
Binary signing and verification for enhanced system security

Binary signing and verification (BSV) is a security enhancement for NetScaler that improves monitoring of system security. This feature cryptographically signs binaries and libraries during the build process, embedding a unique signature within each file. The signing of binary executables ensures that the files have not been tampered with or modified, either intentionally or maliciously. During the system boot, these signatures are verified to ensure that only authorized executables are run. Verified executables are enrolled with the operating system. The system continuously monitors for and logs any attempts to run unauthorized or modified binaries. BSV logs provide detailed information about any unauthorized execution attempts, aiding in forensic investigations.

Note:

BSV is enabled by default. It can be disabled with the CLI command disable system signedExeReport and re-enabled with the enable system signedExeReport command. Either change requires a system reboot to take effect.

Logging and reporting

BSV events are logged to /var/log/messages. These logs include details such as the file path, file ID, and process ID of the unauthorized executable.

Logs contain the following details for each event:

  • Timestamp: The exact date and time when the event occurred.
  • Log Level: The severity of the event, for example, error or warning.
  • Event Details: A description of the event, including the file or executable that triggered the log.
  • Additional Parameters: Specific file and process identifiers that can be used to trace the event.

The following types of security events are related to file integrity checks:

  • No fingerprint event: This event occurs when a file does not have a valid cryptographic fingerprint or is created after the system has booted. This event can also be triggered when newly created scripts are run. The absence of a fingerprint suggests that the file has not been registered with a known cryptographic signature, which is essential for verifying its integrity. An example of this event is shown in the log entry:

    Example:

     Jul 17 11:42:20 <kern.err> ns kernel: MAC/veriexec: no fingerprint (file=/var/example fsid=96 fileid=3538 gen=89 uid=0 pid=6253 ppid=6250 gppid=1)
    
  • Fingerprint mismatch event: This event is logged when the fingerprint of a file or executable does not match the previously registered fingerprint. This discrepancy indicates that the file was modified after the system booted, which might be a sign of unauthorized changes or tampering. An example of this event is shown in the log entry:

    Example:

     Jul 17 11:44:25 <kern.err> ns kernel: MAC/veriexec: fingerprint does not match loaded value (file=/bin/example fsid=20 fileid=2567 gen=81 uid=0 pid=6515 ppid=6003 gppid=6002)
    

The following parameters in the log entries provide detailed information about the events that occur within a file system:

  • file: The path of the file that triggered the event.
  • fsid: The file system identifier, which helps to uniquely identify the file system in use.
  • fileid: A unique identifier for the file within the file system.
  • gen: The generation number of the file, which helps track changes to the file over time.
  • uid: The user ID of the process running the executable.
  • pid: The process ID of the running process.
  • ppid: The parent process ID.
  • gppid: The grandparent process ID, which provides further context on the process hierarchy.
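As an added example (not code from NetScaler or this documentation), the following Python parser reads constructed lines shaped like the two /var/log/messages entries above, extracts the event type and the parameters just listed, and assigns a triage severity. The severity mapping (mismatch high, no fingerprint medium) is an assumption chosen for illustration, not a NetScaler setting.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log excerpt, modelled on the entries shown above.
SAMPLE_LOG = """\
Jul 17 11:42:20 <kern.err> ns kernel: MAC/veriexec: no fingerprint (file=/var/example fsid=96 fileid=3538 gen=89 uid=0 pid=6253 ppid=6250 gppid=1)
Jul 17 11:43:01 <kern.info> ns kernel: unrelated message that must be ignored
Jul 17 11:44:25 <kern.err> ns kernel: MAC/veriexec: fingerprint does not match loaded value (file=/bin/example fsid=20 fileid=2567 gen=81 uid=0 pid=6515 ppid=6003 gppid=6002)
"""

# Timestamp, <facility.level>, host, then "MAC/veriexec: <event> (<key=value ...>)".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) <(?P<level>[^>]+)> \S+ kernel: "
    r"MAC/veriexec: (?P<event>.+?) \((?P<params>[^)]*)\)$"
)

@dataclass
class VeriexecEvent:
    timestamp: str
    level: str
    event: str    # "no fingerprint" or "fingerprint does not match loaded value"
    params: dict  # file, fsid, fileid, gen, uid, pid, ppid, gppid

def parse_line(line: str) -> Optional[VeriexecEvent]:
    """Return a VeriexecEvent for a BSV line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = {}
    for token in m.group("params").split():
        key, _, value = token.partition("=")
        params[key] = int(value) if value.isdigit() else value  # ids -> int
    return VeriexecEvent(m.group("ts"), m.group("level"), m.group("event"), params)

def parse_log(text: str) -> list:
    """Parse every line of a log excerpt, keeping only BSV events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def severity(ev: VeriexecEvent) -> str:
    """Assumed triage rule: a registered file changing after boot outranks
    an unsigned file, since new scripts also produce no-fingerprint noise."""
    if ev.event.startswith("fingerprint does not match"):
        return "high"
    return "medium"

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(severity(ev), ev.timestamp, ev.params["file"], "pid", ev.params["pid"])
```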

Limitations

  • BSV logs events for newly created scripts, even though these scripts are not individually signed.

    Any new script created after the system has booted generates a log entry, regardless of whether it has a cryptographic signature or not. This behavior can result in numerous log entries for scripts that are not necessarily a security threat, potentially making it more challenging to identify genuine security issues.

  • The initial verification process during boot might introduce a slight delay.

    When the system boots, BSV performs a verification process to ensure the integrity of files and executables. This process involves checking cryptographic fingerprints and can take some time to complete.
