SE alert

jd1008 jd1008 at gmail.com
Sun Jul 19 02:57:52 UTC 2015



On 07/18/2015 08:46 PM, Ed Greshko wrote:
> On 07/19/15 10:17, jd1008 wrote:
>> The original I posted says:
>>
>> type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
>>
>> So, it says pid=6476
>>
>> but by the time I see the alert, the process is gone!!
> Yes, that was the one you posted.  You said you had others.  So, the pid is different in each one, yes?
>
> The question would be, what is the frequency of sealerts?  Could it correspond with a cronjob?
>
> Also, do you have sysstat-collect.timer and sysstat.service enabled in systemd?
>
It is gosh darned fast!!!!
Like every 2 minutes.

$ sudo systemctl -l | grep sysstat
sysstat.service loaded active exited    Resets System Activity Logs

As far as cron, I do not see anything that is being run that frequently.
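Since the pid in each record belongs to a process that has already exited, the way to answer Ed's frequency question is to correlate the denials on the fields that do survive across runs (comm, exe, the SELinux type, syscall and exit code) and look at the spacing of their timestamps. The following is an added example, not code from the thread; the records it parses are the quoted one plus two constructed follow-ups with hypothetical serials, pids and timestamps 120 s apart.

```python
import re
from collections import defaultdict

# Constructed sample: the record quoted in the thread plus two hypothetical later
# ones with new serials, pids and session ids, 120 s apart, same confined domain.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1437267001.953:644): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6474 pid=6476 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=22 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)",
    "type=SYSCALL msg=audit(1437267121.971:658): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6601 pid=6603 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=23 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)",
    "type=SYSCALL msg=audit(1437267241.948:672): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4fcb93 a2=80800 a3=0 items=0 ppid=6744 pid=6746 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=24 tty=(none) comm=sa1 exe=/usr/bin/sh subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)",
]

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")   # msg=audit(epoch.ms:serial):
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="quoted value"

def parse_record(line):
    """Turn one audit SYSCALL record into a dict; (null)/(none) become None."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    rest = line[:m.start()] + line[m.end():]   # everything except the msg=audit(...) token
    for key, val in KV_RE.findall(rest):
        rec[key] = None if val in ("(null)", "(none)") else val.strip('"')
    if rec.get("subj"):                         # SELinux context: user:role:type:range
        _user, _role, stype, _range = rec["subj"].split(":", 3)
        rec["subj_type"] = stype
    return rec

def stable_key(rec):
    """Fields that identify the denial across short-lived processes; the pid does not."""
    return (rec.get("comm"), rec.get("exe"), rec.get("subj_type"),
            rec.get("syscall"), rec.get("exit"))

def denial_intervals(lines):
    """Group failed syscalls by stable key; return seconds between consecutive denials."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec.get("success") == "no":
            by_key[stable_key(rec)].append(rec["timestamp"])
    return {k: [round(b - a, 1) for a, b in zip(ts, ts[1:])]
            for k, ts in ((k, sorted(v)) for k, v in by_key.items())}

def looks_periodic(intervals, tolerance=5.0):
    """True when every gap is within `tolerance` s of the first: a timer/cron signature."""
    return len(intervals) >= 2 and all(abs(i - intervals[0]) <= tolerance for i in intervals)
```

On a real host the input would be the SYSCALL lines from `ausearch` or `/var/log/audit/audit.log`; a regular gap from `denial_intervals` is what to compare against the schedule of the sysstat timer or any cron entry.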
