documentation:rsbac_handbook:architecture_implementation:framework_components:logging_facility
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Logging Facility

The Access Control Decision Facility (ADF) also provides a powerful logging system.

It is possible to log events, depending on the request, target type, user, executable and target object (with individual settings for the files, directories, fifos, links, devices, and network objects).

Some of the features have to be enabled in the kernel configuration to be available.

It is also possible to log pseudonyms instead of real user IDs, thus providing some user privacy. The current implementation also hides some of the user specific directory names (e.g. /home/userid/..)

Logged items are:

  • request
  • process ID
  • parent process ID
  • process name
  • program file
  • real or pseudonymous user ID who triggered the event
  • real or pseudonymous original user ID of the process itself (if different from above)
  • IP address the user connected from (if any)
  • target type
  • target ID
  • attribute type
  • attribute value
  • ADF decision
  • names of the modules that returned the above ADF decision

The logging format is standardised for automatic log processing or/and intrusion detection.

The following algorithm is used:

  1. If individual user logging is active and the user's log level for this request type is
    • none: go to step 2
    • full: log
  2. If individual program logging is active and the program's log level for this request type is
    • none: go to step 3
    • full: log
  3. If individual object logging is active, the object is of type file, dir, fifo, symlink, device or network object and the object's log level for the request type is:
    • none: no logging
    • denied: log, if result is NOT_GRANTED, else no logging
    • full: log
    • request based (default value): go to step 4
  4. If the log level for the request and target type combination is
    • none: no logging
    • denied: log, if result is NOT_GRANTED, else no logging
    • full: log

Logging can be very useful in many situations. E.g. you can find out, what a program is really doing for debugging purposes. You can also monitor a suspicious program or user, or simply have a program analysing the output to either help create new security policies, or check for suspicious activity automatically.


Table of Contents: RSBAC Handbook
Previous: Interfaces
Next: Runtime Registration

//
documentation/rsbac_handbook/architecture_implementation/framework_components/logging_facility.txt · Last modified: 2007/03/10 22:23 by 127.0.0.1

documentation/rsbac_handbook/architecture_implementation/framework_components/logging_facility.txt · Last modified: 2007/03/10 22:23 by 127.0.0.1
This website is kindly hosted by m-privacy