[GTALUG] cron scripts **BOOM**
Jamon Camisso
jamon.camisso at utoronto.ca
Thu Jan 10 13:16:37 EST 2019
On 1/9/19 12:46 PM, Jason Shaw via talk wrote:
> darryl, you should be able to look at yum or apt/dpkg histories to see
> if/when cron was updated and possibly glean some information about
> who/what did it.
>
> for debian and ubuntu :
> https://serverfault.com/questions/175504/how-do-i-get-the-history-of-apt-get-install-on-ubuntu
<snip>
>
> Certainly sounds like something automatically updated the cron package
> to me. Good luck in the forensics.

Sounds bad on all counts. I'm not aware of any bugs in 16.04 that would
wipe out any crontabs on auto-updates or manual updates. If you're the
lucky person to discover one, it will definitely require an SRU update
to the cron package itself.

Does anything show up related to cron in /var/log/apt/*.log as Jason
pointed out?

What about in syslog and auth.log? Anything there that would show
something like 'crontab -r' being invoked?

Lastly, are you using any config management tool like puppet, chef,
salt, ansible, juju, etc.? My immediate reaction upon reading this is to
cast aspersions at config management - think sorcerer's apprentice and
all that.

Cheers, Jamon
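
The log checks suggested in this message, as an added example that is not part of the original post: one function pulls the apt history stanzas that touched the cron package, the other pulls crontab DELETE/REPLACE events and sudo-run `crontab -r` commands from syslog/auth.log. The function names, the host name `host1`, the `OLD`/`NEW` version placeholders and all sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage for vanished crontabs.

# apt's history.log is a series of blank-line-separated stanzas. Print each
# stanza whose Install/Upgrade/Remove/Purge line names the cron package
# itself (not anacron or other packages whose names merely end in "cron").
apt_cron_events() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    { for (i = 1; i <= NF; i++)
        if ($i ~ /^(Install|Upgrade|Remove|Purge): (.*\), )?cron:/) {
            print $0 "\n"; break } }' "$@"
}

# crontab(1) logs each action to syslog as "(actor) ACTION (target)";
# "crontab -r" shows up as DELETE and an overwrite as REPLACE. sudo records
# the full command line in auth.log as COMMAND=...
crontab_changes() {
    awk '/crontab\[[0-9]+\]: \([^)]*\) (DELETE|REPLACE) \(/ ||
         /COMMAND=[^ ]*crontab (.* )?-r( |$)/' "$@"
}

# Constructed sample data (versions replaced by OLD/NEW placeholders).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/history.log" <<'EOF'
Start-Date: 2019-01-08  06:25:13
Commandline: /usr/bin/unattended-upgrade
Upgrade: anacron:amd64 (OLD, NEW)
End-Date: 2019-01-08  06:25:15

Start-Date: 2019-01-09  06:25:13
Commandline: /usr/bin/unattended-upgrade
Upgrade: libfoo:amd64 (OLD, NEW), cron:amd64 (OLD, NEW)
End-Date: 2019-01-09  06:25:20
EOF
cat > "$SAMPLE_DIR/messages.log" <<'EOF'
Jan  9 03:12:40 host1 crontab[2210]: (darryl) LIST (darryl)
Jan  9 03:12:44 host1 crontab[2211]: (root) DELETE (darryl)
Jan  9 03:12:44 host1 sudo:   darryl : TTY=pts/0 ; PWD=/home/darryl ; USER=root ; COMMAND=/usr/bin/crontab -u darryl -r
Jan  9 03:17:01 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
EOF

apt_cron_events "$SAMPLE_DIR/history.log"
crontab_changes "$SAMPLE_DIR/messages.log"
```

On a real host the arguments would be /var/log/apt/history.log and /var/log/syslog plus /var/log/auth.log; rotated `.gz` copies need to be decompressed (for example with `zcat`) and piped in on stdin.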