Current-Users archive


Re: about veriexec



Cem Kayali wrote:

Thank you, a note in 'man sysctl.conf' is a good plus, and maybe in 'man veriexec' too, because sysctl.conf performs the same tasks as 'sysctl -w' during boot. --- though I accept I had to read 'man veriexec' more carefully.

See diff attached.

Actually, NetBSD guide requires a chapter about security, instead of standard manual page... I have seen one in wiki.netbsd.se, but there should be official one. It should mention about

- Type of securities NetBSD offer - a list and short descriptions
- Securities enabled by default - out of box, what end-user gets after first boot
- Securities that an end-user can enable - advantages, disadvantages and 'how to' sections; including kernel security levels, cgd, veriexec, pax...

I agree, and will address part of that in security(8) sometime soon. No
promises for the guide, though.

Thanks,

-e.
Index: man7/sysctl.7
===================================================================
RCS file: /cvsroot/src/share/man/man7/sysctl.7,v
retrieving revision 1.17
diff -u -p -r1.17 sysctl.7
--- man7/sysctl.7       12 Nov 2008 12:35:53 -0000      1.17
+++ man7/sysctl.7       15 Dec 2008 22:55:56 -0000
@@ -837,7 +837,12 @@ The number of raw input characters.
 .It Li kern.urandom ( KERN_URND )
 Random integer value.
 .It Li kern.veriexec
-Tunings for Verixec.
+Tunings for Veriexec.
+Veriexec's strict and verbose levels should be set from
+.Xr rc.conf 5 ,
+see
+.Xr veriexec 8
+for more information.
 .Bl -tag -width "123456"
 .It Li kern.veriexec.algorithms
 Returns a string with the supported algorithms in Veriexec.
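Review bot: the sentence added under kern.veriexec says only that the levels "should be set from" rc.conf(5) and never names sysctl.conf(5), which is the file a reader of sysctl(7) is most likely to reach for and the one the veriexec.8 hunk warns against. Suggest saying so here as well, for example "should be set from rc.conf(5) rather than sysctl.conf(5)", so the warning is visible without following the cross-reference. Because the sentence sits ahead of the .Bl list, it also reads as if it applied to every node, including read-only ones such as kern.veriexec.algorithms; if the list has entries for the strict and verbose levels, the note fits better beside them.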
Index: man8/veriexec.8
===================================================================
RCS file: /cvsroot/src/share/man/man8/veriexec.8,v
retrieving revision 1.1
diff -u -p -r1.1 veriexec.8
--- man8/veriexec.8     18 Feb 2008 10:37:20 -0000      1.1
+++ man8/veriexec.8     15 Dec 2008 22:55:56 -0000
@@ -90,6 +90,11 @@ the boot process using the following var
 veriexec=YES
 veriexec_strict=1 # IDS mode
 .Ed
+Please note that while
+.Xr sysctl 8
+is used to set the strict and verbose levels, you should not use
+.Xr sysctl.conf 5
+to set them as it may be interpreted too late in the boot process.
 .Sh STRICT LEVELS
 .Em Veriexec
 can operate in four modes, also referred to as strict levels:
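Review bot: "may be interpreted too late in the boot process" in the added note does not say too late relative to what, or what the administrator loses by it; for a setting the example above labels "IDS mode", one clause on the consequence would help (for instance, that the level is not yet in force for whatever runs before sysctl.conf(5) is read). The note also covers the verbose level, while the example above it shows only veriexec=YES and veriexec_strict=1, so the reader is told not to use sysctl.conf(5) for the verbose level without being shown how to set it from rc.conf(5); add that variable to the example or name it in the text.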

