Su: (to nobody) root on none?

Hey,

So I have Wazuh monitoring our environment. This gives me strange readings and I can’t figure out what could be causing it.
Every day at 06:25 both of our UCSs do something like this:
(from /var/log/auth.log)

Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session closed for user nobody
Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:04 dc01 su: pam_unix(su:session): session closed for user nobody
Aug  6 06:25:04 dc01 su: (to nobody) root on none
Aug  6 06:25:04 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)

This event gets highlighted as NIST 800-53 AU-14 and NIST 800-53 AC-7 messing up my high severity triggers.

Any idea what could be causing this, and why root would do PAM to nobody?

I finally found it; it is generated by this cron entry in the /etc/crontab:

25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

Interestingly, the next two lines don’t get reported:

47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Any idea how to fix this?
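The thread ties the 06:25 su-to-nobody lines to the cron.daily entry in /etc/crontab, so the practical question is how to tell that scheduled noise apart from a real root-to-nobody switch. The following is an added example (not Wazuh's code and not anything posted in the thread): it parses the auth.log lines quoted above, reads the minute and hour from the quoted crontab entry, and labels an su event "expected-cron" only when the caller is root, the target is nobody, the tty is none, and the timestamp falls within a few minutes of the cron start. Everything else is labelled "review". The 14:02 line from pts/0 is constructed here to show an event the filter keeps; the tolerance window of five minutes is an assumption.

```python
import re
from datetime import time

# Constructed sample: the su lines from the thread plus one made-up line
# (14:02, from pts/0) that a filter must not suppress.
SAMPLE_LOG = """\
Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session closed for user nobody
Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:04 dc01 su: (to nobody) root on none
Aug  6 14:02:11 dc01 su: (to nobody) root on pts/0
"""

# The /etc/crontab line quoted in the thread.
CRON_DAILY = ("25 6    * * *   root    test -x /usr/sbin/anacron || "
              "( cd / && run-parts --report /etc/cron.daily )")

# Matches only the 'su: (to X) Y on Z' line, not the pam_unix session lines.
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) su: \(to (?P<target>[^)]+)\) (?P<caller>\S+) on (?P<tty>\S+)$"
)


def parse_su_line(line):
    """Return a dict for a 'su: (to X) Y on Z' line, or None for any other line."""
    m = SU_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "host": d["host"],
        "time": time(int(d["hh"]), int(d["mm"]), int(d["ss"])),
        "target": d["target"],
        "caller": d["caller"],
        "tty": d["tty"],
    }


def cron_start(entry):
    """Minute and hour fields of a system crontab entry as a datetime.time."""
    fields = entry.split()
    minute, hour = int(fields[0]), int(fields[1])
    return time(hour, minute)


def minutes_of_day(t):
    return t.hour * 60 + t.minute


def classify(log_text, cron_entry, tolerance_minutes=5):
    """Label each su event.

    'expected-cron' requires all of: caller root, target nobody, tty none,
    and a timestamp within tolerance_minutes after the cron start.
    Anything else (different tty, different user, wrong time) is 'review'.
    """
    start = minutes_of_day(cron_start(cron_entry))
    results = []
    for line in log_text.splitlines():
        ev = parse_su_line(line)
        if ev is None:
            continue
        in_window = 0 <= minutes_of_day(ev["time"]) - start <= tolerance_minutes
        cron_shape = (ev["caller"] == "root" and ev["target"] == "nobody"
                      and ev["tty"] == "none")
        verdict = "expected-cron" if (in_window and cron_shape) else "review"
        results.append((line.strip(), verdict))
    return results


if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_LOG, CRON_DAILY):
        print(f"{verdict:14} {line}")
```

The point of requiring the tty to be none as well as the time window is that a suppression keyed on time alone would also hide an interactive su to nobody that happens to run at 06:25; the same three conditions are what you would encode in a local rule override if you choose to lower the alert level for this pattern.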

Hi @dzidek23 I have the same warning from a new installation of Wazuh 4.8.2, I’m a newbie with this monitoring system. Did you fix it?

Hi @honeypot
No, unfortunately I haven’t found a way to get rid of this or mark it as “accepted”.

This is an expected behaviour of Debian/Ubuntu-based systems, so not sure why Wazuh reports this in the first place (while only pointing at the first line)
https://ubuntuforums.org/showthread.php?t=2225648

[EDIT]
I found this in Wazuh issues… will give it a go and see if this helps
