
RFE: provide a mechanism for tuning the seccomp records

Open · pcmoore opened this issue 9 years ago · 1 comment

We should improve/fix the seccomp logging such that we can accomplish the following two things:

  • Enable/disable logging based on the seccomp action. One idea is to set a sysctl variable to the minimum action to allow, e.g. 0x00030000 to only log TRAP and KILL.
  • Ensure proper logging, following the filter above, to dmesg/syslog when auditing is disabled.

While we've discussed this previously in various threads, the most recent to bring this up is from Andi Kleen:

  • https://lkml.org/lkml/2016/4/9/70

pcmoore avatar Apr 10 '16 22:04 pcmoore
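A model of the threshold rule proposed in the first bullet, as an added example that is not code from this issue or from the kernel: the SECCOMP_RET_* values are the kernel's own, while the threshold parameter stands in for the hypothetical sysctl. It also goes beyond the 2016 action set by including the later SECCOMP_RET_KILL_PROCESS, to show where a bare numeric threshold breaks.

```c
/* Added example: models the proposed "minimum action" logging threshold.
 * SECCOMP_RET_* values match <linux/seccomp.h>; the threshold itself is
 * a hypothetical knob passed as a parameter. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* added in later kernels */
#define SECCOMP_RET_KILL_THREAD  0x00000000U /* the original SECCOMP_RET_KILL */
#define SECCOMP_RET_TRAP         0x00030000U
#define SECCOMP_RET_ERRNO        0x00050000U
#define SECCOMP_RET_TRACE        0x7ff00000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define SECCOMP_RET_ACTION_FULL  0xffff0000U /* strips the 16 data bits */

/* Proposed rule: emit a record only when the filter's action, with its
 * data bits (errno value, SIGSYS/trace cookie) masked off, is at or
 * below the threshold. 0x00030000 keeps TRAP and the original KILL. */
static bool seccomp_should_log(uint32_t ret, uint32_t threshold)
{
    return (ret & SECCOMP_RET_ACTION_FULL) <= threshold;
}

struct action_name { const char *name; uint32_t value; };

/* Constructed sample of filter return values, some carrying data bits. */
static const struct action_name actions[] = {
    { "KILL_PROCESS", SECCOMP_RET_KILL_PROCESS },
    { "KILL_THREAD",  SECCOMP_RET_KILL_THREAD },
    { "TRAP",         SECCOMP_RET_TRAP | 0x1234 }, /* SIGSYS cookie */
    { "ERRNO",        SECCOMP_RET_ERRNO | 1 },      /* EPERM */
    { "TRACE",        SECCOMP_RET_TRACE },
    { "ALLOW",        SECCOMP_RET_ALLOW },
};

/* How many of the sample actions would produce a record at this threshold. */
static int count_logged(uint32_t threshold)
{
    int n = 0;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (seccomp_should_log(actions[i].value, threshold))
            n++;
    return n;
}

int main(void)
{
    uint32_t threshold = SECCOMP_RET_TRAP;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        printf("%-12s 0x%08x -> %s\n", actions[i].name, actions[i].value,
               seccomp_should_log(actions[i].value, threshold) ? "log" : "drop");
    /* KILL_PROCESS (0x80000000) sorts above TRAP, so it is dropped here. */
    return count_logged(threshold) == 2 ? 0 : 1;
}
```

The run with threshold 0x00030000 logs only KILL_THREAD and TRAP; KILL_PROCESS is silently excluded, which is why a per-action mask rather than a numeric floor is the safer shape for such a sysctl.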

@stevegrubb added the comment below to a duplicate issue (#71):

The seccomp trap event is probably not suitable to log by default. I think people are writing some supervisor process that inspects process integrity before allowing it to proceed. This means you can get tens of thousands of events a day, drowning out everything in the logs. In contrast, errno returns make a well-behaved program exit or otherwise stop accessing something. Same thing with terminating a process.

We need some way to limit the logging of seccomp events. Or make applications specifically enable auditing when a trap action is asked for. It should default to no logging.

pcmoore avatar Jan 29 '18 08:01 pcmoore