Will the required patch set be backported to older kernels, such as Ubuntu 4.15.0-70.79-generic 4.15.18?
Will the patches be in 20.04 LTS (kernel >= 4.18), which is around the corner?

NOTE: Unfortunately, with issue #1774711 the use of "auditd" has become problematic on systems with SSDs, since systemd allows in-memory configuration (Storage=volatile; SplitMode=none), but auditd does not support such a complex configuration (write_logs = no; log_file = /var/log/audit/audit.log). That means that with the excessive SECCOMP lines (i.e. tens/hundreds of thousands a day) we cannot re-enable auditd (sudo systemctl start|enable auditd.service) until this issue is resolved, UNLESS there is a way to make auditd not write logs to disk but continue to function properly. We need auditd for enforcing audit.rules (complex ISO 27001, PCI-DSS, etc. compliant rulesets) and statistics (sudo aureport (-n)), which require the log data to be stored (the dmesg kernel buffer is insufficient for ISO compliant storage and analysis of events and stats).

Our tests show that up to several hundred MiB of logs are written to the SSDs per day, which accumulates to approx. 0.5 TiB over the course of 4 years. With on average 50% of the SSD cells occupied and given the models, this translates to a slightly increased wear-out of our SSDs, even when a good wear-leveling algorithm and background garbage collector are in use (our desktop models: Samsung Enterprise SSD with super capacitor, mod. SM/PM863(a)).

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1774711

Title:
  excessive seccomp audit logs

Status in linux package in Ubuntu:
  Triaged

Bug description:
  Hello,

  my audit logs are currently filled with messages from Firefox's seccomp filters which look like this:

  type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
  type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
  type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
  type=SECCOMP msg=audit(1527882167.687:223319): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
  type=SECCOMP msg=audit(1527882167.687:223320): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
  type=SECCOMP msg=audit(1527882167.687:223321): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
  type=SECCOMP msg=audit(1527882167.691:223322): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
  type=SECCOMP msg=audit(1527882167.691:223323): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
  type=SECCOMP msg=audit(1527882167.691:223324): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000

  $ aa-decode 57656220436F6E74656E74
  Decoded: Web Content
  $ aa-decode 2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429
  Decoded: /usr/lib/firefox/firefox (deleted)

  Over a recent 48 hour stretch it averaged out to nearly one message per second.

  My current audit rules are:

  ## This file is automatically generated from /etc/audit/rules.d
  -D
  -b 8192
  --loginuid-immutable
  -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
  -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
  -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
  -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
  -w /etc/localtime -p wa -k time-change
  -w /usr/share/zoneinfo/ -p wa -k time-change
  -w /etc/group -p wa -k identity
  -w /etc/passwd -p wa -k identity
  -w /etc/gshadow -p wa -k identity
  -w /etc/shadow -p wa -k identity
  -w /etc/security/opasswd -p wa -k identity
  -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
  -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
  -w /etc/issue -p wa -k system-locale
  -w /etc/issue.net -p wa -k system-locale
  -w /etc/hosts -p wa -k system-locale
  -w /etc/network -p wa -k system-locale
  -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
  -w /etc/audit/ -p wa -k CFG_audit
  -w /var/log/audit/ -k audit-logs
  -w /etc/apparmor/ -p wa -k MAC-policy
  -w /etc/apparmor.d/ -p wa -k MAC-policy
  -w /etc/init.d/apparmor -p wa -k MAC-policy
  -w /lib/apparmor/ -p wa -k MAC-policy
  -w /sbin/apparmor_parser -p wa -k MAC-policy
  -w /lib/x86_64-linux-gnu/libpthread.so.0 -p wa -k MAC-policy
  -w /lib/x86_64-linux-gnu/libm.so.6 -p wa -k MAC-policy
  -w /lib/x86_64-linux-gnu/libc.so.6 -p wa -k MAC-policy
  -w /lib/x86_64-linux-gnu/ld-2.23.so -p wa -k MAC-policy
  -w /var/log/tallylog -p wa -k logins
  -w /var/run/faillock/ -p wa -k logins
  -w /var/log/lastlog -p wa -k logins
  -w /var/run/utmp -p wa -k session
  -w /var/log/btmp -p wa -k session
  -w /var/log/wtmp -p wa -k session
  -w /etc/sudoers -p wa -k actions
  -w /etc/sudoers.d/ -p wa -k actions
  -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
  -w /etc/sysctl.d/ -p wa -k CFG_sysctl.conf
  -w /sbin/insmod -p x -k modules
  -w /sbin/rmmod -p x -k modules
  -w /sbin/modprobe -p x -k modules
  -w /bin/kmod -p x -k modules
  -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
  -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
  -a always,exit -F arch=b32 -S delete_module -F key=module-unload
  -a always,exit -F arch=b64 -S delete_module -F key=module-unload
  -w /etc/modprobe.d/ -p wa -k CFG_modprobe
  -a always,exit -F arch=b64 -S mount,umount2
  -a always,exit -F arch=b32 -S mount,umount,umount2
  -w /etc/ld.so.cache -p wa -k CFG_ld.so.conf
  -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
  -w /etc/ld.so.conf.d -p wa -k CFG_ld.so.conf
  -w /etc/ld.so.preload -p wa -k CFG_ld.so.conf
  -w /etc/pam.d/ -p wa -k CFG_pam
  -w /etc/security/ -p wa -k CFG_pam
  -w /etc/ssh/sshd_config -k CFG_sshd_config

  It's my understanding that this is addressed in an upcoming kernel via this specific patch in a series of cleanups around seccomp logging:
  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/?h=next&id=326bee0286d7f6b0d780f5b75a35ea9fe489a802

  Please consider backporting this fix into the Bionic kernel.

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-20-generic 4.15.0-20.21
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Fri Jun 1 12:42:04 2018
  InstallationDate: Installed on 2012-10-18 (2052 days ago)
  InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: linux-signed
  UpgradeStatus: Upgraded to bionic on 2018-05-02 (30 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
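As an added example (not part of the bug report or its comments), a Python triage script that parses SECCOMP audit records like the ones quoted above, decodes the hex-encoded comm=/exe= fields the way aa-decode does, and aggregates the flood by executable and syscall so its source and projected daily log volume can be quantified. The sample records are constructed from the report, and the small x86_64 syscall-name table is an illustrative assumption.

```python
"""Triage helper for SECCOMP audit records (added example, not from the bug report).
Decodes hex-encoded comm=/exe= fields the way aa-decode does and aggregates the flood
by executable and syscall; the x86_64 syscall table is a partial, illustrative assumption."""
import re
from collections import Counter

# Constructed sample modelled on the report's records, plus one non-SECCOMP line.
SAMPLE = """\
type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SYSCALL msg=audit(1527882168.000:223319): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/bin/bash" key="actions"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {4: "stat", 87: "unlink", 257: "openat"}  # assumption: partial table

def decode_audit_string(value):
    """Audit quotes plain strings and hex-encodes ones containing spaces or quotes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # unquoted tokens such as (null) pass through unchanged

def parse_seccomp(line):
    """Return the interesting fields of one SECCOMP record, or None for other types."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("type") != "SECCOMP":
        return None
    num = int(fields["syscall"])
    name = X86_64_SYSCALLS.get(num, str(num)) if fields["arch"] == "c000003e" else str(num)
    return {"pid": int(fields["pid"]), "comm": decode_audit_string(fields["comm"]),
            "exe": decode_audit_string(fields["exe"]), "syscall": name,
            "bytes": len(line.encode()) + 1}  # on-disk size including the newline

def summarize(text):
    """Count SECCOMP records per (exe, comm, syscall) and the bytes they occupy."""
    by_source, total_bytes = Counter(), 0
    for line in text.splitlines():
        rec = parse_seccomp(line)
        if rec:
            by_source[(rec["exe"], rec["comm"], rec["syscall"])] += 1
            total_bytes += rec["bytes"]
    return by_source, total_bytes

def daily_volume_mib(records_per_second, avg_record_bytes):
    """Project daily log growth from an observed rate (the report saw ~1 record/s)."""
    return records_per_second * 86400 * avg_record_bytes / 2 ** 20
```

Feeding /var/log/audit/audit.log through summarize() shows which executable and syscall pairs dominate, and daily_volume_mib() turns the observed record rate into the SSD write load the comment above is concerned about.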