Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default

Monday, 11 April 2016

On Monday, April 11, 2016 10:58:06 AM Eric Paris wrote:
...
 I'm all for a way to shut up unsolicited audit messages,
especially
 seccomp with errno or trap. I think it would be best to default 'KILL'
 to on and everything else to off. I'm no so sure a sysctl is the right
 way though. Enabling more forms of 'seccomp audit' should really be a
 part of the audit policy. 
The seccomp events are very useful for people who are working with seccomp 
filters and I want to ensure that we have the ability to emit these events 
regardless of if audit is enabled, or even compiled into the kernel using 
dmesg/syslog as we do today with other auditable events, e.g. SELinux.

Because of this desire to log regardless of audit, I figured a sysctl tunable 
made more sense than an audit based filter.  As I mentioned previously, I'm 
not completely sold on the sysctl based solution, but it is the best solution 
that I can think of at the moment.  Alternatives are welcome.

-- 
paul moore
www.paul-moore.com

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default