Limiting SECCOMP audit events

Paul Moore paul at paul-moore.com
Thu Dec 14 12:42:26 UTC 2017


On Wed, Dec 13, 2017 at 10:30 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote:
>> On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
>> >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb at redhat.com> wrote:

...

>> Looking at the kernel code, it looks like the actions_logged knob
>> isn't really intended to filter/drop seccomp events,
>
> That's unfortunate. I thought this was a way to suppress generation of
> events. We have a requirement that audit events be selective by the
> administrator. We need a knob to drop some events. I guess, the only knob
> right now is the exclude filter. That is probably too coarse.
>
>> but rather force seccomp events to be logged. Look at seccomp_log() to
>> see what I mean; there is still a call to audit_seccomp() at the end.
>
> Hmm. What do we do?

I imagine we could put together a rather coarse grained action filter,
similar to what we have with "actions_logged" (maybe
"actions_silent"?), and perhaps add some additional audit filters for
seccomp for those who happen to have audit enabled.  Both should be
relatively easy, the "actions_silent" field especially so.

-- 
paul moore
www.paul-moore.com
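As an added illustration (not code from this thread or from the kernel), a small C model of the decision seccomp_log() makes as described above: the actions_logged mask can only force an event out, and when it does not, the trailing audit_seccomp() call still emits a record for any task the audit subsystem is already following. The enum, the LOG_* bits and the task_audited flag are this model's own names, not kernel identifiers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the seccomp action classes, not the kernel's enum. */
enum action { ACT_ALLOW, ACT_LOG, ACT_ERRNO, ACT_TRAP, ACT_TRACE, ACT_KILL };

/* Bits of the modelled "actions_logged" knob, one per loggable action. */
#define LOG_KILL  (1u << 0)
#define LOG_TRAP  (1u << 1)
#define LOG_ERRNO (1u << 2)
#define LOG_TRACE (1u << 3)
#define LOG_LOG   (1u << 4)

static unsigned int action_bit(enum action a)
{
    switch (a) {
    case ACT_KILL:  return LOG_KILL;
    case ACT_TRAP:  return LOG_TRAP;
    case ACT_ERRNO: return LOG_ERRNO;
    case ACT_TRACE: return LOG_TRACE;
    case ACT_LOG:   return LOG_LOG;
    default:        return 0;   /* ACT_ALLOW never reaches the logger */
    }
}

/*
 * Does this filter outcome produce an audit event?
 *   actions_logged: current knob value
 *   filter_log:     the filter was loaded with the "log" flag set
 *   task_audited:   audit is enabled and already has a context for this task
 */
bool seccomp_event_emitted(enum action a, unsigned int actions_logged,
                           bool filter_log, bool task_audited)
{
    unsigned int bit = action_bit(a);
    bool forced;

    /* kill and log are forced whenever the knob permits; the others only if the filter asked */
    if (a == ACT_KILL || a == ACT_LOG)
        forced = (actions_logged & bit) != 0;
    else
        forced = filter_log && (actions_logged & bit) != 0;

    if (forced)
        return true;            /* __audit_seccomp(): unconditional record */

    /* audit_seccomp(): knob did not force it, but an audited task is still logged */
    return a != ACT_ALLOW && task_audited;
}

int main(void)
{
    /* kill with the knob cleared: the knob alone does not drop the event for an audited task */
    printf("kill, knob cleared, task audited -> %d\n",
           seccomp_event_emitted(ACT_KILL, 0, false, true));
    return 0;
}
```

The last case is the one the thread turns on: clearing the action from actions_logged only removes the forced path, so a task that audit is already tracking still gets the record.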
