VERIEXECCTL(8) System Manager's Manual VERIEXECCTL(8)
NAME
veriexecctlmanage the Veriexec subsystem
SYNOPSIS
veriexecctl
[-ekv] load [file]
veriexecctl
delete file | mount_point
veriexecctl
dump
veriexecctl
flush
veriexecctl
query file
DESCRIPTION
The veriexecctl command is used to manipulate Veriexec, the NetBSD file integrity subsystem.
Commands
load [file]
Load the fingerprint entries contained in file, if specified, or the default signatures file otherwise.
 
This operation is only allowed in learning mode (strict level zero).
 
The following flags are allowed with this command:
-e
Evaluate fingerprint on load, as opposed to when the file is accessed.
-k
Keep the filenames in the entry for more accurate logging.
-v
Enable verbose output.
delete file | mount_point
Delete either a single entry file or all entries on mount_point from being monitored by Veriexec.
dump
Dump the Veriexec database from the kernel. Only entries that have the filename will be presented.
 
This can be used to recover a lost database:
# veriexecctl dump > /etc/signatures
flush
Delete all entries in the Veriexec database.
query file
Query Veriexec for information associated with file: Filename, mount, fingerprint, fingerprint algorithm, evaluation status, and entry type.
FILES
/dev/veriexec
Veriexec pseudo-device
/etc/signatures
default signatures file
SEE ALSO
HISTORY
veriexecctl first appeared in NetBSD 2.0.
AUTHORS
Brett Lymn <blymn@NetBSD.org> Elad Efrat <elad@NetBSD.org>
NOTES
The kernel is expected to have the “veriexec” pseudo-device.