Limiting SECCOMP audit events

Steve Grubb sgrubb at redhat.com
Thu Dec 14 00:31:44 UTC 2017 

On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > Hello,
> > 
> > Over the last month, the amount of seccomp events in audit logs is
> > sky-rocketing. I have over a million events in the last 2 days. Most of
> > this is generated by firefox and qt webkit.
> > 
> > I am wondering if the audit package should ship a file for
> > 
> > /usr/lib/sysctl.d/60-auditd.conf
> > 
> > wherein it has
> > 
> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> > 
> > Also, has anyone verified this sysctl is filtering audit events? Even with
> > the above, I have over a million events on a 4.14.3 kernel. Firefox alone
> > is generating over 50,000 events per hour.
> 
> I don't think you'd want to log errno -- AIUI, that's used regularly
> by a lot of seccomp policy.

I'm not seeing any reporting errno. The ones reporting trap are coming in over 
50,000 per hour. I don't think the filter is working.

[root at x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged
kill_process kill_thread errno
[root at x2 ~]# date
Wed Dec 13 19:24:40 EST 2017
[root at x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event --
summary -i

Event Summary Report
======================
total  type
======================
170  SECCOMP

In the time it took to type the command 170 seccomp events were recorded from 
firefox.

[root at x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i
----
node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : 
auid=sgrubb uid=sgrubb gid=sgrubb ses=3 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 
comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 
syscall=stat compat=0 ip=0x7f909c828635 code=trap 

^^ trap.  With the sheer amount of events being recorded, I think it's necessary to 
add a sysctl file to systems to suppress the logging. Especially when you consider 
that systemd-journal also gratuitously grabs audit logs and sends them to rsyslog.

-Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20171213/14af1979/attachment.htm>

More information about the Linux-audit mailing list