Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233
unusual auth.log entry, should i be worried?
Trying to investigate why a machine crashed, this line appears in the auth.log; is this a problem?
Code:
Oct 18 04:21:01 Radio-One CRON[4092]: pam_unix(cron:session): session closed for user smmsp
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session closed for user root
Oct 18 04:40:01 Radio-One CRON[4133]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 04:41:01 Radio-One CRON[4133]: pam_unix(cron:session): session closed for user smmsp
Oct 18 05:00:01 Radio-One CRON[4163]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 05:01:02 Radio-One CRON[4163]: pam_unix(cron:session): session closed for user smmsp

Oct 18 10:58:49 Radio-One sshd[871]: Received signal 15; terminating.
Oct 18 10:58:49 Radio-One sshd[1248]: Server listening on 0.0.0.0 port 22.
Oct 18 10:58:49 Radio-One sshd[1248]: Server listening on :: port 22.
Oct 18 11:01:19 Radio-One gdm-session-worker[1173]: pam_unix(gdm-autologin:session): session opened for user jock by (uid=0)
Oct 18 11:01:19 Radio-One gdm-session-worker[1173]: pam_ck_connector(gdm-autologin:session): nox11 mode, ignoring PAM_TTY :0
Oct 18 11:01:20 Radio-One sshd[874]: Received signal 15; terminating.
Oct 18 11:01:20 Radio-One sshd[1322]: Server listening on 0.0.0.0 port 22.
Oct 18 11:01:20 Radio-One sshd[1322]: Server listening on :: port 22.
Oct 18 11:01:21 Radio-One polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.21 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Oct 18 11:01:22 Radio-One dbus-daemon: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.26" (uid=1000 pid=1353 comm="nautilus ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply=0 destination=":1.4" (uid=0 pid=912 comm="/usr/sbin/console-kit-daemon --no-daemon "))
That it is, but I should mention that there are similar gaps in other log files. What are the chances of this being an attempt to cover tracks?
If and when you question system integrity, you don't want to talk about "chances" but properly investigate the cause instead. And unless there are other anomalies you haven't told us about, I wouldn't immediately attribute it to malice but check SAR data for resource bottlenecks first.
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233
Original Poster
Quote:
Originally Posted by unSpawn
If and when you question system integrity, you don't want to talk about "chances" but properly investigate the cause instead. And unless there are other anomalies you haven't told us about, I wouldn't immediately attribute it to malice but check SAR data for resource bottlenecks first.
Sorry, indeed. I forgot to mention the indication of device eth0 going in and out of promiscuous mode.
Actually, there clearly should have been a log in there every 20 minutes from cron, but that's gone. Anything in messages about syslogd dying? That would cover gaps in multiple files.
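The point made above is that the 20-minute cron cadence is a built-in heartbeat: if auth.log is silent for much longer than that, either nothing ran or nothing was logged, and the same window checked in messages/syslog tells you which. The script below is an added example, not code from this thread or from any poster; it parses classic syslog-format lines (the same format as the excerpt), reports every silence longer than a chosen threshold, counts how many cron runs should have landed inside it, and notes whether the first entry after the gap is a daemon start/stop message. The sample log is constructed to mirror the excerpt, the year is an assumption (syslog omits it), and the 20-minute period is taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the auth.log excerpt in this thread (not the
# poster's full log): smmsp cron sessions every 20 minutes, then nothing until
# sshd is restarted almost six hours later.
SAMPLE_LOG = """\
Oct 18 04:20:01 Radio-One CRON[4090]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 04:21:01 Radio-One CRON[4090]: pam_unix(cron:session): session closed for user smmsp
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 18 04:39:01 Radio-One CRON[4124]: pam_unix(cron:session): session closed for user root
Oct 18 04:40:01 Radio-One CRON[4133]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 04:41:01 Radio-One CRON[4133]: pam_unix(cron:session): session closed for user smmsp
Oct 18 05:00:01 Radio-One CRON[4163]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 18 05:01:02 Radio-One CRON[4163]: pam_unix(cron:session): session closed for user smmsp
Oct 18 10:58:49 Radio-One sshd[871]: Received signal 15; terminating.
Oct 18 10:58:49 Radio-One sshd[1248]: Server listening on 0.0.0.0 port 22.
Oct 18 11:01:19 Radio-One gdm-session-worker[1173]: pam_unix(gdm-autologin:session): session opened for user jock by (uid=0)
"""

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message".
# There is no year field, so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=2011):
    """Parse one syslog line into a dict, or return None if it does not match.
    The year is an assumption; year rollover inside one file is not handled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog"),
            "pid": m.group("pid"), "msg": m.group("msg")}


def find_gaps(log_text, max_silence=timedelta(minutes=20), year=2011):
    """Return (last_entry_before, first_entry_after) pairs for every stretch
    where consecutive entries are further apart than max_silence."""
    entries = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    return [(prev, cur) for prev, cur in zip(entries, entries[1:])
            if cur["ts"] - prev["ts"] > max_silence]


def missing_cron_runs(gap, period=timedelta(minutes=20)):
    """Count the periodic runs that should have been logged inside the gap,
    stepping forward from the last entry seen before the silence began."""
    prev, cur = gap
    n, t = 0, prev["ts"] + period
    while t < cur["ts"]:
        n += 1
        t += period
    return n


def gap_report(log_text, year=2011):
    """Summarise each gap: its bounds, length, missing cron runs, and whether
    the log resumes with a daemon stopping or (re)starting, which is what a
    reboot or service restart looks like from auth.log alone."""
    report = []
    for prev, cur in find_gaps(log_text, year=year):
        silence = cur["ts"] - prev["ts"]
        msg = cur["msg"].lower()
        report.append({
            "from": prev["ts"].isoformat(sep=" "),
            "to": cur["ts"].isoformat(sep=" "),
            "silence_minutes": int(silence.total_seconds() // 60),
            "missing_cron_runs": missing_cron_runs((prev, cur)),
            "daemon_restart_after_gap": "listening" in msg or "terminating" in msg,
        })
    return report


if __name__ == "__main__":
    import sys
    # Usage: python gaps.py /var/log/auth.log  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for g in gap_report(text):
        print(g)
```

Run it against auth.log and then against messages (or syslog) for the same day. If the reported windows line up across files, the logging pipeline or the whole host stopped for that period, which is the "syslogd dying" case raised above and should be checked against SAR data and the messages file before anything else; a gap that exists only in auth.log points at something narrower, such as cron or PAM itself.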