Gentoo Forums
hourly mails from cron since last update - logcheck?
Elleni
Veteran
Joined: 23 May 2006
Posts: 1121

Posted: Mon Jul 20, 2020 5:40 pm    Post subject: hourly mails from cron since last update - logcheck?

After my last update on my Gentoo VPS, I get an email message hourly of the following type. Can anyone assist me please in stopping this?

Code:
Security Events for su
=-=-=-=-=-=-=-=-=-=-=-
Jul 20 19:01:01 hostename su[17214]: pam_unix(su:session): session opened for user logcheck(uid=nr) by (uid=0)

System Events
=-=-=-=-=-=-=
Jul 20 18:05:01 itsrv2 crond[15113]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:10:01 itsrv2 crond[15310]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:15:01 itsrv2 crond[15484]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:20:01 itsrv2 crond[15683]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:25:01 itsrv2 crond[15881]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:30:01 itsrv2 crond[16075]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:35:01 itsrv2 crond[16252]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:36:01 itsrv2 crond[16289]: pam_unix(crond:session): session opened for user clamav(uid=996) by (uid=0)
Jul 20 18:40:01 itsrv2 crond[16446]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:45:01 itsrv2 crond[16628]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:50:01 itsrv2 crond[16810]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:55:01 itsrv2 crond[16993]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 19:00:01 itsrv2 crond[17167]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 19:00:01 itsrv2 crond[17168]: pam_unix(crond:session): session opened for user root(uid=0) by (uid=0)


In /etc/cron.hourly I have logcheck
Code:
#!/bin/bash

set -e

if [ ! -d /var/lock/logcheck ]; then
        mkdir -p /var/lock/logcheck
fi
chown -R logcheck:logcheck /var/lock/logcheck

su -s /bin/bash -c /usr/sbin/logcheck logcheck


Thanks in advance.

Banana
l33t
Joined: 21 May 2004
Posts: 680
Location: Germany

Posted: Tue Jul 21, 2020 11:20 am

What does a 'crontab -l' say?
What happens if you remove the file which is located in the hourly crontab folder?
_________________
My personal space

Elleni
Veteran
Joined: 23 May 2006
Posts: 1121

Posted: Tue Jul 21, 2020 12:27 pm

crontab -l:
Code:
0 * * * * wget -O - -q http://localhost/drupal/cron.php
45 03  * * * certbot renew --renew-hook /usr/local/bin/restart_services.sh --quiet 2>&1
10 04  1-31/2 * * /usr/local/bin/update_srv_info.sh


Well, I would like to continue to use logcheck. But I commented out all lines in /etc/cron.hourly/logcheck.cron to confirm if it is because of this cronjob. Confirmed that's the logcheck.cron that causes this. So how can this be corrected?

Banana
l33t
Joined: 21 May 2004
Posts: 680
Location: Germany

Posted: Wed Jul 22, 2020 2:10 pm

According to the manpage there should be a config file
Code:
/etc/logcheck/logcheck.conf
in which you can change the email to a local one. This way you can read those, but only locally.
Code:
SENDMAILTO="root@localhost"

_________________
My personal space

Elleni
Veteran
Joined: 23 May 2006
Posts: 1121

Posted: Wed Jul 22, 2020 5:20 pm

Well, I want to receive them not only locally but on my mailbox, that's not the problem. The problem is that it got dysfunctional after my last update, as those mails mentioned in my initial post only started after the update. I have no problem getting the mails to my mailbox as before, if they are the normally intended mails, but these mails I get now have nothing to do with the normal function of logcheck, they are certainly caused by a bug.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 16202

Posted: Thu Jul 23, 2020 1:33 am

What is the bug? It looks like your cron job is opening a PAM session for the logcheck to run, and logcheck is reporting on the existence of a PAM session being opened. Is logcheck not supposed to report PAM sessions?

Elleni
Veteran
Joined: 23 May 2006
Posts: 1121

Posted: Thu Jul 23, 2020 1:37 am

Well, this sort of message is nothing I was used to getting until now, but I don't know what has changed after the last update. I found this thread after having created this one, maybe related?

Banana
l33t
Joined: 21 May 2004
Posts: 680
Location: Germany

Posted: Thu Jul 23, 2020 7:58 am

You can define the log files which should be scanned with
Code:
/etc/logcheck/logcheck.logfile

_________________
My personal space

Hu
Moderator
Joined: 06 Mar 2007
Posts: 16202

Posted: Fri Jul 24, 2020 2:19 am

Your other cron jobs apparently get their userid from cron. If you want to stop getting warnings about logcheck being different, then stop handling it differently. Remove the su from it and tell cron to run it as the proper user. This probably also means moving the maintenance of /var/lock/logcheck somewhere else.
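
The distinction drawn in the replies above (every other job has its session opened by crond, only logcheck goes through su) can be read straight off the mail body. The script below is an added example, not part of the thread: the function names are hypothetical, and the sample input is a subset of the log lines quoted in the first post.

```sh
#!/bin/sh
# Added example: summarise which PAM service opened sessions for which user.

# Subset of the log lines quoted in the first post (hostnames as posted).
sample_log() {
    cat <<'EOF'
Jul 20 19:01:01 hostename su[17214]: pam_unix(su:session): session opened for user logcheck(uid=nr) by (uid=0)
Jul 20 18:05:01 itsrv2 crond[15113]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:10:01 itsrv2 crond[15310]: pam_unix(crond:session): session opened for user apache(uid=81) by (uid=0)
Jul 20 18:36:01 itsrv2 crond[16289]: pam_unix(crond:session): session opened for user clamav(uid=996) by (uid=0)
Jul 20 19:00:01 itsrv2 crond[17168]: pam_unix(crond:session): session opened for user root(uid=0) by (uid=0)
EOF
}

# Read syslog lines on stdin; print "<pam service> <target user> <count>".
pam_session_summary() {
    awk '
    $6 ~ /^pam_unix\(.*:session\):$/ && $7 == "session" && $8 == "opened" {
        svc = $6
        sub(/^pam_unix\(/, "", svc)      # strip leading "pam_unix("
        sub(/:session\):$/, "", svc)     # strip trailing ":session):"
        user = $11
        sub(/\(.*$/, "", user)           # drop the "(uid=...)" suffix
        count[svc " " user]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Sessions that were not opened by crond itself, i.e. jobs that switch
# user on their own (here: the su call in /etc/cron.hourly/logcheck).
sessions_outside_cron() {
    pam_session_summary | awk '$1 != "crond"'
}

sample_log | pam_session_summary
```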