| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Apr 2016 21:17:46 -0400 From: Paul Moore <paul@...l-moore.com> To: Eric Paris <eparis@...hat.com> Cc: Andi Kleen <andi@...stfloor.org>, linux-kernel@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>, linux-audit@...hat.com Subject: Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default On Monday, April 11, 2016 10:58:06 AM Eric Paris wrote: > I'm all for a way to shut up unsolicited audit messages, especially > seccomp with errno or trap. I think it would be best to default 'KILL' > to on and everything else to off. I'm no so sure a sysctl is the right > way though. Enabling more forms of 'seccomp audit' should really be a > part of the audit policy. The seccomp events are very useful for people who are working with seccomp filters and I want to ensure that we have the ability to emit these events regardless of if audit is enabled, or even compiled into the kernel using dmesg/syslog as we do today with other auditable events, e.g. SELinux. Because of this desire to log regardless of audit, I figured a sysctl tunable made more sense than an audit based filter. As I mentioned previously, I'm not completely sold on the sysctl based solution, but it is the best solution that I can think of at the moment. Alternatives are welcome. -- paul moore www.paul-moore.com
Powered by blists - more mailing lists