Why do I see a CRON session opening and closing every hour in /var/log/auth.log?

I am quite fresh with Linux as a whole, so this may be a silly question - but I would still like to know the answer.

This morning when I looked at my /var/log/auth.log (which I've been told to make a habit) I noticed that once an hour it has logged an event that looks like this:

     May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: pam_unix(cron:session): session opened for user root by (uid=0)
     May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: session closed for user root

It has then proceeded to happen every hour at x:17:01 until I opened the log. An SSH connection to this server has been kept alive during this time (where the log entries occurred). My best guess is that every hour my SSH client has looked to see whether or not it could obtain root access as a way to verify the connection to the SSH connection to the server - but I would like to be on the safe side. Does anyone know what this is?


Solution 1:

Assuming you have not changed anything from the default cron setup, this is your /etc/crontab running. On my Ubuntu 10.04.3 LTS server, its contents include:

     # m h dom mon dow user  command
     17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly

So, cron wakes up every hour and runs any scripts located in /etc/cron.hourly. You probably don't have any, which is why it doesn't do anything. It simply runs a root session which executes run-parts and then closes the session again.
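The correlation described in this answer, as an added example that is not part of the original answer: it reads the minute, hour and user fields of /etc/crontab-format entries and lists any cron session in auth.log that no entry accounts for. The function names are hypothetical, the daily job and the 03:42 and 06:25 log lines are constructed, and the day-of-month, month and weekday fields are ignored.

```python
import re

# Sample /etc/crontab content: the hourly entry is from the answer, the daily one is constructed.
CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    run-parts --report /etc/cron.daily
"""

# Sample auth.log: the first two lines are from the question, the rest are constructed.
AUTH_LOG = """\
May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: pam_unix(cron:session): session opened for user root by (uid=0)
May 13 20:17:01 Ubuntu-Server-1401-VM CRON[2280]: session closed for user root
May 14 03:42:01 Ubuntu-Server-1401-VM CRON[3011]: pam_unix(cron:session): session opened for user root by (uid=0)
May 14 06:25:01 Ubuntu-Server-1401-VM CRON[3150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def expand(field, lo, hi):
    """Expand one cron field (*, n, a-b, comma lists, /step) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        # "*" covers lo..hi, "n" becomes n..n, "a-b" becomes a..b
        start, end = (lo, hi) if rng == "*" else map(int, (rng.split("-") * 2)[:2])
        values.update(range(start, end + 1, int(step or 1)))
    return values

def load_schedule(text):
    """Return [(minutes, hours, user)] for each job line in /etc/crontab format."""
    jobs = []
    for line in text.splitlines():
        f = line.split(None, 6)
        # Skip comments, environment assignments and @reboot-style entries.
        if len(f) >= 7 and re.match(r"[\d*]", f[0]):
            jobs.append((expand(f[0], 0, 59), expand(f[1], 0, 23), f[5]))
    return jobs

OPENED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ CRON\[(\d+)\]: "
                    r"pam_unix\(cron:session\): session opened for user (\S+)")

def unexplained_sessions(log_text, jobs):
    """Return (timestamp, user, pid) for cron sessions that match no scheduled job."""
    out = []
    for m in filter(None, map(OPENED.match, log_text.splitlines())):
        stamp, pid, user = m.groups()
        hh, mm = map(int, stamp[-5:].split(":"))
        if not any(mm in mins and hh in hrs and user == u for mins, hrs, u in jobs):
            out.append((stamp, user, int(pid)))
    return out
```

A session this reports is only unexplained relative to the entries it was given: jobs defined in /etc/cron.d/ or in per-user crontabs open sessions too and would need to be loaded as well.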

Solution 2:

These log entries were written by the PAM libraries when the crond daemon ran tasks in the background. crond runs jobs on a schedule, on behalf of the system and the users on the system.

Every user has their own crontab configuration file, which can be edited with the crontab -e command or shown using crontab -l. The system administrator can also configure jobs via a plethora of /etc/ files and directories; /etc/cron.d/ provides an easy place for services to drop their own configurations, and /etc/crontab drives the hourly, daily, and weekly directories, as well as runs whatever the administrator may choose to run.

crond will change users to the correct user (either specified in the /etc/crontab file and the /etc/cron.d/ directory, or from the user-supplied crontab files) before running the jobs; it uses the PAM system to change users.

PAM provides a single place to configure different ways to authenticate and authorize users and provide session setup, as well as provide a way to change passwords (or other authentication tokens). Every service that uses PAM has a configuration file in /etc/pam.d/ that describes which PAM modules to use when 'logging in' a user.

My /etc/pam.d/cron file looks like this:

     # The PAM configuration file for the cron daemon

     @include common-auth

     # Read environment variables from pam_env's default files, /etc/environment
     # and /etc/security/pam_env.conf.
     session       required   pam_env.so

     # In addition, read system locale information
     session       required   pam_env.so envfile=/etc/default/locale

     @include common-account
     @include common-session-noninteractive

     # Sets up user limits, please define limits for cron tasks
     # through /etc/security/limits.conf
     session    required   pam_limits.so

This ensures limits that are configured for users are applied to users' tasks when they run them via cron. If you wanted to change those limits per-service, you could configure pam_limits.so in this file with your own conf=/etc/security/cron-limits.conf and apply different limits than ssh logins (/etc/pam.d/sshd) or console logins (/etc/pam.d/login).