From: Paul Moore <paul@paul-moore.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: linux-audit@redhat.com
Subject: Re: Limiting SECCOMP audit events
Date: Thu, 26 Apr 2018 10:41:24 -0400
Message-ID: <CAHC9VhS4styUMet8JMhMGFD1pEwd1B-7XwZS=mX8ZwJewnsLUQ@mail.gmail.com>
In-Reply-To: <f9ef8bb8-9784-ff6b-6d83-14127d072786@canonical.com>

On Tue, Apr 24, 2018 at 8:00 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> On 04/17/2018 08:57 PM, Paul Moore wrote:
>> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> Hello,
>>>
>>> Ping?  SECCOMP events are still flooding the system. Can we do something
>>> hackish to turn this off until a better solution can be created?
>>
>> Pong?
>>
>> The only workarounds I can think of would be to disable audit or
>> create a filter rule excluding auditing for the noisy process.  I've
>> never tried the latter, but I'm pretty sure it would work.
>
> I've pushed two branches which have slightly different behaviors. They
> only differ by the last patch in each branch. The tree is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/
>
> 1) seccomp-auditing/option-1-consistent-behavior
>    This branch removes all special casing around audited processes. The
>    decision on whether or not to audit an action no longer considers
>    whether or not the process is being audited. RET_TRAP, RET_TRACE,
>    and RET_ERRNO actions will only be logged if the application loads
>    the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
>    the final say via the kernel.seccomp.actions_logged sysctl.
>
> 2) seccomp-auditing/option-2-honor-sysctl
>    This branch continues to special case audited processes. The decision
>    to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on whether
>    the SECCOMP_FILTER_FLAG_LOG bit is set OR the process is being
>    audited. The admin has the final say via the
>    kernel.seccomp.actions_logged sysctl.
>
> I prefer option #1. Play with both implementations and let me know what
> works best for your requirements. Both branches share the same
> underlying patches for emitting audit records on writes to the
> kernel.seccomp.actions_logged sysctl.

Looking quickly at the two branches, I think I prefer the
option-1-consistent-behavior approach, although some changes are
needed.  Could you post those patches to list for review/discussion?

-- 
paul moore
www.paul-moore.com

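An added illustration, not code from this thread or from the branches Tyler describes: the C program below sets up the exact situation the two options decide about. It loads a filter that returns RET_ERRNO for one syscall, passes SECCOMP_FILTER_FLAG_LOG on the load so that the action is a candidate for an audit record, and reads the kernel.seccomp.actions_logged sysctl that gives the admin the final say. Under option 1 as described above, the RET_ERRNO here would be logged only because the flag is set (and only while "errno" is still listed in the sysctl); with the flag cleared it would not be, regardless of whether the process is being audited. The choice of getpgid as the denied syscall, running the filter in a forked child so the calling process stays unfiltered, and the 1/0/-1 return convention are this example's own assumptions. On a kernel older than 4.14 the flag and the sysctl do not exist, and the demo reports itself as skipped rather than failing.

```c
/* Added example, not code from this thread: install a seccomp filter with
 * SECCOMP_FILTER_FLAG_LOG and read kernel.seccomp.actions_logged.
 * Linux only. Blocking getpgid, forking so the caller's own process is
 * left unfiltered, and the 1/0/-1 return convention are this example's
 * own choices. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) /* uapi value; the flag is 4.14+ */
#endif

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_AUDIT_ARCH 0 /* unknown arch: the demo reports "skipped" */
#endif

/* Filter: wrong arch -> kill; getpgid -> RET_ERRNO(EPERM); anything else
 * -> allow. Loaded with SECCOMP_FILTER_FLAG_LOG, which is what makes the
 * RET_ERRNO eligible for an audit record at all. Returns 0, or -1 with
 * errno set when the kernel rejects the load. */
static int install_errno_filter_with_log(void)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpgid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filt) / sizeof(filt[0]), .filter = filt };

    /* An unprivileged process must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
#ifdef SYS_seccomp
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_LOG, &prog);
#else
    errno = ENOSYS; /* libc predates seccomp(2); prctl(PR_SET_SECCOMP) cannot pass flags */
    return -1;
#endif
}

/* Runs the filter in a child so the caller stays unfiltered.
 *  1 = filter loaded and getpgid() failed with EPERM as programmed,
 *  0 = this kernel or sandbox would not let us load it (demo skipped),
 * -1 = something unexpected (child killed, wrong errno, ...). */
int run_errno_filter_demo(void)
{
    int status;
    pid_t pid;

    if (DEMO_AUDIT_ARCH == 0)
        return 0;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_errno_filter_with_log() != 0)
            _exit(errno == EINVAL || errno == ENOSYS || errno == EPERM ? 3 : 4);
        long r = syscall(SYS_getpgid, 0); /* the one syscall the filter denies */
        _exit((r == -1 && errno == EPERM) ? 0 : 2);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 3 ? 0 : -1;
}

/* Admin-side override: the space-separated action names the kernel will log.
 * Returns the string length, or -1 when the sysctl is absent or unreadable. */
ssize_t read_actions_logged(char *buf, size_t len)
{
    if (len == 0)
        return -1;
    FILE *f = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    while (n > 0 && buf[n - 1] == '\n')
        n--;
    buf[n] = '\0';
    return (ssize_t)n;
}

int main(void)
{
    char logged[128];
    int r = run_errno_filter_demo();
    printf("filter demo: %s\n",
           r == 1 ? "RET_ERRNO enforced" : r == 0 ? "skipped" : "unexpected");
    if (read_actions_logged(logged, sizeof logged) >= 0)
        printf("kernel.seccomp.actions_logged = \"%s\" (errno %s be logged)\n",
               logged, strstr(logged, "errno") ? "may" : "will not");
    return r < 0;
}
```

To see the admin override from the thread in action, remove "errno" from the sysctl (for example by writing the remaining action names back to /proc/sys/kernel/seccomp/actions_logged as root) and re-run: the filter still returns EPERM, but the action is no longer a logging candidate no matter what flag the application passed.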

Thread overview: 23+ messages
2017-12-13 23:58 Limiting SECCOMP audit events Steve Grubb
2017-12-14  0:16 ` Kees Cook
2017-12-14  0:31   ` Steve Grubb
2017-12-14  1:43     ` Paul Moore
2017-12-14  3:30       ` Steve Grubb
2017-12-14 12:42         ` Paul Moore
2017-12-14 15:29           ` Steve Grubb
2017-12-14 15:04 ` Tyler Hicks
2017-12-14 15:19   ` Steve Grubb
2017-12-14 23:06     ` Tyler Hicks
2017-12-14 23:16       ` Kees Cook
2017-12-15 14:08       ` Paul Moore
2017-12-15 15:47         ` Tyler Hicks
2017-12-15 16:09           ` Steve Grubb
2017-12-15 20:54           ` Paul Moore
2017-12-15 16:02       ` Steve Grubb
2018-01-02 20:03         ` Steve Grubb
2018-01-03  2:52           ` Tyler Hicks
2018-01-03 14:25             ` Paul Moore
2018-04-17 22:54               ` Steve Grubb
2018-04-18  1:57                 ` Paul Moore
2018-04-25  0:00                   ` Tyler Hicks
2018-04-26 14:41                     ` Paul Moore [this message]
