Score:0

Which entries in the auth.log could be dangerous and which not

hm

Which kind of entries in the auth.log are not good, or which ones should I be scared of?

Oct  3 05:00:01 webv2 CRON[25757]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Oct  3 05:00:01 webv2 CRON[25757]: pam_unix(cron:session): session closed for user www-data

1) Is that because I have some entries in /etc/sudoers that allow www-data to start a file, or am I wrong?

Oct  3 08:23:30 webv2 PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Oct  3 08:23:30 webv2 PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Oct  3 10:58:14 webv2 polkitd(authority=local): Unregistered Authentication Agent for unix-session:1 (system bus name :1.26, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale de_AT.UTF-8) (disconnected from bus)
Oct  3 10:58:36 webv2 polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.28 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale de_AT.UTF-8)

2) No idea. That "Unregistered Authentication Agent" and "Registered Authentication Agent" make me feel not well.

Oct  3 12:55:13 webv2 dbus-daemon[549]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.25" (uid=1000 pid=1153 comm="/usr/bin/pulseaudio --daemonize=no --log-target=jo") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.27" (uid=0 pid=1383 comm="/usr/libexec/bluetooth/bluetoothd ")

3) ?? I see only org.freedesktop. and ask myself what that has to do with bluetooth?

Oct  3 10:58:14 webv2 lightdm: pam_unix(lightdm-autologin:session): session closed for user pi
Oct  3 10:58:26 webv2 lightdm: pam_unix(lightdm-autologin:session): session opened for user pi(uid=1000) by (uid=0)
Oct  3 10:58:27 webv2 lightdm: pam_unix(lightdm-autologin:session): session opened for user pi(uid=1000) by (uid=0)

4) Light Display Manager. Is that because I installed the normal desktop GUI for the pi? I can also connect over VNC to my pi, but I don't use it really often, because I am almost always on over SSH. So is that it logging me in automatically to the desktop?

Oct  3 10:58:58 webv2 login[722]: pam_unix(login:session): session opened for user pi(uid=1000) by LOGIN(uid=0)

5) The problem I have with that message is that it isn't typical like the rest of the login messages. Is there something to be scared about here?

thx for any help

Score:0
la

It depends a bit (on the specific distribution and the applications you've installed) which events get logged to /var/log/auth.log.

By default though: all events that the applications/system components themselves mark with the syslog facility auth and/or authpriv, regardless of the syslog "security level" or "severity" of the event.

On most systems that means that the majority, if not all messages in that log will be informational, mostly harmless and certainly not important warnings or critical emergencies.


Oct  3 05:00:01 webv2 CRON[25757]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)
Oct  3 05:00:01 webv2 CRON[25757]: pam_unix(cron:session): session closed for user www-data

Is that because I have some entries in /etc/sudoers that allow www-data to start a file, or am I wrong?

These are security events generated by your cron daemon and, put simply, they mean that a cron job running with the effective user ID of "www-data" was started and completed.

They are only informational.


Oct  3 08:23:30 webv2 PackageKit: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
Oct  3 08:23:30 webv2 PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
Oct  3 10:58:14 webv2 polkitd(authority=local): Unregistered Authentication Agent for unix-session:1 (system bus name :1.26, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale de_AT.UTF-8) (disconnected from bus)
Oct  3 10:58:36 webv2 polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.28 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale de_AT.UTF-8)

That "Unregistered Authentication Agent" and "Registered Authentication Agent" make me feel not well.

Polkit (polkitd, formerly PolicyKit) is a component for controlling system-wide privileges in Linux. An authentication helper program, the Authentication Agent, is started ("Registered") at the start of an authenticated session and stopped ("Unregistered") when the session ends.

Those are verbs, to register, to unregister, rather than adjectives implying something like (il-)legal, (un-)trusted etc.

Also informational messages only.


Oct  3 10:58:58 webv2 login[722]: pam_unix(login:session): session opened for user pi(uid=1000) by LOGIN(uid=0)

The problem I have with that message is that it isn't typical like the rest of the login messages. Is there something to be scared about here?

That message basically says a login session was started for user ID "pi".

Whether that is unexpected or not depends completely on the user IDs you created and are using... Raspbian and possibly other Raspberry-specific distributions use that pi user ID as the default user though.

Again purely informational unless it concerns a service account user that shouldn't be logging in.
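
The closing caveat of the answer above (a session opened for a service account that shouldn't be logging in) can be checked mechanically. The following is an added example, not part of the original answer: it triages pam_unix "session opened" lines, treating cron sessions as informational and flagging login-type sessions for system accounts. The `NON_INTERACTIVE` set and the `UID_MIN = 1000` boundary (the Debian default) are assumptions, and the last sample line is constructed.

```python
import re

# pam_unix "session opened" event; the "(uid=N)" suffix is optional because
# some pam_unix versions log only the user name.
SESSION_OPENED = re.compile(
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user "
    r"(?P<user>[\w.-]+)(?:\(uid=(?P<uid>\d+)\))?"
)

# Assumptions, not from the thread: PAM services that run jobs rather than
# logins, and the Debian default boundary between system and human UIDs.
NON_INTERACTIVE = {"cron"}
UID_MIN = 1000

def triage(line, uid_lookup=None):
    """Return (verdict, detail) for one auth.log line."""
    m = SESSION_OPENED.search(line)
    if not m:
        return ("skip", "not a pam_unix session-open event")
    service, user, uid = m["service"], m["user"], m["uid"]
    if uid is None and uid_lookup:
        uid = uid_lookup.get(user)  # e.g. built from /etc/passwd
    if service in NON_INTERACTIVE:
        return ("info", f"{service} job ran as {user}")
    if uid is None:
        return ("review", f"{user} via {service}: uid unknown")
    if int(uid) < UID_MIN:
        return ("review", f"system account {user} (uid={uid}) via {service}")
    return ("info", f"{user} (uid={uid}) logged in via {service}")

# The first four lines are taken from the question; the last is constructed.
SAMPLE = [
    "Oct  3 05:00:01 webv2 CRON[25757]: pam_unix(cron:session): session opened for user www-data(uid=33) by (uid=0)",
    "Oct  3 10:58:26 webv2 lightdm: pam_unix(lightdm-autologin:session): session opened for user pi(uid=1000) by (uid=0)",
    "Oct  3 10:58:58 webv2 login[722]: pam_unix(login:session): session opened for user pi(uid=1000) by LOGIN(uid=0)",
    "Oct  3 08:23:30 webv2 PackageKit: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh",
    "Oct  3 13:02:11 webv2 sshd[2201]: pam_unix(sshd:session): session opened for user www-data(uid=33) by (uid=0)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        verdict, detail = triage(entry)
        print(f"{verdict:6} {detail}")
```

Only the constructed sshd line comes back as "review"; every line from the question is "info" or "skip", matching the answer's reading of them.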

hm
Ah OK. So it looks worse to me than it is. Good to know. Thx