On 07/18/2015 08:46 PM, Ed Greshko wrote:
> On 07/19/15 10:17, jd1008 wrote:
>> The original I posted says:
>> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>> So, it says pid=6476
>> but by the time I see the alert, the process is gone!!
> Yes, that was the one you posted. You said you had others. So, the pid is different in each one, yes?
> The question would be, what is the frequency of sealerts? Could it correspond with a cronjob?
> Also, do you have sysstat-collect.timer and sysstat.service enabled in systemd?
It is gosh darned fast!!!!
Like every 2 minutes.
$ sudo systemctl -l | grep sysstat
sysstat.service loaded active exited Resets System Activity Logs
As far as cron, I do not see anything that is being run that frequently.
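The frequency question raised in the thread can be answered from the audit records themselves, since the process is gone by the time the alert appears. The following is an added example, not part of the original messages: it groups failed syscalls by command and SELinux type and reports the typical gap between them, which can then be compared with timer and cron schedules. The function names are hypothetical, the first sample record is abbreviated from the one quoted above, and the other two are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# First record is abbreviated from the one quoted in the thread; the other
# two are constructed (later timestamps, different pids) to form a series.
REC = ("type=SYSCALL msg=audit({ts}:{serial}): arch=x86_64 syscall=openat "
       "success=no exit=EACCES ppid={ppid} pid={pid} comm=sa1 exe=/usr/bin/sh "
       "subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)")
SAMPLE = "\n".join([
    REC.format(ts="1437267001.953", serial=644, ppid=6474, pid=6476),
    REC.format(ts="1437267121.950", serial=651, ppid=6530, pid=6532),  # constructed
    REC.format(ts="1437267241.957", serial=658, ppid=6588, pid=6590),  # constructed
])

HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (epoch_seconds, fields) for one audit record, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    return float(m.group(1)), dict(FIELD.findall(line))

def denial_intervals(text):
    """Group failed syscalls by (comm, SELinux type) and return the gaps,
    in whole seconds, between consecutive denials in each group."""
    times = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec[1].get("success") == "no":
            ts, f = rec
            comm = f.get("comm", "?").strip('"')  # raw logs quote comm
            setype = f.get("subj", "?:?:?").split(":")[2]
            times[(comm, setype)].append(ts)
    return {k: [round(b - a) for a, b in zip(sorted(v), sorted(v)[1:])]
            for k, v in times.items()}

def likely_period(text):
    """Median gap per group; a steady value points at a scheduled job."""
    return {k: median(v) for k, v in denial_intervals(text).items() if v}

if __name__ == "__main__":
    for (comm, setype), period in likely_period(SAMPLE).items():
        print(f"{comm} ({setype}): denial roughly every {period} s")
```

A steady period with a different pid in every record is what a timer-driven or cron-driven job produces, as opposed to one long-running process.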