Re: about veriexec
Elad Efrat, 12/15/08 03:43:
> Cem Kayali wrote:
> > It looks like sysctl.conf modifies the strict value before veriexec loads
> > the signature file, and there is no way to update/load the signature file
> >
> >     Load the fingerprint entries contained in file, if
> >     the default signatures file otherwise.
> >     This operation is only allowed in learning mode (strict level
> >
> > This is confusing; it is hard to guess such an order.
>
> Ah, but Veriexec's strict levels shouldn't be modified using
> sysctl.conf, but rather the Veriexec flags in rc.conf. From veriexec(8):
>
>     Veriexec also allows loading signatures and setting the strict
>     level (see below) during the boot process using the following
>     variables set in rc.conf(5):
>
>     veriexec_strict=1 # IDS mode
>
> Maybe we should document this better, perhaps a note in sysctl(7)? (see
> diff attached, for real this time :)
>
> Thanks for everything.
Thank you, a note in 'man sysctl.conf' is a good plus, and maybe in 'man
veriexec' too, because sysctl.conf performs the same tasks as 'sysctl -w'
during boot. --- though I accept I had to read 'man veriexec' more.

Actually, the NetBSD guide needs a chapter about security, instead of a
standard manual page... I have seen one on wiki.netbsd.se, but there
should be an official one. It should mention:
- Types of security NetBSD offers - a list and short descriptions
- Security enabled by default - out of the box, what the end-user gets after
- Security features that an end-user can enable - advantages, disadvantages and
'how to' sections; including kernel security levels, cgd, veriexec, pax...
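A small POSIX sh audit for the pitfall discussed in this thread, added here as an example; it is not code from the thread or from NetBSD. It only assumes what the thread states: rc.d/sysctl applies /etc/sysctl.conf before rc.d/veriexec loads the signatures, loading is only permitted at strict level 0, and the supported place for the level is veriexec_strict in /etc/rc.conf. The sysctl name kern.veriexec.strict and the rc.conf variables veriexec / veriexec_strict are the real ones; the function name, the return codes and the sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the NetBSD sources: audit the two
# configuration files for the ordering pitfall discussed above.
#
# rc.d/sysctl applies /etc/sysctl.conf early in boot, before rc.d/veriexec
# has loaded the signatures file, and loading is only permitted at strict
# level 0. A kern.veriexec.strict line in sysctl.conf therefore raises the
# level first and leaves the fingerprint table empty. The supported place
# for the level is veriexec_strict in /etc/rc.conf, which rc.d/veriexec
# applies after loading.
#
# check_veriexec_config SYSCTL_TEXT RC_TEXT   (hypothetical helper)
#   Takes the contents of the two files as arguments, prints findings and
#   returns 0 (layout sane), 1 (strict raised in sysctl.conf) or
#   2 (veriexec enabled in rc.conf but no veriexec_strict given there).

# Drop comments, trailing whitespace and blank lines from config text on stdin.
strip_config() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d'
}

check_veriexec_config() {
    sysctl_text=$1
    rc_text=$2

    # 1. kern.veriexec.strict=<nonzero> in sysctl.conf: applied too early.
    #    A value of 0 is harmless, so only digits 1-9 are flagged.
    if printf '%s\n' "$sysctl_text" | strip_config |
        grep -Eq '^[[:space:]]*kern\.veriexec\.strict[[:space:]]*=[[:space:]]*[1-9]'; then
        echo "WARN: kern.veriexec.strict is raised in sysctl.conf; rc.d/sysctl runs" \
             "before rc.d/veriexec, so the signature load will be refused." \
             "Move the level to veriexec_strict= in rc.conf."
        return 1
    fi

    # 2. Veriexec enabled in rc.conf without an explicit strict level: the
    #    level then comes from /etc/defaults/rc.conf, which is easy to overlook.
    rc_clean=$(printf '%s\n' "$rc_text" | strip_config)
    if printf '%s\n' "$rc_clean" | grep -Eq "^[[:space:]]*veriexec=[\"']?[Yy][Ee][Ss]" &&
       ! printf '%s\n' "$rc_clean" | grep -Eq '^[[:space:]]*veriexec_strict[[:space:]]*='; then
        echo "INFO: veriexec=YES but no veriexec_strict in rc.conf; the level" \
             "will be whatever /etc/defaults/rc.conf provides."
        return 2
    fi

    echo "OK: strict level is not set from sysctl.conf"
    return 0
}

# Constructed sample configurations (not taken from any real host).
BAD_SYSCTL='kern.veriexec.strict=1   # raised before signatures load
kern.maxvnodes=8192'
OK_SYSCTL='# strict level intentionally not set here
kern.maxvnodes=8192'
RC_NO_LEVEL='veriexec=YES'
RC_WITH_LEVEL='veriexec=YES
veriexec_strict=1   # IDS mode, applied by rc.d/veriexec after loading'

# Run on the samples; on a real host:
#   check_veriexec_config "$(cat /etc/sysctl.conf)" "$(cat /etc/rc.conf)"
check_veriexec_config "$BAD_SYSCTL" "$RC_WITH_LEVEL" || :
check_veriexec_config "$OK_SYSCTL" "$RC_NO_LEVEL" || :
check_veriexec_config "$OK_SYSCTL" "$RC_WITH_LEVEL"
```

The check reads file contents rather than paths so it can be run against copies pulled from several hosts; the return code is what a boot-time or configuration-management hook would act on, and the printed message explains which of the two files the level belongs in.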