On 12/13/2017 05:58 PM, Steve Grubb wrote:
Hello,
Over the last month, the amount of seccomp events in audit logs is
sky-rocketing. I have over a million events in the last 2 days. Most of
this is generated by firefox and qt webkit.
I am wondering if the audit package should ship a file for
/usr/lib/sysctl.d/60-auditd.conf
wherein it has
kernel.seccomp.actions_logged = kill_process kill_thread errno
I agree with Kees here. IMO, you only want "kill_process kill_thread"
which is the default.
Also, has anyone verified this sysctl is filtering audit events?
Even
with the above, I have over a million events on a 4.14.3 kernel. Firefox
alone is generating over 50,000 events per hour.
Yes. I tested it a lot as the changes were being upstreamed and again
when I backported the changes to Ubuntu releases 17.10, 17.04, and 16.04
LTS. Those kernels have been released for a month and a half now and I
haven't heard of any issues.
I'll install a Fedora VM and see if I can determine what's happening.
Tyler
Thanks,
-Steve