On Wed, Dec 13, 2017 at 10:30 PM, Steve Grubb <[email protected]> wrote:
> On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote:
>> On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <[email protected]> wrote:
>> > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
>> >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <[email protected]> wrote:

...

>> Looking at the kernel code, it looks like the actions_logged knob
>> isn't really intended to filter/drop seccomp events,
>
> That's unfortunate. I thought this was a way to suppress generation of
> events. We have a requirement that audit events be selective by the
> administrator. We need a knob to drop some events. I guess, the only knob
> right now is the exclude filter. That is probably too coarse.
>
>> but rather force seccomp events to be logged. Look at seccomp_log() to
>> see what I mean; there is still a call to audit_seccomp() at the end.
>
> Hmm. What do we do?

I imagine we could put together a rather coarse grained action filter,
similar to what we have with "actions_logged" (maybe "actions_silent"?),
and perhaps add some additional audit filters for seccomp for those who
happen to have audit enabled. Both should be relatively easy, the
"actions_silent" field especially so.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
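The two-stage decision Paul describes above (actions listed in actions_logged have a record forced by seccomp_log(); everything else still reaches audit_seccomp(), which records only when the calling task is itself being audited) is easier to see as a small model than as a prose sentence. The following C program is an added example, not kernel source and not code from anyone in the thread: the bit values, the action-name table and the sample actions_logged strings are constructed for the model, and the SECCOMP_FILTER_FLAG_LOG refinement for the trap/errno/trace actions is deliberately omitted. It shows why trimming the knob does not suppress records for an audited task.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the seccomp_log() decision as described in the thread.
 * Bit values are constructed for this example; they are NOT the kernel's
 * SECCOMP_LOG_* constants.
 */
enum action_bit {
    ACT_KILL_PROCESS = 1u << 0,
    ACT_KILL_THREAD  = 1u << 1,
    ACT_TRAP         = 1u << 2,
    ACT_ERRNO        = 1u << 3,
    ACT_TRACE        = 1u << 4,
    ACT_LOG          = 1u << 5,
    ACT_ALLOW        = 1u << 6,
};

/* Word -> bit table for the space-separated actions_logged format. */
static const struct { const char *name; uint32_t bit; } action_names[] = {
    { "kill_process", ACT_KILL_PROCESS },
    { "kill_thread",  ACT_KILL_THREAD  },
    { "trap",         ACT_TRAP         },
    { "errno",        ACT_ERRNO        },
    { "trace",        ACT_TRACE        },
    { "log",          ACT_LOG          },
    { "allow",        ACT_ALLOW        },
};

/* Parse an actions_logged-style string ("kill_process trap errno") into a
 * bitmask. Unknown words are ignored; repeated words are harmless. */
uint32_t parse_actions_logged(const char *s)
{
    uint32_t mask = 0;

    while (*s) {
        while (*s == ' ' || *s == '\n')
            s++;
        const char *start = s;
        while (*s && *s != ' ' && *s != '\n')
            s++;
        size_t len = (size_t)(s - start);

        for (size_t i = 0; i < sizeof action_names / sizeof action_names[0]; i++) {
            if (strlen(action_names[i].name) == len &&
                strncmp(action_names[i].name, start, len) == 0)
                mask |= action_names[i].bit;
        }
    }
    return mask;
}

/* Does a SECCOMP audit record get emitted for this action?
 * Stage 1 mirrors seccomp_log(): the knob can only *force* a record.
 * Stage 2 mirrors audit_seccomp(): the task's own audit state decides. */
bool seccomp_record_emitted(uint32_t actions_logged, uint32_t action,
                            bool task_audited)
{
    if (actions_logged & action)
        return true;          /* forced by actions_logged */
    return task_audited;      /* still logged if the task is audited */
}

int main(void)
{
    /* Constructed sample knob values for the demonstration. */
    uint32_t full    = parse_actions_logged("kill_process kill_thread trap errno trace log");
    uint32_t trimmed = parse_actions_logged("kill_process kill_thread");

    printf("errno, full knob, unaudited task:    %d\n",
           seccomp_record_emitted(full, ACT_ERRNO, false));
    printf("errno, trimmed knob, unaudited task: %d\n",
           seccomp_record_emitted(trimmed, ACT_ERRNO, false));
    printf("errno, trimmed knob, audited task:   %d\n",
           seccomp_record_emitted(trimmed, ACT_ERRNO, true));
    return 0;
}
```

The third case is the one that matters for Steve's requirement: removing "errno" from the knob changes nothing for a task that audit is already tracking, which is exactly why a separate suppression control (the "actions_silent" idea, or an audit filter) is needed rather than a narrower actions_logged.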
