On Fri, 01 Oct 2004 21:42:17 GMT, Dave shaped electrons to write:
> I recently started having the following entry (sometimes one, sometimes a
> dozen) show up in my log. I am running RH9, 2.4.25 modified.
>
> --------------------- pam_unix Begin ------------------------
>
> su:
>
> Sessions Opened:
>
> (uid=0) -> root: 1 Time(s)
>
> ---------------------- pam_unix End -------------------------
>
> I haven't made any h/w or s/w mods in a few months and never saw this entry,
> now it's pretty much every day since last weekend. It even happens when
> nobody is logged in, nothing going on, like on weekend days.
>
> Anybody seen this and know what's causing it? The machine is behind a
> firewall with ONLY ssh allowed through inbound.
>
> Thanks, Dave

Usually it's the result of a cron job. Logwatch flags it because it
doesn't know any better. Unless there are other symptoms, I don't worry
about that particular message. [Look in the /etc/cron.* entries for
explicit and inplicit su's.]

--
G.Wolfe Woodbury `- -'
RHCT U
The Line Eater is a boojum!