The Access Control Decision Facility (ADF) also provides a powerful logging system.
It is possible to log events depending on the request, target type, user, executable and target object (with individual settings for files, directories, fifos, links, devices, and network objects).
Some of the features have to be enabled in the kernel configuration to be available.
It is also possible to log pseudonyms instead of real user IDs, thus providing some user privacy. The current implementation also hides some of the user specific directory names (e.g. /home/userid/...).
Logged items are:
The logging format is standardised for automatic log processing and/or intrusion detection.
The following algorithm is used:
Logging can be very useful in many situations. E.g. you can find out what a program is really doing, for debugging purposes. You can also monitor a suspicious program or user, or simply have a program analyse the output to either help create new security policies or check for suspicious activity automatically.
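As an added illustration of the automatic processing mentioned above (example code, not from the RSBAC project): a small Python analyser that parses the fields the ADF logs (request, executable, user, target type, target object, decision) from constructed sample lines and counts denied requests per user and executable. The line layout and field names are an assumption and must be adapted to the real kernel output; the user field may hold a pseudonym, which the analyser treats as an opaque token.

```python
import re
from collections import Counter

# Constructed sample lines in an ASSUMED RSBAC-ADF-style layout; the real
# kernel messages may differ, so adjust LINE_RE to the actual output.
SAMPLE_LOG = """\
rsbac_adf_request(): request READ_OPEN, pid 1201, prog_file /usr/bin/vim, uid 1000, target_type FILE, tid /etc/shadow, result NOT_GRANTED
rsbac_adf_request(): request READ_OPEN, pid 1201, prog_file /usr/bin/vim, uid 1000, target_type FILE, tid /home/pseudo-7f3a/notes, result GRANTED
rsbac_adf_request(): request WRITE_OPEN, pid 1310, prog_file /usr/bin/scanner, uid 1000, target_type FILE, tid /etc/shadow, result NOT_GRANTED
rsbac_adf_request(): request WRITE_OPEN, pid 1310, prog_file /usr/bin/scanner, uid 1000, target_type FILE, tid /etc/passwd, result NOT_GRANTED
rsbac_adf_request(): request CONNECT, pid 1310, prog_file /usr/bin/scanner, uid 1000, target_type NETOBJ, tid 10.0.0.5:22, result NOT_GRANTED
rsbac_adf_request(): request READ, pid 1400, prog_file /usr/bin/cat, uid 1001, target_type DEV, tid /dev/sda, result NOT_GRANTED
"""

# Assumed field layout: one "key value" pair per comma-separated field.
LINE_RE = re.compile(
    r"request (?P<request>[^,\s]+), pid (?P<pid>\d+), prog_file (?P<prog>[^,\s]+), "
    r"uid (?P<user>[^,\s]+), target_type (?P<ttype>[^,\s]+), tid (?P<target>[^,]+), "
    r"result (?P<result>[^,\s]+)"
)

def parse(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def denied_per_program(text):
    """Count NOT_GRANTED decisions per (user-or-pseudonym, executable)."""
    counts = Counter()
    for ev in parse(text):
        if ev["result"] == "NOT_GRANTED":
            counts[(ev["user"], ev["prog"])] += 1
    return counts

def flag_suspicious(text, threshold=3):
    """Return (user, executable) pairs with at least `threshold` denials:
    one executable repeatedly hitting objects it may not touch is worth a look."""
    return sorted(k for k, n in denied_per_program(text).items() if n >= threshold)

if __name__ == "__main__":
    for user, prog in flag_suspicious(SAMPLE_LOG):
        print(f"review: user {user} running {prog}")
```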
Table of Contents: RSBAC Handbook