[PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
Paul Moore
paul at paul-moore.com
Tue Apr 12 01:17:46 UTC 2016
On Monday, April 11, 2016 10:58:06 AM Eric Paris wrote:
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm no so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.
The seccomp events are very useful for people who are working with seccomp
filters and I want to ensure that we have the ability to emit these events
regardless of if audit is enabled, or even compiled into the kernel using
dmesg/syslog as we do today with other auditable events, e.g. SELinux.
Because of this desire to log regardless of audit, I figured a sysctl tunable
made more sense than an audit based filter. As I mentioned previously, I'm
not completely sold on the sysctl based solution, but it is the best solution
that I can think of at the moment. Alternatives are welcome.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list