From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Limiting SECCOMP audit events Date: Wed, 13 Dec 2017 22:30:21 -0500 Message-ID: <17198747.0Wk1AduiP0@x2> References: <58203247.sCqcla2mis@x2> <2483555.uM3AbUoQxj@x2> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5574989825683947579==" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Paul Moore Cc: Linux Audit List-Id: linux-audit@redhat.com This is a multi-part message in MIME format. --===============5574989825683947579== Content-Type: multipart/alternative; boundary="nextPart3175413.1ar6XzAcRI" Content-Transfer-Encoding: 7Bit This is a multi-part message in MIME format. --nextPart3175413.1ar6XzAcRI Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote: > On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb wrote: > > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: > >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb wrote: > >> > Hello, > >> > > >> > Over the last month, the amount of seccomp events in audit logs is > >> > sky-rocketing. I have over a million events in the last 2 days. Most of > >> > this is generated by firefox and qt webkit. > >> > > >> > I am wondering if the audit package should ship a file for > >> > > >> > /usr/lib/sysctl.d/60-auditd.conf > >> > > >> > wherein it has > >> > > >> > kernel.seccomp.actions_logged = kill_process kill_thread errno > >> > > >> > Also, has anyone verified this sysctl is filtering audit events? Even > >> > with > >> > the above, I have over a million events on a 4.14.3 kernel. Firefox > >> > alone > >> > is generating over 50,000 events per hour. > >> > >> I don't think you'd want to log errno -- AIUI, that's used regularly > >> by a lot of seccomp policy. > > > > I'm not seeing any reporting errno. The ones reporting trap are coming in > > over 50,000 per hour. I don't think the filter is working. > > > > [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged > > kill_process kill_thread errno > > [root@x2 ~]# date > > Wed Dec 13 19:24:40 EST 2017 > > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event > > --summary -i > > Event Summary Report > > ====================== > > total type > > ====================== > > 170 SECCOMP > > > > In the time it took to type the command 170 seccomp events were recorded > > from firefox. > > > > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i > > ---- > > node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : > > auid=sgrubb uid=sgrubb gid=sgrubb ses=3 > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 > > comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 > > syscall=stat compat=0 ip=0x7f909c828635 code=trap > > ^^ trap. With the sheer amount of events being recorded, I think it's > > necessary to add a sysctl file to systems to suppress the logging. > > Especially when you consider that systemd-journal also gratuitously grabs > > audit logs and sends them to rsyslog. > > Looking at the kernel code, it looks like the actions_logged knob > isn't really intended to filter/drop seccomp events, That's unfortunate. I thought this was a way to suppress generation of events. We have a requirement that audit events be selective by the administrator. We need a knob to drop some events. I guess, the only knob right now is the exclude filter. That is probably too course. > but rather force seccomp events to be loggged. Look at seccomp_log() to see > what I mean; there is still a call to audit_seccomp() at the end. Hmm. What do we do? I have more than a million seccomp events in 2 days. I'm getting 14 events a second for seccomp just using my system. It's flooding everything. I mean maybe the firefox and webkit people meant well using seccomp, but how does a normal user get control back of their logs? Thanks, -Steve --nextPart3175413.1ar6XzAcRI Content-Transfer-Encoding: 7Bit Content-Type: text/html; charset="us-ascii"

On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote:

> On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:

> >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> >> > Hello,

> >> >

> >> > Over the last month, the amount of seccomp events in audit logs is

> >> > sky-rocketing. I have over a million events in the last 2 days. Most of

> >> > this is generated by firefox and qt webkit.

> >> >

> >> > I am wondering if the audit package should ship a file for

> >> >

> >> > /usr/lib/sysctl.d/60-auditd.conf

> >> >

> >> > wherein it has

> >> >

> >> > kernel.seccomp.actions_logged = kill_process kill_thread errno

> >> >

> >> > Also, has anyone verified this sysctl is filtering audit events? Even

> >> > with

> >> > the above, I have over a million events on a 4.14.3 kernel. Firefox

> >> > alone

> >> > is generating over 50,000 events per hour.

> >>

> >> I don't think you'd want to log errno -- AIUI, that's used regularly

> >> by a lot of seccomp policy.

> >

> > I'm not seeing any reporting errno. The ones reporting trap are coming in

> > over 50,000 per hour. I don't think the filter is working.

> >

> > [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged

> > kill_process kill_thread errno

> > [root@x2 ~]# date

> > Wed Dec 13 19:24:40 EST 2017

> > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event

> > --summary -i

> > Event Summary Report

> > ======================

> > total type

> > ======================

> > 170 SECCOMP

> >

> > In the time it took to type the command 170 seccomp events were recorded

> > from firefox.

> >

> > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i

> > ----

> > node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) :

> > auid=sgrubb uid=sgrubb gid=sgrubb ses=3

> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394

> > comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64

> > syscall=stat compat=0 ip=0x7f909c828635 code=trap

> > ^^ trap. With the sheer amount of events being recorded, I think it's

> > necessary to add a sysctl file to systems to suppress the logging.

> > Especially when you consider that systemd-journal also gratuitously grabs

> > audit logs and sends them to rsyslog.

>

> Looking at the kernel code, it looks like the actions_logged knob

> isn't really intended to filter/drop seccomp events,

 

That's unfortunate. I thought this was a way to suppress generation of events. We have a requirement that audit events be selective by the administrator. We need a knob to drop some events. I guess, the only knob right now is the exclude filter. That is probably too course.

 

> but rather force seccomp events to be loggged. Look at seccomp_log() to see

> what I mean; there is still a call to audit_seccomp() at the end.

 

Hmm. What do we do? I have more than a million seccomp events in 2 days. I'm getting 14 events a second for seccomp just using my system. It's flooding everything. I mean maybe the firefox and webkit people meant well using seccomp, but how does a normal user get control back of their logs?

 

Thanks,

-Steve

--nextPart3175413.1ar6XzAcRI-- --===============5574989825683947579== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============5574989825683947579==--