Checking for changes to cronjobs
Solution 1
[user@user-ld ~]$ sudo tail /var/log/cron | grep RELOAD
Jan 3 00:19:01 user-ld crond[3074]: (user) RELOAD (/var/spool/cron/user)
grep for 'RELOAD
' in cron log (/var/log/cron
). So if some one edit/add a cron job, you can see above kind of thing in cron log.
Write a monitoring script for this log file and using which sent an alert to your email ID.
If you want you can use following script for monitoring a particular users cron entries:
#!/bin/bash
echo 'YOURPASSWORD_SUDO' | sudo -S crontab -l -u user > current_status_`date +"%m%d%y%s"`
diff <(cat `ls -1tr current_status_*| tail -1`) <(cat `ls -1tr current_status_* | tail -2 | head -1`)
if [[ $? == 0 ]] ; then
echo "no change in cron"
else
echo "cron changed"
fi
Solution 2
If someone edits his per-user crontab file via crontab -e
a log entry gets written to /var/log/syslog. Examples:
user alex edited his own crontab file:
Jan 3 08:42:47 localhost crontab[4278]: (alex) BEGIN EDIT (alex)
Jan 3 08:42:50 localhost crontab[4278]: (alex) END EDIT (alex)
user root edited the crontab file of user alex:
Jan 3 08:49:06 localhost crontab[4557]: (root) BEGIN EDIT (alex)
Jan 3 08:49:07 localhost crontab[4557]: (root) END EDIT (alex)
If the crontab gets changed by an external editor, then the following example log entry appears in /var/log/syslog:
Jan 3 08:46:01 localhost cron[1146]: (*system*) RELOAD (/etc/crontab)
This logging mechanism is probably configurable but is activated by default at least on Debian and Ubuntu and I suppose most other distributions, too.
Solution 3
Lots of them, but (afaik) nothing intrinsic to cron. I would probably use tripwire on the server, and make sure that /var/spool/cron
was tripwired.
Related videos on Youtube
Comments
-
nitins over 1 year
Any way check and notify if some one made a change/addition to cronjobs for a particular user on a Linux server?
Is it possible to know the changes made too?
-
scai over 11 yearsDon't store your password in a file unless you know what you are doing and how to keep it safe.