Audit log for cron jobs (Doc ID 1019047.1)

Last updated on JULY 29, 2016

Applies to:

Solaris Operating System - Version 8 6/00 U1 and later
All Platforms

Symptoms

A user who edits crontab, is also logged in audit log. Some users may question this behavior and wonder if they meet a BSM (Basic Security Module) bug.

For example,
1. Super user (root) logs in to the specific system and uses crontab -e to define the following 2 cron jobs.
...
44 9 * * * rm /tmp/123
46 9 * * * rm /tmp/124
...
2. At 9:45 user (user1) logs in to the specific system and then changes to root via su -. Finally user1 uses crontab -e to put a comment line as below.
...
# comment
44 9 * * * rm /tmp/123
46 9 * * * rm /tmp/124
...
3. From the audit log, at 9:44, BSM successfully logged the rm event for /tmp/123 with the user id (root). However, at 9:46, BSM logged the other event with the audit id (user1).
NOTE: Audit log files (see audit.log(4) for details) are written to the directory /var/audit. praudit(1M) can be used to make the audit log 'readable', and auditreduce(1M) to select the audit records in which we are interested.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms