documentation:rsbac_handbook:appendixes:rsbac_reference:kernel_parameters
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Kernel Boot Parameters

The RSBAC kernel accepts the following boot parameters:

General

  • rsbac_no_defaults: suppress creation of default settings, useful for restore from existing backup. Warning: An unconfigured system will only come up in softmode or maint mode, and softmode will produce loads of logging (see rsbac_nosyslog option…).
  • rsbac_dac_disable (only, if enabled in kernel config): disable Linux DAC
  • rsbac_nosyslog: do not log to syslog for this boot time
  • rsbac_no_init_delay: disable delayed init for this single boot (if init delay is enabled in kernel config)
  • rsbac_delayed_root=major[:minor]: initialize, when this device gets mounted. Omit minor or set to 00 to match all devices with this major number. Delayed init must be enabled in kernel config.
  • rsbac_fd_cache_disable: Disable FD cache for this uptime

Softmode, Freezing and Module Switching

  • rsbac_softmode (only, if enabled on kernel config): switch to global softmode
  • rsbac_softmode_once (only, if enabled on kernel config): switch to global softmode and disallow to switch it on again later
  • rsbac_softmode_never (only, if softmode enabled on kernel config): disallow to switch global softmode on during this runtime
  • rsbac_softmode_<mod> (module name in lowercase, e.g. rc, only if enabled): switch individual module softmode to on
  • rsbac_freeze (only, if enabled in kernel config): Disallow RSBAC administration for this runtime. Freezing does not depend on softmode, it always works.
  • rsbac_switch_off_<mod> (module name in lowercase, e.g. rc, only if switching off is enabled in kernel config): switch individual module off

Module Specific

  • rsbac_auth_enable_login: Sets auth_may_setuid for /bin/login, if AUTH module is on. A good emergency helper, if you cannot login anymore.
  • rsbac_auth_learn (only, if enabled in kernel config): enable AUTH learning mode, where AUTH module adds all missing capabilities automatically instead of denying the request.
  • rsbac_rc_learn (only, if enabled in kernel config): enable RC learning mode, where RC module adds all missing rights automatically instead of denying the request.
  • rsbac_acl_learn and rsbac_acl_learn_fd (only, if enabled in kernel config): enable ACL learning mode for user rights to filesystem objects
  • rsbac_um_no_excl: Disable exlusive user management for this uptime.
  • rsbac_daz_ttl=n: Set DAZ cache item ttl to n seconds for this boot.
  • rsbac_cap_process_hiding: process hiding
  • rsbac_cap_log_missing: Log all failed calls to capable() for caps, which are not in the CAP user or program max_caps set. Use to see which caps should be added to make a program work.
  • rsbac_cap_learn (only, if enabled in kernel config): enable CAP learning mode, where CAP module adds all missing capabilities to max_caps of user and program automatically instead of denying the request.
  • rsbac_jail_log_missing (new in 1.2.5): Log all failed calls to capable() for caps, which are not in the JAIL call max_caps parameter. Use to see which caps should be added to make a program work.

Logging

  • rsbac_syslog_rate=n: Max. number of kernel log messages from RSBAC per second
  • rsbac_rmsg_maxentries=n: Set number of messages to be held in local RSBAC log buffer
  • rsbac_log_remote_maxentries=n: Set number of messages to be held in remote RSBAC log buffer
  • rsbac_log_remote_addr=a.b.c.d: Set remote logging address to a.b.c.d
  • rsbac_log_remote_port=n: Set remote logging port to n. Remote logging must be enabled in kernel config.

Debugging

  • rsbac_debug_all: Sets all debug options - in fact turns on a huge amount of logging. Beware of a fast growing system log. Hardly ever recommended.
  • rsbac_debug_ds: Debug messages from the Data Structures component.
  • rsbac_debug_aef: Debug messages from the enforcement component (AEF).
  • rsbac_debug_no_adf: Set default log level value for all request types to 0: Do not log.
  • rsbac_debug_adf (default, so obsolete): Set default log level value for all request types to 1: Logging messages from the decision component (ADF) for all requests that were denied (highly recommended for testing, even in normal use). If provided, pseudonyms of users are used.
  • rsbac_debug_adf_all: Set default log level value for all request types to 2: Logging messages from the decision component (ADF) for all requests. If provided, pseudonyms of users are used. Gives a real lot of logging stuff. Never try this, if checking of sys_syslog is turned on and log levels have not yet been saved to keep them permanent…
  • rsbac_debug_ds_pm: Debug messages from the Data Structures component, on access to privacy model data.
  • rsbac_debug_aef_pm: Debug messages for privacy model specific system calls.
  • rsbac_debug_adf_pm: Debug messages for access control in privacy module.
  • rsbac_debug_pm: Sets rsbac_debug_ds_pm, rsbac_debug_aef_pm, rsbac_debug_adf_pm (recommended for testing privacy model).
  • rsbac_debug_adf_ms: Debug messages for access control in Malware Scan.
  • rsbac_debug_ds_rc: Debug messages from the Data Structures component, on access to Role Compatibility model data.
  • rsbac_debug_aef_rc: Debug messages for Role Compatibility model specific system calls.
  • rsbac_debug_adf_rc: Debug messages for access control in RC module.
  • rsbac_debug_rc: Sets rsbac_debug_ds_rc, rsbac_debug_aef_rc, rsbac_debug_adf_rc.
  • rsbac_debug_ds_auth: Debug messages from the Data Structures component, on access to AUTH model data.
  • rsbac_debug_aef_auth: Debug messages for AUTH model specific system calls.
  • rsbac_debug_adf_auth: Debug messages for access control in AUTH module.
  • rsbac_debug_auth: Sets rsbac_debug_ds_auth, rsbac_debug_aef_auth, rsbac_debug_adf_auth.
  • rsbac_debug_ds_acl: Debug messages from the Data Structures component, on access to Access Control Lists (ACL) model data.
  • rsbac_debug_aef_acl: Debug messages for ACL model specific system calls.
  • rsbac_debug_adf_acl: Debug messages for access control in ACL module.
  • rsbac_debug_acl: Sets rsbac_debug_ds_acl, rsbac_debug_aef_acl, rsbac_debug_adf_acl.
  • rsbac_debug_no_write: Turn writing to disk off for this single boot time. For testing.
  • rsbac_debug_auto: Debug messages from auto-write / rsbacd. Recommended for a good disk saving overview.
  • rsbac_debug_write: Debug messages from all attribute writing related procedures.



Table of Contents: RSBAC Handbook

//
documentation/rsbac_handbook/appendixes/rsbac_reference/kernel_parameters.txt · Last modified: 2009/11/12 13:22 by 127.0.0.1

documentation/rsbac_handbook/appendixes/rsbac_reference/kernel_parameters.txt · Last modified: 2009/11/12 13:22 by 127.0.0.1
This website is kindly hosted by m-privacy