Limiting SECCOMP audit events

Paul Moore paul at paul-moore.com
Thu Dec 14 01:43:38 UTC 2017 

On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
>> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > Hello,
>> >
>> > Over the last month, the amount of seccomp events in audit logs is
>> > sky-rocketing. I have over a million events in the last 2 days. Most of
>> > this is generated by firefox and qt webkit.
>> >
>> > I am wondering if the audit package should ship a file for
>> >
>> > /usr/lib/sysctl.d/60-auditd.conf
>> >
>> > wherein it has
>> >
>> > kernel.seccomp.actions_logged = kill_process kill_thread errno
>> >
>> > Also, has anyone verified this sysctl is filtering audit events? Even
>> > with
>> > the above, I have over a million events on a 4.14.3 kernel. Firefox
>> > alone
>> > is generating over 50,000 events per hour.
>>
>> I don't think you'd want to log errno -- AIUI, that's used regularly
>> by a lot of seccomp policy.
>
> I'm not seeing any reporting errno. The ones reporting trap are coming in
> over 50,000 per hour. I don't think the filter is working.
>
> [root at x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged
> kill_process kill_thread errno
> [root at x2 ~]# date
> Wed Dec 13 19:24:40 EST 2017
> [root at x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event
> --summary -i
> Event Summary Report
> ======================
> total type
> ======================
> 170 SECCOMP
>
> In the time it took to type the command 170 seccomp events were recorded
> from firefox.
>
> [root at x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i
> ----
> node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb
> uid=sgrubb gid=sgrubb ses=3
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web
> Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat
> compat=0 ip=0x7f909c828635 code=trap
> ^^ trap. With the sheer amount of events being recorded, I think it's
> necessary to add a sysctl file to systems to suppress the logging.
> Especially when you consider that systemd-journal also gratuitously grabs
> audit logs and sends them to rsyslog.

Looking at the kernel code, it looks like the actions_logged knob
isn't really intended to filter/drop seccomp events, but rather force
seccomp events to be loggged.  Look at seccomp_log() to see what I
mean; there is still a call to audit_seccomp() at the end.

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list