Re: Solaris BSM auditing with editfiles
From: Dmitry Sazonov
Subject: Re: Solaris BSM auditing with editfiles
Date: Wed, 04 May 2005 22:01:19 -0400
User-agent: KMail/1.7.1
On Wednesday 04 May 2005 02:50 pm, Luke Youngblood wrote:
> Consider the following section of code:
>
control:
AddInstallable = ( reload_crontab )
>
> editfiles:
>
> { /var/spool/cron/crontabs/root
>
> AutoCreate
> DeleteLinesContaining "cfwrap"
> AppendIfNoSuchLine "0,30 * * * * /usr/local/sbin/cfexecd -F"
DefineClasses "reload_crontab"
> }
>
shellcommands:
reload_crontab::
"/usr/bin/crontab /var/spool/cron/crontabs/root"
>
> When the Sunshield BSM (basic security module) is enabled on a Solaris box,
> the above code will no longer function properly. After Sunshield BSM is
> enabled, any time a user edits their crontab using "crontab -e", the audit
> subsystem will write to a file called /var/spool/cron/crontabs/$username.au.
> This file contains about 50 bytes of binary data, indicating the true UID
> (who logged in originally, not the UID of an account they may have su'd to)
> and date/timestamp when the crontab was edited. The purpose of this is to
> provide an audit trail for cron jobs. If this wasn't the case, it would be
> trivial for any user that has become root to "hide" jobs they want to run in
> another user's crontab, and there would be no real audit trail back to the
> original root user.
>
> The effect is this:
>
> 1. cfagent edits the user's crontab.
> 2. crond reads the new crontab, sees that the crontab has been
> manipulated manually without properly updating the .au token.
> 3. crond throws an error and refuses to run the new cron job that was
> added, since there is no audit token tying it back to a user that added the
> cron job.
>
> Has anyone on this list run into this issue before? If so, how was it
> resolved? Did you do something like use addinstallable to detect if there
> is a new cron, and then execute "crontab filename" to install it?
>
> Any advice or tips would be greatly appreciated.
>
> Luke Youngblood
> Senior System Administrator
> PhoneCharge, Inc.
> (203) 732-7639 x279
> http://www.phonechargeinc.com
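Worked example added here by the editor (it is not code from either poster): the policy behind the interleaved cfengine snippet, written as a POSIX shell function. The change is made on a scratch copy and then handed to crontab(1), so the audit subsystem writes the .au token itself, exactly as it would for "crontab -e", and cron never sees a spool file that was edited behind its back. The CRONTAB_CMD hook and the ensure_cron_line name are assumptions for this example; the spool path, the "cfwrap" pattern and the cfexecd line come from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: keep cron edits auditable under BSM by
# never leaving a hand-edited spool file in place. The desired change is made
# on a scratch copy, and the result is installed through crontab(1) so the
# audit subsystem records who made the change, as "crontab -e" would.
#
# CRONTAB_CMD is an assumed hook so the installer can be swapped (e.g. for a
# dry run); it defaults to the Solaris path used in the thread.
CRONTAB_CMD="${CRONTAB_CMD:-/usr/bin/crontab}"

# ensure_cron_line SPOOLFILE DROP_PATTERN LINE
#   Remove every line containing DROP_PATTERN, append LINE if it is absent,
#   then install via crontab(1) only when the content actually changed.
#   Prints "changed" or "unchanged"; returns the installer's exit status.
ensure_cron_line() {
    spool="$1"; drop="$2"; line="$3"
    tmp=$(mktemp) || return 1
    if [ -f "$spool" ]; then
        # DeleteLinesContaining equivalent (grep exits 1 if nothing survives)
        grep -v -F -- "$drop" "$spool" > "$tmp" || :
    else
        : > "$tmp"       # AutoCreate equivalent
    fi
    # AppendIfNoSuchLine equivalent: whole-line, fixed-string match
    grep -q -F -x -- "$line" "$tmp" || printf '%s\n' "$line" >> "$tmp"
    if [ -f "$spool" ] && cmp -s "$spool" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    # Install through crontab(1) rather than copying into the spool
    # directory: this is the step that makes BSM write the .au token.
    rc=0
    "$CRONTAB_CMD" "$tmp" || rc=$?
    rm -f "$tmp"
    echo changed
    return $rc
}

# Usage (as root, the owner of the crontab being managed):
#   ensure_cron_line /var/spool/cron/crontabs/root cfwrap \
#       "0,30 * * * * /usr/local/sbin/cfexecd -F"
```

Run it as the user whose crontab is being managed, since crontab(1) installs for the invoking user. Passing the spool file itself as SPOOLFILE gives the same net effect as the reply's shellcommands line, except that the spool is only ever rewritten by crontab(1), so there is no window in which cron can observe an edited file with a stale audit token.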