Hello, Over the last month, the amount of seccomp events in audit logs is sky-rocketing. I have over a million events in the last 2 days. Most of this is generated by firefox and qt webkit.
I am wondering if the audit package should ship a file for /usr/lib/sysctl.d/60-auditd.conf wherein it has kernel.seccomp.actions_logged = kill_process kill_thread errno Also, has anyone verified this sysctl is filtering audit events? Even with the above, I have over a million events on a 4.14.3 kernel. Firefox alone is generating over 50,000 events per hour. Thanks, -Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
