4

Is there any way to check and notify if someone made a change/addition to cronjobs for a particular user on a Linux server?

Is it possible to know the changes made too?

nitins

4 Answers

5
[user@user-ld ~]$ sudo tail /var/log/cron | grep RELOAD
Jan  3 00:19:01 user-ld crond[3074]: (user) RELOAD (/var/spool/cron/user)

Grep for 'RELOAD' in the cron log (/var/log/cron). If someone edits or adds a cron job, you will see an entry like the one above in the cron log.

Write a monitoring script for this log file and use it to send an alert to your email ID.

If you want, you can use the following script to monitor a particular user's cron entries:

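#!/bin/bash
# Save the user's current crontab into a timestamped snapshot file.
echo 'YOURPASSWORD_SUDO' | sudo -S crontab -l -u user > "current_status_$(date +"%m%d%y%s")"
# Pick the newest snapshot and the one taken before it (sorted by modification time).
latest=$(ls -1tr current_status_* | tail -1)
previous=$(ls -1tr current_status_* | tail -2 | head -1)
# diff prints the differences and exits 0 only when the two snapshots are identical.
if diff "$latest" "$previous"; then
    echo "no change in cron"
else
    echo "cron changed"
fi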
Suku
    Don't store your password in a file unless you know what you are doing and how to keep it safe. – scai Jan 03 '13 at 11:32
2

If someone edits his per-user crontab file via crontab -e, a log entry gets written to /var/log/syslog. Examples:

User alex edited his own crontab file:

Jan  3 08:42:47 localhost crontab[4278]: (alex) BEGIN EDIT (alex)
Jan  3 08:42:50 localhost crontab[4278]: (alex) END EDIT (alex)

User root edited the crontab file of user alex:

Jan  3 08:49:06 localhost crontab[4557]: (root) BEGIN EDIT (alex)
Jan  3 08:49:07 localhost crontab[4557]: (root) END EDIT (alex)

If the crontab gets changed by an external editor, then the following example log entry appears in /var/log/syslog:

Jan  3 08:46:01 localhost cron[1146]: (*system*) RELOAD (/etc/crontab)

This logging mechanism is probably configurable but is activated by default at least on Debian and Ubuntu and I suppose most other distributions, too.

scai
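
As an added example (not code from either answer), the RELOAD and BEGIN/END EDIT log lines quoted in the two answers above can be summarized per crontab owner with a small shell function. The function name cron_changes, its output format and the optional user argument are assumptions of this example; it reads log lines on stdin, so it can be fed from /var/log/cron or /var/log/syslog.

```shell
#!/bin/sh
# Added example: summarize crontab change events from cron log lines on stdin.
# Optional argument (assumption of this example): report only this crontab owner.
cron_changes() {
    awk -v watch="${1:-}" '
    {
        i = index($0, "]: (")               # end of the prog[pid] tag
        if (i == 0) next
        rest = substr($0, i + 4)            # actor) ACTION (object)
        j = index(rest, ") ")
        if (j == 0) next
        actor = substr(rest, 1, j - 1)
        rest = substr(rest, j + 2)          # ACTION (object)
        k = index(rest, " (")
        if (k == 0) next
        action = substr(rest, 1, k - 1)
        object = substr(rest, k + 2)
        sub(/\)[ \t\r]*$/, "", object)      # drop the closing parenthesis
        if (action == "END EDIT") {         # object is the crontab owner
            owner = object
            note = (actor == owner) ? "by=self" : "by=other"
        } else if (action == "RELOAD") {    # object is a path; no editor is logged
            n = split(object, part, "/")
            owner = part[n]
            note = "by=unknown"
        } else { next }                     # BEGIN EDIT and job runs are skipped
        if (watch != "" && owner != watch) next
        gsub(/ /, "_", action)
        print $1, $2, $3, action, "actor=" actor, "target=" object, note
    }'
}

# Sample input: the log lines quoted in the two answers above.
sample_log() {
    cat <<'EOF'
Jan  3 00:19:01 user-ld crond[3074]: (user) RELOAD (/var/spool/cron/user)
Jan  3 08:42:47 localhost crontab[4278]: (alex) BEGIN EDIT (alex)
Jan  3 08:42:50 localhost crontab[4278]: (alex) END EDIT (alex)
Jan  3 08:49:06 localhost crontab[4557]: (root) BEGIN EDIT (alex)
Jan  3 08:49:07 localhost crontab[4557]: (root) END EDIT (alex)
Jan  3 08:46:01 localhost cron[1146]: (*system*) RELOAD (/etc/crontab)
EOF
}

# Stand-alone run: summarize the sample, optionally filtered by the first argument.
sample_log | cron_changes "${1:-}"
```

Lines marked by=other are the ones where a different account edited the watched user's crontab, which is usually the event worth alerting on.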
1

Lots of them, but (afaik) nothing intrinsic to cron. I would probably use tripwire on the server, and make sure that /var/spool/cron was tripwired.

MadHatter
0

You can use incron, which is similar to cron but handles file system events (changes to files/folders) instead of handling events based on time. You can monitor the folder /var/spool/cron/crontabs for changes and invoke a script to log them and do whatever you want.

Khaled