BugZero | Red Hat BugID RHEL-5919 - cron should not be using pam

Red Hat - Defect ID: RHEL-5919

cron should not be using pam_systemd, leading to CRED failed in audit

Red Hat - Defect ID: RHEL-5919

cron should not be using pam_systemd, leading to CRED failed in audit

Last updated on 1/20/2025

Overall: 5.15.1

Severity: 5.55.5

Community: 66.0

Lifecycle: 5.85.8

What is the BugZero Risk Score?

Vendor details

Priority: Normal
Status: New
Impact Category: systemd

Overall: 5.15.1

Severity: 5.55.5

Community: 66.0

Lifecycle: 5.85.8

What is the BugZero Risk Score?

Vendor details

Priority: Normal
Status: New
Impact Category: systemd

Issue

+++ This bug was initially created as a clone of Bug #2053750 +++ Description of problem: Every user cron job is spamming the logs with systemd session messages. In RHEL9, we also have an CRED error in audit: type=CRED_ACQ msg=audit(07/18/22 14:34:01.335:375) : pid=4429 uid=root auid=unset ses=unset subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=test exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' type=CRED_ACQ msg=audit(07/18/22 14:34:01.478:379) : pid=4432 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct=test exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed' Version-Release number of selected component (if applicable): cronie-1.5.7-5.el9.x86_64 How reproducible: 100% Steps to Reproduce: 1. Create a cron job for a user at some reasonably high frequency, say every 5 minutes 2. Wait for cron job to fire Actual results: For every job, messages file is spammed with the like of: 04:06:01 systemd Created slice User Slice of UID 1001. 04:06:01 systemd Starting User runtime directory /run/user/1001... 04:06:01 systemd Started User runtime directory /run/user/1001. 04:06:01 systemd Starting User Manager for UID 1001... 04:06:02 systemd Starting D-Bus User Message Bus Socket. 04:06:02 systemd Started Mark boot as successful after the user session has run 2 minutes. 04:06:02 systemd Reached target Timers. 04:06:02 systemd Reached target Paths. 04:06:02 systemd Listening on D-Bus User Message Bus Socket. 04:06:02 systemd Reached target Sockets. 04:06:02 systemd Reached target Basic System. 04:06:02 systemd Started User Manager for UID 1001. 04:06:02 systemd Reached target Default. 04:06:02 systemd Startup finished in 65ms. 04:06:02 systemd pam_unix(systemd-user:session): session opened for user brian by (uid=0) 04:06:06 systemd session-2180.scope: Succeeded. 04:06:13 systemd session-2177.scope: Succeeded. 04:06:16 systemd Stopping User Manager for UID 1001... 04:06:16 systemd Stopped target Default. 04:06:16 systemd Stopped target Basic System. 04:06:16 systemd Stopped target Timers. 04:06:16 systemd Stopped Mark boot as successful after the user session has run 2 minutes. 04:06:16 systemd Stopped target Paths. 04:06:16 systemd Stopped target Sockets. 04:06:16 systemd Closed D-Bus User Message Bus Socket. 04:06:16 systemd Reached target Shutdown. 04:06:16 systemd Starting Exit the Session... 04:06:16 systemd user@1001.service: Succeeded. 04:06:16 systemd Stopped User Manager for UID 1001. 04:06:16 systemd Stopping User runtime directory /run/user/1001... 04:06:16 systemd run-user-1001.mount: Succeeded. 04:06:16 systemd user-runtime-dir@1001.service: Succeeded. 04:06:16 systemd Stopped User runtime directory /run/user/1001. 04:06:16 systemd Removed slice User Slice of UID 1001. 04:06:16 systemd pam_unix(systemd-user:session): session closed for user brian in audit: type=CRED_ACQ msg=audit(07/18/22 14:34:01.478:379) : pid=4432 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct=test exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed' Expected results: No landslide of systemd spam for each and every cron job run No CRED fail in audit Additional info: I workaround that with this pam system-auth config: — #%PAM-1.0 This file is auto-generated. User changes will be destroyed the next time authselect is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so —

Release Notes

No. of Comments

Resolution

Unresolved

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Red Hat - Defect ID: RHEL-5919

cron should not be using pam_systemd, leading to CRED failed in audit

Red Hat - Defect ID: RHEL-5919

cron should not be using pam_systemd, leading to CRED failed in audit

Last updated on 1/20/2025

Vendor details

Vendor details

Description

Issue

Release Notes

No. of Comments

Resolution

Links

Top Red Hat defects by risk score

Ready to prevent the next vendor outage?