Limiting SECCOMP audit events
Tyler Hicks
tyhicks at canonical.com
Thu Dec 14 15:04:48 UTC 2017
On 12/13/2017 05:58 PM, Steve Grubb wrote:
> Hello,
>
>
>
> Over the last month, the amount of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of
> this is generated by firefox and qt webkit.
>
>
>
> I am wondering if the audit package should ship a file for
>
>
>
> /usr/lib/sysctl.d/60-auditd.conf
>
>
>
> wherein it has
>
>
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
I agree with Kees here. IMO, you only want "kill_process kill_thread"
which is the default.
> Also, has anyone verified this sysctl is filtering audit events? Even
> with the above, I have over a million events on a 4.14.3 kernel. Firefox
> alone is generating over 50,000 events per hour.
Yes. I tested it a lot as the changes were being upstreamed and again
when I backported the changes to Ubuntu releases 17.10, 17.04, and 16.04
LTS. Those kernels have been released for a month and a half now and I
haven't heard of any issues.
I'll install a Fedora VM and see if I can determine what's happening.
Tyler
>
>
>
> Thanks,
>
> -Steve
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20171214/232b0a04/attachment.sig>
More information about the Linux-audit
mailing list