NAME
veriexecctl — manage the Veriexec subsystem
SYNOPSIS
veriexecctl [-ekv] load [file]
veriexecctl delete file | mount_point
DESCRIPTION
The veriexecctl command is used to manipulate Veriexec, the NetBSD file integrity subsystem.
Commands
- load [file]
- Load the fingerprint entries contained in file, if specified, or the default signatures file otherwise. This operation is only allowed in learning mode (strict level zero). The following flags are allowed with this command:
  - -e
  - Evaluate fingerprint on load, as opposed to when the file is accessed.
  - -k
  - Keep the filenames in the entry for more accurate logging.
  - -v
  - Enable verbose output.
- delete file | mount_point
- Remove either the single entry for file or all entries on mount_point from Veriexec monitoring.
- dump
- Dump the Veriexec database from the kernel. Only entries that have the filename will be presented. This can be used to recover a lost database:
    # veriexecctl dump > /etc/signatures
- flush
- Delete all entries in the Veriexec database.
- query file
- Query Veriexec for information associated with file: Filename, mount, fingerprint, fingerprint algorithm, evaluation status, and entry type.
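Added example, not part of the original manual page: a more defensive form of the dump recovery shown above. The shell redirection in "dump > /etc/signatures" truncates the destination before veriexecctl runs, so this sketch dumps to a temporary file and replaces the destination only on success. The function name recover_signatures and the VERIEXECCTL override variable are hypothetical names introduced here.

```sh
#!/bin/sh
# Added example: recover the signatures file from the in-kernel database
# without emptying the destination when the dump fails.
# VERIEXECCTL is a hypothetical override so the command can be substituted.

recover_signatures() {
    dest=${1:-/etc/signatures}

    # Create the temporary file next to the destination so the final
    # mv is a rename within one file system.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1

    # "dump > dest" would truncate dest before veriexecctl starts,
    # for example when the veriexec pseudo-device is not present.
    if ! ${VERIEXECCTL:-veriexecctl} dump > "$tmp"; then
        echo "recover_signatures: dump failed, $dest left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # Only entries that have the filename are dumped, so an empty
    # result means there is nothing to recover from.
    if [ ! -s "$tmp" ]; then
        echo "recover_signatures: dump is empty, $dest left untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dest"
}

# Usage (as root): recover_signatures /etc/signatures
```

Because only entries that have the filename are dumped, compare the recovered file against the expected set of monitored files before relying on it.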
FILES
- /dev/veriexec
- Veriexec pseudo-device
- /etc/signatures
- default signatures file
SEE ALSO
veriexec(4), veriexec(5), security(7), veriexec(8), veriexecgen(8)
HISTORY
veriexecctl first appeared in NetBSD 2.0.
AUTHORS
Brett Lymn <blymn@NetBSD.org>
Elad Efrat <elad@NetBSD.org>
NOTES
The kernel is expected to have the “veriexec” pseudo-device.