Home | History | Annotate | Download | only in veriexecgen
History log of /src/usr.sbin/veriexecgen/veriexecgen.c
RevisionDateAuthorComments
 1.21  01-Aug-2019  alnsn Move case 'f' to go right after case 'F'.
 1.20  31-Jul-2019  alnsn Add an option to read entries from a file.
 1.19  23-Apr-2019  sevan Omit files not marked executable from the signature database by default.

Closes PR kern/41669
Reviewed by <agc>
 1.18  09-Sep-2017  sevan branches: 1.18.4;
Remove the ability to generate a signature database with the hash algorithms
MD5, SHA1 & RMD160 which are either broken or on their way to being broken.

Discussed on tech-security
http://mail-index.netbsd.org/tech-security/2017/08/21/msg000936.html

ok riastradh
 1.17  21-Aug-2009  elad branches: 1.17.38;
PR/41911: Jukka Ruohonen: A bug in veriexecgen

Do as suggested and add the missing 'T' to getopt() and update usage.

Thanks for the PR!
 1.16  29-Apr-2008  martin Convert to new 2 clause license
 1.15  15-May-2007  elad branches: 1.15.10;
Some Veriexec stuff that's been rotting in my tree for months.

Bug fixes:
- Fix crash reported by Scott Ellis on current-users@.

- Fix race conditions in enforcing the Veriexec rename and remove
policies. These are NOT security issues.

- Fix memory leak in rename handling when overwriting a monitored
file.

- Fix table deletion logic.

- Don't prevent query requests if not in learning mode.


KPI updates:
- fileassoc_table_run() now takes a cookie to pass to the callback.

- veriexec_table_add() was removed, it is now done internally. As a
result, there's no longer a need for VERIEXEC_TABLESIZE.

- veriexec_report() was removed, it is now internal.

- Perform sanity checks on the entry type, and enforce default type
in veriexec_file_add() rather than in veriexecctl.

- Add veriexec_flush(), used to delete all Veriexec tables, and
veriexec_dump(), used to fill an array with all Veriexec entries.


New features:
- Add a '-k' flag to veriexecctl, to keep the filenames in the kernel
database. This allows Veriexec to produce slightly more accurate
logs under certain circumstances. In the future, this can be either
replaced by vnode->pathname translation, or combined with it.

- Add a VERIEXEC_DUMP ioctl, to dump the entire Veriexec database.
This can be used to recover a database if the file was lost.
Example usage:

# veriexecctl dump > /etc/signatures

Note that only entries with the filename kept (that is, were loaded
with the '-k' flag) will be dumped.

Idea from Brett Lymn.

- Add a VERIEXEC_FLUSH ioctl, to delete all Veriexec entries. Sample
usage:

# veriexecctl flush

- Add a 'veriexec_flags' rc(8) variable, and make its default have
the '-k' flag. On systems using the default signatures file
(generaetd from running 'veriexecgen' with no arguments), this will
use additional 32kb of kernel memory on average.

- Add a '-e' flag to veriexecctl, to evaluate the fingerprint during
load. This is done automatically for files marked as 'untrusted'.


Misc. stuff:
- The code for veriexecctl was massively simplified as a result of
eliminating the need for VERIEXEC_TABLESIZE, and now uses a single
pass of the signatures file, making the loading somewhat faster.

- Lots of minor fixes found using the (still under development)
Veriexec regression testsuite.

- Some of the messages Veriexec prints were improved.

- Various documentation fixes.


All relevant man-pages were updated to reflect the above changes.

Binary compatibility with existing veriexecctl binaries is maintained.
 1.14  16-Jan-2007  hubertf * Don't include headers twice
* Remove a few trailing whitespaces
* Rearrange and join to one #if for some headers

Patch contributed by Slava Semushin <slava.semushin@gmail.com>
in private mail.
 1.13  09-Jan-2007  mjf Delete advertising clause.
 1.12  23-Dec-2006  wiz Sync usage with man page.
 1.11  19-Dec-2006  agc + some minor cosmetic changes

+ rather than using global variables, accessed all over the place, create
a local structure, and pass it down.

+ add a -p argument to denote a prefix, so that it's possible to record
a different directory hierarchy from the one that was scanned. One
typical use would be:

# ./veriexecgen -v -d /usr/dest/i386 -a -p /usr/dest/i386 -r -o fingers

to create a fingerprint database called fingers from the files located
in the /usr/dest/i386 hierarchy, but without the leading /usr/dest/i386
prefix:

# Generated by agc, Tue Dec 19 13:10:34 2006
/bin/domainname SHA256 12622c8f3698e51f090abf84ce81aaaaa1ed72135291b41a3e7d6c7b6a2a9847
/bin/chmod SHA256 5c3f8fec48601e0eaf7f47522ad8ff9fabb442b123ada97a71de285b4f6bf658

+ make veriexecgen into a host tool
 1.10  04-Dec-2006  agc Minor cosmetic changes:

1. use EXIT_SUCCESS and EXIT_FAILURE, rather than 0 or 1, throughout
2. add some comments
3. use descriptive names for variables, so that their use is easily
gleaned.
 1.9  04-Dec-2006  agc Normally, veriexecgen will treat an error such as a dangling symlink,
or an inability to get the real path, as fatal.

Be a bit more verbose about this in the default case - tell the user
which directory entry caused the failure.

Also introduce a new -W flag, which will warn the user about the
error, but will still continue processing - it treats errors as
warnings, and allows a signatures file to be built.
 1.8  30-Oct-2006  christos branches: 1.8.2;
kill crypto/rmd160.h and crypto/sha2.h, and instead make symlinks to
/usr/include from /usr/include/sys. This makes all the one way hash
header handling identical.
 1.7  27-Oct-2006  elad For now, also mark "file" entries as "indirect".
 1.6  23-Sep-2006  elad Add /lib, /libexec, and /usr/libexec to -D. Update man page.
 1.5  19-Sep-2006  elad Oops, fix test. Pointed out by Matt Fleming, thanks!
 1.4  18-Sep-2006  elad Oops, -S is supposed to be optional. Pointed out by Matt Fleming, thanks!
 1.3  18-Sep-2006  elad Add the -S flag, for setting the signatures file immutable after creating
it.
 1.2  16-Sep-2006  elad crypto/sha1.h -> sha1.h
 1.1  16-Sep-2006  elad Add a C version of Veriexec's fingerprint generator, written by Matt
Fleming.

This one has some nice options -- for example, an admin can run right
after installing a system:

fpgen -D

and it will fingerprint a set of "common" system directories to the
default loaction. See the man-page for more stuff.

Performance-wise, here are results for both fpgen.sh (old) and this
new tool:

474.599u 574.335s 13:53.05 125.9% 0+0k 0+307io 0pf+0w

0.424u 0.131s 0:00.56 98.2% 0+0k 0+2io 0pf+0w

...guess which is which? (that's ~1500 times *faster*)
 1.8.2.1  09-Dec-2006  bouyer Pull up following revision(s) (requested by elad in ticket #255):
usr.sbin/veriexecgen/veriexecgen.c: revision 1.9
usr.sbin/veriexecgen/veriexecgen.8: revision 1.9
Normally, veriexecgen will treat an error such as a dangling symlink,
or an inability to get the real path, as fatal.
Be a bit more verbose about this in the default case - tell the user
which directory entry caused the failure.
Also introduce a new -W flag, which will warn the user about the
error, but will still continue processing - it treats errors as
warnings, and allows a signatures file to be built.
 1.15.10.1  18-May-2008  yamt sync with head.
 1.17.38.1  11-Sep-2017  snj Pull up following revision(s) (requested by sevan in ticket #272):
usr.sbin/veriexecgen/veriexecgen.c: 1.18
usr.sbin/veriexecgen/veriexecgen.8: 1.18-1.19
Remove the ability to generate a signature database with the hash algorithms
MD5, SHA1 & RMD160 which are either broken or on their way to being broken.
Discussed on tech-security
http://mail-index.netbsd.org/tech-security/2017/08/21/msg000936.html
ok riastradh
--
Fix enumeration.
 1.18.4.2  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.18.4.1  10-Jun-2019  christos Sync with HEAD

RSS XML Feed