Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: about veriexec

Elad Efrat, 12/15/08 03:43:
Cem Kayali wrote:

It looks like sysctl.conf modifies strict value before veriexec loads signature file and there is no way to update/load signature file after kern.veriexec.strict>0.

    load [file]
Load the fingerprint entries contained in file, if specified, or
          the default signatures file otherwise.
          This operation is only allowed in learning mode (strict level

This is confusing, it is hard to guess such order.

Ah, but Veriexec's strict levels shouldn't be modified using
sysctl.conf, but rather the Veriexec flags in rc.conf. From veriexec(8):

   RC Configuration
     Veriexec also allows loading signatures and setting the strict
     level (see below) during the boot process using the following
     variables set in rc.conf(5):

           veriexec_strict=1 # IDS mode

Maybe we should document this better, perhaps a note in sysctl(7)? (see
diff attached, for real this time :)




Thanks for everything.

Thank you, a note in 'man sysctl.conf' is good plus and maybe in 'man veriexec' too because sysctl.conf performs same tasks of 'sysctl -w' during boot. --- though i accept i had to read 'man veriexec' more carefully.

Actually, NetBSD guide requires a chapter about security, instead of standard manual page... I have seen one in, but there should be official one. It should mention about

- Type of securities NetBSD offer - a list and short descriptions
- Securities enabled by default - out of box, what end-user gets after first boot - Securities that an end-user can enable - advantages, disadvantages and 'how to' sections; including kernel security levels, cgd, veriexec, pax...


Home | Main Index | Thread Index | Old Index