On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> Hello,
>
> Over the last month, the number of seccomp events in audit logs is
> skyrocketing. I have over a million events in the last 2 days. Most of this
> is generated by firefox and qt webkit.
>
> I am wondering if the audit package should ship a file for
> /usr/lib/sysctl.d/60-auditd.conf
> wherein it has
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
>
> Also, has anyone verified this sysctl is filtering audit events? Even with
> the above, I have over a million events on a 4.14.3 kernel. Firefox alone is
> generating over 50,000 events per hour.
I don't think you'd want to log errno -- AIUI, that's used regularly
by a lot of seccomp policy.
-Kees
--
Kees Cook
Pixel Security
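A small triage script, added here as an example and not code from either poster, that parses type=SECCOMP audit records, splits the logged code into its seccomp action, and shows which records a given kernel.seccomp.actions_logged value would keep versus drop (the point of Steve's question and of Kees's objection to logging errno). The log lines and process names are constructed.

```python
import re
from collections import Counter

# Action part of a seccomp return value (SECCOMP_RET_ACTION_FULL in
# linux/seccomp.h); the low 16 bits carry the data, e.g. the errno value.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
ACTION_NAMES = {
    0x80000000: "kill_process",
    0x00000000: "kill_thread",
    0x00030000: "trap",
    0x00050000: "errno",
    0x7FF00000: "trace",
    0x7FFC0000: "log",
    0x7FFF0000: "allow",
}

# Constructed sample in the shape auditd writes; not real log data.
SAMPLE_LOG = """\
type=SECCOMP msg=audit(1513200000.101:5001): auid=1000 uid=1000 gid=1000 ses=3 pid=2201 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1a2b3c4d5e code=0x50000
type=SECCOMP msg=audit(1513200000.102:5002): auid=1000 uid=1000 gid=1000 ses=3 pid=2201 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1a2b3c4d5e code=0x50000
type=SECCOMP msg=audit(1513200000.103:5003): auid=1000 uid=1000 gid=1000 ses=3 pid=2350 comm="WebKitWebProces" exe="/usr/libexec/webkit2gtk-4.0/WebKitWebProcess" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f9c8d7e6f50 code=0x50000
type=SECCOMP msg=audit(1513200000.104:5004): auid=1000 uid=1000 gid=1000 ses=3 pid=2402 comm="sandbox-helper" exe="/usr/libexec/sandbox-helper" sig=9 arch=c000003e syscall=59 compat=0 ip=0x4011a0 code=0x80000000
type=SYSCALL msg=audit(1513200000.105:5005): arch=c000003e syscall=59 success=yes exit=0
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return {field: value} for one type=SECCOMP record, else None."""
    if not line.startswith("type=SECCOMP "):
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    # Mask off the data bits so records from kernels that log the full
    # return value (not just the action) classify the same way.
    code = int(fields["code"], 16) & SECCOMP_RET_ACTION_FULL
    fields["action"] = ACTION_NAMES.get(code, f"unknown(0x{code:08x})")
    return fields

def summarize(text, actions_logged):
    """Count SECCOMP records per (comm, action) and split them into those
    a kernel.seccomp.actions_logged setting would keep and would drop."""
    kept, dropped = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_seccomp_record(line)
        if rec is None:
            continue
        bucket = kept if rec["action"] in actions_logged else dropped
        bucket[(rec["comm"], rec["action"])] += 1
    return kept, dropped
```

Run it over an `ausearch -m SECCOMP --raw` dump to see how much of the volume is errno noise from browsers before deciding what to put in the sysctl.d file.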