1
0
I have a log like this in /var/log/authlog :
<date> <server> su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
and in /var/adm/sulog
SU 12/12 11:13 + ??? root-root
It is repeated every 2 minutes, but there is no scheduled job active for this purpose.
1) What's the meaning of /dev/??? , why these '???'?
2) How can i see if a process (if this is) is doing this action every 2 minutes ?
Thanks in advance !
Kiks777
Posted 2017-12-12T13:46:09.910
Reputation: 11
2It’s probably trying to tell you what terminal it happened on — this is a holdover from the days of physical terminals that were in fixed locations, so if you saw
/dev/tty42, you might know “that’s in room 217” and you could go and look who it was./dev/???probably means that a call tottyname()failed, so it’s a detached process (which, I expect, you had already guessed).'su root' succeeded for rootprobably means that the process is already root, and is running'su root'for some unknown reason — so, in a sense, it may be harmless. Sorry I don’t have a real answer. – G-Man Says 'Reinstate Monica' – 2017-12-12T15:08:40.2831What's in root's crontab? – Andrew Henle – 2017-12-12T17:33:56.230
Thanxs @G-Man ... good hint ttryname() that i didn't know ... – Kiks777 – 2017-12-13T14:25:11.117
@AndrewHenle Anything that run every 2 minutes (i'm sure). I was thinking about a process running as root, that tries the 'su root', the problem is that i don't know how to find this process (there are so many as root, is not my machine), that also fails the call to ttyname() .. i will go more in deep with this ttyname() .. if you have some suggestions how i can troublehsoot this problem will be helpful :) – Kiks777 – 2017-12-13T14:29:01.640