On 12/13/2017 05:58 PM, Steve Grubb wrote: > Hello, > > > > Over the last month, the amount of seccomp events in audit logs is > sky-rocketing. I have over a million events in the last 2 days. Most of > this is generated by firefox and qt webkit. > > > > I am wondering if the audit package should ship a file for > > > > /usr/lib/sysctl.d/60-auditd.conf > > > > wherein it has > > > > kernel.seccomp.actions_logged = kill_process kill_thread errno
I agree with Kees here. IMO, you only want "kill_process kill_thread" which is the default. > Also, has anyone verified this sysctl is filtering audit events? Even > with the above, I have over a million events on a 4.14.3 kernel. Firefox > alone is generating over 50,000 events per hour. Yes. I tested it a lot as the changes were being upstreamed and again when I backported the changes to Ubuntu releases 17.10, 17.04, and 16.04 LTS. Those kernels have been released for a month and a half now and I haven't heard of any issues. I'll install a Fedora VM and see if I can determine what's happening. Tyler > > > > Thanks, > > -Steve >
signature.asc
Description: OpenPGP digital signature
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
