Checking for changes to cronjobs

Solution 1

[user@user-ld ~]$ sudo tail /var/log/cron | grep RELOAD
Jan  3 00:19:01 user-ld crond[3074]: (user) RELOAD (/var/spool/cron/user)

grep for 'RELOAD' in cron log (/var/log/cron). So if some one edit/add a cron job, you can see above kind of thing in cron log.

Write a monitoring script for this log file and using which sent an alert to your email ID.

If you want you can use following script for monitoring a particular users cron entries:

#!/bin/bash
echo 'YOURPASSWORD_SUDO' | sudo -S crontab -l -u user > current_status_`date +"%m%d%y%s"`
diff <(cat `ls -1tr current_status_*| tail -1`) <(cat `ls -1tr current_status_* | tail -2 | head -1`)
if [[ $? == 0 ]] ; then 
    echo "no change in cron"
else
    echo "cron changed"
fi

Solution 2

If someone edits his per-user crontab file via crontab -e a log entry gets written to /var/log/syslog. Examples:

user alex edited his own crontab file:

Jan  3 08:42:47 localhost crontab[4278]: (alex) BEGIN EDIT (alex)
Jan  3 08:42:50 localhost crontab[4278]: (alex) END EDIT (alex)

user root edited the crontab file of user alex:

Jan  3 08:49:06 localhost crontab[4557]: (root) BEGIN EDIT (alex)
Jan  3 08:49:07 localhost crontab[4557]: (root) END EDIT (alex)

If the crontab gets changed by an external editor, then the following example log entry appears in /var/log/syslog:

Jan  3 08:46:01 localhost cron[1146]: (*system*) RELOAD (/etc/crontab)

This logging mechanism is probably configurable but is activated by default at least on Debian and Ubuntu and I suppose most other distributions, too.

Solution 3

Lots of them, but (afaik) nothing intrinsic to cron. I would probably use tripwire on the server, and make sure that /var/spool/cron was tripwired.

Related videos on Youtube