SE alert

Ed Greshko ed.greshko at greshko.com
Sun Jul 19 02:46:15 UTC 2015


On 07/19/15 10:17, jd1008 wrote:
> The original I posted says:
>
> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>
> So, it says pid=6476
>
> but by the time I see the alert, the process is gone!! 

Yes, that was the one you posted.  You said you had others.  So, the pid is different in each one, yes?

The question would be, what is the frequency of sealerts?  Could it correspond with a cronjob?

Also, do you have sysstat-collect.timer and sysstat.service enabled in systemd?

-- 
If I wanted a blog or social media I'd go elsewhere
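
One way to answer the frequency question from saved audit records in the form quoted above, as an added example that is not part of the original message. The first sample record reuses the timestamp and pid from the quoted alert with its fields shortened; the other records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from statistics import median

AUDIT_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")  # epoch seconds of the event
FIELD_RE = re.compile(r"(\w+)=(\S+)")                   # key=value pairs

def parse_record(line):
    """Return (epoch_seconds, fields) for a SYSCALL record, else None."""
    m = AUDIT_RE.search(line)
    if not m or not line.startswith("type=SYSCALL"):
        return None
    return int(m.group(1)), dict(FIELD_RE.findall(line))

def denial_schedule(lines, tolerance=5):
    """Group failed syscalls by (comm, subj) and summarise their timing."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec and rec[1].get("success") == "no":
            ts, f = rec
            groups[(f.get("comm"), f.get("subj"))].append((ts, f.get("pid")))
    report = {}
    for key, events in groups.items():
        stamps = sorted(ts for ts, _ in events)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue  # a single event says nothing about frequency
        period = round(median(gaps) / 60) * 60  # nearest whole minute
        periodic = period > 0 and all(
            min(g % period, period - g % period) <= tolerance for g in gaps)
        report[key] = {
            "events": len(events),
            "distinct_pids": len({pid for _, pid in events}),
            "period_s": period,
            "periodic": periodic,
            # seconds past each period boundary; small values suggest a scheduler
            "offset_s": sorted({ts % period for ts in stamps}) if periodic else None,
        }
    return report

# Constructed sample: only the first timestamp and pid come from the quoted alert.
_T = ("type=SYSCALL msg=audit({ts}:{n}): arch=x86_64 syscall=openat success=no "
      "exit=EACCES pid={pid} uid=0 comm=sa1 exe=/usr/bin/sh "
      "subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)")
SAMPLE = [_T.format(ts=t, n=n, pid=p) for t, n, p in [
    ("1437267001.953", 644, 6476), ("1437267601.871", 661, 6702),
    ("1437268201.902", 678, 6931), ("1437268802.015", 695, 7160)]]
SAMPLE.append(SAMPLE[0].replace("success=no exit=EACCES", "success=yes exit=3"))

if __name__ == "__main__":
    for key, info in denial_schedule(SAMPLE).items():
        print(key, info)
```

A different pid on every event combined with a steady period and a near-zero offset is the pattern a cron job or systemd timer would produce.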

