veriexecctl —
manage the Veriexec subsystem
  
    | veriexecctl | [ -ekv]load[file] | 
  
    | veriexecctl | deletefile |
      mount_point | 
The veriexecctl command is used to manipulate
  Veriexec, the NetBSD file integrity
  subsystem.
  - load[file]
- Load the fingerprint entries contained in file, if
      specified, or the default signatures file otherwise.
    This operation is only allowed in learning mode (strict level
        zero). The following flags are allowed with this command: 
      - -e
- Evaluate fingerprint on load, as opposed to when the file is
        accessed.
- -k
- Keep the filenames in the entry for more accurate logging.
- -v
- Enable verbose output.
 
- deletefile | mount_point
- Delete either a single entry file or all entries on
      mount_point from being monitored by
      Veriexec.
- dump
- Dump the Veriexec database from the kernel. Only entries
      that have the filename will be presented.
    This can be used to recover a lost database: 
    
# veriexecctl dump > /etc/signatures
    
 
- flush
- Delete all entries in the Veriexec database.
- queryfile
- Query Veriexec for information associated with
      file: Filename, mount, fingerprint, fingerprint
      algorithm, evaluation status, and entry type.
  - /dev/veriexec
- Veriexec pseudo-device
- /etc/signatures
- default signatures file
veriexecctl first appeared in NetBSD
  2.0.
The kernel is expected to have the “veriexec” pseudo-device.