Re: about veriexec

[Cem Kayali <cemkayali%eticaret.com.tr@localhost>]

Elad Efrat, 12/15/08 03:43:
> Cem Kayali wrote:
>
> > It looks like sysctl.conf modifies strict value before veriexec loads 
> > signature file and there is no way to update/load signature file 
> > after kern.veriexec.strict>0.
> >
> >     load [file]
> >           Load the fingerprint entries contained in file, if 
> > specified, or
> >           the default signatures file otherwise.
> >           This operation is only allowed in learning mode (strict level
> >           zero).
> >
> >
> > This is confusing, it is hard to guess such order.
>
> Ah, but Veriexec's strict levels shouldn't be modified using
> sysctl.conf, but rather the Veriexec flags in rc.conf. From veriexec(8):
>
>    RC Configuration
>      Veriexec also allows loading signatures and setting the strict
>      level (see below) during the boot process using the following
>      variables set in rc.conf(5):
>
>            veriexec=YES
>            veriexec_strict=1 # IDS mode
>
> Maybe we should document this better, perhaps a note in sysctl(7)? (see
> diff attached, for real this time :)
>
> Thanks,
>
> -e.

Hi,

Thanks for everything.

Thank you, a note in 'man sysctl.conf' is good plus and maybe in 'man 
veriexec' too because sysctl.conf performs same tasks of 'sysctl -w' 
during boot. --- though i accept i had to read 'man veriexec' more 
carefully.


Actually, NetBSD guide requires a chapter about security, instead of 
standard manual page... I have seen one in wiki.netbsd.se, but there 
should be official one. It should mention about

- Type of securities NetBSD offer - a list and short descriptions
- Securities enabled by default - out of box, what end-user gets after 
first boot
- Securities that an end-user can enable - advantages, disadvantages and 
'how to' sections; including kernel security levels, cgd, veriexec, pax...


Regards,
Cem