About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory as to why the alert is appearing?
i.e. freespace override = ran out of space and purged logs?
Is there a document or something that would explain what these alerts mean?
For a complete listing of the events that triggered this alarm please execute the following command (All on one line):
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___
Note: Due to rounding error and network traffic patterns, the above command
may produce more events than were included in this alarm.
The following are the last 1 events seen:
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___
2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___
2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___
2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
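A small parser for alarm records in the format quoted above, added here as an example (it is not part of the post and not the product's own tooling). It splits each record into its fields and computes which permission bits were requested but not granted, so that a record with "granted: 0x9<read,execute>" is still recognized as a denied exec (0x2000): the comparison is done on the bits, not on the names. The positional names for the header line are assumed.

```python
import re

# Constructed input: three of the alarm records quoted in the post above.
SAMPLE = """\
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
"""

# Both word orders in the post ("perm wanted: 0x2<write>", "wanted perm: 0x80<rootness>"); <names> optional.
PERM_RE = re.compile(r"(?:perm (wanted|granted)|(wanted|granted) perm): (0x[0-9a-f]+)(?:<([^>]*)>)?", re.I)
KV_RE = re.compile(r"(\w+): ('[^']*'|\S+)")

def parse_record(block):
    """Parse one t_attack record; 'missing' holds the permission bits that were denied."""
    lines = block.strip().splitlines()
    head = lines[0].split()                      # assumed layout: date time tz facility area type priority
    rec = {"time": " ".join(head[:3]), "type": head[5], "priority": head[6]}
    for line in lines[1:]:
        key, _, rest = line.partition(": ")
        if key == "reason":
            rec["op"] = re.search(r"OP: (\S+)", rest).group(1)
            for m in PERM_RE.finditer(rest):
                which = m.group(1) or m.group(2)
                rec[which] = int(m.group(3), 16)
                rec[which + "_names"] = m.group(4).split(",") if m.group(4) else []
        elif key == "information":               # free text such as "Exec /usr/bin/mailq"
            rec["information"] = rest
        else:                                    # "key: value" pairs: pid, cmd, srcdmn, filedom, ...
            rec.update((k, v.strip("'")) for k, v in KV_RE.findall(line))
    # Compare bits, not names: 0x9<read,execute> does not satisfy 0x2000<exec>.
    rec["missing"] = rec["wanted"] & ~rec["granted"]
    return rec

def parse_all(text):
    return [parse_record(b) for b in re.split(r"\n\s*\n", text.strip())]
```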