So far I am still manually doing the checks from the Ubuntu security page.
For some reason there are auth.log and auth.log.1, and the same occurs for many other logs. I am unsure if this is normal; I have not found info on that yet.
One thing I noticed in both auth.log files is a login at 06:25:01 hours every day, for the same duration, since the 8th November (my oldest log date). It takes root/su, using a default in the distro; Linuxquestions says this is used as default for "Samba and Apache to run services in distros". Afterwards it removes its session.
I am unsure why or which services it is running at this time each day?
It can also be used to backdoor distros; they advise using /dev/null instead to prevent that possibility.
I am not sure on that.
These are the only unknowns in auth.log/s.
Syslog is clear.
I will continue on with the processes and report back.
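One way to summarise the kind of pattern described in the post above, added here as an example and not part of the original post: it groups session opens from auth.log and auth.log.1 by time of day, PAM service and user, and reports those that repeat on several days together with how long each session stayed open. The sample lines are constructed in the usual syslog/pam_unix layout, and the function name `recurring_sessions` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual syslog/pam_unix layout (not from the post).
SAMPLE_AUTH_LOG = """\
Nov  8 06:25:01 host CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov  8 06:25:03 host CRON[2101]: pam_unix(cron:session): session closed for user root
Nov  9 06:25:01 host CRON[2257]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov  9 06:25:02 host CRON[2257]: pam_unix(cron:session): session closed for user root
Nov  9 14:12:40 host sshd[3310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Nov 10 06:25:01 host su[2490]: pam_unix(su:session): session opened for user nobody by (uid=0)
Nov 10 06:25:01 host su[2490]: pam_unix(su:session): session closed for user nobody
"""

EVENT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) \S+ "
    r"[\w./-]+\[(?P<pid>\d+)\]: pam_unix\((?P<svc>[\w-]+):session\): "
    r"session (?P<what>opened|closed) for user (?P<user>[^\s(]+)"
)

def recurring_sessions(text, min_days=2):
    """Map (HH:MM, pam service, user) -> [(date, seconds open or None), ...] for
    session opens seen at the same minute on at least min_days distinct days."""
    open_at = {}                 # (pid, service, user) -> (key, date, second of day)
    found = defaultdict(dict)    # key -> {date: seconds open, None if never closed}
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        date = f'{m["mon"]} {int(m["day"]):2d}'
        sec = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        sid = (m["pid"], m["svc"], m["user"])
        if m["what"] == "opened":
            key = (f'{m["hh"]}:{m["mm"]}', m["svc"], m["user"])
            found[key].setdefault(date, None)
            open_at[sid] = (key, date, sec)
        elif sid in open_at:
            key, opened_date, opened_sec = open_at.pop(sid)
            if opened_date == date:          # ignore sessions spanning midnight
                found[key][opened_date] = sec - opened_sec
    return {k: sorted(v.items()) for k, v in found.items() if len(v) >= min_days}

if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Pass auth.log.1 and auth.log as arguments; with none, the sample is used.
    text = "".join(Path(p).read_text(errors="replace") for p in sys.argv[1:])
    for (hm, svc, user), seen in sorted(recurring_sessions(text or SAMPLE_AUTH_LOG).items()):
        print(f"{hm} service={svc} user={user} -> {seen}")
```

The service name in `pam_unix(...)` shows what opened the session (cron, su, sshd and so on). A stock Ubuntu `/etc/crontab` schedules the `/etc/cron.daily` jobs at 06:25, which is one thing to compare a daily 06:25 entry against.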