On Sat, Jul 18, 2015 at 10:02 PM, jd1008 <jd1008@xxxxxxxxx> wrote:
>
>
> On 07/18/2015 08:46 PM, Ed Greshko wrote:
>>
>> On 07/19/15 10:17, jd1008 wrote:
>>>
>>> The original I posted says:
>>>
>>> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat
>>> success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0
>>> ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh
>>> subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>>>
>>> So, it says pid=6476
>>>
>>> but by the time I see the alert, the process is gone!!
>>
>> Yes, that was the one you posted. You said you had others. So, the pid
>> is different in each one, yes?
>>
>> The question would be, what is the frequency of sealerts? Could it
>> correspond with a cronjob?
>>
>> Also, do you have sysstat-collect.timer and sysstat.service enabled in
>> systemd?
>>
> So, why is the auditd running so freaking often???
>
> To wit (from the alert that JUST happened):
>
> type=SYSCALL msg=audit(1437274801.754:808): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0
> ppid=8525 pid=8527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=37 tty=(none) comm=sa1 exe=/usr/bin/sh
> subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

sa1 appears to be the culprit. It is normally run from a cronjob, typically every 10 minutes.

John
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
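The thread's point is that the pid in an audit record is useless once the short-lived process has exited, while comm, exe, the SELinux subject and the event timestamp survive and identify the recurring job. The following is an added example, not code from the thread or from the audit or sysstat projects: it parses the two SYSCALL records quoted above (plus one constructed, unrelated record so the grouping is visible), counts EACCES denials by the stable (comm, exe, subj) triple, decodes the audit timestamps to UTC and checks whether they land just after a ten-minute boundary, the footprint of a `*/10` cron entry. The function names and the third sample line are this example's own assumptions.

```python
"""Summarise audit SYSCALL denials by attributes that outlive the process."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: the two records quoted in the thread, and a
# third record fabricated here (comm=example, success=yes) to show that
# successful syscalls and other subjects are excluded from the summary.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat "
    "success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 "
    "ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 "
    "fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh "
    "subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)",
    "type=SYSCALL msg=audit(1437274801.754:808): arch=x86_64 syscall=openat "
    "success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 "
    "ppid=8525 pid=8527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 "
    "fsgid=0 ses=37 tty=(none) comm=sa1 exe=/usr/bin/sh "
    "subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)",
    "type=SYSCALL msg=audit(1437274900.000:809): arch=x86_64 syscall=openat "
    "success=yes exit=3 a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 "
    "ppid=1 pid=9000 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 "
    "fsgid=0 ses=38 tty=(none) comm=example exe=/usr/bin/example "
    "subj=system_u:system_r:init_t:s0 key=(null)",
]

# msg=audit(<seconds.millis>:<serial>) carries the event time and a serial
# that ties the SYSCALL line to its sibling records (PATH, CWD, AVC, ...).
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
# Every other token is key=value with no embedded spaces in this record type.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Return the audit record as a dict, with ts (float) and serial (int) added."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line[:40])
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = float(m.group("ts"))
    fields["serial"] = int(m.group("serial"))
    return fields


def denied(records):
    """Yield only records whose syscall failed with EACCES."""
    for r in records:
        if r.get("success") == "no" and r.get("exit") == "EACCES":
            yield r


def summarise(lines):
    """Count denials per (comm, exe, subj); these fields survive process exit,
    the pid does not."""
    counts = Counter()
    for r in denied(parse_record(line) for line in lines):
        counts[(r["comm"], r["exe"], r["subj"])] += 1
    return counts


def event_times(lines, comm):
    """UTC times of denials for one comm, for comparison with a cron schedule."""
    return [datetime.fromtimestamp(r["ts"], tz=timezone.utc)
            for r in denied(parse_record(line) for line in lines)
            if r["comm"] == comm]


def on_ten_minute_boundary(when, slack=5):
    """True if the event fired within `slack` seconds after a :x0 minute,
    which is what a */10 cron entry produces."""
    return when.minute % 10 == 0 and when.second <= slack


if __name__ == "__main__":
    for (comm, exe, subj), n in summarise(SAMPLE_RECORDS).items():
        print("%d denial(s): comm=%s exe=%s subj=%s" % (n, comm, exe, subj))
    for t in event_times(SAMPLE_RECORDS, "sa1"):
        print(t.isoformat(), "ten-minute boundary:", on_ten_minute_boundary(t))
```

Both quoted records decode to 00:50:01 and 03:00:01 UTC on 2015-07-19, one second after a ten-minute mark, which is consistent with the cron schedule John describes; with a longer log the same grouping shows how often the sysstat_t domain is denied and whether any other comm shares the pattern.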