.\" $NetBSD: veriexecctl.8,v 1.1 2002/11/23 10:52:49 blymn Exp $
.\"
.\" Copyright (c) 1999
.\" Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
.\"
.\" This code is donated to The NetBSD Foundation by the author.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the Author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: veriexecctl.8,v 1.1 2002/11/23 10:52:49 blymn Exp $
.\"
.Dd October 29, 2002
.Dt VERIEXECCTL 8
.Os
.Sh NAME
.Nm veriexecctl
.Nd load verified exec fingerprints
.Sh SYNOPSIS
.Nm
.Ar fingerprints
.Sh DESCRIPTION
The
.Nm
command loads the in-kernel fingerprint table from the fingerprints
given in the
.Ar fingerprints
file.
Once loaded, the kernel can validate executed programs
or files against the loaded fingerprints and report when fingerprints
do not match.
.Pp
The
.Ar fingerprints
file contains lines of fields (separated by one or more whitespace
characters) of the form:
.Dl path fingerprint type options
Where path is the full path to the executable and fingerprint is a
hexadecimal representation of the fingerprint for the executable.
Type is the type of fingerprint used; currently this may be either
md5 or sha1.
Other fingerprints may be available depending on kernel support.
Options are the associated options for the executable.
Currently there are two valid options:
.Bl -tag -width INDIRECT -compact
.It Pa INDIRECT
If this option is set then the executable cannot be invoked directly; it
can only be used as an interpreter in shell scripts.
.It Pa FILE
Indicates that the fingerprint is associated with a file, not an
executable.
Files have their fingerprints verified during
.Xr open 2
and are automatically made read only.
.El
There must be only one executable/fingerprint pair per line.
Comments are indicated by the first character of a line being a
.Sq \&#
character.
.Sh FILES
.Bl -tag -width /dev/verifiedexec -compact
.It Pa /dev/verifiedexec
verified executable device node
.El
.Sh HISTORY
.Nm
first appeared in
.Nx 1.7 .
.Sh NOTES
.Nm
requires the kernel to have been configured with the
.Dv VERIFIED_EXEC
option and the verifiedexec pseudo-device.
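.Sh EXAMPLES
The following Python check for the fingerprints file format given in DESCRIPTION is an added example, not part of veriexecctl or of NetBSD; it can be run over a fingerprints file before loading it.
It assumes that the options field may be omitted, that several options are separated by whitespace, and that blank lines are ignored; the names lint_fingerprints, fingerprint_line and SAMPLE are hypothetical.

```python
import hashlib
import re

DIGEST_HEX_LEN = {"md5": 32, "sha1": 40}   # the two types the page names
VALID_OPTIONS = {"INDIRECT", "FILE"}       # the two options the page names

# Constructed sample input; the digests are those of empty input.
SAMPLE = """\
# constructed sample, not from a real system
/bin/ls da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1
/bin/sh d41d8cd98f00b204e9800998ecf8427e md5 INDIRECT
/etc/passwd d41d8cd98f00b204e9800998ecf8427e sha1 FILE
bin/cat da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1 DIRECT
"""


def lint_fingerprints(text):
    """Return (entries, errors); errors are (line number, message) pairs."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # '#' in column one is a comment; blank lines: assumption
        fields = line.split()  # fields are separated by runs of whitespace
        if len(fields) < 3:
            errors.append((lineno, "expected: path fingerprint type options"))
            continue
        path, digest, ftype, options = fields[0], fields[1], fields[2], fields[3:]
        problems = []
        if not path.startswith("/"):
            problems.append("path is not a full path")
        if ftype not in DIGEST_HEX_LEN:  # kernel may support more; only two known here
            problems.append("unknown fingerprint type " + ftype)
        elif not re.fullmatch("[0-9a-fA-F]{%d}" % DIGEST_HEX_LEN[ftype], digest):
            problems.append("fingerprint is not a %s hex digest" % ftype)
        problems += ["unknown option " + o for o in options if o not in VALID_OPTIONS]
        if problems:
            errors += [(lineno, p) for p in problems]
        else:
            entries.append((path, digest.lower(), ftype, options))
    return entries, errors


def fingerprint_line(path, data, ftype="sha1", options=()):
    """Format one entry for `path`, whose contents are the bytes `data`."""
    return " ".join([path, hashlib.new(ftype, data).hexdigest(), ftype, *options])


if __name__ == "__main__":
    for lineno, message in lint_fingerprints(SAMPLE)[1]:
        print("line %d: %s" % (lineno, message))
```

Line 4 of the sample is rejected because a 32-digit digest is declared as sha1, and line 5 because the path is relative and DIRECT is not a listed option.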