Limiting SECCOMP audit events
Paul Moore
paul at paul-moore.com
Thu Apr 26 14:41:24 UTC 2018
On Tue, Apr 24, 2018 at 8:00 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> On 04/17/2018 08:57 PM, Paul Moore wrote:
>> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>>> Hello,
>>>
>>> Ping? SECCOMP events are still flooding the system. Can we do something
>>> hackish to turn this off until a better solution can be created?
>>
>> Pong?
>>
>> The only workarounds I can think of would be to disable audit or
>> create a filter rule excluding auditing for the noisy process. I've
>> never tried the latter, but I'm pretty sure it would work.
>
> I've pushed two branches which have slightly different behaviors. They
> only differ by the last patch in each branch. The tree is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/
>
> 1) seccomp-auditing/option-1-consistent-behavior
> This branch removes all special casing around audited processes. The
> decision on whether or not to audit an action no longer considers
> whether or not the process is being audited. RET_TRAP, RET_TRACE,
> and RET_ERRNO actions will only be logged if the application loads
> the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
> the final say via the kernel.seccomp.actions_logged sysctl.
>
> 2) seccomp-auditing/option-2-honor-sysctl
> This branch continues to special case audited processes. The decision
> to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on whether the
> SECCOMP_FILTER_FLAG_LOG bit is set OR if the process is being
> audited. The admin has the final say via the
> kernel.seccomp.actions_logged sysctl.
>
> I prefer option #1. Play with both implementations and let me know what
> works best for your requirements. Both branches share the same
> underlying patches for emitting audit records on writes to the
> kernel.seccomp.actions_logged sysctl.
Looking quickly at the two branches, I think I prefer the
option-1-consistent-behavior approach, although some changes are
needed. Could you post those patches to the list for review/discussion?
--
paul moore
www.paul-moore.com
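The application-side half of the behaviour Tyler describes for option 1 (RET_ERRNO is only a candidate for logging when the filter was loaded with SECCOMP_FILTER_FLAG_LOG, and the admin's kernel.seccomp.actions_logged sysctl still has the final say) can be seen with a minimal seccomp-BPF loader. The following is an added example written for this page, not code from either branch or from the kernel tree; it assumes a Linux/glibc build with the seccomp(2) syscall number available, the choice of uname(2) as the denied syscall and EPERM as its errno are arbitrary, and the fallback macro values are the kernel's own UAPI constants for headers that predate them.

```c
/* Added example (not from the branches under discussion): load a seccomp-BPF
 * filter with SECCOMP_FILTER_FLAG_LOG so that its RET_ERRNO decisions are
 * eligible for SECCOMP audit records.  Assumptions: Linux with SYS_seccomp
 * defined; uname(2) and EPERM are arbitrary demonstration choices. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older UAPI headers may lack these; the values are the kernel's. */
#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define FILTER_LEN 7

/* Fill `out` (room for FILTER_LEN entries) with a filter that makes syscall
 * `nr` fail with -EPERM via SECCOMP_RET_ERRNO and allows everything else.
 * Returns the instruction count so the caller can size sock_fprog. */
int build_errno_filter(int nr, struct sock_filter *out)
{
    struct sock_filter insns[FILTER_LEN] = {
        /* 0-2: kill the process if it runs under a foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-6: nr == target -> RET_ERRNO(EPERM), otherwise RET_ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, insns, sizeof(insns));
    return FILTER_LEN;
}

/* Install the filter with SECCOMP_FILTER_FLAG_LOG.  Returns 0 on success or
 * -1 with errno set (ENOSYS: no seccomp(2) on this build; EINVAL: kernel
 * too old to know the LOG flag). */
int install_logged_filter(int nr)
{
#ifdef SYS_seccomp
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog = {
        .len = (unsigned short)build_errno_filter(nr, insns),
        .filter = insns,
    };
    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_LOG, &prog);
#else
    (void)nr;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    if (install_logged_filter(SYS_uname) != 0) {
        perror("seccomp");
        return 1;
    }
    struct utsname u;
    int rc = uname(&u);
    printf("uname() -> %d (errno %d: %s)\n", rc, errno, strerror(errno));
    /* While "errno" is listed in /proc/sys/kernel/seccomp/actions_logged
     * this call yields a type=SECCOMP audit record; take "errno" out of the
     * sysctl and the same filter and call stay silent. */
    return 0;
}
```

Run it once with the default actions_logged value and once after removing `errno` from /proc/sys/kernel/seccomp/actions_logged to see the admin override described in the thread; loading the same filter without SECCOMP_FILTER_FLAG_LOG is the application-side way to keep a known-noisy RET_ERRNO out of the audit log under option 1.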