Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
First of all I'd like to say hi to everyone out there in the community. I've found countless solutions to my many frustrations as I've learned to use Linux. But this is the first time I've had a question specific enough to warrant a post of my own.
So I was looking over some old auth.log entries on my Debian server (squeeze) and I noticed the following two lines:
Code:
Nov 23 06:25:01 hesiod CRON[3969]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 23 06:26:50 hesiod su[4122]: Successful su for nobody by root
Nov 23 06:26:50 hesiod su[4122]: + ??? root:nobody
Nov 23 06:26:50 hesiod su[4122]: pam_unix(su:session): session opened for user nobody by (uid=0)
Nov 23 06:27:16 hesiod su[4122]: pam_unix(su:session): session closed for user nobody
The second line is really the one that is the most troubling. If I'm not mistaken (which may very well be the case) the ??? should be the TTY device that was used for the session.
Have you checked for entries in other logs with the same timestamp? Since it's changing to nobody from root, it could be a normal part of something's startup.
I took your suggestion, gilead, and wrote a script that searched through all the logs in /var/log for the time stamp of the entries in my original excerpt, and the only thing that was found was the original three lines that had piqued my interest. However, when I searched for the "+ ???" string I was able to find the following three lines:
Code:
Jan 18 06:37:59 hesiod su[2815]: Successful su for nobody by root
Jan 18 06:37:59 hesiod su[2815]: + ??? root:nobody
Jan 18 06:37:59 hesiod su[2815]: pam_unix(su:session): session opened for user nobody by (uid=0)
So whatever wrote these entries has recurred recently.
Vishesh, currently my crontab for root is empty on this machine. Is there another place where tasks for the cron daemon would be stored?
unSpawn, I ran the command you suggested and found:
Code:
/etc/cron.daily/popularity-contest: su -s /bin/sh -c "/usr/sbin/popularity-contest" nobody
Which would explain the su to nobody by root. However, this entry is listed under cron.daily so why aren't there daily records of this command being run in the auth.log? In any case it seems that those lines are no cause for alarm.
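To make the check above repeatable, here is a small triage script, added to this thread as an example and not code from the original posters. It parses the `+ tty from:to` records that su writes (`???` means su had no controlling terminal, which is exactly what a cron job looks like), correlates each one with a `pam_unix(cron:session)` open for the same user within a time window, and cross-checks the target account against the `su` invocations found in cron scripts (the same thing `grep -r su /etc/cron*` turns up). The auth.log lines and cron script contents embedded below are constructed from the excerpts in this thread plus a few invented entries (an interactive su, a tty-less su to root, a tty-less su with no explanation); the hostname, PIDs and account names in the invented lines are assumptions.

```python
"""Triage su records in auth.log whose tty field is '???' (no controlling
terminal) by correlating them with cron sessions and with the su commands
found in cron scripts.  Example code added to this thread; all sample data
below is constructed and modelled on the excerpts in the thread."""
import re
import shlex
from datetime import datetime

# Constructed auth.log sample (not real data): the thread's cron/su lines plus
# an interactive su, a tty-less su *to* root, and a tty-less su nothing explains.
SAMPLE_AUTH_LOG = """\
Nov 23 06:25:01 hesiod CRON[3969]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 23 06:26:50 hesiod su[4122]: Successful su for nobody by root
Nov 23 06:26:50 hesiod su[4122]: + ??? root:nobody
Nov 23 06:26:50 hesiod su[4122]: pam_unix(su:session): session opened for user nobody by (uid=0)
Nov 23 06:27:16 hesiod su[4122]: pam_unix(su:session): session closed for user nobody
Nov 23 22:14:03 hesiod su[5210]: Successful su for root by alice
Nov 23 22:14:03 hesiod su[5210]: + /dev/pts/1 alice:root
Nov 24 03:41:57 hesiod su[6001]: Successful su for root by www-data
Nov 24 03:41:57 hesiod su[6001]: + ??? www-data:root
Nov 24 04:02:11 hesiod su[6100]: Successful su for backup by root
Nov 24 04:02:11 hesiod su[6100]: + ??? root:backup
"""

# Constructed stand-ins for cron scripts (what `grep -r su /etc/cron*` would read).
SAMPLE_CRON_SCRIPTS = {
    "/etc/cron.daily/popularity-contest":
        '#!/bin/sh\nsu -s /bin/sh -c "/usr/sbin/popularity-contest" nobody\n',
    "/etc/cron.daily/logrotate":
        "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
}

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SU_TTY_RE = re.compile(r"^\+ (?P<tty>\S+) (?P<src>[^:\s]+):(?P<dst>\S+)$")  # "+ tty from:to"
CRON_OPEN_RE = re.compile(r"^pam_unix\(cron:session\): session opened for user (?P<user>\S+) by \(uid=\d+\)$")
SU_OPTS_WITH_ARG = {"-s", "--shell", "-c", "--command"}


def parse_ts(s):
    """Syslog timestamps carry no year; year 1900 is fine for deltas within one
    log (a Dec->Jan wrap would need the year added)."""
    return datetime.strptime(s, "%b %d %H:%M:%S")


def su_target_from_command(cmd):
    """Return the account a `su` command line switches to (root when none is
    given), or None if the command is not su."""
    toks = shlex.split(cmd)
    if not toks or toks[0].rsplit("/", 1)[-1] != "su":
        return None
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in SU_OPTS_WITH_ARG:
            i += 2            # option plus its argument
        elif t.startswith("-"):
            i += 1            # '-', '-l', '-p', ... take no argument
        else:
            return t          # first bare word is the target user
    return "root"


def expected_su_targets(cron_scripts):
    """Map target user -> set of cron scripts that su to it."""
    targets = {}
    for name, body in cron_scripts.items():
        for line in body.splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = re.search(r"(?:^|[;&|(\s])(su\s.*)$", line)
            if not m:
                continue
            try:
                user = su_target_from_command(m.group(1))
            except ValueError:    # unbalanced quotes in the shell line
                continue
            if user:
                targets.setdefault(user, set()).add(name)
    return targets


def triage_su_events(auth_log, cron_targets, window_s=600):
    """Classify each '+ tty from:to' su record.  Verdicts: interactive (real
    tty); cron-privilege-drop (tty '???', target named in a cron script, cron
    session for the source user opened within window_s); cron-script-match-
    no-session (script explains it but no cron session nearby: widen the
    window, check anacron/at); escalation-no-tty (tty-less su *to* root);
    unexplained-no-tty (nothing on hand accounts for it)."""
    cron_opens, events = [], []
    for line in auth_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["prog"] == "CRON":
            c = CRON_OPEN_RE.match(m["msg"])
            if c:
                cron_opens.append((ts, c["user"]))
        elif m["prog"] == "su":
            s = SU_TTY_RE.match(m["msg"])
            if s:
                events.append({"ts": ts, "pid": int(m["pid"]), "tty": s["tty"],
                               "src": s["src"], "dst": s["dst"]})
    for ev in events:
        recent_cron = any(u == ev["src"] and 0 <= (ev["ts"] - t).total_seconds() <= window_s
                          for t, u in cron_opens)
        if ev["tty"] != "???":
            ev["verdict"] = "interactive"
        elif ev["dst"] == "root":
            ev["verdict"] = "escalation-no-tty"
        elif ev["dst"] in cron_targets and recent_cron:
            ev["verdict"] = "cron-privilege-drop"
        elif ev["dst"] in cron_targets:
            ev["verdict"] = "cron-script-match-no-session"
        else:
            ev["verdict"] = "unexplained-no-tty"
        ev["scripts"] = sorted(cron_targets.get(ev["dst"], ()))
    return events


if __name__ == "__main__":
    for ev in triage_su_events(SAMPLE_AUTH_LOG, expected_su_targets(SAMPLE_CRON_SCRIPTS)):
        print(ev["ts"].strftime("%b %d %H:%M:%S"), "su[%d]" % ev["pid"], ev["tty"],
              "%s:%s" % (ev["src"], ev["dst"]), "->", ev["verdict"], ev["scripts"])
```

Two things worth noting when running this against a real auth.log. The `pam_unix(cron:session)` line is written when cron starts the job, so with run-parts walking /etc/cron.daily it can be minutes earlier than the su that a script deep in the alphabet performs; searching for the exact timestamp of the su (as was done above) will miss it, which is why the script matches on a window. On Debian the default /etc/crontab runs cron.daily at 06:25, which lines up with the 06:25:01 CRON session in the original excerpt. The verdict ordering deliberately flags any tty-less su to root before checking cron scripts, since that is the pattern that deserves a look regardless of what cron is doing.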
Quote:
Originally Posted by tac-shell
However, this entry is listed under cron.daily so why aren't there daily records of this command being run in the auth.log?
Because of the priority / facility assigned to user auth by the system and how /etc/(r)syslog(-ng).conf is configured to log that in which log file?
Quote:
Originally Posted by tac-shell
In any case it seems that those lines are no cause for alarm.
It does seem so. Should you wish to investigate things further have a look at 'man crond' for debug settings, SAR like Atop, Dstat or Collectl and the audit service.