Current-Users archive
Re: about veriexec
Cem Kayali wrote:
> Thank you, a note in 'man sysctl.conf' is a good plus and maybe in 'man
> veriexec' too because sysctl.conf performs the same tasks as 'sysctl -w'
> during boot. --- though I accept I had to read 'man veriexec' more
> carefully.

See diff attached.

> Actually, NetBSD guide requires a chapter about security, instead of
> standard manual page... I have seen one in wiki.netbsd.se, but there
> should be official one. It should mention about
> - Type of securities NetBSD offer - a list and short descriptions
> - Securities enabled by default - out of box, what end-user gets after
>   first boot
> - Securities that an end-user can enable - advantages, disadvantages and
>   'how to' sections; including kernel security levels, cgd, veriexec, pax...

I agree, and will address part of that in security(8) sometime soon. No
promises for the guide, though.

Thanks,

-e.
Index: man7/sysctl.7
===================================================================
RCS file: /cvsroot/src/share/man/man7/sysctl.7,v
retrieving revision 1.17
diff -u -p -r1.17 sysctl.7
--- man7/sysctl.7 12 Nov 2008 12:35:53 -0000 1.17
+++ man7/sysctl.7 15 Dec 2008 22:55:56 -0000
@@ -837,7 +837,12 @@ The number of raw input characters.
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
-Tunings for Verixec.
+Tunings for Veriexec.
+Veriexec's strict and verbose levels should be set from
+.Xr rc.conf 5 ,
+see
+.Xr veriexec 8
+for more information.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
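Review bot: The new sentence under kern.veriexec tells the reader to set the strict and verbose levels from rc.conf(5) but gives no reason and does not say what to avoid, so someone reading only sysctl(7) will not learn that sysctl.conf(5) is the problem. The veriexec.8 hunk states it ("it may be interpreted too late in the boot process"); repeat that clause here or say explicitly "rather than from sysctl.conf(5)". The sentence is also a comma splice across the two .Xr references: end it after "rc.conf 5" and start "See .Xr veriexec 8 for more information." on a new line, which also matches the mdoc convention of one sentence per line. Since this paragraph sits directly above the .Bl list of nodes, consider naming the nodes the advice applies to instead of "strict and verbose levels".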
Index: man8/veriexec.8
===================================================================
RCS file: /cvsroot/src/share/man/man8/veriexec.8,v
retrieving revision 1.1
diff -u -p -r1.1 veriexec.8
--- man8/veriexec.8 18 Feb 2008 10:37:20 -0000 1.1
+++ man8/veriexec.8 15 Dec 2008 22:55:56 -0000
@@ -90,6 +90,11 @@ the boot process using the following var
veriexec=YES
veriexec_strict=1 # IDS mode
.Ed
+Please note that while
+.Xr sysctl 8
+is used to set the strict and verbose levels, you should not use
+.Xr sysctl.conf 5
+to set them as it may be interpreted too late in the boot process.
.Sh STRICT LEVELS
.Em Veriexec
can operate in four modes, also referred to as strict levels:
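Review bot: The added note after .Ed warns against sysctl.conf(5) for both the strict and verbose levels, but the example visible just above it only sets veriexec=YES and veriexec_strict=1, so the reader is told not to set the verbose level one way without being shown the supported way. Either name the rc.conf(5) variable for the verbose level next to veriexec_strict or limit the note to what the example covers. "May be interpreted too late in the boot process" is also vague for a security control: say what the consequence is (for example, relative to when the rc.d script applies veriexec_strict) so an administrator can judge the exposure. Minor: drop "Please note that", and add a .Pp after .Ed so the note renders as its own paragraph rather than running on from the display.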