fapolicyd.metrics - Man Page

fapolicyd runtime metrics report file

Description

The /run/fapolicyd/fapolicyd.metrics file contains the most recent daemon metrics report requested through fapolicyd-cli --check-metrics, fapolicyd-cli --reset-metrics, or periodic interval reporting.

The metrics report shows where the runtime hot paths and cache effects are. The state report, written to /run/fapolicyd/fapolicyd.state, shows whether the daemon is healthy and configured as expected. Each field is printed as a name: value line. Section headers end in a colon.

Decision outcomes

Allowed accesses

The number of policy decisions that allowed access.

Denied accesses

The number of policy decisions that denied access.

Allowed by rule

The number of allow decisions produced by a matching rule.

Allowed by fallthrough

The number of allow decisions produced when no rule had an opinion and the daemon used the default allow behavior. Detailed fallthrough dimensions are printed when this value is non-zero.

Inter-thread queue & defer activity

Inter-thread max queue depth

The highest internal event queue depth observed since the last metrics reset.

Subject deferred events

The cumulative number of fanotify permission events deferred since the last metrics reset because another process was still building subject pattern state in the same cache slot.

Subject defer max depth

The highest number of concurrently deferred subject events observed since the last metrics reset.

Subject defer fallbacks

The cumulative number of defer-array-full fallbacks since the last metrics reset. This field also appears in the state report because non-zero values are health indicators.

Subject cache effectiveness

Subject hits

The number of subject cache hits.

Subject misses

The number of subject cache misses.

Subject collisions

The number of populated subject cache slots whose full process identity did not match the current event and therefore had to be evicted before reuse.

Subject evictions

The number of subject cache evictions and the eviction percentage relative to subject cache hits.

Early subject cache evictions

The number of subject cache entries evicted before process startup state was complete. This field also appears in the state report because non-zero values are health indicators.

Subject BUILDING tracer evictions

The number of BUILDING subject cache entries evicted because the owning process was traced and could hold the slot indefinitely. This field also appears in the state report because non-zero values are health indicators.

Subject BUILDING stale evictions

The number of BUILDING subject cache entries evicted because their startup state stayed incomplete past the bounded stale window. This field also appears in the state report because non-zero values are health indicators.

Object cache effectiveness

Object hits

The number of object cache hits.

Object misses

The number of object cache misses.

Object collisions

The number of populated object cache slots whose full file identity did not match the current event and therefore had to be evicted before reuse.

Object evictions

The number of object cache evictions and the eviction percentage relative to object cache hits.

Rule hit counts

Hits/rule

One line per configured rule in rule order. The line includes the one-based rule number, hit count, and rule text. Rule hit counters are naturally scoped to the active ruleset generation and start at zero when a new ruleset is loaded. A metrics reset also clears the counters after reporting them, which allows focused tests against the currently loaded rules without forcing a rule reload.

Subject attribute lookups

Subject attr

One line is printed for each counted subject attribute in the form name requests=count lookups=count. The requests count increments when policy evaluation or syslog formatting asks for the attribute. The lookups count increments only when that attribute was absent from the event subject cache and fapolicyd had to compute or fetch it.

Object attribute lookups

Object attr

One line is printed for each counted object attribute in the form name requests=count lookups=count. The requests count increments when policy evaluation or syslog formatting asks for the attribute. The lookups count increments only when that attribute was absent from the event object cache and fapolicyd had to compute or fetch it.

Notes

Metrics resets affect counters in this report. Static configuration, current utilization snapshots, watched mounts, and health indicators are reported in fapolicyd.state(5) and are not reset by fapolicyd-cli --reset-metrics.
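The following added example (not part of fapolicyd or of this man page) parses a report using only the layout stated above, name: value fields under section headers that end in a colon, and lists the counters this page marks as health indicators when non-zero, plus Allowed by fallthrough, which the example chooses to surface as well. The sample report and the formatting of its values (including the eviction percentage) are constructed assumptions; Hits/rule and attribute lines are not interpreted.

```python
import re

# Fields this page says are health indicators when non-zero.
HEALTH_FIELDS = (
    "Subject defer fallbacks",
    "Early subject cache evictions",
    "Subject BUILDING tracer evictions",
    "Subject BUILDING stale evictions",
)

# Constructed sample, not real daemon output; value formatting is assumed.
SAMPLE = """\
Decision outcomes:
Allowed accesses: 1200
Denied accesses: 3
Allowed by rule: 1150
Allowed by fallthrough: 50
Subject cache effectiveness:
Subject hits: 900
Subject misses: 100
Subject evictions: 45 (5%)
Early subject cache evictions: 0
Subject BUILDING stale evictions: 2
"""

def parse_metrics(text):
    """Return {section: {field: raw value}} from name: value lines."""
    report, section = {}, "(no section)"
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":"):            # section header
            section = line[:-1]
            report.setdefault(section, {})
        elif ": " in line:                # name: value field
            name, _, value = line.partition(": ")
            report.setdefault(section, {})[name] = value.strip()
    return report

def review(report):
    """List (field, count) for non-zero health and fallthrough counters."""
    fields = {k: v for sec in report.values() for k, v in sec.items()}
    findings = []
    for name in HEALTH_FIELDS + ("Allowed by fallthrough",):
        m = re.match(r"\d+", fields.get(name, ""))
        if m and int(m.group()) > 0:
            findings.append((name, int(m.group())))
    return findings

if __name__ == "__main__":
    for name, count in review(parse_metrics(SAMPLE)):
        print(f"{name}: {count}")
```

Because a metrics reset clears these counters after reporting them, a non-zero finding covers only the period since the last reset.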

Files

/run/fapolicyd/fapolicyd.metrics

Runtime metrics report file.

/run/fapolicyd/fapolicyd.state

Runtime state report file.

/run/fapolicyd/fapolicyd.timing

Manual decision timing report written when a privileged stop request ends an armed timing run, when a stop request finds timing unarmed, or when timing collection stops to avoid counter overflow.

See Also

fapolicyd(8), fapolicyd-cli(8), fapolicyd.conf(5), fapolicyd.rules(5), fapolicyd.state(5), fapolicyd.timing(5), and fapolicyd.trust(5).

Referenced By

fapolicyd(8), fapolicyd-cli(8), fapolicyd.conf(5), fapolicyd.state(5), fapolicyd.timing(5).

May 2026 Red Hat File Formats