On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <[email protected]> wrote: > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <[email protected]> wrote: >> > Hello, >> > >> > Over the last month, the amount of seccomp events in audit logs is >> > sky-rocketing. I have over a million events in the last 2 days. Most of >> > this is generated by firefox and qt webkit. >> > >> > I am wondering if the audit package should ship a file for >> > >> > /usr/lib/sysctl.d/60-auditd.conf >> > >> > wherein it has >> > >> > kernel.seccomp.actions_logged = kill_process kill_thread errno >> > >> > Also, has anyone verified this sysctl is filtering audit events? Even >> > with >> > the above, I have over a million events on a 4.14.3 kernel. Firefox >> > alone >> > is generating over 50,000 events per hour. >> >> I don't think you'd want to log errno -- AIUI, that's used regularly >> by a lot of seccomp policy. > > I'm not seeing any reporting errno. The ones reporting trap are coming in > over 50,000 per hour. I don't think the filter is working. > > [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged > kill_process kill_thread errno > [root@x2 ~]# date > Wed Dec 13 19:24:40 EST 2017 > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event > --summary -i > Event Summary Report > ====================== > total type > ====================== > 170 SECCOMP > > In the time it took to type the command 170 seccomp events were recorded > from firefox. > > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i > ---- > node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb > uid=sgrubb gid=sgrubb ses=3 > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web > Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat > compat=0 ip=0x7f909c828635 code=trap > ^^ trap. With the sheer amount of events being recorded, I think it's > necessary to add a sysctl file to systems to suppress the logging. > Especially when you consider that systemd-journal also gratuitously grabs > audit logs and sends them to rsyslog.
Looking at the kernel code, it looks like the actions_logged knob isn't really intended to filter/drop seccomp events, but rather force seccomp events to be loggged. Look at seccomp_log() to see what I mean; there is still a call to audit_seccomp() at the end. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
