Current-Users archive


about veriexec


I have enabled veriexec support and then created a signature file including the /usr/pkg/* binaries and libraries. I see the signature file under etc. After rebooting, sysctl shows

kern.veriexec.verbose = 0
kern.veriexec.strict = 1

To test the veriexec strict=1 level, I *updated* some software, i.e. lynx, and then noticed that the system allows replacing monitored binaries and then executing them although their SHA signatures mismatch.

I would expect the kernel not to replace those files and not to execute them, since man veriexec mentions:

    IDS mode (strict level 1)
          IDS (intrusion detection system) mode provides an adequate level of
          integrity for the files it monitors.  Implications:

          -   Monitored files cannot be removed ********
          -   If raw disk access is granted to a disk with monitored files on
              it, all monitored files' fingerprints will be invalidated
          -   Access to files with mismatched fingerprints is denied **********
          -   Write access to monitored files is allowed
          -   Access type is not enforced

Well, maybe someone can clarify; probably I misunderstand something.
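The "mismatched fingerprint" state that strict level 1 is documented to deny can be checked offline against a signatures file, for instance right after a package upgrade. The following is an added example, not code from the original post or from NetBSD: it parses the "path TYPE fingerprint [flags]" line format of veriexec(5), recomputes each fingerprint and reports which monitored files are intact, mismatched or gone; the file names and contents in demo() are constructed, and comment handling with "#" is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Fingerprint types named in veriexec(5), mapped to hashlib algorithm names.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
              "SHA384": "sha384", "SHA512": "sha512", "RMD160": "ripemd160"}

def parse_signatures(text):
    """Parse signature lines of the form 'path TYPE fingerprint [flags]'.
    Flags are comma separated; '#' starts a comment (assumed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            raise ValueError(f"malformed signature line: {raw!r}")
        flags = [f.strip().upper() for f in fields[3].split(",")] if len(fields) == 4 else []
        entries.append((fields[0], fields[1].upper(), fields[2].lower(), flags))
    return entries

def fingerprint(path, ftype):
    """Hash a file with the algorithm its signature entry names."""
    return hashlib.new(ALGORITHMS[ftype], Path(path).read_bytes()).hexdigest()

def check(entries):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every monitored file.
    'mismatch' is the state in which strict level 1 denies access."""
    status = {}
    for path, ftype, expected, _flags in entries:
        if not Path(path).is_file():
            status[path] = "missing"
        else:
            status[path] = "ok" if fingerprint(path, ftype) == expected else "mismatch"
    return status

def demo():
    """Constructed scenario: a monitored binary is replaced by a package upgrade."""
    d = Path(tempfile.mkdtemp())
    lynx = d / "lynx"  # stand-in for a monitored /usr/pkg binary
    lynx.write_bytes(b"original lynx binary\n")
    sigs = (f"{lynx} SHA256 {fingerprint(lynx, 'SHA256')} FILE, DIRECT\n"
            f"{d / 'removed'} SHA256 {'0' * 64} FILE\n")
    before = check(parse_signatures(sigs))
    lynx.write_bytes(b"upgraded lynx binary\n")  # the upgrade writes a new file in place
    after = check(parse_signatures(sigs))
    return before, after
```

Running check() over the real signatures file lists exactly the entries whose fingerprints no longer match what the kernel loaded at boot.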

