RedHat 6 Testing
Sean.Hollinger at gdc4s.com
Sean.Hollinger at gdc4s.com
Fri Mar 25 15:32:40 UTC 2011
Even if the cron is owned by root, I believe the audit records the user
id of the last user to edit the /var/spool/cron/croncrontab file (or
wherever your crontab is located). I have seen this using Solaris but I
haven't specifically noticed it with Linux.
Sean
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Boyce, Kevin P (AS)
Sent: Friday, March 25, 2011 9:56 AM
To: linux-audit at redhat.com
Subject: RedHat 6 Testing
All,
I have some puzzling behavior, can anyone shed some light here?
I have a script in cron.weekly that has a command being executed which I
am auditing for execve. That part seems to work fine. However, in the
detailed audit report my user id is associated with the execution. Root
owns the files there and ultimately root is the effective UID in the
record, but why am I associated with the activity at all?
Audit version is: 2.0.4-1
Kernel version is: 2.6.32-71
I did not notice this behavior in RHEL5.
Regards,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20110325/1916c890/attachment.htm>
More information about the Linux-audit
mailing list