Oh in short my /etc/audit/rules.d/audit.rules looks like this:

-D
-b 8192
-f 1
-i
--backlog_wait_time 0
-w /etc/anacrontab -p w -k AU-FS01-0001
[some more -w `foo` -p w -k `bar` here ...]
Has someone here tried https://bugzilla.redhat.com/show_bug.cgi?id=1117953 / adding a "-a task,never" to /etc/audit/rules.d/audit.rules? Is that a bit extensive? However, https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/kernel/seccomp.c?id=326bee0286d7f6b0d780f5b75a35ea9fe489a802 looks very promising!

- /*
- * Let the audit subsystem decide if the action should be audited based
- * on whether the current task itself is being audited.
- */
- return audit_seccomp(syscall, signr, action);
+ audit_seccomp(syscall, signr, action);

Thanks Tyler! :×

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1774711

Title:
  excessive seccomp audit logs

Status in linux package in Ubuntu:
  Triaged

Bug description:
  Hello,

  my audit logs are currently filled with messages from Firefox's seccomp filters which look like this:

type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223319): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223320): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223321): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223322): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223323): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223324): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000

  $ aa-decode 57656220436F6E74656E74
  Decoded: Web Content
  $ aa-decode 2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429
  Decoded: /usr/lib/firefox/firefox (deleted)

  Over a recent 48 hour stretch it averaged out to nearly one message per second.
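Review bot: on the seccomp.c hunk quoted above, dropping the `return` in `- return audit_seccomp(syscall, signr, action);` / `+ audit_seccomp(syscall, signr, action);` turns the call from the function's return path into a plain statement, so the enclosing function must already be void (or have a return after this point) and audit_seccomp's own return type should become void in the same series, since its value is now discarded; neither is visible in this fragment, so check the full commit for both before backporting. The deleted comment was the only statement of the old policy (audit only when the task itself is being audited) and the hunk adds nothing in its place; a one-line replacement saying that seccomp logging no longer depends on the task's audit context would save the next reader from rediscovering that from the audit side.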
My current audit rules are:

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
--loginuid-immutable
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /usr/share/zoneinfo/ -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-w /etc/audit/ -p wa -k CFG_audit
-w /var/log/audit/ -k audit-logs
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/init.d/apparmor -p wa -k MAC-policy
-w /lib/apparmor/ -p wa -k MAC-policy
-w /sbin/apparmor_parser -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libpthread.so.0 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libm.so.6 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libc.so.6 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/ld-2.23.so -p wa -k MAC-policy
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-w /etc/sysctl.d/ -p wa -k CFG_sysctl.conf
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-w /etc/modprobe.d/ -p wa -k CFG_modprobe
-a always,exit -F arch=b64 -S mount,umount2
-a always,exit -F arch=b32 -S mount,umount,umount2
-w /etc/ld.so.cache -p wa -k CFG_ld.so.conf
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-w /etc/ld.so.conf.d -p wa -k CFG_ld.so.conf
-w /etc/ld.so.preload -p wa -k CFG_ld.so.conf
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/ -p wa -k CFG_pam
-w /etc/ssh/sshd_config -k CFG_sshd_config

  It's my understanding that this is addressed in an upcoming kernel via this specific patch in a series of cleanups around seccomp logging:
  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/?h=next&id=326bee0286d7f6b0d780f5b75a35ea9fe489a802

  Please consider backporting this fix into the Bionic kernel.
  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-20-generic 4.15.0-20.21
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Fri Jun 1 12:42:04 2018
  InstallationDate: Installed on 2012-10-18 (2052 days ago)
  InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: linux-signed
  UpgradeStatus: Upgraded to bionic on 2018-05-02 (30 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
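As an added example (this is not code from the bug report, from Firefox, or from auditd), here is a small Python parser for SECCOMP audit records of the kind quoted in the report. It hex-decodes comm and exe the way aa-decode does (the kernel hex-encodes a string field when it contains a space, a double quote, or a non-printable byte, which is why "Web Content" and "... (deleted)" appear as hex while ordinary values are double-quoted), maps the code field to its SECCOMP_RET_* action using the constants from uapi/linux/seccomp.h (0x30000 is SECCOMP_RET_TRAP), and ranks the noisiest (exe, comm, syscall, action) tuples with a records-per-second rate, which is how you would measure the "nearly one message per second" figure before and after a rules or kernel change. The sample lines are constructed from the shape of the records in the report (the bash and SYSCALL lines are made up), and the x86_64 syscall-name table is an assumption that covers only the numbers that appear (4 stat, 87 unlink, 257 openat) plus execve; extend it from asm/unistd_64.h for real use.

```python
"""Parse kernel SECCOMP audit records, decode hex-encoded fields and rank
the noisiest (exe, comm, syscall, action) tuples with a records/second rate.

Added example; not from the bug report, Firefox or auditd.
"""
import binascii
import re
from collections import Counter

# Constructed sample in the shape of the records quoted in the bug report
# (the bash and SYSCALL lines are made up to exercise the other branches).
SAMPLE = """\
type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223324): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SECCOMP msg=audit(1527882170.100:223400): auid=1000 uid=1000 gid=1000 ses=1 pid=3141 comm="bash" exe="/bin/bash" sig=31 arch=c000003e syscall=59 compat=0 ip=0x7f00deadbeef code=0x80000000
type=SYSCALL msg=audit(1527882170.200:223401): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c comm="cat" exe="/bin/cat" key="identity"
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields the kernel hex-encodes (no quotes) when the value holds a space,
# a double quote or a non-printable byte; plain values are double-quoted.
HEX_FIELDS = {"comm", "exe", "proctitle"}

# SECCOMP_RET_* action values, the upper 16 bits of "code" (uapi/linux/seccomp.h).
SECCOMP_ACTIONS = {
    0x80000000: "KILL_PROCESS",
    0x00000000: "KILL_THREAD",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FF00000: "TRACE",
    0x7FFC0000: "LOG",
    0x7FFF0000: "ALLOW",
}
SECCOMP_RET_ACTION_FULL = 0xFFFF0000

# Assumption: x86_64 (arch=c000003e) numbers seen above; extend from asm/unistd_64.h.
SYSCALL_NAMES_X86_64 = {4: "stat", 59: "execve", 87: "unlink", 257: "openat"}


def decode_field(key, raw):
    """Return a field's printable value, hex-decoding it the way aa-decode does."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return binascii.unhexlify(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit line into a dict; returns None for non-SECCOMP records."""
    if not line.startswith("type=SECCOMP "):
        return None
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw in KV_RE.findall(line[m.end():]):
        rec[key] = decode_field(key, raw)
    code = int(rec.get("code", "0"), 16)
    rec["action"] = SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, "UNKNOWN")
    num = int(rec.get("syscall", "-1"))
    if rec.get("arch") == "c000003e":
        rec["syscall_name"] = SYSCALL_NAMES_X86_64.get(num, str(num))
    else:
        rec["syscall_name"] = str(num)
    return rec


def summarize(text):
    """Count (exe, comm, syscall_name, action) tuples and compute records/second."""
    recs = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    counts = Counter((r["exe"], r["comm"], r["syscall_name"], r["action"]) for r in recs)
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)) if recs else 0.0
    rate = len(recs) / span if span > 0 else float(len(recs))
    return counts, rate


if __name__ == "__main__":
    counts, rate = summarize(SAMPLE)
    print(f"{rate:.2f} SECCOMP records/second over the sample")
    for (exe, comm, sc, action), n in counts.most_common():
        print(f"{n:6d}  {exe} [{comm}] {sc} -> {action}")
```

To run it on a live system, replace SAMPLE with the output of `ausearch -m SECCOMP --raw` (read from stdin); the per-second rate over a day or two of records is the number to compare against the report's figure after trying a rules change or a patched kernel.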