From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Limiting SECCOMP audit events Date: Wed, 13 Dec 2017 19:31:44 -0500 Message-ID: <2483555.uM3AbUoQxj@x2> References: <58203247.sCqcla2mis@x2> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5850651208211452881==" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Kees Cook Cc: Linux Audit List-Id: linux-audit@redhat.com This is a multi-part message in MIME format. --===============5850651208211452881== Content-Type: multipart/alternative; boundary="nextPart9118612.eFxMmO8GZk" Content-Transfer-Encoding: 7Bit This is a multi-part message in MIME format. --nextPart9118612.eFxMmO8GZk Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote: > On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb wrote: > > Hello, > > > > Over the last month, the amount of seccomp events in audit logs is > > sky-rocketing. I have over a million events in the last 2 days. Most of > > this is generated by firefox and qt webkit. > > > > I am wondering if the audit package should ship a file for > > > > /usr/lib/sysctl.d/60-auditd.conf > > > > wherein it has > > > > kernel.seccomp.actions_logged = kill_process kill_thread errno > > > > Also, has anyone verified this sysctl is filtering audit events? Even with > > the above, I have over a million events on a 4.14.3 kernel. Firefox alone > > is generating over 50,000 events per hour. > > I don't think you'd want to log errno -- AIUI, that's used regularly > by a lot of seccomp policy. I'm not seeing any reporting errno. The ones reporting trap are coming in over 50,000 per hour. I don't think the filter is working. [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged kill_process kill_thread errno [root@x2 ~]# date Wed Dec 13 19:24:40 EST 2017 [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event -- summary -i Event Summary Report ====================== total type ====================== 170 SECCOMP In the time it took to type the command 170 seccomp events were recorded from firefox. [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i ---- node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb uid=sgrubb gid=sgrubb ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat compat=0 ip=0x7f909c828635 code=trap ^^ trap. With the sheer amount of events being recorded, I think it's necessary to add a sysctl file to systems to suppress the logging. Especially when you consider that systemd-journal also gratuitously grabs audit logs and sends them to rsyslog. -Steve --nextPart9118612.eFxMmO8GZk Content-Transfer-Encoding: 7Bit Content-Type: text/html; charset="us-ascii"

On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:

> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> > Hello,

> >

> > Over the last month, the amount of seccomp events in audit logs is

> > sky-rocketing. I have over a million events in the last 2 days. Most of

> > this is generated by firefox and qt webkit.

> >

> > I am wondering if the audit package should ship a file for

> >

> > /usr/lib/sysctl.d/60-auditd.conf

> >

> > wherein it has

> >

> > kernel.seccomp.actions_logged = kill_process kill_thread errno

> >

> > Also, has anyone verified this sysctl is filtering audit events? Even with

> > the above, I have over a million events on a 4.14.3 kernel. Firefox alone

> > is generating over 50,000 events per hour.

> I don't think you'd want to log errno -- AIUI, that's used regularly

> by a lot of seccomp policy.

I'm not seeing any reporting errno. The ones reporting trap are coming in over 50,000 per hour. I don't think the filter is working.

[root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged

kill_process kill_thread errno

[root@x2 ~]# date

Wed Dec 13 19:24:40 EST 2017

[root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event --summary -i

Event Summary Report

======================

total type

======================

170 SECCOMP

In the time it took to type the command 170 seccomp events were recorded from firefox.

[root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i

----

node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb uid=sgrubb gid=sgrubb ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat compat=0 ip=0x7f909c828635 code=trap

^^ trap. With the sheer amount of events being recorded, I think it's necessary to add a sysctl file to systems to suppress the logging. Especially when you consider that systemd-journal also gratuitously grabs audit logs and sends them to rsyslog.

-Steve

--nextPart9118612.eFxMmO8GZk-- --===============5850651208211452881== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============5850651208211452881==--