Successful su for nobody by root 问题

/var/log/auth.log* 文件中出现了如下的条目:
Jul 30 06:52:59 jaseywang-pc su[3973]: Successful su for nobody by root
Jul 30 06:52:59 jaseywang-pc su[3973]: + ??? root:nobody
Jul 30 06:52:59 jaseywang-pc su[3973]: pam_unix(su:session): session opened for user nobody by (uid=0)
Jul 30 06:52:59 jaseywang-pc su[3973]: pam_unix(su:session): session closed for user nobody
Jul 30 06:52:59 jaseywang-pc su[3988]: Successful su for nobody by root
Jul 30 06:52:59 jaseywang-pc su[3988]: + ??? root:nobody
Jul 30 06:52:59 jaseywang-pc su[3988]: pam_unix(su:session): session opened for user nobody by (uid=0)
Jul 30 06:52:59 jaseywang-pc su[3988]: pam_unix(su:session): session closed for user nobody
Jul 30 06:52:59 jaseywang-pc su[4016]: Successful su for nobody by root
Jul 30 06:52:59 jaseywang-pc su[4016]: + ??? root:nobody
Jul 30 06:52:59 jaseywang-pc su[4016]: pam_unix(su:session): session opened for user nobody by (uid=0)
Jul 30 06:53:04 jaseywang-pc su[4016]: pam_unix(su:session): session closed for user nobody
Jul 30 06:53:05 jaseywang-pc CRON[27528]: pam_unix(cron:session): session closed for user root

并且是差不多每天这个时段出现,最开始以为是被 hack 了,后来排查发现其实是 cron 跑的 log 输出:
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts –report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts –report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts –report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts –report /etc/cron.monthly )

看来不要遇到不正常的情况就以为被 hack 了,SA 要镇静。

ref:
http://serverfault.com/questions/226110/entries-in-auth-log-are-i-am-not-sure-what-it-means