Subject: Re: kern/30817
To: None <erh@swapsimple.com>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 10/14/2005 00:19:13
Hello Eric.
erh@swapsimple.com wrote:
> So how I am supposed to know this? Given that the veriexec man page
> mentions NOTHING about how to turn it on (a mysterious reference to
> sysctl, especially just after a reference to kern.securelevel, doesn't
> count),
Veriexec does not care about securelevel:
phyre:work {13} man 4 veriexec | col -b | grep -i securelevel
phyre:work {14} man 8 veriexecctl | col -b | grep -i securelevel
phyre:work {15}
If there is a man-page in the "SEE ALSO" part of the man-page, then
you might have a look. sysctl(8) lists the entire hierarchy of the
sysctl tree, and sysctl(3) gives a description for each element.
veriexec(4) describes the veriexec pseudo-device and what ioctls
it accepts. veriexecctl(8) describes the program used to load
signatures.
> I think either this bug, or 30818, should still be open until
> the man page is updated a little.
With what? duplicate text from sysctl(3)?
> The solution of "man 3 sysctl" that you mention in 30818 is bs, since
> just knowing that there is a veriexec sysctl setting is only marginally
> helpful when you don't know what changing it does.
Ah -- but you failed to read that man-page. Let me paste:
VERIEXEC_STRICT
Controls the strict level of Verified Exec. The strict
level defines how Verified Exec will treat various
situations. In strict level 0, the system is in learning mode
and will only warn about fingerprint mismatches, as well
as allow removal of fingerprinted files. It is the only
level where fingerprints can be loaded. In strict level
1, the system is in IDS mode. It will deny access to
files with mismatched fingerprints. In strict level 2,
the system is in IPS mode. It has all effects of strict
level 1, plus it will deny write access to monitored
files, prevent their removal, and enforce access type
(direct, indirect, file). Strict level 3 operates as
lockdown mode. It will have all effects of strict level
2, but it will also prevent access to non-monitored
files. Furthermore, it will prevent addition of new
files to the system, and allow writing only to files
opened before the strict level was raised.
There is also an entire chapter in the NetBSD guide dedicated to
Veriexec:
http://netbsd.org/guide/en/chap-veriexec.html
And here's the part talking about strict levels:
http://netbsd.org/guide/en/chap-veriexec.html#chap-veriexec-strict
Please take a moment to read veriexecctl(8), veriexec(4),
and relevant parts from sysctl(3). If you are still not sure about
what each knob does or how to use Veriexec, and the online chapter
in the NetBSD guide does not help you, *then* open a PR.
-e.
--
Elad Efrat
PGP Key ID: 0x666EB914