On 07/18/2015 08:09 PM, Ed Greshko wrote:
> On 07/19/15 09:57, jd1008 wrote:
>> On 07/18/2015 07:53 PM, Ed Greshko wrote:
>>> On 07/19/15 09:17, jd1008 wrote:
>>>> debugfs -R 'ncheck 47972353' /dev/sda3 2>/dev/null
>>>> Inode Pathname
>>>> 47972353 //root
>>>> So, why is it trying to do that?
>>>> I am not logged in as root.
>>>> How can I find out the process(es) that spawned sh
>>>> to access /root?
>>> OK, so you have determined that the path being accessed and cited by the alert is /root.
>> Don't know if the process is still around, but supposedly it was pid=6476.
>> This is frustrating!!
>> $ ps -p 6476
>> PID TTY TIME CMD
>> $
> That should then mean that the pid= on each sealert is different. Yes?
The original I posted says:
type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat
success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0
items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh
subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
So, it says pid=6476
but by the time I see the alert, the process is gone!!
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
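As an added example (not from this thread, and not part of audit, sysstat or SELinux tooling), the Python below parses the SYSCALL record quoted in the message together with a constructed companion AVC record that carries the same event serial (644), and pulls out the fields that attribute a denial after the process has exited: ppid, comm, exe, session and SELinux domain from the SYSCALL line, and the target inode, name and type from the AVC line. The AVC record, its admin_home_t target context and the way the two lines are grouped are assumptions made for the example; on a real system the companion records of one event are what `ausearch -a 644` returns, the serial being the number after the colon in `msg=audit(time:serial)`.

```python
"""Attribute an SELinux/audit denial to its process from the log alone.

The process named by pid= is usually gone by the time sealert shows the
event, but the SYSCALL record already carries ppid, comm, exe, ses and the
SELinux domain, and the AVC record of the same event names the target.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: the SYSCALL line is the one quoted in the thread;
# the AVC line with the same serial (644) is hand-written for this example
# (the admin_home_t target context is an assumption, not taken from the thread).
SAMPLE_RECORDS = """\
type=AVC msg=audit(1437267001.953:644): avc:  denied  { read } for  pid=6476 comm="sa1" name="root" dev="sda3" ino=47972353 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")   # time.millis:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value or key="value"
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")         # { read write ... }


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus the
    record type, event serial and UTC timestamp."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    secs, _millis, serial = m.groups()
    rec = {
        "type": line.split()[0].split("=", 1)[1],
        "event_id": int(serial),
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat(),
    }
    body = line[m.end():]
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    perm = PERM_RE.search(body)
    if perm:
        rec["permissions"] = perm.group(1).split()
    return rec


def group_events(text):
    """Group records by event serial: the AVC and SYSCALL lines of one
    denial share the serial inside msg=audit(time:serial)."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def context_type(ctx):
    """The third field of an SELinux context (user:role:type:level) is the type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else None


def attribute_denial(records):
    """Summarise who did what from the records of one event. Nothing here
    needs the process to still exist, so it works after `ps -p` comes up empty."""
    by_type = {r["type"]: r for r in records}
    sysc = by_type.get("SYSCALL", {})
    avc = by_type.get("AVC", {})
    return {
        "pid": int(sysc.get("pid") or avc.get("pid") or 0),
        "ppid": int(sysc["ppid"]) if "ppid" in sysc else None,
        "session": sysc.get("ses"),
        "comm": sysc.get("comm") or avc.get("comm"),
        "exe": sysc.get("exe"),
        "syscall": sysc.get("syscall"),
        "result": sysc.get("exit"),
        "domain": context_type(sysc.get("subj") or avc.get("scontext") or ""),
        "target_type": context_type(avc.get("tcontext", "")),
        "target_name": avc.get("name"),
        "inode": int(avc["ino"]) if "ino" in avc else None,
        "permissions": avc.get("permissions", []),
    }


if __name__ == "__main__":
    for event_id, recs in sorted(group_events(SAMPLE_RECORDS).items()):
        s = attribute_denial(recs)
        print("event %d: %s (%s) pid %d, parent %s, session %s, domain %s"
              % (event_id, s["comm"], s["exe"], s["pid"], s["ppid"],
                 s["session"], s["domain"]))
        print("  denied %s on %s (type %s, inode %s) via %s -> %s"
              % (" ".join(s["permissions"]), s["target_name"], s["target_type"],
                 s["inode"], s["syscall"], s["result"]))
```

The inode in the AVC line is the same number that `debugfs -R 'ncheck ...'` resolved to /root earlier in the thread, and the parent pid can be chased further with `ausearch -p 6474` when that process was itself audited; the `ses=` value ties every record of the same login or cron session together even after all of the processes have exited.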