Yes, 'su' isn't called in the cron files, it's used to run the commands in the cron files as the specified user. So for example, my /etc/cron.d/mrtg contains: 0-55/5 * * * * root if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ]; then /usr/bin/mrtg /etc/mrtg.cfg/var/log/mrtg/mrtg.log; fiso basically, it runs mrtg as user 'root' every 5 minutes. Thus, you'll see an entry like you posted, to indicate that su has been used to become root and execute the mrtg command.
Not Quite.This would necessitate having an entry run as "nobody" somewhere in my /etc/cron.d or /etc/crontab which I don't have. This would also imply that I would have to have a log entry for the exim user every 15 minutes, those entries are evidently absent... However, digging in /etc/cron.daily produced the answer for this little riddle, the "su" command is run by non other then the /usr/bin/updatedb script to switch to the "nobody" user before executing find...
updatedb itself is of course run by /etc/cron.daily/find.Well, I guess I can safely add this to my logcheck ignore files and get back to sleep...
ifb. p.s. I guess those hidden processes are unrelated after all...