Question

73

Why do I see a CRON session opening and closing every hour in /var/log/auth.log?

rated 0 times [ 73] [ 0] / answers: 1 / hits: 135641 / 3 Years ago, thu, july 15, 2021, 5:59:42

I am quite fresh with Linux as a whole, so this may be a silly question - but
I would still like to know the answer

This morning when I look at my /var/log/auth.log (which I've been told to make a habit)
I notice that once an hour it has logged an event that looks like this:

     May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: pam_unix(cron:session): session opened for user root by (uid=0)

     May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: session closed for user root

It has then proceeded to happen every hour at x:17:01 until I opened the log.
An SSH connection to this server has been kept alive during this time (where the log entires occured). My best guess is that every hour my SSH client has looked to see whether or not it could obtain root access as a way to verify the connection to the SSH connection to the server - but I would like to be on the safe side. Does anyone know what this is?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

njuash

Add To Favorites

Follow

Total Points: 402

Total Questions: 125

Total Answers: 98

Location: Jersey

Member since Sun, Dec 4, 2022

1 Year ago

answered 3 Years ago oatglori · Accepted Answer

Assuming you have not changed anything from the default cron setup, this is your /etc/crontab running. On my Ubuntu 10.04.3 LTS server, its contents include:

# m h dom mon dow user  command

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly

So, cron wakes up every hour and runs any scrips located in /etc/cron.hourly. You probably don't have any which is why it doesn't do anything. It simply runs a root session which executes run-parts and then closes the session again.