to **/etc/** and add **veriexecctl ./signatures** to **/etc/rc.local** to load the signatures into kernelmemory. If you reboot now and raise the kernelsecuritylevel to 1, /netbsd warns of not matching fingerprints for binaries, if you raise the level to 2 /netbsd will refuse to execute binaries with non-matching fingerprints. Since you are required to use Kernelsecuritylevels, X won't run any longer on your machine, since it uses memory mapping to /dev/mem to acces your videocard. 
   
 To generate a default signatures file fingerprinting your system files:  To generate a default signatures file fingerprinting your system files: 
          
     veriexecgen -A -D      veriexecgen -A -D
          
   
 This will create a good base for your signatures file.  This will create a good base for your signatures file. 
   
 #  Strict levels  #  Strict levels 
   
 ##  Level 0  ##  Level 0 
   
 In strict level 0, learning mode, Veriexec will act passively and simply warn about any anomalies. Combined with verbose level 1, running the system in this mode can help you fine-tune the signatures file. This is also the only strict level in which you can load new entries to the kernel.  In strict level 0, learning mode, Veriexec will act passively and simply warn about any anomalies. Combined with verbose level 1, running the system in this mode can help you fine-tune the signatures file. This is also the only strict level in which you can load new entries to the kernel. 
   
 ##  Level 1  ##  Level 1 
   
 Strict level 1, or IDS mode, will deny access to files with a fingerprint mismatch. This mode suits mostly to users who simply want to prevent access to files which might've been maliciously modified by an attacker.  Strict level 1, or IDS mode, will deny access to files with a fingerprint mismatch. This mode suits mostly to users who simply want to prevent access to files which might've been maliciously modified by an attacker. 
   
 ##  Level 2  ##  Level 2 
   
 Strict level 2, IPS mode, takes a step towards trying to protect the integrity of monitored files. In addition to preventing access to files with a fingerprint mismatch, it will also deny write access and prevent the removal of monitored files, and enforce the way monitored files are accessed. (as the signatures file specifies).  Strict level 2, IPS mode, takes a step towards trying to protect the integrity of monitored files. In addition to preventing access to files with a fingerprint mismatch, it will also deny write access and prevent the removal of monitored files, and enforce the way monitored files are accessed. (as the signatures file specifies). 
   
 ##  Level 3  ##  Level 3 
   
 Lockdown mode (strict level 3) can be used in highly critical situations such as custom made special-purpose machines, or as a last line of defense after an attacker compromised the system and we want to prevent traces from being removed, so we can perform post-mortem analysis. It will prevent the creation of new files, and deny access to files not monitored by Veriexec.  Lockdown mode (strict level 3) can be used in highly critical situations such as custom made special-purpose machines, or as a last line of defense after an attacker compromised the system and we want to prevent traces from being removed, so we can perform post-mortem analysis. It will prevent the creation of new files, and deny access to files not monitored by Veriexec. 
   
 #  Using together with secure levels  #  Using together with secure levels 
   
 In addition to using file flags, a kernel security level greater than 0 will also deny any write-access to kernelmemory **/dev/mem** and **/dev/kmem** so it is impossible to manipulate the signatures loaded into kmem, but you are also required to reboot the machine to use new signatures e.g. after installing new binaries.  In addition to using file flags, a kernel security level greater than 0 will also deny any write-access to kernelmemory **/dev/mem** and **/dev/kmem** so it is impossible to manipulate the signatures loaded into kmem, but you are also required to reboot the machine to use new signatures e.g. after installing new binaries. 
   
 See [[Kernel secure levels]] for more details.  See [[Kernel secure levels]] for more details. 
   
   
 #  Further links  #  Further links
   
   * [http://www.netbsd.org/guide/en/chap-veriexec.html](http://www.netbsd.org/guide/en/chap-veriexec.html) - A chapter in the NetBSD guide    * [http://www.netbsd.org/guide/en/chap-veriexec.html](http://www.netbsd.org/guide/en/chap-veriexec.html) - A chapter in the NetBSD guide 
   * [http://www.free-x.ch/pub/proposal.txt](http://www.free-x.ch/pub/proposal.txt) - File Flags Proposal    * [http://www.free-x.ch/pub/proposal.txt](http://www.free-x.ch/pub/proposal.txt) - File Flags Proposal 
   * See [init(8)](http://netbsd.gw.com/cgi-bin/man-cgi?init+8+NetBSD-current) and [/usr/src/sys/sys/systm.h](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/sys/systm.h?rev=1.183.2.1;content-type=text%2Fx-cvsweb-markup) for information about security levels    * See [init(8)](http://netbsd.gw.com/cgi-bin/man-cgi?init+8+NetBSD-current) and [/usr/src/sys/sys/systm.h](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/sys/sys/systm.h?rev=1.183.2.1;content-type=text%2Fx-cvsweb-markup) for information about security levels 
   * For securelevel in combination with X see also the program [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/)    * For securelevel in combination with X see also the program [sysutils/aperture](http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/pkgsrc/sysutils/aperture/)
   
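Review bot: the only change between v1.1 and v1.2 visible in this hunk is trailing whitespace appended to most lines, so the text problems in the page carry over untouched; the next revision should fix them. Typos: "skript" should be "script", "acces" should be "access", "it's integrity" should be "its integrity", "GnuPGP" should be "GnuPG", and the helper path "'**usr/share/examples/veriexecctl/gen_sha1**" has a stray opening quote and is missing its leading slash (it should read `/usr/share/examples/veriexecctl/gen_sha1`). Consistency: the "Copy ./signatures to /etc/" paragraph says the kernel warns at securelevel 1 and refuses execution at securelevel 2, while the "Strict levels" section says warning is strict level 0 and denial is strict level 1; either mark the first description as the NetBSD 2.0 behaviour or reconcile the two. The `rc.local` line `veriexecctl ./signatures` loads a relative path although the file was just copied to /etc/; an absolute path such as `/etc/signatures` would be unambiguous. Structure: "## What is verified executables?" is a level-2 heading while its sibling sections ("How to enable it?", "Strict levels", "Using together with secure levels", "Further links") are level 1.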
