System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Finding out who made changes

SOLVED
Go to solution
Shivkumar
Super Advisor

Finding out who made changes

Hello,

I am trying to research a situation.
We have a cron job and want to know when someone might be disabling or enabling.

We have a powerbroker client running on the servers and cronjob can be modified only by
a privileged user by doing pbrun su-someuser.

Now if i want to know which user has enabled or disabled cron jobs then which place i should be looking ?

Thanks,
Shiv
3 REPLIES
Dennis Handly
Acclaimed Contributor

Re: Finding out who made changes

You can look at the files in /var/spool/cron/crontabs/. Check the date of the files and of the directory.

Note: If a user directly modifies these files, cron(1m) may not pick up the changes because it expects crontab to signal it.
George Spencer_4
Frequent Advisor
Solution

Re: Finding out who made changes

Hi,

Try a find & grep of crontab in the user's shell history files (.sh_history). This may show you who has been using crontab; but it will not show direct editing of the crontab files. Unfortunately, a guilty part can delete the info in their shell history. Also, since there is no timestamp in the HP-UX shell history, you may wish to consider adding something like the following to /etc/profile.

# HISTORY environment variables for all users and a login timestamp
HISTSIZE=1000
EXTENDED_HISTORY=ON
HISTDATEFMT='%d/%m/%Y %H:%M:%S'
FCEDIT=/usr/bin/vi
export HISTSIZE EXTENDED_HISTORY HISTDATEFMT FCEDIT

userDetail=`who am i | tr -s ' '`
echo "## $userDetail " | read -s
echo "##\n\n" | read -s

This works on both HP-UX and AIX, and allows you to see what was done on a particular day.

Good luck
Johnson Punniyalingam
Honored Contributor

Re: Finding out who made changes

Hi Shiv,

You need check the /var/spool/cron/crontabs
which cron users has been recently edited.or

cd /var/spool/cron/crontabs
ls -lrt (will show recerntly edit cron)

By this you can identify which cron has been recently edited.

finding which <
you check " sulog " on the particular day which the cron was recently edited,

Hope this Helps,

Thanks,
Johnson
Problems are common to all, but attitude makes the difference