On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <[email protected]> wrote:
> Hello,
>
> Over the last month, the amount of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of this
> is generated by firefox and qt webkit.
>
> I am wondering if the audit package should ship a file for
>
> /usr/lib/sysctl.d/60-auditd.conf
>
> wherein it has
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
>
> Also, has anyone verified this sysctl is filtering audit events? Even with
> the above, I have over a million events on a 4.14.3 kernel. Firefox alone is
> generating over 50,000 events per hour.

I don't think you'd want to log errno -- AIUI, that's used regularly by
a lot of seccomp policy.

-Kees

--
Kees Cook
Pixel Security

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
