[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: RedHat 6 Testing



I remembered that behavior with Solaris as well.  However, this should be an anacron job.  There is a text file in /var/spool/anacron/cron.weekly with the date of the last time the job was run.  The files here are also owned by root.  Nothing under /var/spool/cron.  I have also disabled SELinux.

 

The script I have under /etc/cron.weekly does get installed by an rpm package I made and installed (using sudo rpm –ihv).  I can’t imagine the audit system queries rpm for who installed the file?

 

Kevin

 

From: Sean Hollinger gdc4s com [mailto:Sean Hollinger gdc4s com]
Sent: Friday, March 25, 2011 11:33 AM
To: Boyce, Kevin P (AS); linux-audit redhat com
Subject: EXT :RE: RedHat 6 Testing

 

Even if the cron is owned by root, I believe the audit records the user id of the last user to edit the /var/spool/cron/croncrontab file (or wherever your crontab is located). I have seen this using Solaris but I haven’t specifically noticed it with Linux.

 

Sean

 

 

From: linux-audit-bounces redhat com [mailto:linux-audit-bounces redhat com] On Behalf Of Boyce, Kevin P (AS)
Sent: Friday, March 25, 2011 9:56 AM
To: linux-audit redhat com
Subject: RedHat 6 Testing

 

All,

 

I have some puzzling behavior, can anyone shed some light here?

 

I have a script in cron.weekly that has a command being executed which I am auditing for execve.  That part seems to work fine. However, in the detailed audit report my user id is associated with the execution.  Root owns the files there and ultimately root is the effective UID in the record, but why am I associated with the activity at all?

Audit version is: 2.0.4-1

Kernel version is: 2.6.32-71

 

I did not notice this behavior in RHEL5.

 

Regards,

Kevin


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]