6

Two times every minute I get this in auth.log:

May 12 15:21:01 ruptai CRON[25303]: pam_unix(cron:session): session opened for user root by (uid=0)
May 12 15:21:01 ruptai CRON[25303]: pam_unix(cron:session): session closed for user root

This never stops, two times every minute, every minute of every day.

I've no idea what it is, I would just to stop it from pointless logging this stuff. This has been going on for ages so I can't recall when it started.

OS is debian stable.

Btw, I've found questions on google but no answers

Update:

On /etc/pam.d/ there are, among other things, four files named common-* that are included by the others.

common-auth:

auth    required        pam_unix.so md5

common-account:

account required        pam_unix.so md5

common-session:

session required        pam_unix.so md5

common-password:

password   required   pam_unix.so nullok obscure min=4 max=8 md5

(I tried adding that line to common-session but to no avail)

o0'.
  • 411
  • 5
  • 20

3 Answers3

6

Javier gave a Debian specific answer there: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=293272#36

I added this at the beginning of /etc/pam.d/cron on a Lenny system and it worked (I restarted cron but I don't know if that was necessary):

session     [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
Michaël Witrant
  • 358
  • 3
  • 6
  • Note that the linked page specifies that the edit should occur in /etc/pam.d/common-session-noninteractive ; /etc/pam.d/cron (as well as /etc/pam.d/samba) @include this file. – mikewaters Jun 23 '11 at 18:44
  • I had this problem licked, somehow, but a recent upgrade of the Debian distro to a new release reverted the change. Looking at `/etc/pam` backups, it's not obvious what I had done; it wasn't the above, though. – Kaz Jul 17 '14 at 23:26
  • This solution, as presented, is not working on Debian Squeeze. mikewaters above has the right clue. – Kaz Jul 31 '14 at 22:33
  • will this change survive against pam updates? – filippo Mar 10 '21 at 07:24
3

This is the relevant portion of /etc/pam.d/password-auth on a Fedora system with a silent crond:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The important line is the third one. Put that in the appropriate location in Debian's PAM config and that should shut it up.

Ignacio Vazquez-Abrams
  • 45,939
  • 6
  • 79
  • 84
0

i would guess there's a crontab'd task for root, either in root's crontab or the system-wide cron files, that runs every minute.

once you locate that task, you can maybe adjust it so it doesn't run every minute.

i'm wondering what the concern is, if this continues? if /var is low on disk-space you could set up log rotation to be a little more aggressive with auth.log, and compress every day (should compress to a very small size, since the lines are nearly identical).

for general log monitoring egrep -v 'session (opened|closed) for user root' would filter out all those messages...

cpbills
  • 2,720
  • 18
  • 12
  • 1
    The concern is simply one of "order" and "good practice". It's not a useful log, so there's no reason to keep it. There are reasons to remove it, so I want to remove it. Simple as that :) – o0'. May 13 '10 at 09:01
  • The nuisance logs go to `auth.log` which I often look at for messages related to intrusion attempts, generated by security tools. The nuisance logs add clutter which makes the log harder to read. – Kaz Jul 17 '14 at 23:24