Hello,

Over the last month, the amount of seccomp events in audit logs is sky-rocketing. I have over a million events in the last 2 days. Most of this is generated by firefox and qt webkit.

I am wondering if the audit package should ship a file for

/usr/lib/sysctl.d/60-auditd.conf

wherein it has

kernel.seccomp.actions_logged = kill_process kill_thread errno

Also, has anyone verified this sysctl is filtering audit events? Even with the above, I have over a million events on a 4.14.3 kernel. Firefox alone is generating over 50,000 events per hour.

Thanks,

-Steve