I've got a user reporting that his gnome-shell process starts maxing out his CPU usage and his workstation appears to freeze. He has rebooted twice to get his machine back, or else goes to a different workstation, SSHes into his workstation and kills the processes consuming all the CPU.
When I look in /var/log/audit, I see that the audit logs have rolled over 3 times today, and 99% of the audit entries are of "type=SECCOMP" entries.
The pid referenced in each line is a firefox process.
I don't see any entries in the audit logs for the gnome-shell process. I believe it's the disk I/O that is killing the machine - it generated 45,000 lines of audit events in about 70 minutes.
The user workstation is running CentOS 7.7
Any idea why this is generating so much noise?
Huge number of "type=SECCOMP" audit log entries
Re: Huge number of "type=SECCOMP" audit log entries
phil.e wrote: ↑2020/02/07 21:40:03

HA!!! I indeed know what your problem is: it is called gdm. While I don't know what "type=SECCOMP" is, gdm causes things to run WILD!!
See: HELP! /var/log/Xorg.0.log Growing Wild!!
viewtopic.php?f=47&t=62294&p=274188&hil ... at#p274188
The solution is simple and elegant: DUMP GDM ASAP!!! "So...", as any reasonable person might ask, "...what do I replace gdm with?!?" The answer is lightdm. Before RH broke it, my GoTo DE that fixed the problem was SDDM, but as I said, RH broke it, so I then found lightdm.
"So..." you might ask, "...how do I install lightdm?!?" I'm glad you asked!
See: [SOLVED] Installing Lightdm on CentOS 7.5
viewtopic.php?f=47&t=67166&p=282241&hil ... dm#p282241
If you read through these two threads you will see problems very similar to yours. Once you ditch gdm the problem disappears and the AUDIT files return to within their normal boundaries, and rollover once per week.
Hope this helps.
D'Cat
Re: Huge number of "type=SECCOMP" audit log entries
I'd be worried if I were you.
"SECure COMPuting with filters" allows the filtering of syscalls to the kernel - i.e.: it reduces the kernel attack surface. It's been around since (about) 2.6.12.
As far as I remember, the default is to log "normally unused syscalls."
You don't say what's being attempted, but that's where I'd be looking.
Re: Huge number of "type=SECCOMP" audit log entries
aks - by 'worried' do you mean worried about malicious activity going on?
The system calls referenced in the log file are
sys call 2 = sys_fork
sys call 87 = sys_swapon
The process ID's appear to be Firefox processes - is Firefox maybe going a little berserk with the system calls?
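An added example, not part of the thread: every `type=SECCOMP` audit record carries an `arch=` field, and the `syscall=` number has to be decoded against that architecture's table (audit writes `arch=c000003e` for x86_64 and `arch=40000003` for i386; number 2 is `open` on x86_64 but `fork` on i386, and 87 is `unlink` on x86_64 but `swapon` on i386). The `code=` field carries the filter's SECCOMP_RET_* action, which tells you whether the filter killed, trapped, or merely logged the call. The Python below parses such records, decodes those three fields and counts events per command, the kind of summary you would run over `ausearch -m SECCOMP --raw` output to see which syscalls the Firefox sandbox filter is actually rejecting. The log lines and the partial syscall tables are constructed for the example; they are not the poster's data.

```python
import re
from collections import Counter

# Constructed sample records (NOT the poster's log). The field layout follows
# what the Linux audit subsystem writes for type=SECCOMP events; values are
# illustrative. The last line is a different record type and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(1581095160.101:4101): auid=1000 uid=1000 gid=1000 ses=3 pid=4312 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f0a1c0b2e1d code=0x30000
type=SECCOMP msg=audit(1581095160.102:4102): auid=1000 uid=1000 gid=1000 ses=3 pid=4312 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f0a1c0b2e1d code=0x30000
type=SECCOMP msg=audit(1581095160.103:4103): auid=1000 uid=1000 gid=1000 ses=3 pid=4320 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f0a1c0b2e1d code=0x30000
type=SECCOMP msg=audit(1581095160.104:4104): auid=1000 uid=1000 gid=1000 ses=3 pid=5001 comm="plugin-container" exe="/usr/lib64/firefox/plugin-container" sig=0 arch=40000003 syscall=2 compat=1 ip=0xf7f1e2b9 code=0x30000
type=SYSCALL msg=audit(1581095160.105:4105): arch=c000003e syscall=59 success=yes exit=0 pid=4400 comm="bash" exe="/usr/bin/bash"
"""

# AUDIT_ARCH_* values as they appear in the arch= field (hex, no 0x prefix).
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386"}

# Deliberately partial syscall tables: just enough to decode the sample.
# The same number means different things on the two architectures, so the
# arch field must be read before the number is looked up.
SYSCALL_NAMES = {
    "x86_64": {2: "open", 57: "fork", 87: "unlink", 167: "swapon"},
    "i386":   {2: "fork", 5: "open", 10: "unlink", 87: "swapon"},
}

# SECCOMP_RET_* action values from <linux/seccomp.h>; the action lives in
# the upper 16 bits of code=, the lower 16 bits carry data (e.g. the errno).
SECCOMP_ACTIONS = {
    0x00000000: "KILL_THREAD",
    0x80000000: "KILL_PROCESS",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7ff00000: "TRACE",
    0x7ffc0000: "LOG",
    0x7fff0000: "ALLOW",
}

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Decode one type=SECCOMP audit line; return None for any other type."""
    if not line.startswith("type=SECCOMP "):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    arch_hex = fields.get("arch", "")
    arch = AUDIT_ARCH.get(arch_hex, "unknown-arch-" + arch_hex)
    nr = int(fields["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, "syscall-%d" % nr)
    code = int(fields["code"], 16)
    action = SECCOMP_ACTIONS.get(code & 0xffff0000, "code-0x%08x" % code)
    if action == "ERRNO":
        action = "ERRNO(%d)" % (code & 0xffff)
    return {
        "pid": int(fields["pid"]),
        "comm": fields.get("comm", "?"),
        "exe": fields.get("exe", "?"),
        "arch": arch,
        "syscall": nr,
        "name": name,
        "action": action,
    }


def summarize(log_text):
    """Count SECCOMP events by (comm, arch, syscall name, action)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_seccomp_record(line)
        if rec is not None:
            counts[(rec["comm"], rec["arch"], rec["name"], rec["action"])] += 1
    return counts


if __name__ == "__main__":
    import sys
    # Pipe real data in with:  ausearch -m SECCOMP --raw | python3 seccomp_summary.py
    # With no piped input the constructed sample above is summarized instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for key, n in summarize(text).most_common():
        print("%6d  %s" % (n, "  ".join(key)))
```

On the poster's box the interesting columns are the decoded syscall name and the action: a filter that returns TRAP or ERRNO for a syscall Firefox keeps retrying will produce exactly the flood described, and the `comm`/`exe` pair distinguishes the main browser from its content and plugin processes, which run with different sandbox policies.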
Re: Huge number of "type=SECCOMP" audit log entries
> by 'worried' do you mean worried about malicious activity going on?

Well that's the general idea (and what it's there for).
I'm not aware of sys_fork() and sys_swapon() outside of bootlin (I am aware of fork(), the sys_ could be a prepend).
Well either something strange is going on or you've got a weird seccomp profile.
I associate seccomp with containers (so Docker and friends). As a starting point have a look here: https://access.redhat.com/documentation ... nd_seccomp (note it's NOT CentOS 7/RHEL7, it's the atomic version which has containers for "all the things".)
Re: Huge number of "type=SECCOMP" audit log entries
aks wrote: ↑2020/02/12 18:25:28

OK take a DEEP BREATH!! Have you done as I suggested and changed the DISPLAY MANAGER from gdm ==> lightdm?!? This is the first thing that causes things to run wild. gdm is really, REALLY bad. IF you switched your display manager and if you still have the problem, then it is time to start to worry.