don't log cron events in auth.log
If an attacker can control part of the message logged, they could mask events by filtering on the message contents.
Alternatively, you can filter out messages from the process CRON with:
#Continue logging CRON to syslog
*.*;auth,authpriv.none -/var/log/syslog
#Filter events from the process CRON out of auth.log
:programname, isequal, "CRON" ~
auth,authpriv.* /var/log/auth.log
If you don't want any CRON events logged, you can put the filter line first in your rsyslog.conf.
I believe this is what you are looking for:
:msg, contains, "pam_unix(cron:session)" ~
auth,authpriv.* /var/log/auth.log
The first line matches cron auth events, and deletes them. The second line then logs as per your rule, minus the previously deleted lines.
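To compare what the two discard filters above would drop, here is an added example (not part of either answer, and not rsyslog code). It is a simplified model that handles only the `isequal` and `contains` operators with the `~` action. The log lines are constructed, and `exampled` is a hypothetical daemon.

```python
import re

# Constructed sample lines in traditional syslog format (not from a real host).
# "exampled" is a hypothetical daemon that logs a client-supplied value.
SAMPLE = [
    "Jan 10 06:25:01 host CRON[1201]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jan 10 06:25:01 host CRON[1201]: pam_unix(cron:session): session closed for user root",
    "Jan 10 06:26:13 host sshd[1310]: Accepted publickey for alice from 192.0.2.7 port 50022 ssh2",
    'Jan 10 06:27:40 host exampled[1422]: auth failure, client field="pam_unix(cron:session)"',
]

# The two discard filters from the answers above.
BY_PROGRAM = ':programname, isequal, "CRON" ~'
BY_MSG = ':msg, contains, "pam_unix(cron:session)" ~'

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<programname>[^\[:\s]+)(?:\[\d+\])?:(?P<msg>.*)$"
)
FILTER_RE = re.compile(r'^:(\w+),\s*(\w+),\s*"(.*)"\s*~$')


def parse_line(line):
    """Split a syslog line into the two properties the filters test."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def discarded(rule, lines):
    """Return the lines a ':property, op, "value" ~' rule would discard."""
    m = FILTER_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {rule!r}")
    prop, op, value = m.groups()
    tests = {"isequal": lambda f: f == value, "contains": lambda f: value in f}
    return [l for l in lines if tests[op](parse_line(l)[prop])]


def unintended(rule, lines):
    """Discarded lines that were not written by CRON."""
    return [l for l in discarded(rule, lines) if parse_line(l)["programname"] != "CRON"]


if __name__ == "__main__":
    for name, rule in (("programname", BY_PROGRAM), ("msg", BY_MSG)):
        print(name, "filter also drops:", unintended(rule, SAMPLE))
```

The `programname` filter discards only the two CRON lines, while the `msg` filter also discards the non-CRON line whose text happens to contain the match string.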