Hi, I have the auth.log given below and I do not understand most of it. I googled around for a while to understand the cron:sessions happening regularly but I could not find anything useful. Also, the successful su for www-data is another thing. If anybody could explain what is causing these it would be great. By the way, I was sleeping while this auth.log was occurring, so I did not get online. Thank you...
P.S.: I am using Debian Lenny. Installed a couple of weeks ago...
Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session closed for user root
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2151]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:04 hdd su[2151]: pam_unix(su:session): session closed for user www-data
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root
Well, the CRON lines are for a cron job that runs as root.
The "su" lines are when a user needs to do something as another user. Here, it appears that root's cron that executed at Jan 9 06:25:01 had to do some stuff with apache (so it does it as the 'www-data' user to be safe). Notice the 06:25:01 CRON entry says "session opened for root", then a bunch of other "su" stuff, then @ 06:26:02 you see another CRON entry with "session closed for root". So all that was what happened in root's cron. In other words, nothing to worry about.
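The reading described in the reply above (su entries that fall between a CRON "session opened" and "session closed" belong to that cron job) can be checked mechanically. This is an added example, not part of the original thread; the function names and the last sample log line are constructed for illustration.

```python
import re

# Constructed sample: the first six lines come from the thread's auth.log; the
# last line is invented to show a su that no open cron session accounts for.
SAMPLE = """\
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root
Jan 9 07:02:11 hdd su[2290]: Successful su for www-data by root
""".splitlines()

LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w+)\[(\d+)\]:\s+(.*)$")
CRON = re.compile(r"pam_unix\(cron:session\): session (opened|closed) for user (\S+)")
SU = re.compile(r"Successful su for (\S+) by (\S+)")

def correlate(lines):
    """Return (time, target, source, cron_pid) per successful su; cron_pid is
    None when no cron session for the invoking user was open at that point."""
    open_cron = {}  # CRON pid -> user the session was opened for
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a syslog-style line; skip it
        when, prog, pid, msg = m.groups()
        c, s = CRON.search(msg), SU.search(msg)
        if prog == "CRON" and c:
            state, user = c.groups()
            if state == "opened":
                open_cron[pid] = user
            else:
                open_cron.pop(pid, None)  # tolerate a close with no open
        elif prog == "su" and s:
            target, source = s.groups()
            # Heuristic: auth.log records no parent PID, so attribute the su
            # to any cron session currently open for the invoking user.
            owner = next((p for p, u in open_cron.items() if u == source), None)
            results.append((when, target, source, owner))
    return results

def unexplained(lines):
    """su events that did not occur inside an open cron session."""
    return [r for r in correlate(lines) if r[3] is None]

if __name__ == "__main__":
    for when, target, source, owner in correlate(SAMPLE):
        origin = f"cron session pid {owner}" if owner else "NO open cron session"
        print(f"{when} su {source}->{target}: {origin}")
```

Entries returned by `unexplained()` are the ones worth a closer look, since nothing in the log ties them to a scheduled job.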
The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid.
Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab
Thanks for the advice, but
# crontab -u www-data -l says
no crontab for www-data
Isn't that weird??
Actually, my root device is a USB disk and I do not want those regular messages to appear. I do not want my USB disk to wear out soon. Any advice to prevent those messages?
These have nothing to do with the messages in auth.log; they are used by the system.
Cron jobs also live in /etc/cron.*
Do you have Apache running?
No, I use lighttpd instead. I found the problem, by the way. It was in cron.d. It was php5, closing sessions every 30 mins (9,39), so I commented that line out also. After that the problem was solved. No more lines like that, but I do not know if it causes a problem for me.