Question about questionable auth.log entries.

tac-shell · 01-21-2013, 09:42 PM

First of all I like to say hi to everyone out there in the community. I've found countless solutions to my many frustration as I've learned to use linux. But this is the first time I've had a question specific enough to warrant a post of my own.

So I was looking over some old auth.log entries on my Debian server (squeeze) and I noticed the following two lines:

Code:

Nov 23 06:25:01 hesiod CRON[3969]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 23 06:26:50 hesiod su[4122]: Successful su for nobody by root
Nov 23 06:26:50 hesiod su[4122]: + ??? root:nobody
Nov 23 06:26:50 hesiod su[4122]: pam_unix(su:session): session opened for user nobody by (uid=0)
Nov 23 06:27:16 hesiod su[4122]: pam_unix(su:session): session closed for user nobody

The second line is really the one that is the most troubling. If I'm not mistaken (which may very well be the case) the ??? should be the TTY device that was used for the session.

gilead · 01-21-2013, 10:10 PM

Have you checked for entries in other logs with the same timestamp? Since it's changing to nobody from root, it could be a normal part of something's startup.

vishesh · 01-22-2013, 04:46 AM

Check your crontab entries if some script or job scheduled to perform this .

Thanks

tac-shell · 01-22-2013, 11:03 PM

I took your suggestion gilead and wrote a script that searched through all the logs in /var/log for the time stamp of the entries in my original excerpt and the only thing that was found was the original three lines that had piqued my interest. However, when I searched for the "+ ???" string I was able to find the following three lines:

Code:

Jan 18 06:37:59 hesiod su[2815]: Successful su for nobody by root
Jan 18 06:37:59 hesiod su[2815]: + ??? root:nobody
Jan 18 06:37:59 hesiod su[2815]: pam_unix(su:session): session opened for user nobody by (uid=0)

So what ever wrote these entries has recurred recently.

Vishesh, currently my crontab for root is empty on this machine. Is there another place were tasks for the cron daemon would be stored?

unSpawn · 01-23-2013, 08:21 AM

Try

Code:

grep -r /etc/crontab /etc/cron*/ -e "su ";

tac-shell · 01-23-2013, 07:58 PM

unSpawn, I ran the command you suggested and found:

Code:

/etc/cron.daily/popularity-contest:	su -s /bin/sh -c "/usr/sbin/popularity-contest" nobody

Which would explain the su to nobody by root. However, this entry is listed under cron.daily so why aren't there daily records of this command being run in the auth.log? In any case it seems that those lines are no cause for alarm.

unSpawn · 01-23-2013, 08:20 PM

Quote:

Originally Posted by tac-shell

However, this entry is listed under cron.daily so why aren't there daily records of this command being run in the auth.log?

Because of the priority / facility assigned to user auth by the system and how /etc/(r)syslog(-ng).conf is configured to log that in which log file?

Quote:

Originally Posted by tac-shell

In any case it seems that those lines are no cause for alarm.

It does seem so. Should you wish to investigate things further have a look at 'man crond' for debug settings, SAR like Atop, Dtstat or Collectl and the audit service.