Su: (to nobody) root on none?

Hey,

So I have Wazuh monitoring our environment. This gives me strange readings and I can’t figure out what could be causing it.
Every day at 06:25 both of our UCSs do something like this:
(from /var/log/auth.log)

Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session closed for user nobody
Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:04 dc01 su: pam_unix(su:session): session closed for user nobody
Aug  6 06:25:04 dc01 su: (to nobody) root on none
Aug  6 06:25:04 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)

This event gets highlighted as NIST 800-53 AU-14 and NIST 800-53 AC-7, messing up my high-severity triggers.

Any idea what could be causing this, and why root would do PAM to nobody?

I finally found it; it is generated by this cron entry in the /etc/crontab:

25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

Interestingly, the next two lines don't get reported:

47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Any idea how to fix this?
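As an added triage example (not from the original post), the helper below parses the su lines quoted above and separates root-to-nobody sessions on tty "none" that fall inside the expected cron.daily window (06:25 from /etc/crontab, with a short slack) from any su-to-nobody session at another time or with a real tty, so only the latter need a high-severity alert. The sample log is constructed; the 14:02 line is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Matches the syslog-style "su: (to USER) ORIGIN on TTY" line format shown in the post.
SU_LINE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) su: \(to (?P<target>\S+)\) (?P<origin>\S+) on (?P<tty>\S+)$"
)

# Constructed sample: lines from the thread plus one hypothetical daytime su on a real tty.
SAMPLE_LOG = """\
Aug  6 06:25:03 dc01 su: (to nobody) root on none
Aug  6 06:25:03 dc01 su: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug  6 06:25:04 dc01 su: (to nobody) root on none
Aug  6 14:02:11 dc01 su: (to nobody) root on pts/0
"""


def parse_su_events(text):
    """Return (time_of_day, host, target, origin, tty) for each su '(to ...)' line."""
    events = []
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if m:  # pam_unix session lines do not match and are skipped
            tod = datetime.strptime(m["time"], "%H:%M:%S").time()
            events.append((tod, m["host"], m["target"], m["origin"], m["tty"]))
    return events


def is_expected_cron_su(event, cron_hhmm="06:25", slack_seconds=120):
    """True for a root -> nobody su with no tty that starts within the cron window."""
    tod, _host, target, origin, tty = event
    if not (target == "nobody" and origin == "root" and tty == "none"):
        return False
    base = datetime.strptime(cron_hhmm, "%H:%M")
    when = datetime.combine(base.date(), tod)
    return base <= when <= base + timedelta(seconds=slack_seconds)


def suspicious_su(text):
    """su-to-nobody events that do not look like the scheduled cron.daily run."""
    return [e for e in parse_su_events(text) if not is_expected_cron_su(e)]


if __name__ == "__main__":
    for ev in suspicious_su(SAMPLE_LOG):
        print("review:", ev)
```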
