[Bug 1774711] Re: excessive seccomp audit logs
On 2019-11-30 21:44:33, A. Denton wrote:
> Will the required patch set be backported to older kernels, such as Ubuntu
> 4.15.0-70.79-generic 4.15.18?

No, there are no plans to backport them at this time. If you'd like to make use of a kernel containing those patches in Ubuntu 18.04 LTS, please consider installing the enablement kernel:

https://wiki.ubuntu.com/Kernel/LTSEnablementStack#Ubuntu_18.04_LTS_-_Bionic_Beaver

> Will the patches be in 20.04 LTS (kernel >= 4.18), which is around the
> corner?

Yes. The patches landed upstream in 4.18 so they'll be in the 20.04 LTS kernel which will likely be based on upstream 5.4.

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux (Ubuntu Bionic)
   Status: New => Won't Fix

** Changed in: linux (Ubuntu Disco)
   Status: New => Fix Released

** Changed in: linux (Ubuntu)
   Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1774711

Title:
  excessive seccomp audit logs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1774711] Re: excessive seccomp audit logs
Will the required patch set be backported to older kernels, such as Ubuntu 4.15.0-70.79-generic 4.15.18?

Will the patches be in 20.04 LTS (kernel >= 4.18), which is around the corner?

NOTE: Unfortunately with issue #1774711 the use of "auditd" has become problematic on systems with SSDs, since systemd allows in-memory configuration (Storage=volatile; SplitMode=none), but auditd does not support such a complex configuration (write_logs = no; log_file = /var/log/audit/audit.log). That means with the excessive SECCOMP lines (i.e. tens/hundreds of thousands a day) we cannot re-enable auditd (sudo systemctl start|enable auditd.service) until this issue is resolved, UNLESS there is a way to make auditd not write logs to disk but continue to function properly.

We need auditd for enforcing audit.rules (complex ISO 27001, PCI-DSS, etc. compliant rulesets) and statistics (sudo aureport (-n)), which require log data stored (dmesg kernel buffer is insufficient for ISO compliant store and analysis of events and stats).

Our tests show that up to several hundred MiB of logs are written to the SSDs per day, which accumulates to approx 0.5 TiB over the course of 4 years. With in avg. 50% of the SSD cells occupied and given the models, this translates to a slightly increased wear-out of our SSDs, even when a good wear-leveling algorithm and background garbage collector is in use (our desktop models: Samsung Enterprise SSD with super capacitor mod. SM/PM863(a)).

[Bug 1774711] Re: excessive seccomp audit logs
** Tags added: cscc

[Bug 1774711] Re: excessive seccomp audit logs
For the record:

My/our signature line is: Ubuntu 4.15.0-50.54-generic 4.15.18

Messages look like this:

Jun 07 01:40:42 TDOG-ADM-AD-VM7 audit[25263]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=25263 comm="chromium-browse" exe="/usr/lib/chromium-browser/chromium-browser" sig=0 arch=c03e syscall=257 compat=0 ip=0x7f658fa04db1 code=0x5
Jun 07 01:40:42 TDOG-ADM-AD-VM7 audit[25263]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=25263 comm="chromium-browse" exe="/usr/lib/chromium-browser/chromium-browser" sig=0 arch=c03e syscall=257 compat=0 ip=0x7f658fa04db1 code=0x5
Jun 07 01:40:42 TDOG-ADM-AD-VM7 audit[25263]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=25263 comm="chromium-browse" exe="/usr/lib/chromium-browser/chromium-browser" sig=0 arch=c03e syscall=257 compat=0 ip=0x7f658fa04db1 code=0x5
Jun 07 01:40:42 TDOG-ADM-AD-VM7 audit[25263]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=25263 comm="chromium-browse" exe="/usr/lib/chromium-browser/chromium-browser" sig=0 arch=c03e syscall=257 compat=0 ip=0x7f658fa04db1 code=0x5
Jun 07 01:40:42 TDOG-ADM-AD-VM7 audit[25263]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=25263 comm="chromium-browse" exe="/usr/lib/chromium-browser/chromium-browser" sig=0 arch=c03e syscall=257 compat=0 ip=0x7f658fa04db1 code=0x5
...

Precondition is that auditd.service is started.

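The records quoted in the message above, tallied per executable, syscall number and code so the source of a SECCOMP flood can be sized before auditd is re-enabled. This is an added example, not part of the original thread: it assumes journald-style lines as quoted, the hostname `host1`, the second executable and the systemd line are constructed, and decoding unquoted `comm`/`exe` values as hex is an assumption about how audit logs strings containing spaces.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: journald-style lines in the format quoted above
# (hostname "host1", the second executable and the systemd line are made up).
_REC = ('Jun 07 01:40:42 host1 audit[25263]: SECCOMP auid=4294967295 uid=1000 '
        'gid=1000 ses=4294967295 pid=25263 comm={comm} exe={exe} sig=0 '
        'arch=c03e syscall={nr} compat=0 ip=0x7f658fa04db1 code=0x5')
CHROMIUM = '"/usr/lib/chromium-browser/chromium-browser"'
SAMPLE = [_REC.format(comm='"chromium-browse"', exe=CHROMIUM, nr=257)] * 3 + [
    _REC.format(comm='"app"', exe='2F6F70742F6D79206170702F62696E', nr=41),
    'Jun 07 01:40:43 host1 systemd[1]: Started Session 4 of user demo.',
]

def parse_seccomp(line):
    """Return the fields of one SECCOMP audit record as a dict, or None."""
    _, marker, body = line.partition(" SECCOMP ")
    if not marker:
        return None  # not a SECCOMP record
    rec = {}
    for key, val in KV.findall(body):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("comm", "exe"):
            # Assumption: an unquoted comm/exe is a hex-encoded string
            # (used when the value contains spaces or control characters).
            try:
                val = bytes.fromhex(val).decode("utf-8", "replace")
            except ValueError:
                pass  # e.g. "(null)": keep the raw value
        rec[key] = val
    return rec

def summarize(lines):
    """Count records and bytes written per (exe, syscall, code)."""
    counts, size = Counter(), Counter()
    for line in lines:
        rec = parse_seccomp(line)
        if rec is None:
            continue
        key = (rec.get("exe", "?"), rec.get("syscall", "?"), rec.get("code", "?"))
        counts[key] += 1
        size[key] += len(line.encode()) + 1  # +1 for the newline
    return counts, size

if __name__ == "__main__":
    counts, size = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, size[key], *key)
```
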
[Bug 1774711] Re: excessive seccomp audit logs
After some research I can now safely confirm this bug. However, the log lines do not seem to be related to any rules in "/etc/audit/rules.d" or AppArmor profiles loaded. %‑)

The only difference between the log lines in *this* bug report, my lines and the ones mentioned on https://bugzilla.redhat.com/show_bug.cgi?id=1507282 seems to be system-specific configuration, e.g. SELinux.

Over the past 24 hours, I also had sometimes 100 lines at once in my log when opening or reloading a web page, in a new tab in Firefox. Therefore Firefox seems to be the only "offending" application at present.

I also cleared the /etc/audit/rules.d and uninstalled the AppArmor extras packages (apparmor-profiles, apparmor-profiles-extra) with the Firefox profiles in it. Unfortunately the log lines still poured in. Therefore I also changed the abstractions for Firefox (/etc/apparmor.d/abstractions/ubuntu-browsers) and commented out everything Firefox related, to no avail. The problem is somewhere deeper and not Firefox-specific.

I hope Tyler Hicks (tyhicks) is correct and the fixes mentioned will soon be available. Due to the problem I generated several GiB of logs a day which is not so good for my SSD (even with wear-leveling).

My temporary workaround is to stop auditd, since unlike /etc/systemd/journald.conf there is no Storage=volatile option for auditd. :-0 ',:-l >:/

** Bug watch added: Red Hat Bugzilla #1507282
   https://bugzilla.redhat.com/show_bug.cgi?id=1507282

** Bug watch added: Red Hat Bugzilla #1117953
   https://bugzilla.redhat.com/show_bug.cgi?id=1117953

[Bug 1774711] Re: excessive seccomp audit logs
Oh in short my /etc/audit/rules.d/audit.rules looks like this:

-D
-b 8192
-f 1
-i
--backlog_wait_time 0
-w /etc/anacrontab -p w -k AU-FS01-0001
[some more -w `foo` -p w -k `bar` here ...]

Has someone here tried https://bugzilla.redhat.com/show_bug.cgi?id=1117953 / adding a "-a task,never" to /etc/audit/rules.d/audit.rules? Is that a bit extensive?

However, https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=326bee0286d7f6b0d780f5b75a35ea9fe489a802 looks very promising!

- /* -* Let the audit subsystem decide if the action should be audited based -* on whether the current task itself is being audited. -*/ - return audit_seccomp(syscall, signr, action); + audit_seccomp(syscall, signr, action);

Thanks Tyler! :×

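Review bot: the added call at the end of the quoted hunk discards whatever audit_seccomp() returned, and the removed comment was the only statement of who decides whether an action is audited. The quoted lines show neither what the enclosing function returns after this change nor whether audit_seccomp() became void; confirm both against the full commit, and put a short comment above the call saying where the logging decision is now made.
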
[Bug 1774711] Re: excessive seccomp audit logs
This is fixed by the following commits in the linux-next tree:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=d013db029491b49e1459d5a55ecd9ec1be1447ca
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=beb44acaf000c97d6c89de581f377df5757857f3
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=ea6eca778500b0aaf6e5f10dac4d2cd745c2a50b
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=326bee0286d7f6b0d780f5b75a35ea9fe489a802

They should be safe to backport. I'll have a look at doing so once they land in Linus' tree. Thanks for the report!

** Package changed: linux-signed (Ubuntu) => linux (Ubuntu)

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
   Status: New => Triaged

** Changed in: linux (Ubuntu)
   Assignee: (unassigned) => Tyler Hicks (tyhicks)