LinuxQuestions.org


frenchn00b 12-31-2007 12:45 PM

(pam_unix) session opened for user root by (uid=0)
 
Hello guys,

I have Debian Stable (Etch). I indeed love its stability.

I have the following auth.log message:
http://nopaste.debianforum.de/7093

and this /etc/crontab
Code:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *  root    run-parts --report /etc/cron.hourly
25 6    * * *  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.monthly
#

# no crontab -l for root


I noted that apache2 went ON 2 days ago, switched on, in ps -aux with www-data.
Is that normal? What should I try to check?

I have fail2ban installed but no idea how it works.

digen 01-01-2008 07:18 AM

It appears there is a cron configured which runs a script every 12 minutes.

Quote:

Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session opened for user root by (uid=0)
Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session closed for user root
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session opened for user root by (uid=0)
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session closed for user root
I found the information below in the Debian Security Manual:


Quote:

11.2.3 I found users doing 'su' in my logs: Am I compromised?

You might find lines in your logs like:

Apr 1 09:25:01 server su[30315]: + ??? root-nobody
Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (uid=0)

Don't worry too much, check out if this is due to a job running through the cron (usually /etc/cron.daily/find or logrotate):

$ grep 25 /etc/crontab
25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
$ grep nobody /etc/cron.daily/*
find:cd / && updatedb --localuser=nobody 2>/dev/null
http://www.linuxsecurity.com/docs/ha...o/ch11.en.html
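As an added example (not from the thread or the Debian manual), the following script does the manual's "grep 25 /etc/crontab" check systematically: it picks the CRON "session opened" entries out of auth.log and reports which /etc/crontab jobs were actually due at that minute. The sample log and crontab are constructed from the lines posted above, and the year is assumed to be 2007 since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample input: the auth.log entries quoted in the thread (year assumed to be 2007).
AUTH_LOG = """Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session opened for user root by (uid=0)
Dec 3 12:17:01 garfield CRON[11651]: (pam_unix) session closed for user root
Dec 3 12:39:01 garfield CRON[11655]: (pam_unix) session opened for user root by (uid=0)"""
# Constructed copy of the /etc/crontab posted in the question (long comment header dropped).
CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user  command
17 *    * * *  root    run-parts --report /etc/cron.hourly
25 6    * * *  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.monthly"""
LOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d):(\d\d):\d\d \S+ CRON\[\d+\]: \(pam_unix\) session opened for user (\S+)")

def field_matches(field, value, lo, hi):
    """True if a cron field ('*', '5', '1,15', '1-5', '*/10') covers value."""
    for part in field.split(","):
        spec, _, step = part.partition("/")
        a, b = (lo, hi) if spec == "*" else map(int, spec.split("-")) if "-" in spec else (int(spec),) * 2
        if a <= value <= b and (value - a) % int(step or 1) == 0:
            return True
    return False

def parse_crontab(text):
    """Yield (min, hour, dom, mon, dow, user, command) for each job line of a system crontab."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) == 7 and not line.lstrip().startswith("#"):  # skips blanks, comments, SHELL=/PATH=
            yield tuple(fields)

def job_due(when, m, h, dom, mon, wd):
    """True if the schedule covers `when` (dom and dow both restricted: either matches; dow 0 or 7 = Sunday)."""
    dows = {0, 7} if when.isoweekday() == 7 else {when.isoweekday()}
    dom_ok = field_matches(dom, when.day, 1, 31)
    dow_ok = any(field_matches(wd, d, 0, 7) for d in dows)
    day_ok = (dom_ok or dow_ok) if (dom != "*" and wd != "*") else (dom_ok and dow_ok)
    return (day_ok and field_matches(m, when.minute, 0, 59)
            and field_matches(h, when.hour, 0, 23) and field_matches(mon, when.month, 1, 12))

def explain_sessions(auth_log, crontab_text, year):
    """Map each CRON 'session opened' entry to the crontab jobs due at that minute (empty list: unexplained)."""
    jobs = list(parse_crontab(crontab_text))
    out = []
    for m in filter(None, map(LOG_RE.match, auth_log.splitlines())):
        mon, day, hh, mm, user = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}", "%Y %b %d %H:%M")
        cmds = [cmd for *sched, u, cmd in jobs if u == user and job_due(when, *sched)]
        out.append((when.strftime("%b %d %H:%M"), user, cmds))
    return out
```

For the sample above the 12:17 session is accounted for by the hourly run-parts job, while the 12:39 session matches nothing in /etc/crontab; such an entry still has to be traced through the other places cron reads jobs from (/etc/cron.d/ and the per-user crontabs) before it can be called explained.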

