Current-Users archive


Re: about veriexec



Cem Kayali wrote:

It looks like sysctl.conf modifies the strict value before veriexec loads the signature file, and there is no way to update/load the signature file after kern.veriexec.strict>0.

    load [file]
          Load the fingerprint entries contained in file, if specified, or
          the default signatures file otherwise.
          This operation is only allowed in learning mode (strict level
          zero).


This is confusing; it is hard to guess such an order.

Ah, but Veriexec's strict levels shouldn't be modified using
sysctl.conf, but rather the Veriexec flags in rc.conf. From veriexec(8):

   RC Configuration
     Veriexec also allows loading signatures and setting the strict
     level (see below) during the boot process using the following
     variables set in rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode

Maybe we should document this better, perhaps a note in sysctl(7)? (see
diff attached, for real this time :)

Thanks,

-e.
Index: sysctl.7
===================================================================
RCS file: /usr/cvs/src/share/man/man7/sysctl.7,v
retrieving revision 1.17
diff -u -p -r1.17 sysctl.7
--- sysctl.7    12 Nov 2008 12:35:53 -0000      1.17
+++ sysctl.7    14 Dec 2008 17:59:13 -0000
@@ -838,6 +838,11 @@ The number of raw input characters.
 Random integer value.
 .It Li kern.veriexec
 Tunings for Verixec.
+Veriexec's strict and verbose levels should be set from
+.Xr rc.conf 5 ,
+see
+.Xr veriexec 8
+for more information.
 .Bl -tag -width "123456"
 .It Li kern.veriexec.algorithms
 Returns a string with the supported algorithms in Veriexec.
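Review bot: the added sentence joins two clauses with a comma ("should be set from rc.conf(5), see veriexec(8) for more information"); split it so mdoc gets one sentence per line, e.g. `+.Xr rc.conf 5 .` / `+See` / `+.Xr veriexec 8`, followed by `+for more information.`. The addition also covers the verbose level, while the veriexec(8) RC Configuration excerpt quoted in the mail lists only veriexec_strict; confirm the rc.conf variable for verbosity is documented in veriexec(8) before sending readers there. The unchanged context line "Tunings for Verixec." misspells Veriexec and could be fixed in the same commit.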
@@ -2009,6 +2014,16 @@ security model will be available under t
 See
 .Xr secmodel 9
 for more information.
+.It Li security.tpe
+Trusted Path Execution (TPE) settings.
+For more information please see
+.Xr security 8 .
+.Pp
+.Bl -tag -width "123456"
+.It Li security.tpe.enabled
+Enables TPE if non-zero, otherwise disables TPE.
+TPE is disabled by default.
+.El
 .It Li security.pax
 Settings for PaX -- exploit mitigation features.
 For more information on any of the PaX features, please see
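Review bot: the security.tpe entry added in this hunk is unrelated to the Veriexec/rc.conf note this mail proposes and should go in its own commit so each change can be reviewed and reverted on its own. Within the hunk, the nested `.Bl -tag -width "123456"` / `.El` pair is balanced, and the default-value sentence matches the style of the kern.veriexec entries, so once split out the hunk looks fine; just confirm security(8) actually covers TPE, since the entry points readers there for details.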

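As an added check for the ordering pitfall discussed above (example code written here, not from the thread or from NetBSD's own tooling): a POSIX sh function that flags kern.veriexec.strict in sysctl.conf and confirms the rc.conf variables quoted from veriexec(8) are present instead. File paths are arguments, and the sample files are constructed.

```shell
#!/bin/sh
# check_veriexec_config SYSCTL_CONF RC_CONF
# sysctl.conf is applied before the fingerprint file is loaded, and
# 'veriexec load' is only allowed at strict level 0, so a strict level in
# sysctl.conf silently prevents the signatures from loading. Prints one line
# per finding; returns 0 if the layout matches veriexec(8), 1 otherwise.
check_veriexec_config() {
    sysctl_conf=$1 rc_conf=$2 rc=0

    # Uncommented kern.veriexec.strict assignment in sysctl.conf: wrong place.
    if grep -Eq '^[[:space:]]*kern\.veriexec\.strict[[:space:]]*=' "$sysctl_conf"; then
        echo "WARN: kern.veriexec.strict set in $sysctl_conf; use veriexec_strict in rc.conf"
        rc=1
    fi

    # rc.conf must enable Veriexec (veriexec=YES or veriexec="YES").
    if ! grep -Eq '^[[:space:]]*veriexec="?YES"?' "$rc_conf"; then
        echo "WARN: veriexec=YES missing from $rc_conf"
        rc=1
    fi

    # veriexec_strict unset means boot stays in learning mode (strict 0).
    strict=$(sed -n 's/^[[:space:]]*veriexec_strict="\{0,1\}\([0-9]*\).*/\1/p' "$rc_conf" | tail -n 1)
    if [ -z "$strict" ]; then
        echo "INFO: veriexec_strict not set in $rc_conf; boot stays in learning mode"
    else
        echo "OK: veriexec_strict=$strict in $rc_conf"
    fi
    return $rc
}

# Constructed sample files reproducing the misconfiguration from the thread.
tmp=$(mktemp -d)
cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample: strict level set in the wrong file
kern.veriexec.strict=1
EOF
cat > "$tmp/rc.conf" <<'EOF'
# constructed sample: Veriexec enabled, strict level missing
veriexec=YES
EOF
check_veriexec_config "$tmp/sysctl.conf" "$tmp/rc.conf" || echo "result: misconfigured"
rm -r "$tmp"
```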
