Re: about veriexec

To: Cem Kayali <cemkayali%eticaret.com.tr@localhost>
Subject: Re: about veriexec
From: Elad Efrat <elad%NetBSD.org@localhost>
Date: Mon, 15 Dec 2008 03:43:02 +0200

Cem Kayali wrote:

It looks like sysctl.conf modifies strict value before veriexec loadssignature file and there is no way to update/load signature file afterkern.veriexec.strict>0.
    load [file]
          Load the fingerprint entries contained in file, if specified, or
          the default signatures file otherwise.
          This operation is only allowed in learning mode (strict level
          zero).


This is confusing, it is hard to guess such order.


Ah, but Veriexec's strict levels shouldn't be modified using
sysctl.conf, but rather the Veriexec flags in rc.conf. From veriexec(8):

   RC Configuration
     Veriexec also allows loading signatures and setting the strict
     level (see below) during the boot process using the following
     variables set in rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode

Maybe we should document this better, perhaps a note in sysctl(7)? (see
diff attached, for real this time :)

Thanks,

-e.

Index: sysctl.7
===================================================================
RCS file: /usr/cvs/src/share/man/man7/sysctl.7,v
retrieving revision 1.17
diff -u -p -r1.17 sysctl.7
--- sysctl.7    12 Nov 2008 12:35:53 -0000      1.17
+++ sysctl.7    14 Dec 2008 17:59:13 -0000
@@ -838,6 +838,11 @@ The number of raw input characters.
 Random integer value.
 .It Li kern.veriexec
 Tunings for Verixec.
+Veriexec's strict and verbose levels should be set from
+.Xr rc.conf 5 ,
+see
+.Xr veriexec 8
+for more information.
 .Bl -tag -width "123456"
 .It Li kern.veriexec.algorithms
 Returns a string with the supported algorithms in Veriexec.
@@ -2009,6 +2014,16 @@ security model will be available under t
 See
 .Xr secmodel 9
 for more information.
+.It Li security.tpe
+Trusted Path Execution (TPE) settings.
+For more information please see
+.Xr security 8 .
+.Pp
+.Bl -tag -width "123456"
+.It Li security.tpe.enabled
+Enables TPE if non-zero, otherwise disables TPE.
+TPE is disabled by default.
+.El
 .It Li security.pax
 Settings for PaX -- exploit mitigation features.
 For more information on any of the PaX features, please see

Follow-Ups:
- Re: about veriexec
  - From: Cem Kayali

References:
- about veriexec
  - From: Cem Kayali
- Re: about veriexec
  - From: Elad Efrat
- Re: about veriexec
  - From: Cem Kayali
- Re: about veriexec
  - From: Elad Efrat
- Re: about veriexec
  - From: Cem Kayali
- Re: about veriexec
  - From: Cem Kayali
- Re: about veriexec
  - From: Cem Kayali

Prev by Date: should I need to set LD_LIBRARY_PATH for X11R7 for pkg binaries now?
Next by Date: Re: USB keyboard disconnects after a while
Previous by Thread: Re: about veriexec
Next by Thread: Re: about veriexec
Indexes:

Home | Main Index | Thread Index | Old Index