NAME
gradm - Administration program for the grsecurity RBAC system
SYNOPSIS
gradm [ -E ] [ -R ] [ -C ] [ -F ] [ -L <logfile> ] [ -O <filename|stream> ] [ -M <filename|uid> ] [ -D ] [ -P [rolename] ] [ -a <rolename> ] [ -n <rolename> ] [ -p <rolename> ] [ -u ] [ -V ] [ -h ] [ -v ]
DESCRIPTION
gradm is the userspace RBAC parsing and authentication program for
grsecurity. grsecurity aims to be a complete security system for Linux 2.4.
gradm performs several tasks for the RBAC system, including authenticating
to the kernel via a password and parsing rules to be passed to the kernel.
OPTIONS
All options to gradm are mutually exclusive, except for -L and -O.

-E
    Enable the RBAC system

-R
    Reload the RBAC system (only valid while in admin mode)

-C
    Perform a check of the RBAC policy, running the same analysis against
    it that is performed when enabling.

-F
    Toggle full learning mode. If used only with -L, it enables the RBAC
    system in full learning mode. If used with -L and -O, it parses the
    full learning logs and generates a complete ruleset.

-M <filename|uid>
    Remove an execution ban on a given uid or filename that has been put
    in place by the RES_CRASH resource restriction of the RBAC system.

-L <logfile>
    Parses the learning logs. Accepts an argument which specifies the
    logfile to scan for the learning logs. If "-" is specified as the
    logfile, stdin will be used as the learning log. This option can be
    used with -E, -O, or -F.

-O <filename|stream>
    Specifies output mode. Requires a single argument that can be
    "stdout", "stderr", or a regular file. Only used with -L or -F.

-D
    Disable the RBAC system

-P [rolename]
    Without an argument, it sets the password for administering the RBAC
    system. With a role name as an argument, it sets the password for
    that given special role.

-a <rolename>
    Authenticate to a special role that requires a password.

-n <rolename>
    Authenticate to a special role that does not require a password.

-p <rolename>
    Authenticate through PAM to a special role.

-u
    Removes yourself from your current special role, reverting back to
    the normal role selection. To be used, for instance, for logging out
    of an admin role without exiting your shell.

-V
    Displays verbose policy statistics when enabling the RBAC system or
    checking the RBAC policy. Can only be used with -C, -E, or
    -F -L <filename>

-h
    Display help information

-v
    Print version information and exit
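EXAMPLES
A full-learning cycle built from the options above, as an added example that is not part of the original manual page or of the grsecurity project. The two paths, the function names, running -D before generating the ruleset, and gradm returning a non-zero status when the -C check fails are assumptions.

```shell
#!/bin/sh
# Added example: full-learning cycle using only options documented above.
# Both paths are assumed placeholders; set them for your system.
# Set the administration password beforehand with: gradm -P
LEARN_LOG="${LEARN_LOG:-/var/log/grsec-learning.log}"
POLICY_OUT="${POLICY_OUT:-/root/grsec-learned-policy}"

# Step 1: enable the RBAC system in full learning mode (-F with only -L).
learn_start() {
    gradm -F -L "$LEARN_LOG"
}

# Step 2: after the system has been exercised normally, disable RBAC and
# turn the learning log into a complete ruleset (-F with -L and -O).
# Disabling first is this example's ordering (assumption).
learn_generate() {
    if [ -e "$POLICY_OUT" ]; then
        # Never write over a ruleset that may already have been reviewed.
        echo "refusing to write over existing $POLICY_OUT" >&2
        return 2
    fi
    gradm -D || return 1
    gradm -F -L "$LEARN_LOG" -O "$POLICY_OUT"
}

# Step 3: once the reviewed ruleset is installed as the system policy,
# run the same analysis that enabling performs and enable only if it passes.
# Assumes gradm exits non-zero when the check fails.
enable_checked() {
    gradm -V -C || {
        echo "policy check failed; RBAC not enabled" >&2
        return 1
    }
    gradm -E
}
```

Source the file and call the three functions in order, reviewing the generated ruleset by hand between learn_generate and enable_checked.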
REPORTING BUGS
Please include as much information as possible (using any available debugging
options) and send bug reports for gradm or the grsecurity RBAC system to
spender@grsecurity.net.
AUTHOR
grsecurity and gradm were created and are maintained by Brad Spengler
<spender@grsecurity.net>