Excessive resource usage Executable: /usr/lib/systemd/systemd Command Line: (sd-pam)

[Spirogg]

Hello,
I am aware that CSF reports these via email, but I have never seen this with one of my websites .

usually its /usr/bin/curl
or /opt/cpanel/ea-php7.4/root/usr/sbin/php-fpm
or /opt/cpanel/ea-php8/root/usr/sbin/php-fpm

but never systemd or command line (sd-pam)

Any reason you can think of for this?
possible it's Cron's running on my website script?
but why this is happening on AlmaLinux OS and not Centos7 server same website -script I had for years.

I am running AlmaLinux 8.5.0 and cPanel 100.0.9
using Autom8n plugin for Nginx for this account.
php7.4
MySQL 8

Im getting 2 emails every hour

here is 2 of the emails same time stamp but a little different

( NOTE: the Parent PID of the first one is itself?)
1st example

Time: Fri Feb 4 17:52:27 2022 -0600
Account: mywebsite11
Resource: Process Time
Exceeded: 48745 > 1800 (seconds)
Executable: /usr/lib/systemd/systemd
Command Line: /usr/lib/systemd/systemd -- user
PID: 3294 (Parent PID:3294)
Killed: No

2nd one the Parent PID is 3294 but PID is 3296
2nd example

Time: Fri Feb 4 17:52:27 2022 -0600
Account: mywebsite11
Resource: Process Time
Exceeded: 48745 > 1800 (seconds)
Executable: /usr/lib/systemd/systemd
Command Line: (sd-pam)
PID: 3296 (Parent PID:3294)
Killed: No

I know I can silence them in pignore but I would rather find out why it's running systemd and sd-pam
before I do so.


wonder if its because New Operating System? AlmaLinux 8.5.0

Because it was not doing this with CentOS7


Thanks in advance if anyone has an answer or where to find an answer

Kind Regards,
Spiro

 

[Spirogg]

Pretty much I’m wondering if this is normal or is this an issue with systemd ? Should it not kill the process or does it run since my website is live. Or because I have 5 min interval to run cron jobs ?
Just not sure if this is a normal process

 

[quietFinn]

In a VPS running AlmaLinux I see that process running as the user I have SSH connection to the server.

If I open SFTP connection as a cPanel user I see that sd-pam process running as that cPanel user.

Was googling a bit and as far as I understand that is normal.

 

[Spirogg]

In a VPS running AlmaLinux I see that process running as the user I have SSH connection to the server.

If I open SFTP connection as a cPanel user I see that sd-pam process running as that cPanel user.

Was googling a bit and as far as I understand that is normal.

Ok. Thanks for your reply.
I have not logged in as that user just as root. Also did not use SFTP for that user ?
But still getting this every hour and it just increases the time. After you close that session. Does it stop the process SSH or SFTP or still running can you tell somehow ?
is it normal if I have not logged in as that user but via as root ? Or if I login to WHM and go to cPanel for that user even as root it will run that process ?
Just wondering. Hopefully in my case it’s just normal.
Thanks again for your reply. It is much appreciated
Kind Regards
SPIRO

 

[quietFinn]

I never open SSH connection to any server as root so I don't know if it creates such a process.

If I go to cPanel -> Advanced -> Terminal I see that sd-pam process running as that cPanel user.

If you run:
ps auxf | grep "sd-pam"
you see those processes.

 

[Spirogg]

I never open SSH connection to any server as root so I don't know if it creates such a process.

If I go to cPanel -> Advanced -> Terminal I see that sd-pam process running as that cPanel user.

If you run:
ps auxf | grep "sd-pam"
you see those processes.

I see it, but I am logged in as root via WHM and used Terminal

[root@server1 ~]# ps auxf | grep "sd-pam"
root      298727  0.0  0.0 221932  1112 pts/0    S+   19:34   0:00          \_ grep --color=auto sd-pam
lats+  298320  0.0  0.0 285832  5164 ?        S    19:30   0:00  \_ (sd-pam)

also if I grep systems I see the user lats+

[root@server1 ~]# ps auxf | grep "systemd"
root           1  0.1  0.0 241248 12576 ?        Ss   Feb04   6:45 /usr/lib/systemd/systemd --switched-root --system --deserialize 16
root        1090  0.0  0.2 397128 258612 ?       Ss   Feb04   1:15 /usr/lib/systemd/systemd-journald
root        1142  0.0  0.0 106128  9220 ?        Ss   Feb04   0:01 /usr/lib/systemd/systemd-udevd
dbus        1468  0.0  0.0  76984  5832 ?        Ss   Feb04   1:35 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root        1830  0.0  0.0  79744  7560 ?        Ss   Feb04   0:41 /usr/lib/systemd/systemd-logind
root      299230  0.0  0.0 221932  1184 pts/0    S+   19:42   0:00  |       \_ grep --color=auto systemd
lats+  298318  0.0  0.0  89472  9328 ?        Ss   19:30   0:00 /usr/lib/systemd/systemd --user

I also have 2 other websites but they are not showing in grep under sd-pam or grep systemd

so wondering why its still running or seems as if its still logged in as sd-pam and systemd --user even though I am not logged in via SSH or SFTP for this user ?

thanks again for your replies

Spiro

 

[Spirogg]

Well I killed those processes and now there not showing. So I will wait a couple hours and check again if they start by themselves. If so I need to check that script to make sure it’s not opening up ssh or SFTP somehow. Thanks again for your help. At least I’m on the right track to finding out

thanks so much
@quietFinn

SPIRO

 

[cPRex]

Thanks @quietFinn - I especially like when a couple of the more well-known people collaborate and come up with something!

 

[quietFinn]

Well I killed those processes and now there not showing. So I will wait a couple hours and check again if they start by themselves. If so I need to check that script to make sure it’s not opening up ssh or SFTP somehow. Thanks again for your help. At least I’m on the right track to finding out

Probably it was just a "zombie" process.

 

[JIKOmetrix]

I know this is an old post.

I had the same issue. I was related jailed-shell. Once the user was moved to Normal shell or disabled shell then the "sd-pam" noticed stopped and ps auxf | grep "sd-pam" did not show any user but root.

 

[butikhosting]

Did you ever find the cause to this issue ? I've tried changing all users to disabled shell, but I still get these tens of systemd & (sd-pam) processes created for every user.

 

[Kent Brockman]

Hey guys, I was wondering the same thing and after googling it a bit, just found this is a new feature in Almalinux, to PAMify user processes.

So, you should add sd-pam to the Process Exclude list on CSF (/etc/csf/csf.pignore).

More info here:

Reddit - Dive into anything

www.reddit.com

 

[WorkinOnIt]

I'm also seeing a lot of these " lfd on [server-domain.example]: Excessive resource usage:

Executable: /usr/lib/systemd/systemd
Command Line: /usr/lib/systemd/systemd --user

I have not seen these before and I'm on the AlmaLinux 8.8.0. I've also manually killed the process in whm - see what happens.

 

[cPRex]

@WorkinOnIt - I seem to say this a lot, but CSF/LFD isn't created or distributed by cPanel. It's a great tool, but it may need some manual tweaking for your particular system, such as excluding systemd as that's unlikely to be causing a real problem.