Limiting SECCOMP audit events
Steve Grubb
sgrubb at redhat.com
Wed Dec 13 23:58:46 UTC 2017
Hello,
Over the last month, the amount of seccomp events in audit logs is sky-rocketing. I
have over a million events in the last 2 days. Most of this is generated by firefox and
qt webkit.
I am wondering if the audit package should ship a file for
/usr/lib/sysctl.d/60-auditd.conf
wherein it has
kernel.seccomp.actions_logged = kill_process kill_thread errno
Also, has anyone verified this sysctl is filtering audit events? Even with the above, I
have over a million events on a 4.14.3 kernel. Firefox alone is generating over
50,000 events per hour.
Thanks,
-Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20171213/ac7799b0/attachment.htm>
More information about the Linux-audit
mailing list