Limiting SECCOMP audit events

Kees Cook keescook at chromium.org
Thu Dec 14 00:16:47 UTC 2017


On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
> Over the last month, the number of seccomp events in audit logs is
> skyrocketing. I have over a million events in the last 2 days. Most of this
> is generated by firefox and qt webkit.
>
> I am wondering if the audit package should ship a file for
>
> /usr/lib/sysctl.d/60-auditd.conf
>
> wherein it has
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
>
> Also, has anyone verified this sysctl is filtering audit events? Even with
> the above, I have over a million events on a 4.14.3 kernel. Firefox alone is
> generating over 50,000 events per hour.

I don't think you'd want to log errno -- AIUI, that's used regularly
by a lot of seccomp policy.

-Kees

-- 
Kees Cook
Pixel Security
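The point in the reply is that SECCOMP_RET_ERRNO is the everyday, non-fatal outcome of a seccomp policy: the denied syscall simply returns -1 with an errno and the process carries on, so a sandboxed browser can hit it thousands of times an hour. The program below is an added example, not code from the thread or from any of the projects mentioned; it installs a minimal filter in a forked child that answers getppid(2) with EPERM, calls it, and reports that the child survived with an errno rather than being killed. Whether such a return also produces an audit record is governed by the kernel.seccomp.actions_logged sysctl the thread discusses (and, on kernels that support it, by the filter's own SECCOMP_FILTER_FLAG_LOG); the example does not touch that setting. The result codes, the choice of getppid and the fallback SECCOMP_RET_KILL_PROCESS definition are this example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* value from Linux 4.14 headers (assumption for older headers) */
#endif

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Outcomes reported by run_errno_filter_demo() (constructed for this example). */
enum { DEMO_ERRNO_SEEN = 1, DEMO_SECCOMP_UNAVAILABLE = 2, DEMO_UNEXPECTED = 3 };

/* Install a filter that answers syscall `nr` with -EPERM and allows everything else.
 * Returns 0 on success, -1 (errno set) if the kernel or sandbox refuses the filter. */
static int install_errno_filter(int nr)
{
    struct sock_filter insns[] = {
        /* Refuse to evaluate a filter built for a different ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Deny the chosen syscall with an errno instead of killing the task. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(insns) / sizeof(insns[0]),
        .filter = insns,
    };

    /* Required so an unprivileged task may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run the demonstration in a forked child so the filter never touches the caller.
 * The child denies getppid(2), calls it, and reports what happened via its exit status. */
int run_errno_filter_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_UNEXPECTED;

    if (pid == 0) {
        if (install_errno_filter(SYS_getppid) != 0)
            _exit(DEMO_SECCOMP_UNAVAILABLE);
        errno = 0;
        long rc = syscall(SYS_getppid);   /* bypass libc wrappers and the vDSO */
        /* The task is still alive here: RET_ERRNO only fails the call, it does not kill. */
        _exit(rc == -1 && errno == EPERM ? DEMO_ERRNO_SEEN : DEMO_UNEXPECTED);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return DEMO_UNEXPECTED;   /* a kill action would surface here as a signal, not an exit */
    return WEXITSTATUS(status);
}

int main(void)
{
    switch (run_errno_filter_demo()) {
    case DEMO_ERRNO_SEEN:
        puts("getppid() denied with EPERM; the process kept running (no kill)");
        return 0;
    case DEMO_SECCOMP_UNAVAILABLE:
        puts("seccomp filters are unavailable here; nothing demonstrated");
        return 0;
    default:
        puts("unexpected outcome");
        return 1;
    }
}
```

Build with `cc -o errno_demo errno_demo.c` and run it as an ordinary user; the NO_NEW_PRIVS step is what lets an unprivileged process install the filter. The filter checks the architecture first, which a real policy must do before trusting the syscall number, and puts the deny branch before the allow-all so the denied call is the only thing the filter changes. Seen from the audit side, every such EPERM return is a candidate event, which is why a policy that relies on RET_ERRNO for routine denials will flood the log if errno is among the actions logged.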
