These docs are under active development.

Inspecting

Concept
Inspecting tokens, sessions, and processes

The kernel exposes several read-only surfaces for inspecting live KACS state — /proc/<pid>/token, /sys/kernel/security/kacs/self, /sys/kernel/security/kacs/sessions, and the KACS_IOC_QUERY ioctl on token fds. This page is the map for what each surface gives you and the access rules for reading them.

reference
Inspecting tokens

A token's contents are read via KACS_IOC_QUERY on a token fd. Token fds come from kacs_open_self_token, /proc/<pid>/token, /sys/kernel/security/kacs/self, and a few other paths. Each query is a numbered class returning structured data. This page covers the query mechanism, the catalog of classes, and the two-call pattern for variable-length data.

Concept
Inspecting sessions

Active logon sessions are exposed at /sys/kernel/security/kacs/sessions as a text listing. Each token references its session via auth_id, so finding the session associated with a process means querying its primary token's auth_id and looking up that ID in the listing. This page covers the listing format, the lookup pattern, and how to track session lifecycle.

Concept
Inspecting processes

A process's inspectable state spans its token (covered separately), its PSB (PIP fields and mitigation flags), and its process SD. Inspection of another process requires PROCESS_QUERY_INFORMATION on the target plus PIP dominance. This page covers the surfaces and the rules.

reference
The event stream

revstrm is a low-level diagnostic probe that attaches directly to the KMES per-CPU ring buffers and prints every audit event it drains. It is the reference consumer for the KMES consumption protocol — not eventd, not an everyday tool. This page documents its command-line surface, output format, and operator caveats.