| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160411215516.GK9407@two.firstfloor.org> Date: Mon, 11 Apr 2016 14:55:17 -0700 From: Andi Kleen <andi@...stfloor.org> To: Eric Paris <eparis@...hat.com> Cc: Paul Moore <paul@...l-moore.com>, Andi Kleen <andi@...stfloor.org>, linux-kernel@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>, linux-audit@...hat.com Subject: Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default On Mon, Apr 11, 2016 at 10:58:06AM -0500, Eric Paris wrote: > Just an FYI originally the idea was to follow the pattern of logging > set by core dumps see kernel/auditsc.c::audit_core_dumps(). Which is > gated by audit_enable but not anything else. I believe at that time the > only option was kill, which meant, much like the core dumper, spam was > not a likely result given the initiator is killed. Given that user space now uses audit independently for its own logging I don't think making things depend only on audit_enable is good practice anymore. > > I'm all for a way to shut up unsolicited audit messages, especially > seccomp with errno or trap. I think it would be best to default 'KILL' > to on and everything else to off. I'm no so sure a sysctl is the right > way though. Enabling more forms of 'seccomp audit' should really be a > part of the audit policy. That was my original patch -- make it conditional on syscall auditing. If that's the right approach please apply that one. -Andi
Powered by blists - more mailing lists