Limiting SECCOMP audit events
paul at paul-moore.com
Wed Jan 3 14:25:12 UTC 2018
On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> On 01/02/2018 02:03 PM, Steve Grubb wrote:
>> I know people have been busy with the holidays and things...but I just wanted
>> to mention I'm still seeing hundreds of thousands of seccomp events hitting the
>> audit logs every day.
>> # ausearch --start today -m seccomp --raw | aureport -x --summary
>> Executable Summary Report
>> total file
>> 209843 /usr/lib64/firefox/firefox
>> 2196 /usr/lib64/qt5/libexec/QtWebEngineProcess
>> Has anyone looked at it beyond pseudo code?
> I started to throw together a quick couple of patches prior to the
> holidays but didn't finish. Things aren't looking good for the next few
> weeks for me so someone else should take over if it is important for 4.16.
This is also on my todo list, but it sits behind fixing one last
libseccomp bug and getting a new release out. I made some good
progress on the libseccomp bug right before the holiday, but I think
there is still a day's worth of work left before it is ready to be
merged. I'm also traveling for the next week so I doubt I'll have any
serious time to devote to the kernel patch(es).
I can't remember what Tyler's last thought was on the logic, but I
imagine I'll just wait until I see some patches to review/merge, or I
can go back in the thread if I happen to have time before anyone else.
Also, to set expectations, since we are currently at -rc6, this is
likely going to need to wait until 4.17 at the earliest as I generally
don't like merging new functionality in the last week or two before
the merge window.
Also (part two), we should add a test case to the audit-testsuite for
any new knobs that affect the SECCOMP records.
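As an added example (not code from this thread or from the audit tools), a small POSIX shell helper that groups raw SECCOMP records by executable and syscall number, the way the quoted aureport "Executable Summary Report" groups them by executable, so that the executables flooding the log can be picked out for review. The sample records are constructed, and the helper assumes records begin with `type=SECCOMP` (no `node=` prefix).

```shell
#!/bin/sh
# Added example, not from the thread: summarise raw SECCOMP audit records by
# executable and syscall number. The input is the record stream that
# `ausearch -m seccomp --raw` prints; a constructed sample is embedded here
# so the script runs offline. Assumption: records start with "type=SECCOMP".

SAMPLE_RECORDS='type=SECCOMP msg=audit(1514908800.101:201): auid=1000 uid=1000 gid=1000 ses=3 pid=4242 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1514908800.102:202): auid=1000 uid=1000 gid=1000 ses=3 pid=4242 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1514908800.103:203): auid=1000 uid=1000 gid=1000 ses=3 pid=4243 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1514908800.104:204): auid=1000 uid=1000 gid=1000 ses=3 pid=4243 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=59 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1514908800.105:205): auid=1000 uid=1000 gid=1000 ses=3 pid=5001 comm="QtWebEngineProc" exe="/usr/lib64/qt5/libexec/QtWebEngineProcess" sig=0 arch=c000003e syscall=59 compat=0 ip=0x7f0fedcba987 code=0x7ffc0000
type=SYSCALL msg=audit(1514908800.106:206): arch=c000003e syscall=59 success=yes exit=0 pid=5002 comm="bash" exe="/usr/bin/bash"'

# Count (exe, syscall) pairs on stdin; records of other types are ignored.
# Output lines: "<count> <exe> <syscall>", most frequent first.
summarize_seccomp() {
    awk '
        $1 == "type=SECCOMP" {
            exe = ""; sc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^exe=/)          { exe = substr($i, 5); gsub(/"/, "", exe) }
                else if ($i ~ /^syscall=/) { sc = substr($i, 9) }
            }
            if (exe != "") n[exe " " sc]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Collapse the per-syscall counts into a per-executable total, the view the
# quoted "Executable Summary Report" gives.
count_by_exe() {
    summarize_seccomp | awk '{ t[$2] += $1 } END { for (e in t) print t[e], e }' | sort -rn
}

# Print executables whose total is at or above a threshold: the candidates
# to review (is the filter tripping on a needed syscall, or is a log record
# for this action wanted at all?) before they fill the audit log.
noisy_executables() {
    count_by_exe | awk -v min="$1" '$1 >= min { print $2 }'
}

printf '%s\n' "$SAMPLE_RECORDS" | summarize_seccomp
printf '%s\n' "$SAMPLE_RECORDS" | noisy_executables 2
```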