If enabled in the kernel configuration, RSBAC adds one directory to the main proc dir: /proc/rsbac-info. Since proc is treated as a normal read-only fs, rsbac could not be used.

All successful write accesses are logged via syslog at KERN_INFO level. The rsbac-info dir contains the following entries:

• active: short summary of version, mode and module states, good for scripts
• stats: shows rsbac status, same contents as sys_rsbac_stats writes into syslog
• stats_pm (if PM is enabled): shows PM status, same contents as sys_rsbac_stats_pm writes into syslog
• stats_rc (if RC is enabled): shows RC status
• stats_auth (if AUTH is enabled): shows AUTH status
• stats_acl (if ACL is enabled): shows ACL status
• xstats (if extended status is enabled): shows extended status, e.g. table of call counts for requests and targets
• devices: shows all rsbac-mounted devices in n:m notation and their no_write status (no_write is set on fd-list read, if wrong version). No_write status can be changed by calling echo “devices no_write n:m k” > /proc/rsbac-info/devices with n:m as the device in major:minor notation, k is 0 or 1.
• acl_devices, auth_devices: same for ACL and AUTH data structures
• versions: shows aci versions for dev and user list and adf request array version for log_level array and the no_write status of each (set on boot, if wrong version is tried to be read). No_write status can be changed by calling echo “no_write listname n” >versions with listname is one of dev, user, log_levels, n is 0 or 1.

• auto_write (if auto-write is enabled): shows auto write status, currently auto interval in jiffies and auto debug level only. Auto interval can be changed by calling echo “auto interval n” > /proc/rsbac-info/auto_write with n = number of jiffies, debug level (0 or 1) by calling echo “auto debug n” > /proc/rsbac-info/auto_write.

• log_levels: shows adf log levels for all requests. Log levels can be changed by calling echo “log_levels request n” > /proc/rsbac-info/log_levels with request = request name, e.g. WRITE, n = level.
• rmsg (if own logging is enabled): similar to kmsg in main proc dir, logging of RSBAC requests. This file can be used by programs like klogd, or simply make a cat rmsg.
• Max. number of kernel log messages from RSBAC per second: echo “debug syslog_rate n” > /proc/rsbac_info/debug
• The RSBAC log buffer size is changed by echo “debug rmsg_maxentries n” > debug
• The RSBAC remote log buffer size is changed by echo “debug log_remote_maxentries n” > debug
• Remote logging address and port can be changed with echo “debug log_remote_addr a.b.c.d” >debug echo “debug log_remote_port n” > /proc/rsbac-info/debug.

• auth_caplist (if AUTH is enabled): shows all AUTH capabilities currently set.
• reg_modules (if REG is enabled): shows currently registered additional decision modules and syscalls.
• acl_acllist (if ACL is enabled): Detailed listing of all ACL entries and masks in the system.

• debug: shows all RSBAC debug settings, softmode, dac_disable and nosyslog.
  • Levels can be changed by calling echo “debug name n” > /proc/rsbac-info/debug. Valid names are ds, aef, auth, no_write, ds_pm, aef_pm, adf_pm, adf_ms, ds_rc, aef_rc, adf_rc, ds_acl, aef_acl, adf_acl, adf_auth, auto, softmode, dac_disable and nosyslog, but only, if shown when reading this file. Valid levels are 0 and 1.
  • Debug levels can be preset to 1 by kernel parameters with same name as variable name shown, e.g. rsbac_debug_ds or rsbac_softmode.
  • Individual model softmode can be switched by calling echo “debug ind_softmode <modname> n” >debug
  • DAZ cache ttl is set via echo “debug daz_ttl n” > /proc/rsbac-info/debug
  • CAP log missing is set with echo “debug cap_log_missing n” >debug
  • JAIL log missing (new in 1.2.5) is set with echo “debug jail_log_missing n” >debug

• backup subdir: It contains backups of what would be current aci data files. You can use cp for backups of system independent aci data structures, e.g. rc_roles, rc_types, and the admin backup tools for system dependent ones, e.g. file/dir attributes or AUTH file capabilities. Using the backup_all script or single lines from it is however strongly recommended.

Table of Contents: RSBAC Handbook