LinuxQuestions.org

aspedisca 01-09-2009 02:30 PM

Understanding auth.log
 
Hi, I have the auth.log given below and I do not understand most of it. I googled around for a while to understand the cron:sessions happening regularly, but I could not find anything useful. Also, the successful su for www-data is another thing. If anybody could explain what is causing these, it would be great. By the way, I was sleeping while this auth.log was occurring, so I did not get online. Thank you...

P.S.: I am using Debian lenny. Installed a couple of weeks ago...


Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session closed for user root
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2151]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:04 hdd su[2151]: pam_unix(su:session): session closed for user www-data
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root

BrianK 01-09-2009 05:00 PM

Well, the CRON lines are for a cron job that runs as root.

The "su" lines are when a user needs to do something as another user. Here, it appears that root's cron that executed at Jan 9 06:25:01 had to do some stuff with apache (so it does it as the 'www-data' user to be safe)... Notice the 06:25:01 CRON entry says "session opened for root", then a bunch of other "su" stuff, then at 06:26:02 you see another CRON entry with "session closed for root"... So all that was what happened in root's cron. In other words, nothing to worry about. ;)
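
Added example (not part of the original thread): a short Python script that applies the reasoning in the reply above, matching each "Successful su" line to a cron session of the calling user whose open/close window contains it. The log lines are copied from the excerpt in the first post except the last one, which is constructed to show an su that no cron session explains; the year 2009 and all function names are assumptions of this example.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
CRON = re.compile(r"pam_unix\(cron:session\): session (opened|closed) for user (\S+)")
SU = re.compile(r"Successful su for (\S+) by (\S+)")

# From the auth.log excerpt in the first post; the final line is constructed.
SAMPLE = """\
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root
Jan 9 07:02:11 hdd su[2290]: Successful su for www-data by root
""".splitlines()

def parse_ts(stamp, year=2009):
    # Classic syslog timestamps carry no year; 2009 is assumed from the post date.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(lines):
    """Return (time, su_pid, target, caller, cron_pid or None) per su event."""
    sessions, su_events = {}, []   # sessions: cron pid -> [user, opened, closed]
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, prog, pid, msg = parse_ts(m[1]), m[2], int(m[3]), m[4]
        if prog == "CRON" and (c := CRON.search(msg)):
            if c[1] == "opened":
                sessions[pid] = [c[2], ts, None]   # None: not closed yet
            elif pid in sessions:
                sessions[pid][2] = ts
        elif prog == "su" and (s := SU.search(msg)):
            su_events.append((ts, pid, s[1], s[2]))
    out = []
    for ts, pid, target, caller in su_events:
        # Heuristic: a time overlap is a strong hint, not proof cron spawned the su.
        hit = next((cp for cp, (user, start, end) in sessions.items() if user == caller
                    and start <= ts and (end is None or ts <= end)), None)
        out.append((ts.strftime("%H:%M:%S"), pid, target, caller, hit))
    return out

def unexplained(lines):  # su events that fall outside every cron session
    return [e for e in correlate(lines) if e[4] is None]

if __name__ == "__main__": print(*correlate(SAMPLE), sep="\n")
```

An su that comes back with no matching cron PID is the one to trace further, for example by checking /etc/crontab and /etc/cron.* for the job that ran at that time.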

repo 01-09-2009 05:01 PM

The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid.
Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab

aspedisca 01-09-2009 05:39 PM

Quote:

Originally Posted by repo (Post 3402949)
The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid.
Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab

Thanks for the advice, but
# crontab -u www-data -l says
no crontab for www-data

Isn't that weird??
Actually my root device is a USB disk and I do not want those regular messages to appear. I do not want my USB disk to wear out soon. Any advice to prevent those messages?

aspedisca 01-09-2009 06:18 PM

#17 * * * * root cd / && run-parts --report /etc/cron.hourly
#25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$

I commented out those lines. I think this will stop the messages from happening again. Is what I did here OK?

repo 01-10-2009 03:02 AM

Quote:

I commented out those lines. I think this will stop the messages from happening again. Is what I did here OK?

These have nothing to do with the messages in auth.log; they are used by the system.
Cron jobs also live in /etc/cron.*

Do you have Apache running?

aspedisca 01-11-2009 12:03 AM

Quote:

Originally Posted by repo (Post 3403323)
These have nothing to do with the messages in auth.log; they are used by the system.
Cron jobs also live in /etc/cron.*

Do you have Apache running?

No, I use lighttpd instead. I found the problem, by the way. It was in cron.d. It was php5, closing sessions every 30 mins (9,39), so I commented out that line also. After that the problem was solved. No more lines like that, but I do not know if it causes a problem for me.

