GRADM(8) | System Manager's Manual | GRADM(8) |
NAME
gradm - Administration program for the grsecurity RBAC system
SYNOPSIS
gradm [ -E ] [ -R ] [ -C ] [ -F ] [ -L <logfile> ] [ -O <filename|stream> ] [ -M <filename|uid> ] [ -D ] [ -P [rolename] ] [ -a <rolename> ] [ -n <rolename> ] [ -p <rolename> ] [ -u ] [ -V ] [ -h ] [ -v ]
DESCRIPTION
gradm is the userspace RBAC parsing and authentication program for grsecurity. grsecurity aims to be a complete security system for Linux 2.4. gradm performs several tasks for the RBAC system, including authenticating to the kernel via a password and parsing rules to be passed to the kernel.
OPTIONS
- All options to gradm are mutually exclusive, except for -L and -O.
- -E
- Enable the RBAC system
- -R
- Reload the RBAC system (only valid while in admin mode)
- -C
- Perform a check of the RBAC policy, running the same analysis against it that is performed when enabling.
- -F
- Toggle full learning mode. If used only with -L, it enables the RBAC system in full learning mode. If used with -L and -O, it parses the full learning logs and generates a complete ruleset.
- -M <filename|uid>
- Remove an execution ban on a given uid or filename that has been put in place by the RES_CRASH resource restriction of the RBAC system.
- -L <logfile>
- Parses the learning logs. Accepts an argument which specifies the logfile to scan for the learning logs. If "-" is specified as the logfile, stdin will be used as the learning log. This option can be used with -E, -O, or -F.
- -O <filename|stream>
- Specifies output mode. Requires a single argument that can be "stdout", "stderr", or a regular file. Only used with -L or -F.
- -D
- Disable the RBAC system
- -P [rolename]
- Without an argument, it sets the password for administering the RBAC system. With a role name as an argument, it sets the password for that given special role.
- -a <rolename>
- Authenticate to a special role that requires a password.
- -n <rolename>
- Authenticate to a special role that does not require a password.
- -p <rolename>
- Authenticate through PAM to a special role.
- -u
- Removes yourself from your current special role, reverting back to the normal role selection. To be used, for instance, for logging out of an admin role without exiting your shell.
- -V
- Displays verbose policy statistics when enabling the RBAC system or checking the RBAC policy. Can only be used with -C, -E, or -F -L <filename>.
- -h
- Display help information
- -v
- Print version information and exit