/var/log/secure flurry of logs in secure.log (how to stop/investigate)

reefermadness26 · Posted 05-18-2022 03:34 AM

secure log is being populated every minute like this:
May 18 10:01:20 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:20 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:21 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:21 sasoa01p su: pam_tty_audit(su:session): restored status to 1
May 18 10:01:21 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:21 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:23 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:23 sasoa01p su: pam_tty_audit(su:session): restored status to 1
May 18 10:01:47 sasoa01p sshd[76487]: Accepted keyboard-interactive/pam for sas from 10.36.65.178 port 59682 ssh2
May 18 10:01:47 sasoa01p sshd[76487]: pam_tty_audit(sshd:session): changed status from 0 to 0
May 18 10:01:47 sasoa01p sshd[76487]: pam_unix(sshd:session): session opened for user sas by (uid=0)
May 18 10:01:53 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:53 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:54 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:54 sasoa01p su: pam_tty_audit(su:session): restored status to 1
May 18 10:01:54 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:54 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:56 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:56 sasoa01p su: pam_tty_audit(su:session): restored status to 1
May 18 10:02:26 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:02:26 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:02:27 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:02:27 sasoa01p su: pam_tty_audit(su:session): restored status to 1
May 18 10:02:27 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:02:27 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:02:29 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:02:29 sasoa01p su: pam_tty_audit(su:session): restored status to 1

how do I stop these or investigate the cause of this,

I have checked crond for sas and root user and have not found much here,

also /etc/cron.d/ has just hourly and monthly jobs that should not be populating secure log on such high frequency,

please any ideas why this log is being populated so frequently and it is just wasting space with this consistent log.

Br, HS

gwootton · Posted 05-18-2022 03:21 PM

This seems to translate as the root user running the su command to become the user "sas", auditing being turned off (presumably because it's only turned on for root), then the session ends and auditing is turned on again.
May 18 10:01:20 sasoa01p su: pam_unix(su:session): session opened for user sas by (uid=0)
May 18 10:01:20 sasoa01p su: pam_tty_audit(su:session): changed status from 1 to 0
May 18 10:01:21 sasoa01p su: pam_unix(su:session): session closed for user sas
May 18 10:01:21 sasoa01p su: pam_tty_audit(su:session): restored status to 1

Might be worth checking to see what processes are running as the root user, and/or the audit report (aureport --tty)
https://linux.die.net/man/8/pam_tty_audit

--
Greg Wootton | Principal Systems Technical Support Engineer

reefermadness26 · Posted 05-19-2022 05:07 AM

@gwootton
Hi,
I have checked aureport -tty documentation link you sent.
So if auditing is only enabled for root user, would it help if I enable auditing for sas user as well?

then this flurry of logs might stop.
But I am unable to find pam.conf in my installation, and seems like contents of /etc/pam.d/ are alternatives to that, but I am not sure where I can enable that option so that sas auditing enable flag can be changed.
then these checks on session auditing might stop in secure log.

Br,

HS

gwootton · Posted 05-19-2022 11:46 AM

Enabling audit for the sas user might prevent two of those lines from showing up (those for pam_tty_audit) because the status wouldn't be changing, but it would not change what is happening (su being run as root to switch to sas and perform some action or no action). The existing audit report might have some detail on what root is doing when switching to sas. Adding sas to the audit will probably increase other file usage as it will now start capturing sas tty activity as well as root.

The /etc/pam.d/su file is what is being used, and it probably has a session line that is calling some other pam.d file like system-auth where the pam_tty_audit line is. You could do something like grep tty /etc/pam.d/* to find it and make changes.

--
Greg Wootton | Principal Systems Technical Support Engineer

/var/log/secure flurry of logs in secure.log (how to stop/investigate)

Re: /var/log/secure flurry of logs in secure.log (how to stop/investigate)

Re: /var/log/secure flurry of logs in secure.log (how to stop/investigate)

Re: /var/log/secure flurry of logs in secure.log (how to stop/investigate)