|Subject:||Solaris BSM auditing with editfiles|
|Date:||Wed, 4 May 2005 14:50:53 -0400|
Consider the following section of code:
AppendIfNoSuchLine "0,30 * * * * /usr/local/sbin/cfexecd -F"
When the Sunshield BSM (basic security module) is enabled on a Solaris box, the above code will no longer function properly. After Sunshield BSM is enabled, any time a user edits their crontab using “crontab -e”, the audit subsystem will write to a file called /var/spool/cron/crontabs/$username.au. This file contains about 50 bytes of binary data, indicating the true UID (who logged in originally, not the UID of an account they may have su’d to) and date/timestamp when the crontab was edited. The purpose of this is to provide an audit trail for cron jobs. If this wasn’t the case, it would be trivial for any user that has become root to “hide” jobs they want to run in another user’s crontab, and there would be no real audit trail back to the original root user.
The effect is this:
Has anyone on this list run into this issue before? If so, how was it resolved? Did you do something like use addinstallable to detect if there is a new cron, and then execute “crontab filename” to install it?
Any advice or tips would be greatly appreciated.
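
An added example, not part of the original message: a small check that lists crontabs in the spool whose contents changed without a matching update to the $username.au audit file described above, which is what a direct file edit would leave behind. It assumes that "crontab -e" refreshes the .au file together with the crontab, so a crontab newer than its .au file (or with none) was changed out of band; the function names and the sample spool are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag crontabs changed without going through crontab(1).
# Assumption: crontab -e writes <user>.au alongside the crontab, so a crontab
# that is newer than its .au file, or has no .au file, was edited out of band.

# audit_crontabs DIR: print "STATUS user" per crontab; return 1 on any mismatch.
audit_crontabs() {
    dir=${1:-/var/spool/cron/crontabs}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.au) continue ;; esac      # skip the audit files themselves
        user=${f##*/}
        au="$f.au"
        if [ ! -f "$au" ]; then
            echo "NO_AUDIT_FILE $user"; rc=1
        elif [ -n "$(find "$f" -newer "$au" -print)" ]; then
            # crontab mtime is later than the audit record's mtime
            echo "NEWER_THAN_AUDIT $user"; rc=1
        else
            echo "OK $user"
        fi
    done
    return $rc
}

# Constructed sample spool: root was edited via crontab -e (crontab and .au
# share a timestamp), oracle was edited directly afterwards, lp has no .au.
make_sample_spool() {
    d=$(mktemp -d) || return 1
    echo "0,30 * * * * /usr/local/sbin/cfexecd -F" > "$d/root"
    : > "$d/root.au"
    echo "0 2 * * * /constructed/job" > "$d/oracle"
    : > "$d/oracle.au"
    echo "0 3 * * * /constructed/job" > "$d/lp"
    touch -t 200505041400 "$d/root" "$d/root.au" "$d/oracle.au"
    touch -t 200505041450 "$d/oracle"
    echo "$d"
}

# Demo run on the constructed spool; prints one status line per crontab.
spool_demo=$(make_sample_spool) && {
    audit_crontabs "$spool_demo" || true
    rm -rf "$spool_demo"
}
```

On a host without BSM enabled every crontab reports NO_AUDIT_FILE, so the check is only meaningful where auditing is on.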