On 1/9/19 12:46 PM, Jason Shaw via talk wrote:
darryl, you should be able to look at yum or apt/dpk histories to see
if/when cron was updated and possibly gleam some information about
who/what did it.
for debian and ubuntu :
https://serverfault.com/questions/175504/how-do-i-get-the-history-of-apt-get-install-on-ubuntu
<snip
Certainly sounds like something automatically updated the cron package
to me. Good luck in the forensics.
Sounds bad on all counts. I'm not aware of any bugs in 16.04 that would
wipe out any crontabs on auto-updates or manual updates. If you're the
lucky person to discover one, it will definitely require an SRU update
to the cron package itself.
Does anything show up related to cron in /var/log/apt/*.log as Jason
pointed out?
What about in syslog and auth.log? Anything there that would show
something like 'crontab -r' being invoked?
Lastly, are you using any config management tool like puppet, chef,
salt, ansible, juju, etc.? My immediate reaction upon reading this is to
cast aspersions at config management - think sorcerer's apprentice and
all that.
Cheers, Jamon
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
