Verified Exec (also known as veriexec) is a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device. Originally developed for the NetBSD OS, veriexec was adapted for Junos OS and enabled by default from Junos OS Release 7.5 onward.
How Veriexec Works
Veriexec provides the kernel with a digitally signed manifest consisting of a set of fingerprints for all the executables and other files that should remain immutable. The veriexec loader feeds the contents of the manifest to the kernel only if the digital signature of the manifest is successfully verified. The kernel can then verify if a file matches its fingerprint. If veriexec is being enforced, only executables with a verified fingerprint will run. The protected files cannot be written to, modified, or changed.
Each install image contains a manifest. The manifest is read-only. Each entry gives a file's path relative to the root of the image, its SHA-1 fingerprint, the expected owner, group, and mode, and optional flags (such as no_ptrace, no_fips, indirect, or trusted) that further constrain how the file may be used. The manifest contains entries such as the following:
etc/rc sha1=478eeda6750c455fbfc18eeb06093e32a341911b uid=0 gid=0 mode=644
etc/rc.verify sha1=15566bb2731abee890fabd0ae8799e02071e006c uid=0 gid=0 mode=644
usr/libexec/veriexec-ext.so.1 sha1=8929292d008d12cd5beb2b9d9537458d4974dd22 uid=0 gid=0 mode=550 no_fips
sbin/verify-sig sha1=cd3ffd45f30f1f9441e1d4a366955d8e2c284834 uid=0 gid=0 mode=555 no_ptrace
sbin/veriexec sha1=7b40c1eae9658f4a450eb1aa3df74506be701baf uid=0 gid=0 mode=555 no_ptrace
jail/usr/bin/php sha1=c444144fef5d65f7bbc376dc3ebb24373f1433a2 uid=0 gid=0 mode=555 indirect no_fips
usr/sbin/chassisd sha1=61b82b36da9c6fb7eeb413d809ae2764a8a3cebc uid=0 gid=0 mode=555 trusted
If a file has been modified and the resulting fingerprint differs from the one in the manifest, you will see a log message, such as the following example:
/kernel: veriexec: fingerprint for dev 100728577, file 70750 64ea873ed0ca43b113f87fa25fb30f9f60030cec != 0d9457c041bb3646eb4b9708ba605facb84a2cd0
The log message is in the following format, where the device and inode numbers identify the file and the two fingerprints are the one computed from the file on disk and the one recorded in the signed manifest:
/kernel: veriexec: fingerprint for dev <device-number>, file <inode-number> <fingerprint> != <fingerprint>
The fingerprint mismatch indicates that the file has been modified. Do not try to run the file. It could contain corrupted or malicious code. Contact JTAC.
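To make the manifest format and the mismatch message concrete, the following is an added example written for this page; it is not Juniper's veriexec code and runs entirely in user space. It parses manifest entries in the format shown above, recomputes each file's SHA-1 fingerprint, and reports any mismatch in the shape of the kernel log line (the device and inode numbers come from stat, as they do in the kernel message). The two files, their manifest, and the tampering step are all constructed inside a temporary directory; acceptance of a sha256= field is an assumption not taken from this page.

```python
"""Added example: a user-space model of the veriexec fingerprint check.

Illustrative code written for this page, not Juniper's veriexec
implementation. It parses manifest entries such as
  etc/rc sha1=478e... uid=0 gid=0 mode=644 no_ptrace
recomputes each file's digest and reports mismatches in the style of the
kernel's "fingerprint for dev ..., file ... X != Y" log line.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field


@dataclass
class ManifestEntry:
    """One manifest line: path, digest, ownership, mode and bare flags
    (no_ptrace, no_fips, indirect, trusted are the flags the page shows)."""
    path: str
    algo: str
    fingerprint: str
    uid: int
    gid: int
    mode: int
    flags: list = field(default_factory=list)


_KV = re.compile(r"^(\w+)=(.+)$")


def parse_manifest(text):
    """Parse manifest text, one entry per line, into ManifestEntry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, *fields = line.split()
        kv, flags = {}, []
        for f in fields:
            m = _KV.match(f)
            if m:
                kv[m.group(1)] = m.group(2)
            else:
                flags.append(f)            # bare word => flag such as no_ptrace
        # sha1 is what the page shows; sha256 is accepted as an assumption.
        algo = next((k for k in ("sha1", "sha256") if k in kv), None)
        if algo is None:
            raise ValueError(f"no fingerprint in manifest line: {line}")
        entries.append(ManifestEntry(path, algo, kv[algo].lower(),
                                     int(kv["uid"]), int(kv["gid"]),
                                     int(kv["mode"], 8), flags))
    return entries


def file_fingerprint(path, algo):
    """Digest a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_entry(root, entry):
    """Return None when the on-disk file matches the manifest, otherwise a
    message shaped like the kernel log line: computed digest != manifest."""
    full = os.path.join(root, entry.path)
    st = os.stat(full)
    actual = file_fingerprint(full, entry.algo)
    if actual == entry.fingerprint:
        return None
    return (f"/kernel: veriexec: fingerprint for dev {st.st_dev}, "
            f"file {st.st_ino} {actual} != {entry.fingerprint}")


def verify_tree(root, manifest_text):
    """Check every manifest entry under root; return the mismatch messages."""
    return [msg for e in parse_manifest(manifest_text)
            if (msg := check_entry(root, e)) is not None]


def demo():
    """Build a constructed two-file tree plus its manifest, verify it,
    then append to one file (simulated tampering) and verify again."""
    root = tempfile.mkdtemp()
    files = {"etc/rc": b"#!/bin/sh\necho boot\n",
             "sbin/veriexec": b"\x7fELF constructed sample, not a binary\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = "\n".join(
        f"{rel} sha1={hashlib.sha1(data).hexdigest()} uid=0 gid=0 mode=555 no_ptrace"
        for rel, data in files.items())
    clean = verify_tree(root, manifest)        # nothing modified yet
    with open(os.path.join(root, "etc/rc"), "ab") as f:
        f.write(b"echo backdoor\n")            # tamper with one protected file
    tampered = verify_tree(root, manifest)     # exactly one mismatch expected
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The real check happens in the kernel at exec and open time against a manifest whose signature has already been verified by the veriexec loader; this script only reproduces the digest comparison and the message format so the log line above can be recognised and parsed.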
The Importance of Veriexec
Veriexec is an effective and important tool for protecting against those seeking to breach the system security of Juniper Networks routers, switches, and firewalls. It thwarts threat actors who might want to establish a foothold on the system, gain persistent unauthorized access, or otherwise force the system into a failure state. If such actors can run arbitrary unsigned binaries, they can make unauthorized modifications and run malware or other code that violates security policy.
Customers can add their own signed and authorized code to Junos OS, with veriexec still enforced, by using the JET SDK. For more on the SDK solution, see On-Device Applications in the Juniper Extension Toolkit Developer Guide.
How to Verify If Veriexec Is Enforced on a Device Running Junos OS
The following subsections describe how to check whether veriexec is enforced.
Some Junos OS platforms offer an optional version of Junos OS with veriexec enforcement disabled (referred to as Junos Enhanced Automation or Junos Flex). For more information about Junos Enhanced Automation, see Overview of Junos Automation Enhancements on Devices Running Junos OS with Enhanced Automation.
Use the Juniper Malware Removal Tool
The Juniper Malware Removal Tool (JMRT) scans for and removes malware running on Junos OS. You can use the JMRT to check if veriexec is enforced on a device running Junos OS. For more information, see request system malware-scan.
Use the sysctl security.mac.veriexec.state Command for Junos OS Release 15.1 and Later
Administrators can check whether veriexec is enforced by starting a shell from the Junos CLI and running the following commands:
- Start the shell.
username@hostname> start shell
- Query the veriexec state with sysctl.
% sysctl security.mac.veriexec.state
security.mac.veriexec.state: loaded active enforce
%
If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.
The sysctl security.mac.veriexec.state command is only valid in Junos OS Release 15.1 and later.
An Alternative Method to Check If Veriexec Is Enforced
You can double-check whether veriexec is enforced by using this method.
- Create a shell script named hello.sh.
% vi hello.sh
#!/bin/sh
echo "Hello world"
- Add execute permission for hello.sh.
% chmod +x hello.sh
- Run the script.
% sh hello.sh
Alternatively, you can use ./ to run the script:
% ./hello.sh
./hello.sh: Authentication error.
Authentication error in the output indicates that veriexec is enforced: the script has no fingerprint in the signed manifest, so the kernel refuses to execute it directly.