About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory on why the alert is appearing?
I.e. freespace override = ran out of space and purged logs?
Is there a document or something that would explain what these alerts mean?
For a complete listing of the events that triggered this alarm please execute the following command (All on one line):
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___
Note: Due to rounding error and network traffic patterns, the above command
may produce more events than were included in this alarm.
The following are the last 1 events seen:
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___
2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___
2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___
2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
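An added example, not part of the original post and not McAfee's own tooling: a small Python parser for audit records in the exact layout quoted above. It splits the alert text into one record per timestamp header, accepts both word orders the reason line uses ("wanted perm" / "perm wanted"), decodes the hex permission masks, computes which bits were requested but not granted, counts records per event kind and command, and rebuilds the acat hint line for a record. The four sample records are copied from the post; field names come from those records, and the idea that the denied bits are the useful triage value is the author's assumption.

```python
"""Parse Type Enforcement audit records in the format quoted in the alert e-mail.

Field names (pid, cmd, srcdmn, filedom, tgtdmn, ...) are taken from the records
in the post. Treating 'wanted & ~granted' as the denied permission set is an
assumption made for triage, not a documented McAfee semantic.
"""
import re

# Constructed sample: the four records quoted in the post, copied verbatim.
# The leading acat hint line is included to show that non-record lines are skipped.
SAMPLE_ALERTS = """\
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override
2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat
2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
    r"(?P<facility>\S+) (?P<area>\S+) (?P<type>\S+) (?P<priority>\S+)$")
EVENT_RE = re.compile(r"^event: (?P<kind>\w+ violation)\s*(?P<rest>.*)$")
# The reason line appears with two word orders in the post; accept both.
REASON_RE = re.compile(
    r"^reason: OP: (?P<op>\S+) (?:wanted perm|perm wanted): (?P<wanted>\S+) "
    r"(?:granted perm|perm granted): (?P<granted>\S+)$")
PERM_RE = re.compile(r"^(?P<hex>0x[0-9a-fA-F]+)(?:<(?P<names>[^>]*)>)?$")
KV_RE = re.compile(r"([a-z_]+): ('[^']*'|\S+)")


def parse_perm(token):
    """'0x9<read,execute>' -> {'bits': 9, 'names': ['read', 'execute']}."""
    m = PERM_RE.match(token)
    names = m.group("names").split(",") if m.group("names") else []
    return {"bits": int(m.group("hex"), 16), "names": names}


def parse_records(text):
    """Return one dict per audit record; lines that are not part of a record are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hm = HEADER_RE.match(line)
        if hm:
            cur = dict(hm.groupdict())
            records.append(cur)
            continue
        if cur is None or not re.match(r"^[a-z_]+: ", line):
            continue  # acat hints, "Note:" text, blank lines
        em, rm = EVENT_RE.match(line), REASON_RE.match(line)
        if line.startswith("information: "):
            cur["information"] = line[len("information: "):]
        elif em:
            cur["event"] = em.group("kind")
            cur.update(dict(KV_RE.findall(em.group("rest"))))
        elif rm:
            cur["op"] = rm.group("op")
            cur["wanted"] = parse_perm(rm.group("wanted"))
            cur["granted"] = parse_perm(rm.group("granted"))
            # Bits requested but not granted: what the policy actually refused.
            cur["denied_bits"] = cur["wanted"]["bits"] & ~cur["granted"]["bits"]
        else:
            cur.update({k: v.strip("'") for k, v in KV_RE.findall(line)})
    return records


def acat_command(rec):
    """Rebuild the acat hint the alert prints for a record (same format as in the e-mail)."""
    stamp = re.sub(r"\D", "", rec["ts"][:19])  # '2016-03-18 04:02:33' -> '20160318040233'
    return ('acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) '
            f'and stime {stamp} and etime {stamp}" /var/log/audit.raw')


def summarize(records):
    """Count records per (event kind, command) so repeat offenders stand out."""
    counts = {}
    for r in records:
        key = (r.get("event", "?"), r.get("cmd", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ALERTS)
    for r in recs:
        print(f"{r['ts']} {r['cmd']:<12} {r['event']:<14} {r['op']:<16} "
              f"denied=0x{r['denied_bits']:x} {r['wanted']['names']} -> {r['information']}")
    print(summarize(recs))
```

Feeding the whole alert e-mail body to parse_records works as-is because the header regex decides where each record starts; the per-record acat_command output matches the hint lines the alert already contains, so it can be used to pull the surrounding events from /var/log/audit.raw for a record that recurs.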