By: paulday

Weird CRON logs appearing for no reason

May 3, 2015 5.7k views
Security PHP Ubuntu

Hey, today I found a bunch of strange CRON log activity in my auth.log file. Anyone know what this is about? I checked and I don't have any CRON jobs running...

May  3 06:37:30 EngageLive CRON[7350]: pam_unix(cron:session): session closed for user root
May  3 06:39:01 EngageLive CRON[7588]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 06:39:01 EngageLive CRON[7588]: pam_unix(cron:session): session closed for user root
May  3 06:47:01 EngageLive CRON[7601]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 06:47:02 EngageLive CRON[7601]: pam_unix(cron:session): session closed for user root
May  3 07:09:01 EngageLive CRON[7631]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 07:09:01 EngageLive CRON[7631]: pam_unix(cron:session): session closed for user root
May  3 07:17:01 EngageLive CRON[7644]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 07:17:01 EngageLive CRON[7644]: pam_unix(cron:session): session closed for user root
May  3 07:39:01 EngageLive CRON[7647]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 07:39:01 EngageLive CRON[7647]: pam_unix(cron:session): session closed for user root
May  3 08:09:01 EngageLive CRON[7660]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 08:09:01 EngageLive CRON[7660]: pam_unix(cron:session): session closed for user root
May  3 08:17:01 EngageLive CRON[7672]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 08:17:01 EngageLive CRON[7672]: pam_unix(cron:session): session closed for user root
May  3 08:39:01 EngageLive CRON[7675]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 08:39:01 EngageLive CRON[7675]: pam_unix(cron:session): session closed for user root
May  3 09:09:01 EngageLive CRON[7687]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 09:09:01 EngageLive CRON[7687]: pam_unix(cron:session): session closed for user root
May  3 09:17:01 EngageLive CRON[7699]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 09:17:01 EngageLive CRON[7699]: pam_unix(cron:session): session closed for user root
May  3 09:39:01 EngageLive CRON[7702]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 09:39:01 EngageLive CRON[7702]: pam_unix(cron:session): session closed for user root
May  3 10:09:01 EngageLive CRON[7715]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 10:09:02 EngageLive CRON[7715]: pam_unix(cron:session): session closed for user root
May  3 10:17:01 EngageLive CRON[7727]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 10:17:01 EngageLive CRON[7727]: pam_unix(cron:session): session closed for user root
May  3 10:39:01 EngageLive CRON[7730]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 10:39:01 EngageLive CRON[7730]: pam_unix(cron:session): session closed for user root
May  3 11:09:01 EngageLive CRON[7742]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 11:09:01 EngageLive CRON[7742]: pam_unix(cron:session): session closed for user root
May  3 11:17:01 EngageLive CRON[7754]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 11:17:01 EngageLive CRON[7754]: pam_unix(cron:session): session closed for user root
May  3 11:39:01 EngageLive CRON[7758]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 11:39:01 EngageLive CRON[7758]: pam_unix(cron:session): session closed for user root
May  3 12:09:01 EngageLive CRON[7770]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 12:09:01 EngageLive CRON[7770]: pam_unix(cron:session): session closed for user root
May  3 12:17:01 EngageLive CRON[7782]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 12:17:01 EngageLive CRON[7782]: pam_unix(cron:session): session closed for user root
May  3 12:39:01 EngageLive CRON[7785]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 12:39:01 EngageLive CRON[7785]: pam_unix(cron:session): session closed for user root
1 Answer

@paulday

To resolve this, log in to the CLI and cd to

/etc/pam.d

In your favorite editor of choice, open:

common-session-noninteractive

Find:

session required pam_unix.so

Above it, add:

session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid

and then restart CRON:

/etc/init.d/cron restart

I had this bookmarked as a client of mine was asking a similar question not too long ago :).

Source: http://languor.us/cron-pam-unix-cron-session-session-opened-closed-user-root-uid0
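
Before silencing these lines, it helps to confirm that every cron session in auth.log corresponds to a scheduled job you recognize. The following is an added example, not part of the original question or answer: it matches `session opened` lines in the log format shown above against system-crontab entries by minute, hour and user. The log lines, the crontab entries and the `example-cleanup` path are constructed; day-of-month, month and day-of-week fields are ignored.

```python
import re

# Constructed auth.log lines in the format shown in the question.
SAMPLE_LOG = """\
May  3 06:39:01 host CRON[7588]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 06:39:01 host CRON[7588]: pam_unix(cron:session): session closed for user root
May  3 07:09:01 host CRON[7631]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 07:17:01 host CRON[7644]: pam_unix(cron:session): session opened for user root by (uid=0)
May  3 08:23:01 host CRON[7673]: pam_unix(cron:session): session opened for user root by (uid=0)
"""
# Constructed system-crontab entries (minute hour dom mon dow user command).
SAMPLE_CRONTAB = """\
17 * * * * root run-parts /etc/cron.hourly
09,39 * * * * root /usr/local/bin/example-cleanup
"""

OPENED = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):\d\d \S+ CRON\[\d+\]: "
                    r"pam_unix\(cron:session\): session opened for user (\S+)")

def field_values(field, lo, hi):
    """Expand one numeric cron field (*, lists, ranges, steps) to a set of ints."""
    out = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        start, _, end = (f"{lo}-{hi}" if rng == "*" else rng).partition("-")
        out.update(range(int(start), int(end or start) + 1, int(step or 1)))
    return out

def explain_sessions(log_text, crontab_text):
    """Map each (hour, minute, user) session to the crontab commands due then."""
    jobs = []
    for line in crontab_text.splitlines():
        f = line.split(None, 6)
        if len(f) == 7 and not line.lstrip().startswith("#"):
            jobs.append((field_values(f[0], 0, 59), field_values(f[1], 0, 23), f[5], f[6]))
    result = {}
    for line in log_text.splitlines():
        m = OPENED.match(line)
        if m:
            hh, mm, user = int(m.group(1)), int(m.group(2)), m.group(3)
            result[(hh, mm, user)] = [cmd for mins, hrs, u, cmd in jobs
                                      if mm in mins and hh in hrs and u == user]
    return result

def unexplained(log_text, crontab_text):
    """Session times with no matching crontab entry: the ones to look at first."""
    return sorted(k for k, v in explain_sessions(log_text, crontab_text).items() if not v)
```

On a real host, pass the contents of /var/log/auth.log and the concatenated /etc/crontab and /etc/cron.d/* files; per-user crontabs have no user column and would need that field added before matching.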
