[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Solaris cron audit problem
|
From: |
PAUL WILLIAMSON |
|
Subject: |
RE: Solaris cron audit problem |
|
Date: |
Fri, 27 May 2005 12:22:43 -0400 |
When I enabled UseLogin Yes, I got booted right back out from
logging in. Do I need to enable something else? I thought about
setting up ldap with central user authentication to deal with this,
but it doesn't seem to be doing the job either.
Paul
>>> "Luke Youngblood" <lyoungblood@phonechargeinc.com> 05/27/05 12:12
PM >>>
Sorry, this is bad advice.
When auditing is enabled, the .au file is required in order for crond
to
execute a cron job. The reason for it is this:
Hypothetically, let's say a root user wants to execute malicious
commands,
but doesn't want an audit trail pointing to them as the one that
executed
the commands. Without the .au file, the root user could edit any
user's
crontab, hiding the malicious commands. Then, cron would execute those
jobs
and the audit trail would point to the innocent user. The .au file
stores
the UID of the person that actually ran "crontab -e", as well as a
timestamp
indicating when it was edited. That way, when cron runs the job, it
can
update the audit trail with the correct UID of who actually requested
the
job to be run (edited the crontab).
There are a couple of things that break this:
1. On Solaris 8, OpenSSH doesn't seem to update the .au files properly.
In
order to fix this, you have to set "UseLogin Yes" in your sshd_config.
2. Editing crontabs manually with any method, such as cfagent
editfiles,
does not update the .au token properly, which causes cron to throw
those
errors.
Deleting the .au files will ensure that your cron jobs never run.
Also, it
might even keep crond from starting properly on a reboot.
The only way to properly update crontabs when auditing is enabled is to
use
the crontab command.
Luke
-----Original Message-----
From: help-cfengine-bounces+lyoungblood=phonechargeinc.com@gnu.org
[mailto:help-cfengine-bounces+lyoungblood=phonechargeinc.com@gnu.org]
On
Behalf Of Baker, Darryl
Sent: Friday, May 27, 2005 10:22 AM
To: 'PAUL WILLIAMSON'
Cc: 'help-cfengine@gnu.org'
Subject: RE: Solaris cron audit problem
I believe the other way around it is to remove the .au files from the
crontab directory and restart cron whenever cfengine makes an edit to
a
crontab file.
_____________________________________________________________________
Darryl Baker
Senior Unix Specialist
gedas USA, Inc.
Operational Services Business Unit
3800 Hamlin Road
Auburn Hills, MI 48326
US
phone +1-248-754-5341
fax +1-248-754-6399
Darryl.Baker@gedas.com
http://www.gedasusa.com
_____________________________________________________________________
> -----Original Message-----
> From: help-cfengine-bounces+darryl.baker=gedas.com@gnu.org
> [mailto:help-cfengine-bounces+darryl.baker=gedas.com@gnu.org]On
Behalf
> Of PAUL WILLIAMSON
> Sent: Friday, May 27, 2005 12:29 AM
> To: help-cfengine@gnu.org
> Subject: Solaris cron audit problem
>
>
> More fun...
>
> I finally have 2.1.14 running for the most part. When I set
> cfagent to
> make an entry
> to the crontab, I get this in my /var/cron/log:
>
> !cron audit problem. job failed (x/x/x) for user root
>
> After doing some googling, I've tracked it down to a combination of
> Solaris, BMS (audit/security), and openssh. Apparently my only
> options are to turn off auditing or making crontab entries via
> the console. Neither of which are an option. Any ideas?
>
> Switching to linux is sounding better and better...
> I'm not having these problems with those boxes...
>
> Paul
>
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
>