Re: logcheck
On Wed, 20 Sep 2000, Art Sackett wrote:
>On Tue, Sep 19, 2000 at 06:03:48PM -0500, debian-isp@ghost.net.cfw.com wrote:
>> Hey Guys,
>> Do any of you know what may have caused this message in my syslogs?
>>
>> Unusual System Events
>> =-=-=-=-=-=-=-=-=-=-=
>> Sep 19 06:25:02 ghost su[322]: + ??? root-nobody
>> Sep 19 06:25:02 ghost PAM_unix[322]: (su) session opened for user nobody
>> by (uid=0)
>
>Likely, it's logrotate or somebody else who starts as nobody but
>has to get root to move things around.
You got that wrong. root-nobody means that some program running as root
executed "su nobody". Just to verify this I did a test with su and checked my
logs before posting this message.
>At least, that's the normal, non-threatening thing that probably
>happens every morning at about the same time, I'd guess.
Nobody suing to root is not non-threatening! Ideally you would have a group
wheel or root required for su to root to prevent this. Currently I haven't as
I haven't got the PAM setup for it going yet.
Russell Coker
Reply to:
- References:
- logcheck
- From: <debian-isp@ghost.net.cfw.com>
- Re: logcheck
- From: Art Sackett <asackett@artsackett.com>