From: Kees Cook
Subject: Re: Limiting SECCOMP audit events
Date: Wed, 13 Dec 2017 16:16:47 -0800
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com
In-Reply-To: <58203247.sCqcla2mis@x2>

On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb wrote:
> Hello,
>
> Over the last month, the number of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of this
> is generated by firefox and qt webkit.
>
> I am wondering if the audit package should ship a file for
>
> /usr/lib/sysctl.d/60-auditd.conf
>
> wherein it has
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
>
> Also, has anyone verified this sysctl is filtering audit events? Even with
> the above, I have over a million events on a 4.14.3 kernel. Firefox alone is
> generating over 50,000 events per hour.

I don't think you'd want to log errno -- AIUI, that's used regularly by a
lot of seccomp policy.

-Kees

--
Kees Cook
Pixel Security
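The sysctl discussed in this exchange, worked through as an added example. This is not code from the thread, from the kernel or from the audit package: it builds the actions_logged value Kees is steering towards (the kill actions without errno), validates the names against the set the kernel accepts, decodes the code= field of SECCOMP audit records using the SECCOMP_RET_* action bits from the kernel UAPI header, and counts records per program and action so the "is the sysctl actually filtering?" question can be answered by measurement rather than by reading the kernel source. The script name, the drop-in path and the audit lines embedded as SAMPLE_AUDIT are constructed; user_notif is listed only because 5.0+ kernels accept it.

```shell
#!/bin/sh
# Added example for the linux-audit thread above; not code from the thread,
# the kernel or the audit package. SAMPLE_AUDIT below is constructed data.

# Names the kernel accepts in kernel.seccomp.actions_logged (Linux 4.14+).
# "user_notif" only exists on 5.0+ kernels; "allow" shows up in
# actions_avail but is rejected if written to actions_logged.
SECCOMP_LOGGABLE="kill_process kill_thread trap errno user_notif trace log"

# filter_actions ACTIONS DROP...: print ACTIONS with every DROP name removed,
# rejecting any name that is not a loggable seccomp action.
filter_actions() {
    actions=$1
    shift
    out=""
    for a in $actions; do
        case " $SECCOMP_LOGGABLE " in
            *" $a "*) ;;
            *) printf 'not a loggable seccomp action: %s\n' "$a" >&2; return 1 ;;
        esac
        keep=1
        for d in "$@"; do
            [ "$a" = "$d" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="$out${out:+ }$a"
    done
    printf '%s\n' "$out"
}

# sysctl_dropin ACTIONS: emit the body of a sysctl.d drop-in such as the
# /usr/lib/sysctl.d/60-auditd.conf proposed in the thread.
sysctl_dropin() {
    printf '# Log seccomp kills only; errno is routine policy noise\n'
    printf 'kernel.seccomp.actions_logged = %s\n' "$1"
}

# action_name CODE: translate the code= field of a SECCOMP audit record
# (SECCOMP_RET_ACTION_FULL bits | data, per the kernel UAPI) to the name
# used by actions_logged.
action_name() {
    hi=$(( $1 & 0xffff0000 ))
    if   [ "$hi" -eq $(( 0x80000000 )) ]; then echo kill_process
    elif [ "$hi" -eq 0 ];                  then echo kill_thread
    elif [ "$hi" -eq $(( 0x00030000 )) ]; then echo trap
    elif [ "$hi" -eq $(( 0x00050000 )) ]; then echo errno
    elif [ "$hi" -eq $(( 0x7fc00000 )) ]; then echo user_notif
    elif [ "$hi" -eq $(( 0x7ff00000 )) ]; then echo trace
    elif [ "$hi" -eq $(( 0x7ffc0000 )) ]; then echo log
    elif [ "$hi" -eq $(( 0x7fff0000 )) ]; then echo allow
    else echo unknown
    fi
}

# count_seccomp: read audit.log text on stdin, print "comm action count" for
# each SECCOMP record, busiest first. Run it before and after changing
# actions_logged to see whether the sysctl is really cutting the volume.
count_seccomp() {
    awk '/type=SECCOMP/ {
        comm = ""; code = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^code=/) { code = substr($i, 6) }
        }
        print comm, code
    }' | while read -r comm code; do
        printf '%s %s\n' "$comm" "$(action_name "$code")"
    done | sort | uniq -c | sort -rn | awk '{ print $2, $3, $1 }'
}

# Constructed sample of the flood described in the thread: two errno hits
# from firefox, one from a WebKit process, and one genuine kill_process.
SAMPLE_AUDIT='type=SECCOMP msg=audit(1513200001.100:1001): auid=1000 uid=1000 gid=1000 ses=2 pid=2345 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1a2b3c4d5e code=0x50016
type=SECCOMP msg=audit(1513200001.200:1002): auid=1000 uid=1000 gid=1000 ses=2 pid=2345 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1a2b3c4d5e code=0x50016
type=SYSCALL msg=audit(1513200001.300:1003): arch=c000003e syscall=59 success=yes exit=0 comm="bash" key=(null)
type=SECCOMP msg=audit(1513200001.400:1004): auid=1000 uid=1000 gid=1000 ses=2 pid=3456 comm="WebKitWebProces" exe="/usr/libexec/webkit2gtk-4.0/WebKitWebProcess" sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f2b3c4d5e6f code=0x50001
type=SECCOMP msg=audit(1513200001.500:1005): auid=1000 uid=1000 gid=1000 ses=2 pid=4567 comm="sandboxed" exe="/usr/local/bin/sandboxed" sig=9 arch=c000003e syscall=105 compat=0 ip=0x400123 code=0x80000000'

# Live usage on a 4.14+ host (assumed script name seccomp_audit.sh):
#   sh seccomp_audit.sh --live
# prints the current value, the proposed drop-in without errno, and the
# per-program counts from the running auditd log.
if [ "${1:-}" = "--live" ]; then
    current=$(cat /proc/sys/kernel/seccomp/actions_logged)
    echo "current: $current"
    sysctl_dropin "$(filter_actions "$current" errno)"
    count_seccomp < /var/log/audit/audit.log
fi
```

On the constructed sample the count comes out as firefox/errno 2, WebKitWebProces/errno 1, sandboxed/kill_process 1, which is the shape Steve describes: browser sandboxes return errno for blocked calls as a matter of course, so logging errno turns routine policy into a flood while the kill actions, the ones that indicate something actually tripped the sandbox, stay rare. Measure rather than assume, as Steve's 4.14.3 numbers show: the 4.14 seccomp_log() still fell through to audit_seccomp() for tasks with an audit context regardless of actions_logged, so on that kernel the sysctl alone does not silence processes auditd is already tracking; later kernels removed that special case.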