NAME
veriexecgen — generate fingerprints for Veriexec
SYNOPSIS
veriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix] [-t algorithm]
DESCRIPTION
veriexecgen can be used to create a fingerprint database for use with Veriexec.
If no command line arguments are specified, veriexecgen falls back to its default operation, which implies -D -o /etc/signatures -t sha256.
If the output file already exists, veriexecgen will save a backup copy under the same name with a “.old” suffix appended.
The following options are available:
-A
    Append to the output file, don't overwrite it.
-a
    Add fingerprints for non-executable files as well.
-D
    Search system directories, /bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /libexec, and /usr/libexec.
-d dir
    Scan for files in dir. Multiple uses of this flag can specify more than one directory.
-h
    Display the help screen.
-o fingerprintdb
    Save the generated fingerprint database to fingerprintdb.
-p prefix
    When storing files in the fingerprint database, store the full pathnames of files with the leading “prefix” of the filenames removed.
-r
    Scan recursively.
-S
    Set the immutable flag on the created signatures file when done writing it.
-T
    Put a timestamp on the generated file.
-t algorithm
    Use algorithm for the fingerprints. Must be one of “sha256”, “sha384”, or “sha512”.
-v
    Verbose mode. Print messages describing what operations are being done.
-W
    By default, veriexecgen will exit when an error condition is encountered. This option will treat errors such as not being able to follow a symbolic link, not being able to find the real path for a directory entry, or not being able to calculate a hash of an entry as a warning, rather than an error. If errors are treated as warnings, veriexecgen will continue processing. The default behaviour is to treat errors as fatal.
FILES
/etc/signatures
EXAMPLES
Fingerprint files in the common system directories using the default hashing algorithm “sha256” and save to the default fingerprint database in /etc/signatures:
Fingerprint files in /etc, appending to the default fingerprint database:
Fingerprint files in /path/to/somewhere using “sha512” as the hashing algorithm, saving to /etc/somewhere.fp:
# veriexecgen -d /path/to/somewhere -t sha512 -o /etc/somewhere.fp
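The scan behaviour selected by -d, -r, -a, -p and -t, modelled in Python as an added example; it is not veriexecgen's source and not part of the original manual page. The “path algorithm digest” line layout, the use of the execute permission bits to decide what counts as executable, and the names fingerprint_lines and demo are assumptions of this example; the staging tree is constructed.

```python
import hashlib
import os
import stat
import tempfile

ALGORITHMS = ("sha256", "sha384", "sha512")  # values the page lists for -t

def fingerprint_lines(dirs, algorithm="sha256", recursive=False,
                      include_non_exec=False, prefix=None):
    """Return sorted 'path algorithm digest' lines (layout is an assumption)."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    strip = prefix.rstrip("/") if prefix else ""
    lines = []
    for top in dirs:                          # one entry per -d
        for root, subdirs, files in os.walk(top):
            if not recursive:
                subdirs.clear()               # without -r: top level only
            for name in files:
                path = os.path.join(root, name)
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue                  # this example hashes regular files only
                if not (mode & 0o111) and not include_non_exec:
                    continue                  # without -a: executables only (assumed test)
                with open(path, "rb") as fh:
                    digest = hashlib.new(algorithm, fh.read()).hexdigest()
                # -p: drop the leading prefix from the stored pathname
                stored = path[len(strip):] if strip and path.startswith(strip + "/") else path
                lines.append(f"{stored} {algorithm} {digest}")
    return sorted(lines)

def demo():
    """Fingerprint a constructed staging tree with and without -r/-a."""
    with tempfile.TemporaryDirectory() as stage:
        os.makedirs(os.path.join(stage, "bin", "sub"))
        for rel, mode, data in (("bin/tool", 0o755, b"#!/bin/sh\n"),
                                ("bin/notes.txt", 0o644, b"text\n"),
                                ("bin/sub/helper", 0o755, b"#!/bin/sh\nexit 0\n")):
            target = os.path.join(stage, rel)
            with open(target, "wb") as fh:
                fh.write(data)
            os.chmod(target, mode)
        scan = os.path.join(stage, "bin")
        default = fingerprint_lines([scan], prefix=stage)
        full = fingerprint_lines([scan], "sha512", recursive=True,
                                 include_non_exec=True, prefix=stage)
        return default, full
```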
SEE ALSO
veriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)