
Rule Set Based Access Control (RSBAC) for Linux - Logging


The Logging System

The Access Control Decision Facility (ADF) contains a powerful logging system. Whether an event is logged can be specified depending on the request and target type, the user, the executable and the target object (file, fifo, symlink, directory, device, network device or network object, the latter through a template). Some of these features have to be turned on in the kernel configuration.

Logged items are the request, process ID, parent process ID (new in 1.2.1), program name, real or pseudonymous user ID, target type, target ID, attribute type, attribute value, ADF decision and the names of the modules that made this decision.

For each logging switch, the log level can be set individually for each request type:

Request-based logging is administered via the switch_adf_log command line tool or the menu rsbac_menu; the current values can also be seen in /proc/rsbac-info/adf_loglevel. The individual log settings are implemented as attributes and are set via the usual tools.

As all accesses to log settings are themselves access controlled, each model can implement its own access control scheme for their protection.

Whenever a request has run through all modules, the decision dispatcher goes through the following algorithm to decide whether the request is to be logged. Note that logging takes place if at least one of these steps decides that logging is needed, so the decision 'log' terminates the algorithm.

  1. If individual user logging is on and the user's log level for this request type is
  2. If individual program logging is on and the program's log level for this request type is
  3. If individual object logging is on, the object is of type file, fifo, symlink, dir, device, network device or network object and the object's log level for the request type is:
  4. If the log level for the request and target type combination is

The same algorithm is also used to determine whether an rsbac_adf_set_attr() call has to be logged; just replace 'result is NOT_GRANTED' by 'function returned an error'.

The rsbac_adf_set_attr() notification function is called from most interception points to inform the decision modules that the intercepted functionality has been performed successfully and that they should adjust their attribute values. It is also the only way to tell the decision modules about newly created objects.


Questions, tips, etc.

05-Aug-02, -ao