5

CentOS 6, Parallels PLESK 10.4, Apache

One of my servers went down over the weekend much to my dismay. On the day and time it occurred, my log errors/messages end with this -

/var/log/secure:

Jul 29 03:53:15 u######## su: PAM adding faulty module: 
  /lib64/security/pam_fprintd.so
Jul 29 03:53:15 u######## su: pam_unix(su-l:session): 
  session opened for user popuser by (uid=0)
Jul 29 03:53:16 u######## su: pam_unix(su-l:session): 
  session closed for user popuser
Jul 29 03:53:16 u######## su: PAM unable to dlopen(/lib64/security/pam_fprintd.so):
 /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or
 directory
Jul 29 03:53:16 u######## su: PAM adding faulty module: 
 /lib64/security/pam_fprintd.so
Jul 29 03:53:16 u######## su: pam_unix(su-l:session):
 session opened for user popuser by (uid=0)
Jul 29 03:53:18 u######## su: pam_unix(su-l:session): 
 session closed for user popuser

then immediately afterwards,

/var/log/messages:

Jul 29 03:53:21 u######## kernel: imklog 4.6.2, log source = /proc/kmsg started.
Jul 29 03:53:21 u######## rsyslogd: [origin software="rsyslogd" swVersion="4.6.2"
 x-pid="1370" x-info="http://www.rsyslog.com"] (re)start

/var/log/messages (of that day):

Jul 29 03:53:21 u######## rsyslogd: [origin software="rsyslogd" swVersion="4.6.2"
 x-pid="1370" x-info="http://www.rsyslog.com"] rsyslogd was HUPed,type 'restart'.
Jul 29 03:53:21 u######## kernel: Kernel logging (proc) stopped.

And from /var/log/cron

Jul 29 03:53:20 u######## run-parts(/etc/cron.daily)[29257]: starting awstats
Jul 29 03:53:20 u######## run-parts(/etc/cron.daily)[32242]: finished awstats
Jul 29 03:53:20 u######## run-parts(/etc/cron.daily)[29257]: starting logrotate

That's the last message I get before the server goes down. Everything I've Googled leads me to believe that the session opened for user popuser is a fairly common log entry and shouldn't be considered a threat, but for some reason I interpret that as something not so nice.

Others have mentioned that PAM adding a faulty module could be a bug? I don't even know what PAM is....

Any insight on how to interpret these would be greatly appreciated. I've checked

/var/log/secure
/var/log/messages
/var/log/cron

Are there any other places I could look into to help diagnose this?

Many thanks, SF.

RCNeil
  • 615
  • 3
  • 9
  • 17
  • Who are you hosting the server with? Is it possible that your hosting company had an outage or something? also, since a restart was issued, did the server actually come back up or did you have to start it back up yourself? – Hersheezy Aug 01 '12 at 15:00
  • @Hersheezy, I was away on vacation (of course) so someone from my company called 1&1 (the company that has the server) and they rebooted it for them. No explanation was given to them, so I am investigating it now. Thank you for your help. – RCNeil Aug 01 '12 at 15:07

1 Answers1

11
Jul 29 03:53:15 u######## su: PAM adding faulty module: 
  /lib64/security/pam_fprintd.so

It looks like a bug: https://bugzilla.redhat.com/show_bug.cgi?id=505266

Install authconfig and try this:

authconfig --disablefingerprint --update
quanta
  • 51,413
  • 19
  • 159
  • 217
  • many thanks. This definitely provides insight on the matter. It's nice to finally see someone else have this issue so it's not a fluke. – RCNeil Aug 03 '12 at 13:01