Re: Limiting SECCOMP audit events

On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: I'm not seeing any reporting errno. The ones reporting trap are coming in over 50,000 per hour. I don't think the filter is working. [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged kill_process kill_thread errno [root@x2 ~]# date Wed Dec 13 19:24:40 EST 2017 [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event -- summary -i Event Summary Report ====================== total type ====================== 170 SECCOMP In the time it took to type the command 170 seccomp events were recorded from firefox. [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i ---- node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb uid=sgrubb gid=sgrubb ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat compat=0 ip=0x7f909c828635 code=trap ^^ trap. With the sheer amount of events being recorded, I think it's necessary to add a sysctl file to systems to suppress the logging. Especially when you consider that systemd-journal also gratuitously grabs audit logs and sends them to rsyslog. -Steve