Question on email alerts

About a month ago I got our email alerts working. I'm now seeing some of the below alerts appear. I was wondering if the information field is self-explanatory on why the alert is appearing?

i.e. freespace override = ran out of space and purged logs?

Is there a document or something that would explain what these alerts mean?

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
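The event records in the alert e-mails above follow a fixed line layout: a timestamp and tag header, then pid/logid/cmd, hostname/category, the event line with its domains, a reason line with the wanted and granted permission masks, and an information line. As an added example that is not part of the original post or of McAfee's tooling, the Python below parses the four records quoted above (embedded as constructed sample input), computes which permission bits were requested but not granted, regenerates the acat filter command in the form the e-mail itself suggests for each event's timestamp, and tallies events by violation kind and source domain. The AuditEvent field names, treating the perm values as bitmasks, and the summary keys are this example's assumptions; the acat invocation is the one printed in the alerts, not an independently verified acat syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four "last 1 events seen" records quoted in the post,
# in the line layout the alert e-mail uses. Blank lines between records are tolerated.
SAMPLE = """
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat
2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
"""

HEADER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([+-]\d{4}) (\S+) (\S+) (\S+) (\S+)$")
PROC_RE = re.compile(r"^pid: (\d+) logid: (\d+) cmd: '([^']*)'$")
EVENT_RE = re.compile(r"^event: (\w+) violation (.*)$")
KV_RE = re.compile(r"(\w+): (\S+)")
# The alerts print the permission keys in two word orders ("wanted perm" and
# "perm wanted"); both appear in the records above, so accept either.
REASON_RE = re.compile(
    r"^reason: OP: (\S+) (?:wanted perm|perm wanted): (0x[0-9a-fA-F]+)(?:<([^>]*)>)?"
    r" (?:granted perm|perm granted): (0x[0-9a-fA-F]+)(?:<([^>]*)>)?$"
)


@dataclass
class AuditEvent:
    timestamp: str            # "YYYY-MM-DD HH:MM:SS" as printed in the alert
    tz: str                   # e.g. "-0500"
    tags: List[str]           # f_kernel a_tepm t_attack p_major
    pid: int
    logid: int
    cmd: str
    hostname: str
    category: str
    kind: str                 # dom / ddt / dit (assumed names for the violation classes)
    domains: Dict[str, str]   # srcdmn plus tgtdmn or filedom/filetype, whichever are present
    op: str
    wanted: int               # perm masks treated as bitmasks (assumption)
    wanted_names: str
    granted: int
    granted_names: str
    information: str

    def missing_perms(self) -> int:
        """Permission bits requested but not held: wanted AND NOT granted."""
        return self.wanted & ~self.granted

    def acat_command(self, audit_file: str = "/var/log/audit.raw") -> str:
        """Rebuild the acat filter the alert e-mail suggests, pinned to this event's second."""
        stamp = re.sub(r"[- :]", "", self.timestamp)   # 2016-03-18 04:02:33 -> 20160318040233
        expr = ("(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) "
                f"and stime {stamp} and etime {stamp}")
        return f'acat -a -e "{expr}" {audit_file}'


def _parse_record(lines: List[str]) -> Optional[AuditEvent]:
    """Parse one record (header line plus its field lines); None if a mandatory line is missing."""
    head = HEADER_RE.match(lines[0])
    proc = host = event = reason = None
    info = ""
    for line in lines[1:]:
        if line.startswith("pid:"):
            proc = PROC_RE.match(line)
        elif line.startswith("hostname:"):
            host = dict(KV_RE.findall(line))
        elif line.startswith("event:"):
            event = EVENT_RE.match(line)
        elif line.startswith("reason:"):
            reason = REASON_RE.match(line)
        elif line.startswith("information:"):
            info = line[len("information:"):].strip()
    if not (head and proc and host and event and reason):
        return None   # incomplete or unrecognised record: skip rather than guess fields
    return AuditEvent(
        timestamp=head.group(1), tz=head.group(2), tags=list(head.groups()[2:]),
        pid=int(proc.group(1)), logid=int(proc.group(2)), cmd=proc.group(3),
        hostname=host.get("hostname", ""), category=host.get("category", ""),
        kind=event.group(1), domains=dict(KV_RE.findall(event.group(2))),
        op=reason.group(1),
        wanted=int(reason.group(2), 16), wanted_names=reason.group(3) or "",
        granted=int(reason.group(4), 16), granted_names=reason.group(5) or "",
        information=info,
    )


def parse_alert_events(text: str) -> List[AuditEvent]:
    """Split alert text into records (each starts with a timestamp header) and parse them."""
    records: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return [ev for ev in (_parse_record(r) for r in records) if ev is not None]


def summarize(events: List[AuditEvent]) -> Dict[str, int]:
    """Count events by violation kind and source domain, e.g. {'ddt/User': 1}."""
    counts: Dict[str, int] = {}
    for ev in events:
        key = f"{ev.kind}/{ev.domains.get('srcdmn', '?')}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Fed the body of a saved alert e-mail, parse_alert_events gives one AuditEvent per record; missing_perms() isolates the bits that were refused (0x2 for the vscanupdate write, 0x2000 for the tcsh exec of /usr/bin/mailq), and acat_command() reproduces the exact command line the alert asks you to run, which is only meaningful on the firewall itself where /var/log/audit.raw lives.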
