about veriexec

To: NetBSD-current Users's Discussion List <current-users%netbsd.org@localhost>
Subject: about veriexec
From: Cem Kayali <cemkayali%eticaret.com.tr@localhost>
Date: Sun, 14 Dec 2008 03:27:09 +0200


Hello!

I have enabled veriexec support and then created signature fileincluding /usr/pkg/* binaries and libraries. I see signature file underetc. After rebooting, sysctl shows


kern.veriexec.verbose = 0
kern.veriexec.strict = 1

To test veriexec strict=1 level, i *updated* some of softwares ie; lynxand then noticed that system allows to replace monitored binaries andthen execute them although their sha signatures mismatch.

I would expect kernel not to replace those files and not to executesince man veriexec mentions:


    IDS mode (strict level 1)

IDS (intrusion detection system) mode provides an adequatelevel of

          integrity for the files it monitors.  Implications:

          -   Monitored files cannot be removed********

- If raw disk access is granted to a disk with monitoredfiles on

              it, all monitored files' fingerprints will be invalidated

- Access to files with mismatched fingerprints isdenied**********

          -   Write access to monitored files is allowed
          -   Access type is not enforced



Well, maybe someone clarify, probabaly i mis-understand something.

Thanks
Cem

Follow-Ups:
- Re: about veriexec
  - From: Elad Efrat

Prev by Date: Re: Boot-time debug messages
Next by Date: daily NetBSD-5 branch CVS update output
Previous by Thread: Boot-time debug messages
Next by Thread: Re: about veriexec
Indexes:

Home | Main Index | Thread Index | Old Index