Limiting SECCOMP audit events

Steve Grubb sgrubb at redhat.com
Thu Dec 14 15:29:38 UTC 2017


On Thursday, December 14, 2017 7:42:26 AM EST Paul Moore wrote:
> >> Looking at the kernel code, it looks like the actions_logged knob
> >> isn't really intended to filter/drop seccomp events,
> > 
> > That's unfortunate. I thought this was a way to suppress generation of
> > events. We have a requirement that audit events be selective by the
> > administrator. We need a knob to drop some events. I guess, the only knob
> > right now is the exclude filter. That is probably too coarse.
> > 
> >> but rather force seccomp events to be logged. Look at seccomp_log() to
> >> see what I mean; there is still a call to audit_seccomp() at the end.
> > 
> > Hmm. What do we do?
> 
> I imagine we could put together a rather coarse grained action filter,
> similar to what we have with "actions_logged" (maybe
> "actions_silent"?), and perhaps add some additional audit filters for
> seccomp for those who happen to have audit enabled.  Both should be
> relatively easy, the "actions_silent" field especially so.

OK. That would be helpful. This is eating up my log space. The biggest offenders
seem to be doing trap kind of events. I suppose if an errno was returned the
program would respond by erroring out. But since it's a trap, I suspect something
looks around at data and then OKs it to proceed on, which results in another trap.

-Steve
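A user-space model of the logging decision Paul describes, added here as an illustration and not code from the thread or the kernel. It follows my reading of seccomp_log() and audit_seccomp() in 4.14-era kernels (simplified, audit assumed enabled) and shows why removing an action from actions_logged does not silence it for a task that audit is already tracking.

```c
/* Added example, not kernel or thread code: a user-space model of the logging
 * decision, per my reading of 4.14-era seccomp_log()/audit_seccomp(). */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum action { RET_KILL_PROCESS, RET_KILL_THREAD, RET_TRAP, RET_ERRNO,
              RET_TRACE, RET_LOG, RET_ALLOW, ACTION_COUNT };

/* Keywords used by /proc/sys/kernel/seccomp/actions_logged; bit i = action i. */
static const char *const action_names[ACTION_COUNT] = {
    "kill_process", "kill_thread", "trap", "errno", "trace", "log", "allow" };

/* Parse the knob's space-separated list into a bitmask. Returns 0 for an
 * unknown keyword or for "allow", which the kernel refuses to accept. */
uint32_t parse_actions_logged(const char *s)
{
    uint32_t mask = 0;
    char buf[128];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n")) {
        int i;
        for (i = 0; i < ACTION_COUNT && strcmp(tok, action_names[i]); i++)
            {}
        if (i == ACTION_COUNT || i == RET_ALLOW)
            return 0;
        mask |= 1u << i;
    }
    return mask;
}

/* Does this event produce an audit record? logged_mask is the parsed knob,
 * filter_flag_log means the filter was loaded with SECCOMP_FILTER_FLAG_LOG,
 * task_audited means the task has a non-dummy audit context. The knob can only
 * force a record; otherwise the audit_seccomp() fallback still emits one for
 * any audited task, and for kill actions because a signal was delivered. */
bool seccomp_event_logged(enum action act, uint32_t logged_mask,
                          bool filter_flag_log, bool task_audited)
{
    bool forced;
    if (act == RET_ALLOW)
        return false;               /* allow never reaches seccomp_log() */
    if (act == RET_TRAP || act == RET_ERRNO || act == RET_TRACE)
        forced = filter_flag_log && (logged_mask & (1u << act));
    else                            /* kill_process, kill_thread, log */
        forced = logged_mask & (1u << act);
    if (forced) return true;
    return task_audited || act == RET_KILL_PROCESS || act == RET_KILL_THREAD;
}
```

The trap case with "trap" removed from the knob but task_audited set is the situation in this thread: the record is still produced, which is why a drop-style control or an audit exclude rule is needed rather than actions_logged.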