On 07/19/15 10:17, jd1008 wrote:
> The original I posted says:
>
> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>
> So, it says pid=6476
>
> but by the time I see the alert, the process is gone!!

Yes, that was the one you posted. You said you had others. So, the pid is different in each one, yes? The question would be, what is the frequency of sealerts? Could it correspond with a cronjob? Also, do you have sysstat-collect.timer and sysstat.service enabled in systemd?

--
If I wanted a blog or social media I'd go elsewhere
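
One way to answer the frequency question above, as an added example that is not part of the original message: parse failed SYSCALL records in the format quoted in the thread, group them by command and SELinux subject, and check whether the gaps between events are even. The function names, the tolerance value, and the second and third sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. The first record's values are those of the record
# quoted in the thread (trimmed); the other two are invented repeats with new pids.
SAMPLE = """\
type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES ppid=6474 pid=6476 comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1437267601.948:661): arch=x86_64 syscall=openat success=no exit=EACCES ppid=6590 pid=6592 comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1437268201.951:678): arch=x86_64 syscall=openat success=no exit=EACCES ppid=6709 pid=6711 comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"^type=SYSCALL msg=audit\((\d+)\.\d+:\d+\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # raw logs quote some values, e.g. comm="sa1"

def parse_denials(text):
    """Return one dict per failed SYSCALL record: epoch seconds, pid, comm, subj."""
    events = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue  # other record types, separators, blank lines
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("success") != "no":
            continue
        events.append({"ts": int(header.group(1)), "pid": fields.get("pid", "?"),
                       "comm": fields.get("comm"), "subj": fields.get("subj")})
    return events

def cadence(events, tolerance=5):
    """Group by (comm, SELinux subject); report pids and the gaps between events."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["comm"], e["subj"])].append(e)
    report = {}
    for key, evs in groups.items():
        stamps = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "count": len(evs),
            "pids": sorted({e["pid"] for e in evs}),
            "gaps_s": gaps,
            # Evenly spaced events point at a timer or cron job, not a user action.
            "regular": len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance,
        }
    return report

if __name__ == "__main__":
    for (comm, subj), info in cadence(parse_denials(SAMPLE)).items():
        print(comm, subj, info)
```

A different pid in every record together with a constant gap is the pattern a scheduled job produces; the gap can then be compared with the schedule of the timer or cron entry that starts the command.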