On 07/18/2015 08:46 PM, Ed Greshko wrote:
On 07/19/15 10:17, jd1008 wrote:
The original I posted says:
type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
So, it says pid=6476
but by the time I see the alert, the process is gone!!
Yes, that was the one you posted. You said you had others. So, the pid is different in each one, yes?
The question would be, what is the frequency of sealerts? Could it correspond with a cronjob?
Also, do you have sysstat-collect.timer and sysstat.service enabled in systemd?
So, why is the auditd running so freaking often???
To wit (from the alert that JUST happened):
type=SYSCALL msg=audit(1437274801.754:808): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=8525 pid=8527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=37 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
Hash: sa1,sysstat_t,admin_home_t,dir,read
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
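As an added example (not from anyone in the thread), a small Python parser for SYSCALL records like the two quoted above: it pulls out the fields that still identify the process after the pid has exited (comm, exe, ppid, SELinux domain) and computes the gaps between consecutive denials, which is one way to check Ed's question of whether the alerts line up with a cron job or systemd timer. The two records from the thread are embedded as sample input (the second re-joined onto one line).

```python
import re
from collections import Counter

# Sample input: the two SYSCALL records quoted in the thread, embedded so the
# script runs offline. Real input would come from /var/log/audit/audit.log.
RECORDS = """\
type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1437274801.754:808): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=8525 pid=8527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=37 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
"""

# msg=audit(<epoch seconds>.<ms>:<serial>): carries the event time and id
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = dict(KV_RE.findall(line))
    fields["ts"] = float(m.group("ts"))        # event time as epoch seconds
    fields["serial"] = int(m.group("serial"))  # event id, ties SYSCALL to its AVC line
    return fields

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.startswith("type=")]

def failed_syscalls(records, comm=None):
    """Denied syscalls (success=no), optionally restricted to one command name."""
    return [r for r in records
            if r.get("type") == "SYSCALL" and r.get("success") == "no"
            and (comm is None or r.get("comm") == comm)]

def intervals(records):
    """Seconds between consecutive records; a regular value points at a timer or cron job."""
    ts = sorted(r["ts"] for r in records)
    return [round(b - a, 3) for a, b in zip(ts, ts[1:])]

def summarize(records):
    """Count denials by (comm, exe, SELinux domain, syscall, errno): the process is
    identifiable from the record itself even though the pid is long gone."""
    return Counter((r["comm"], r["exe"], r["subj"].split(":")[2], r["syscall"], r["exit"])
                   for r in records)

if __name__ == "__main__":
    recs = failed_syscalls(parse_log(RECORDS), comm="sa1")
    for key, n in summarize(recs).items():
        print(n, key)
    print("gaps between denials (s):", intervals(recs))
```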