Logging Facility

The Access Control Decision Facility (ADF) also provides a powerful logging system.

It is possible to log events, depending on the request, target type, user, executable and target object (with individual settings for the files, directories, fifos, links, devices, and network objects).

Some of the features have to be enabled in the kernel configuration to be available.

It is also possible to log pseudonyms instead of real user IDs, thus providing some user privacy. The current implementation also hides some of the user specific directory names (e.g. /home/userid/..)

Logged items are:

The logging format is standardised for automatic log processing or/and intrusion detection.

The following algorithm is used:

  1. If individual user logging is active and the user's log level for this request type is
    • none: go to step 2
    • full: log
  2. If individual program logging is active and the program's log level for this request type is
    • none: go to step 3
    • full: log
  3. If individual object logging is active, the object is of type file, dir, fifo, symlink, device or network object and the object's log level for the request type is:
    • none: no logging
    • denied: log, if result is NOT_GRANTED, else no logging
    • full: log
    • request based (default value): go to step 4
  4. If the log level for the request and target type combination is
    • none: no logging
    • denied: log, if result is NOT_GRANTED, else no logging
    • full: log

Logging can be very useful in many situations. E.g. you can find out, what a program is really doing for debugging purposes. You can also monitor a suspicious program or user, or simply have a program analysing the output to either help create new security policies, or check for suspicious activity automatically.


Table of Contents: RSBAC Handbook
Previous: Interfaces
Next: Runtime Registration