web-dev-qa-db-fra.com

"Su réussi pour utilisateur par root" - entrées suspectes dans mon /var/log/auth.log?

Ce post sur reddit m'a fait parcourir mes journaux. C'est à ce moment que j'ai découvert les entrées suivantes, qui sont apparues deux jours non suivants. "utilisateur" est mon compte d'utilisateur.

Aug  4 22:50:37 UbuntuSystem Sudo: pam_unix(Sudo:session): session opened for user root by user(uid=1000)
Aug  4 22:50:39 UbuntuSystem Sudo: pam_unix(Sudo:session): session closed for user root
Aug  4 22:51:16 UbuntuSystem su[10710]: Successful su for user by root
Aug  4 22:51:16 UbuntuSystem su[10710]: + ??? root:user
Aug  4 22:51:16 UbuntuSystem su[10710]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10710]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10720]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10720]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10720]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10735]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10735]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10735]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10763]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10763]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10763]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10773]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10773]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10773]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10788]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10788]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10788]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10801]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10801]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10801]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10814]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10814]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10814]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10829]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10829]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10829]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10842]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10842]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10842]: pam_unix(su:session): session closed for user user
Aug  4 22:51:17 UbuntuSystem su[10855]: Successful su for user by root
Aug  4 22:51:17 UbuntuSystem su[10855]: + ??? root:user
Aug  4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 22:51:17 UbuntuSystem su[10855]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11153]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11153]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11153]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11166]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11166]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11166]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11181]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11181]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11181]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11193]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11193]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11193]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11211]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11211]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11211]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11226]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11226]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11226]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11241]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11241]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11241]: pam_unix(su:session): session closed for user user
Aug  4 23:41:39 UbuntuSystem su[11253]: Successful su for user by root
Aug  4 23:41:39 UbuntuSystem su[11253]: + ??? root:user
Aug  4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session opened for user user by (uid=0)
Aug  4 23:41:39 UbuntuSystem su[11253]: pam_unix(su:session): session closed for user user
Aug  4 23:42:18 UbuntuSystem gnome-screensaver-dialog: gkr-pam: unlocked login keyring
Aug  4 23:42:33 UbuntuSystem polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.48, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 20:17:01 UbuntuSystem CRON[26579]: pam_unix(cron:session): session closed for user root
Aug 15 21:15:15 UbuntuSystem su[27098]: Successful su for user by root
Aug 15 21:15:15 UbuntuSystem su[27098]: + ??? root:user
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 15 21:15:15 UbuntuSystem su[27098]: pam_unix(su:session): session closed for user user
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 15 21:17:01 UbuntuSystem CRON[27141]: pam_unix(cron:session): session closed for user root

En dehors de ces itérations, les seules autres fois où j'ai trouvé une sortie similaire étaient lors de l'essai du compte invité:

Aug 11 22:38:49 UbuntuSystem lightdm: pam_unix(lightdm:session): session closed for user lightdm
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/group: name=guest-4Eflre, GID=125
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: group added to /etc/gshadow: name=guest-4Eflre
Aug 11 22:38:49 UbuntuSystem groupadd[2918]: new group: name=guest-4Eflre, GID=125
Aug 11 22:38:50 UbuntuSystem useradd[2922]: new user: name=guest-4Eflre, UID=115, GID=125, home=/, Shell=/bin/bash
Aug 11 22:38:50 UbuntuSystem usermod[2927]: change user 'guest-4Eflre' password
Aug 11 22:38:50 UbuntuSystem chage[2932]: changed password expiry for guest-4Eflre
Aug 11 22:38:50 UbuntuSystem chfn[2935]: changed user 'guest-4Eflre' information
Aug 11 22:38:50 UbuntuSystem usermod[2943]: change user 'guest-4Eflre' home from '/' to '/tmp/guest-4Eflre'
Aug 11 22:38:50 UbuntuSystem su[2948]: Successful su for guest-4Eflre by root
Aug 11 22:38:50 UbuntuSystem su[2948]: + ??? root:guest-4Eflre
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem su[2948]: pam_unix(su:session): session closed for user guest-4Eflre
Aug 11 22:38:50 UbuntuSystem lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-4Eflre by (uid=0)
Aug 11 22:38:50 UbuntuSystem lightdm: pam_ck_connector(lightdm-autologin:session): nox11 mode, ignoring PAM_TTY :0

Je devrais peut-être ajouter que je n'ai installé mon système que récemment (le 4 août).

Ce comportement est-il normal? Qu'est-ce qui se passe exactement avec toutes les commandes su? Dois-je avoir peur que mon système soit compromis?

Merci d'avance.

7
Glutanimate

Ces avertissements sont lorsque vous passez de la racine à votre utilisateur

Il ne semble pas que vous ayez de problème.

7
LnxSlck

Ce sont pas à partir de quand vous exécutez Sudo. Mais ils ne sont pas un problème non plus.

Les messages disent:

Successful su for user by root

Cela se produit chaque fois que vous vous connectez. Que vous vous connectiez en tant qu'utilisateur réel ou en tant qu'invité, le l’écran de connexion fonctionne comme suit: root, il doit donc changer l’identité de l’utilisateur à partir de root à un utilisateur non -root dans le cadre du processus de connexion.

Ce n'est pas user en train de devenir root. root devient user.

4
Eliah Kagan

Je pense avoir trouvé au moins un des coupables:

Aug 21 16:15:09 UbuntuSystem su[30135]: Successful su for user by root
Aug 21 16:15:09 UbuntuSystem su[30135]: + ??? root:user
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:09 UbuntuSystem su[30135]: pam_unix(su:session): session closed for user user
Aug 21 16:15:09 UbuntuSystem Sudo: pam_unix(Sudo:session): session closed for user root
Aug 21 16:15:12 UbuntuSystem Sudo:      user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/lib/jupiter/scripts/cpu-control high
Aug 21 16:15:12 UbuntuSystem Sudo: pam_unix(Sudo:session): session opened for user root by (uid=1000)
Aug 21 16:15:12 UbuntuSystem su[30174]: Successful su for user by root
Aug 21 16:15:12 UbuntuSystem su[30174]: + ??? root:user
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session opened for user user by (uid=0)
Aug 21 16:15:12 UbuntuSystem su[30174]: pam_unix(su:session): session closed for user user
Aug 21 16:15:12 UbuntuSystem Sudo: pam_unix(Sudo:session): session closed for user root

Dans ce cas, les entrées étaient connectées à l'applet d'alimentation Jupiter et apparaissaient spécifiquement lors du changement de mode d'alimentation du processeur. Comme il n’a été fait mention de Jupiter dans aucun des autres cas, je ne peux pas être sûr qu’ils puissent être attribués au même processus.

Je continuerai à surveiller mes journaux et posterai tous les résultats ici.

2
Glutanimate