Veriexec Overview

Verified Exec (also known as veriexec) is a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device. Originally developed for the NetBSD OS, veriexec was adapted for Junos OS and enabled by default from Junos OS Release 7.5 onward.

How Veriexec Works

Veriexec provides the kernel with a digitally signed manifest consisting of a set of fingerprints for all the executables and other files that should remain immutable. The veriexec loader feeds the contents of the manifest to the kernel only if the digital signature of the manifest is successfully verified. The kernel can then verify if a file matches its fingerprint. If veriexec is being enforced, only executables with a verified fingerprint will run. The protected files cannot be written to, modified, or changed.

Each install image contains a manifest. The manifest is read-only. It contains entries such as the following:

If a file has been modified and the resulting fingerprint differs from the one in the manifest, you will see a log message, such as the following example:

The log message is in the following format:

The fingerprint mismatch indicates that the file has been modified. Don’t try to run the file. It could contain corrupted code. Contact JTAC.

The Importance of Veriexec

Veriexec is an effective and important tool for protecting against those seeking to breach the system security of Juniper Networks routers, switches, and firewalls. It thwarts threat actors who might want to establish a foothold on the system, gain persistent unauthorized access, or otherwise transition the system into a failure state. If such actors can run arbitrary unsigned binaries, they can make unauthorized modifications and run malware or other code that violates security policy.

Customers can add signed and authorized code with veriexec enforced to Junos OS by using the JET SDK. For more on the SDK solution, see On-Device Applications in the Juniper Extension Toolkit Developer Guide.

How to Verify If Veriexec Is Enforced on a Device Running Junos OS

The following subsections describe how to check whether veriexec is enforced on a device.

Some Junos OS platforms offer an optional version of Junos OS with veriexec enforcement disabled (referred to as Junos Enhanced Automation or Junos Flex). For more information about Junos Enhanced Automation, see Overview of Junos Automation Enhancements on Devices Running Junos OS with Enhanced Automation.

Use the sysctl security.mac.veriexec.state Command for Junos OS Release 15.1 and Later

Administrators can check whether veriexec is enforced by running the following commands from the Junos CLI shell:

  1. Start the shell.
    username@hostname> start shell
  2. Use the sysctl security.mac.veriexec.state command.
    % sysctl security.mac.veriexec.state

    If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.

Note

The security.mac.veriexec.state command is only valid in Junos OS Release 15.1 and later.

An Alternative Method to Check If Veriexec Is Enforced

You can double-check whether veriexec is enforced by using this method.

  1. Create a shell script named hello.sh.
  2. Add execute permission for hello.sh.
    % chmod +x hello.sh
  3. Run the script.
    % sh hello.sh

    Alternatively, you can use ./ to run the script.

    % ./hello.sh

    An Authentication error message in the output indicates that veriexec is enforced and refused to run the unsigned script.
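As an added example that is not part of the Juniper documentation, the following POSIX shell script automates both checks described above: it classifies the sysctl output and, where the sysctl is unavailable (pre-15.1 releases or a non-Junos host), falls back to the unsigned-script probe. The function names and the probe script are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Juniper page: automate the two enforcement
# checks described above. Function names are this example's own choice.

# Classify one line of `sysctl security.mac.veriexec.state` output.
# Prints "enforced", "not-enforced" or "unknown".
classify_veriexec_state() {
    case "$1" in
        *"loaded active enforce"*) echo enforced ;;
        *"loaded active"*)         echo not-enforced ;;
        *)                         echo unknown ;;
    esac
}

# Classify the output of running an unsigned script (the hello.sh probe).
# "Authentication error" means the kernel refused a file with no fingerprint.
classify_probe_output() {
    case "$1" in
        *"Authentication error"*) echo enforced ;;
        *)                        echo not-enforced ;;
    esac
}

# Live check on this host. Returns 0 when veriexec is enforced, 1 otherwise.
# Prefers the sysctl (Junos OS 15.1 and later); falls back to the probe.
veriexec_enforced() {
    state=$(sysctl security.mac.veriexec.state 2>/dev/null) || state=""
    if [ -n "$state" ]; then
        [ "$(classify_veriexec_state "$state")" = enforced ] && return 0
        return 1
    fi
    # Constructed probe script, equivalent to the page's hello.sh.
    probe=$(mktemp) || return 1
    printf '#!/bin/sh\necho hello\n' > "$probe"
    chmod +x "$probe"
    out=$("$probe" 2>&1) || true
    rm -f "$probe"
    [ "$(classify_probe_output "$out")" = enforced ] && return 0
    return 1
}

if veriexec_enforced; then
    echo "veriexec: enforced"
else
    echo "veriexec: not enforced"
fi
```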