Operating mode¶

Permissive

Whether the daemon is running in permissive mode. In permissive mode, policy denials are reported as denied decisions, but the response sent to the kernel allows access.

Integrity

The configured file integrity mode used for trust checks.

reset_strategy

The active metrics reset strategy: never keeps metrics growing for the daemon lifetime, auto resets timer-generated metrics reports, and manual allows privileged signal-generated reset requests such as fapolicyd-cli --reset-metrics.

Timing collection mode

The configured timing collection control mode.

Timing collection armed

Whether a manual timing run is currently active.

Timing collection last start time

The wall-clock time of the last successful timing start request, or never when timing has not been started.

Timing collection last stop time

The wall-clock time of the last successful timing stop request, or never when timing has not been stopped.

Ruleset generation

The current in-memory ruleset generation. This value increments each time a fully validated ruleset is published by the daemon.

Headline activity¶

Allowed accesses

The number of policy decisions that allowed access.

Denied accesses

The number of policy decisions that denied access. In permissive mode these decisions are still counted as denials even though the daemon permits kernel access.

Resource configuration¶

CPU cores

The number of online processor cores reported by the system.

q_size

The configured size of the internal event queue.

Subject defer array size

The number of preallocated entries available for subject-slot deferral.

Subject cache size

The configured number of entries in the subject cache.

Object cache size

The configured number of entries in the object cache.

Trust database max pages

The configured maximum LMDB page count for the trust database.

Resource utilization¶

Trust database pages in use

The number and percentage of LMDB pages currently used by the trust database.

Subject slots in use

The number and percentage of subject cache slots currently occupied.

Object slots in use

The number and percentage of object cache slots currently occupied.

glibc arena (total memory) is

The current total glibc heap arena size in KiB, followed by the value from the previous report. This field is printed only when the daemon is built with mallinfo2(3) support.

glibc uordblks (in use memory) is

The current allocated heap memory in KiB, followed by the value from the previous report. This field is printed only when mallinfo2(3) support is available.

glibc fordblks (total free space) is

The current free heap memory in KiB, followed by the value from the previous report. This field is printed only when mallinfo2(3) support is available.

Health indicators¶

Any non-zero counter in this section warrants investigation.

Kernel queue overflow

The number of FAN_Q_OVERFLOW events reported by the kernel. A non-zero value means kernel fanotify events were lost before the daemon could process them.

Filesystem errors

The number of FAN_FS_ERROR events reported by the kernel. These are filesystem health events, not policy decisions.

Filesystem error last status

Parser status for the most recent FAN_FS_ERROR event: none , ok , missing_error_record , or malformed .

Filesystem error last seen

The wall-clock time of the most recent FAN_FS_ERROR event, or never when no filesystem error has been reported.

Filesystem error last errno

The errno-style error code from the most recent parseable filesystem error event.

Filesystem error last suppressed count

The kernel-reported count of additional filesystem errors suppressed behind the most recent error notification.

Reply errors

The number of failed or short writes when sending fanotify permission responses back to the kernel.

Subject defer fallbacks

The number of times the defer array was full and fapolicyd fell back to the historical subject cache eviction behavior.

Early subject cache evictions

The number of subject cache entries evicted before process startup state was complete.

Subject BUILDING tracer evictions

The number of BUILDING subject cache entries evicted because the owning process was traced and could hold the slot indefinitely.

Subject BUILDING stale evictions

The number of BUILDING subject cache entries evicted because their startup state stayed incomplete past the bounded stale window.

Subject defer oldest age

The age of the oldest currently deferred subject event, formatted with a human-readable unit such as ms or s.

Failure action queue_full (observe)

Number of times the internal userspace event queue was full.

Failure action kernel_queue_overflow (observe)

Number of kernel fanotify queue overflow events.

Failure action worker_stall (observe)

Number of decision worker stall detections.

Failure action rule_reload_failure (observe)

Number of rule reload failures. A failed transactional reload preserves the previous published policy when one exists.

Failure action trust_reload_failure (observe)

Number of trust database reload failures.

Failure action response_write_failure (observe)

Number of failed or incomplete fanotify response writes to the kernel.

Failure action fanotify_filesystem_error (observe)

Number of FAN_FS_ERROR filesystem health events reported by the kernel.

Watched mounts¶

watching mount

One line is printed for each mount point currently marked for fanotify monitoring.