Thanks very much.
It seems too odd to be a coincidence that the behavior changed on the same day on all three of my cloudlinux 6 servers.
Before March 20, 2019, there were none of these additional
Jan 12 05:35:01 servername su: pam_unix(su:session): session opened for user cpanelusername by (uid=0)
Jan 12 05:35:01 servername su[1978341]: pam_unix(su:session): session closed for user cpanelusername
lines in /var/log/secure when the 5:35 cron ran.
Beginning on March 20, each of the three cloudlinux6 servers began inserting the lines at 5:35 for two cpanel usernames per server and did so every day from March 20, when the following packages were updated:
lvemanager-4.1.2-1.el6.cloudlinux.noarch
cagefs-6.1-31.el6.cloudlinux.x86_64
alt-php-config-1-32.el6.noarch
cagefs-safebin-6.1-31.el6.cloudlinux.x86_64
lve-utils-3.1.2-1.el6.cloudlinux.x86_64
alt-python27-cllib-1.5.1-1.el6.cloudlinux.x86_64
Beginning March 20, server1 had
root -> cpanelusername: 1 Time(s)
root -> cpanelusername2: 1 Time(s)
Server2 had
root -> cpanelusername4: 1 Time(s)
root -> cpanelusername7: 1 Time(s)
Server3 had
root -> cpanelusername3: 1 Time(s)
root -> cpanelusername14: 1 Time(s)
Then on May 31, each of the three cloudlinux6 servers changed the behavior to inserting the line for one cpanel username per cloudlinux server each day from the 5:35 cron and continued to do so until the current day after the following packages were updated on that day:
cagefs-6.1.2-1.1.el6.cloudlinux.x86_64
cagefs-safebin-6.1.2-1.1.el6.cloudlinux.x86_64
alt-python27-cllib-1.5.5-1.el6.cloudlinux.x86_64
After May 31 server1 has
root -> cpanelusername: 1 Time(s)
Server2 has
root -> cpanelusername7: 1 Time(s)
Server3 has
root -> cpanelusername14: 1 Time(s)
It's not the first or last cpanel username created.
I can't see the commonality between the cpanelusername on each server used for the nightly "test" (?)
I did a quick look at the /usr/bin/cldiag --cron-check script but the action where cloudlinux does the su to an individual cpanel account must be in one of the includes?
Very curious how cloudlinux chooses which cpanel username to check or what exactly would create the
Jan 12 05:35:01 servername su: pam_unix(su:session): session opened for user cpanelusername by (uid=0)
Jan 12 05:35:01 servername su[1978341]: pam_unix(su:session): session closed for user cpanelusername
log entry since it's occurring on three different cloudlinux6 servers, with the behavior beginning and then changing on the same day for all three of the servers.
I'd like to understand exactly what the 5:35 script is intended to do that would generate the su to cpaneluser line in /var/log/secure.
It seems to choose exactly one cpanel account to test and I'm curious how it chooses which cpanelusername to test with.
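
Added example, not part of the original post and not CloudLinux code: one way to audit /var/log/secure for the root-to-user su sessions described above, pairing each open with its close and reporting which user and time-of-day slots recur across days, so cron-driven sessions can be told apart from interactive ones. The function names, the sample lines beyond the two quoted in the post, and the year (syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# pam_unix su session lines as quoted in the post; the [pid] after "su" is optional.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"pam_unix\(su:session\): session (?P<ev>opened|closed) for user (?P<user>\S+)"
    r"(?: by \S*\(uid=(?P<uid>\d+)\))?")

def root_su_sessions(lines, year=2020):
    """Return (user, opened_at, seconds_open) for each su session opened by uid 0."""
    open_at, sessions = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is an assumed value.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["ev"] == "opened" and m["uid"] == "0":
            open_at[m["user"]] = ts
        elif m["ev"] == "closed" and m["user"] in open_at:
            start = open_at.pop(m["user"])
            sessions.append((m["user"], start, (ts - start).total_seconds()))
    return sessions

def recurring(sessions, min_days=2):
    """Map (user, 'HH:MM') to day count for slots seen on at least min_days dates."""
    days = defaultdict(set)
    for user, start, _ in sessions:
        days[(user, start.strftime("%H:%M"))].add(start.date())
    return {slot: len(d) for slot, d in days.items() if len(d) >= min_days}

PAM = "pam_unix(su:session): session"  # constructed sample lines below
SAMPLE = [
    f"Jan 12 05:35:01 servername su: {PAM} opened for user cpanelusername by (uid=0)",
    f"Jan 12 05:35:01 servername su[1978341]: {PAM} closed for user cpanelusername",
    f"Jan 13 05:35:01 servername su: {PAM} opened for user cpanelusername by (uid=0)",
    f"Jan 13 05:35:01 servername su[1990012]: {PAM} closed for user cpanelusername",
    f"Jan 13 14:02:10 servername su: {PAM} opened for user cpanelusername2 by root(uid=0)",
    f"Jan 13 14:03:40 servername su[1991200]: {PAM} closed for user cpanelusername2",
    f"Jan 13 16:00:00 servername su: {PAM} opened for user root by admin(uid=500)",
    f"Jan 13 16:00:05 servername su[1992001]: {PAM} closed for user root",
    f"Jan 14 05:35:01 servername su: {PAM} opened for user cpanelusername by (uid=0)",
    f"Jan 14 05:35:01 servername su[1993555]: {PAM} closed for user cpanelusername",
]

if __name__ == "__main__":
    print(recurring(root_su_sessions(SAMPLE)))
```

Sessions that recur at the same minute on several days and close within the same second match the cron pattern in the post; a root-to-user session at an irregular time that stays open is the kind worth a closer look.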