VERIEXECGEN(8) BSD System Manager's Manual VERIEXECGEN(8)NAMEveriexecgen — generate fingerprints for Veriexec
SYNOPSISveriexecgen [-AaDrSTvW] [-d dir] [-o fingerprintdb] [-p prefix]
[-t algorithm]
veriexecgen [-h]
DESCRIPTIONveriexecgen can be used to create a fingerprint database for use with
Veriexec.
If no command line arguments were specified, veriexecgen will resort to
default operation, implying -D -o /etc/signatures -t sha256.
If the output file already exists, veriexecgen will save a backup copy in
the same file only with a “.old” suffix.
The following options are available:
-A Append to the output file, don't overwrite it.
-a Add fingerprints for non-executable files as well.
-D Search system directories, /bin, /sbin, /usr/bin, /usr/sbin,
/lib, /usr/lib, /libexec, and /usr/libexec.
-d dir Scan for files in dir. Multiple uses of this flag can specify
more than one directory.
-h Display the help screen.
-o fingerprintdb
Save the generated fingerprint database to fingerprintdb.
-p prefix When storing files in the fingerprint database, store the full
pathnames of files with the leading “prefix” of the filenames
removed.
-r Scan recursively.
-S Set the immutable flag on the created signatures file when
done writing it.
-T Put a timestamp on the generated file.
-t algorithm
Use algorithm for the fingerprints. Must be one of “md5”,
“sha1”, “sha256”, “sha384”, “sha512”, or “rmd160”.
-v Verbose mode. Print messages describing what operations are
being done.
-W By default, veriexecgen will exit when an error condition is
encountered. This option will treat errors such as not being
able to follow a symbolic link, not being able to find the
real path for a directory entry, or not being able to calcu‐
late a hash of an entry as a warning, rather than an error.
If errors are treated as warnings, veriexecgen will continue
processing. The default behaviour is to treat errors as
fatal.
FILES
/etc/signatures
EXAMPLES
Fingerprint files in the common system directories using the default
hashing algorithm “sha256” and save to the default fingerprint database
in /etc/signatures:
# veriexecgen
Fingerprint files in /etc, appending to the default fingerprint database:
# veriexecgen-A -d /etc
Fingerprint files in /path/to/somewhere using “rmd160” as the hashing
algorithm, saving to /etc/somewhere.fp:
# veriexecgen-d /path/to/somewhere -t rmd160 -o /etc/somewhere.fp
SEE ALSOveriexec(4), veriexec(5), security(7), veriexec(8), veriexecctl(8)BSD February 18, 2008 BSD