Sorry, this is bad advice. When auditing is enabled, the .au file is required in order for crond to execute a cron job. The reason for it is this:
Hypothetically, let's say a root user wants to execute malicious commands, but doesn't want an audit trail pointing to them as the one that executed the commands. Without the .au file, the root user could edit any user's crontab, hiding the malicious commands. Then, cron would execute those jobs and the audit trail would point to the innocent user. The .au file stores the UID of the person that actually ran "crontab -e", as well as a timestamp indicating when it was edited. That way, when cron runs the job, it can update the audit trail with the correct UID of who actually requested the job to be run (edited the crontab).

There are a couple of things that break this:

1. On Solaris 8, OpenSSH doesn't seem to update the .au files properly. In order to fix this, you have to set "UseLogin Yes" in your sshd_config.
2. Editing crontabs manually with any method, such as cfagent editfiles, does not update the .au token properly, which causes cron to throw those errors.

Deleting the .au files will ensure that your cron jobs never run. Also, it might even keep crond from starting properly on a reboot.

The only way to properly update crontabs when auditing is enabled is to use the crontab command.

Luke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Baker, Darryl
Sent: Friday, May 27, 2005 10:22 AM
To: 'PAUL WILLIAMSON'
Cc: 'help-cfengine@gnu.org'
Subject: RE: Solaris cron audit problem

I believe the other way around it is to remove the .au files from the crontab directory and restart cron whenever cfengine makes an edit to a crontab file.

_____________________________________________________________________
Darryl Baker
Senior Unix Specialist
gedas USA, Inc.
Operational Services Business Unit
3800 Hamlin Road
Auburn Hills, MI 48326
US
phone +1-248-754-5341
fax +1-248-754-6399
[EMAIL PROTECTED]
http://www.gedasusa.com
_____________________________________________________________________

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf
> Of PAUL WILLIAMSON
> Sent: Friday, May 27, 2005 12:29 AM
> To: help-cfengine@gnu.org
> Subject: Solaris cron audit problem
>
> More fun...
>
> I finally have 2.1.14 running for the most part. When I set cfagent to
> make an entry to the crontab, I get this in my /var/cron/log:
>
> !cron audit problem. job failed (x/x/x) for user root
>
> After doing some googling, I've tracked it down to a combination of
> Solaris, BMS (audit/security), and openssh. Apparently my only
> options are to turn off auditing or making crontab entries via
> the console. Neither of which are an option. Any ideas?
>
> Switching to linux is sounding better and better...
> I'm not having these problems with those boxes...
>
> Paul
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
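
An added example, not part of the original thread: a shell function that lists crontabs whose audit token is missing, older than the crontab, or left without a crontab, which are the conditions the thread ties to out-of-band edits and "cron audit problem" failures. It assumes tokens are named <user>.au and sit beside the crontab, that /var/spool/cron/crontabs is the spool directory, and that "crontab newer than its token" is a usable heuristic; the function name is hypothetical and a shell with `-nt` support (bash, dash) is expected.

```shell
# Added example, not from the thread. Assumptions: audit tokens are named
# <user>.au next to each crontab; a crontab newer than its token is treated
# as a sign it was edited without the crontab command (heuristic only).

check_cron_audit_tokens() {
    dir=${1:-/var/spool/cron/crontabs}   # assumed default spool directory
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips the unexpanded glob in an empty dir
        name=${f##*/}
        case $name in
            *.au)
                # Token with no crontab beside it.
                user=${name%.au}
                if [ ! -f "$dir/$user" ]; then
                    echo "ORPHAN $user"
                    problems=$((problems + 1))
                fi
                ;;
            *)
                if [ ! -f "$f.au" ]; then
                    # Crontab with no token: the deleted-token case.
                    echo "MISSING $name"
                    problems=$((problems + 1))
                elif [ "$f" -nt "$f.au" ]; then
                    # Crontab changed after its token was last written.
                    echo "STALE $name"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done
    # Exit status 0 only when every crontab has an up-to-date token.
    [ "$problems" -eq 0 ]
}
```

A crontab reported here would be reinstalled through the crontab command, which the thread gives as the only method that updates the token.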