From: Paul Moore <paul@paul-moore.com>
To: Eric Paris <eparis@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>, linux-kernel@vger.kernel.org,
        Andi Kleen <ak@linux.intel.com>, linux-audit@redhat.com
Subject: Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
Date: Mon, 11 Apr 2016 21:17:46 -0400
Message-ID: <1688459.VTSZtqjx8i@sifl>
User-Agent: KMail/4.14.10 (Linux/4.4.5-gentoo; KDE/4.14.18; x86_64; ; )
In-Reply-To: <1460390286.3268.36.camel@redhat.com>
References: <1460348008-27076-1-git-send-email-andi@firstfloor.org> <CAHC9VhTnkbU_kJbOdwTF4BW=qZTL_xR7CddCZ5CDXKNNvi_nUQ@mail.gmail.com> <1460390286.3268.36.camel@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1004
Lines: 20

On Monday, April 11, 2016 10:58:06 AM Eric Paris wrote:
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm no so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.

The seccomp events are very useful for people who are working with seccomp 
filters and I want to ensure that we have the ability to emit these events 
regardless of if audit is enabled, or even compiled into the kernel using 
dmesg/syslog as we do today with other auditable events, e.g. SELinux.

Because of this desire to log regardless of audit, I figured a sysctl tunable 
made more sense than an audit based filter.  As I mentioned previously, I'm 
not completely sold on the sysctl based solution, but it is the best solution 
that I can think of at the moment.  Alternatives are welcome.

-- 
paul moore
www.paul-moore.com