linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: log known syscall parameters when seccomp() returns SECCOMP_RET_LOG #125

Closed (max7255 closed this issue 4 years ago)

max7255 commented 4 years ago

Hi!

I noticed that seccomp's actions are audited unconditionally, even when kernel audit is completely disabled.

In fact, this is useful for tracking certain actions of a small subset of tasks (e.g. suspicious or requiring mandatory audit) without significant performance impact on other trusted processes on the host.

The seccomp filter, though, is limited, so it does not allow actual dereference of syscall arguments (e.g. sockaddr in connect). The AUDIT_SECCOMP message also does not provide useful information for deeper inspection of a particular seccomp event.

For example, we want to audit only remote connections of the user interactive session, but to allow connections to local sockets.

I wonder if it would be useful to log some well-known syscall parameters, as is done when constructing the AUDIT_SYSCALL message, so the emitted AUDIT_SECCOMP message can be easily filtered by the NETLINK_AUDIT receiver in user space.

I apologize if this RFE duplicates some of the previous discussions or ideas, but I haven't found anything related yet.

pcmoore commented 4 years ago

Hi @max7255,

We generally try to avoid duplicating information across record types; if an admin/user needs that particular information, the recommended solution is to enable the record type which provides that information.

I'm going to close this issue as I don't think this is anything we will act on, but you are welcome to continue the discussion here or on the linux-audit mailing list; the mailing list being the preferred discussion forum.
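Added example, not code from either commenter or from the audit tree, showing the limitation max7255 describes and why pcmoore's reply points at a different record type: a seccomp filter that returns SECCOMP_RET_LOG for every connect(2). It assumes x86_64 and a kernel of at least 4.14 (the first with SECCOMP_RET_LOG); the function names are the example's own.

```c
/* Added example (not from the issue or the kernel tree): seccomp filter that
 * answers SECCOMP_RET_LOG for every connect(2) on x86_64. BPF sees only the
 * raw argument registers, never the sockaddr they point to, so it cannot tell
 * loopback from remote; the AUDIT_SECCOMP record carries arch/nr/ip only. */
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U /* older uapi headers; kernel >= 4.14 */
#endif
/* Writes the filter into buf; returns the instruction count, 0 if buf is too small. */
size_t build_log_connect_filter(struct sock_filter *buf, size_t max)
{
    const struct sock_filter prog[] = {
        /* Kill on a foreign arch so the syscall number is not misread. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Log connect(2), allow the rest. args[] could be compared here as
         * integers, but the sockaddr that args[1] points to is out of reach. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof(prog) / sizeof(prog[0]);
    if (max < n) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = prog[i];
    return n;
}

/* Returns 1 if the built filter answers SECCOMP_RET_LOG for __NR_connect. */
int filter_logs_connect(void)
{
    struct sock_filter f[8];
    size_t n = build_log_connect_filter(f, 8);
    return n == 7 && f[4].k == __NR_connect && f[5].k == SECCOMP_RET_LOG;
}

/* Installs the filter on the calling thread: 0 on success, -1 with errno set. */
int install_log_connect_filter(void)
{
    struct sock_filter f[8];
    struct sock_fprog prog = { .len = (unsigned short)build_log_connect_filter(f, 8), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Once install_log_connect_filter() succeeds, every connect(2) in that thread produces one AUDIT_SECCOMP record with no address in it; the sockaddr only appears in the SYSCALL/SOCKADDR records that an audit rule on the connect syscall emits, which is the record type the reply above refers to.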
