Lots of su (user) in logs?

Richard G (Verified User, joined Jul 6, 2008, Maastricht)
I presume this is caused by some cronjob, but I didn't really see this before. In the system log there are a lot of these:
Code:
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:17 server23 su: (to piet) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
and so on for almost every user.

I checked and see that Softaculous is doing backups then, but time differs a bit:
Code:
Apr 19 00:17:01 server23 CROND[26130]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 00:18:01 server23 CROND[30654]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 00:19:01 server23 CROND[32677]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 00:20:01 server23 CROND[310]: (root) CMD (/usr/local/bin/php -d disable_functions="" /usr/local/directadmin/plugins/softaculous/do_backups.php >> /dev/null 2>&1)

So this does not look like softaculous.

I do see this every day starting around the same time, like this:
Code:
Apr 14 00:10:01 server23 systemd: Created slice User Slice of root.
Apr 14 00:10:01 server23 systemd: Started Session 97656 of user root.
Apr 14 00:10:01 server23 systemd: Started Session 97658 of user root.
Apr 14 00:10:01 server23 systemd: Started Session 97657 of user root.
Apr 14 00:10:01 server23 systemd: Started Session 97659 of user root.
Apr 14 00:10:01 server23 systemd: Started Session 97660 of user root.
Apr 14 00:10:03 server23 su: (to foobar) root on none
Apr 14 00:10:03 server23 su: (to foobar) root on none
Apr 14 00:10:03 server23 su: (to foobar) root on none
Apr 14 00:10:03 server23 su: (to foobar) root on none
Apr 14 00:10:03 server23 su: (to foobar) root on none
Apr 14 00:10:03 server23 su: (to foobar) root on none

So it might be something of systemd? Does anyone have a clue as to what this might be?
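The quickest way to tell whether these root-to-user su sessions belong to a nightly cron run is to line them up against the CROND entries in the same log. The script below is an added example (not code from the thread or from DirectAdmin): it parses both su line formats that appear in this thread (`su: (to user) root on none` and the `pam_unix(su-l:session)` form) plus CROND lines, sorts everything by time, and reports each su session together with the last root cron job that ran within a window before it. A session with no root cron job shortly before it is the one worth looking at. The sample log lines, the year (syslog lines carry none) and the 120-second window are assumptions for the example.

```python
"""Correlate root->user su sessions with root cron jobs in syslog/secure lines.

Added example for the thread above, not code from the forum or from DirectAdmin.
"""
import re
from collections import Counter
from datetime import datetime

YEAR = 2022  # assumption: syslog timestamps carry no year

# Constructed sample, modelled on the thread's log lines (host/users are made up).
# Two kinds of events are included that a nightly tally would NOT explain:
# an interactive su to root at 01:05 and su sessions to foobar at 03:42
# with no root cron job shortly before them.
SAMPLE_LOG = """\
Apr 19 00:10:01 server23 CROND[25001]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 19 00:17:01 server23 CROND[26130]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:15 server23 su: (to piet) root on none
Apr 19 00:17:18 server23 su: (to klaas) root on none
Apr 19 00:18:01 server23 CROND[30654]: (root) CMD (/usr/local/directadmin/dataskq)
Apr 19 01:05:12 server23 su: (to root) piet on pts/0
Apr 19 03:42:10 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 19 03:42:11 server23 su: (to foobar) root on none
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
SU_PLAIN_RE = re.compile(r"^su: \(to (?P<user>[^)]+)\) (?P<by>\S+) on (?P<tty>\S+)$")
SU_PAM_RE = re.compile(
    r"^su: pam_unix\(su(?:-l)?:session\): session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)$"
)
CRON_RE = re.compile(r"^CROND\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")


def parse_line(line):
    """Return a dict for a su-session or CROND line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    rest = m["rest"]
    c = CRON_RE.match(rest)
    if c:
        return {"kind": "cron", "time": ts, "user": c["user"], "cmd": c["cmd"]}
    s = SU_PLAIN_RE.match(rest)
    if s:
        return {"kind": "su", "time": ts, "user": s["user"], "root_initiated": s["by"] == "root"}
    s = SU_PAM_RE.match(rest)
    if s:
        return {"kind": "su", "time": ts, "user": s["user"], "root_initiated": s["uid"] == "0"}
    return None  # session-closed lines, systemd noise, etc. are ignored


def correlate(lines, window_s=120):
    """One finding per su session: the root cron command that ran most recently
    before it within window_s seconds, or None if there was no such job."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    last_root_cron = None
    findings = []
    for ev in events:
        if ev["kind"] == "cron":
            if ev["user"] == "root":  # only root's cron can spawn "su - user"
                last_root_cron = ev
            continue
        cron_cmd = None
        if last_root_cron and (ev["time"] - last_root_cron["time"]).total_seconds() <= window_s:
            cron_cmd = last_root_cron["cmd"]
        findings.append({
            "time": ev["time"],
            "user": ev["user"],
            "root_initiated": ev["root_initiated"],
            "cron_cmd": cron_cmd,
        })
    return findings


def unexplained(findings):
    """su sessions with no root cron job shortly before them."""
    return [f for f in findings if f["cron_cmd"] is None]


def sessions_per_user(findings):
    """How many root-initiated su sessions each target user received."""
    return Counter(f["user"] for f in findings if f["root_initiated"])


if __name__ == "__main__":
    # Real use: correlate(open("/var/log/secure")) or the messages file.
    found = correlate(SAMPLE_LOG.splitlines())
    print("root-initiated su sessions per user:", dict(sessions_per_user(found)))
    for f in unexplained(found):
        print(f"{f['time']:%b %d %H:%M:%S} su to {f['user']} "
              f"(root_initiated={f['root_initiated']}) with no root cron job in the window")
```

Run it against `/var/log/secure` (or `/var/log/messages` on the CentOS 7 box) for one night: if every `su` to a customer account lands a few seconds after a `CROND ... (root) CMD (/usr/local/directadmin/dataskq)` entry, the sessions are the nightly per-user run and nothing more. Anything `unexplained()` reports, in particular a `(to root)` from a tty or root-initiated sessions at an odd hour, deserves a look at who or what was on the box at that time.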
 
I do see this every day starting around the same time, like this:
I see that pattern too in the System Security Log, around the same time every day (/var/log/secure).

Are you seeing the first set here? /var/log/directadmin/system.log because I do not see that on my server.
 
Are you seeing the first set here? /var/log/directadmin/system.log
No, I only see the tally there, running for every user, though the seconds don't match the time exactly.
I found these lines in /var/log/messages which is my syslog file.

After you posted I had a look and indeed they are also to be found in the /var/log/secure file.
Code:
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:03 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:05 server23 su: pam_unix(su-l:session): session closed for user foobar
Apr 18 00:10:05 server23 su: pam_unix(su-l:session): session opened for user foobar by (uid=0)
Apr 18 00:10:05 server23 su: pam_unix(su-l:session): session closed for user foobar
and then the next user.

Since you also have it, I guess I don't need to be worried. Just checked my other CentOS 7 system and it's the same. So probably the tally or something.

It's not showing like this on the Almalinux 8.5 server.
 
I also see them here: /var/log/messages just like yours (I just looked). But I am running Rocky Linux 8.5, which should be like your AlmaLinux 8.5 server.
 
Thank you for your response and check. In that case I'm sure we don't need to be worried. ;)
Probably indeed the tally then.....
 