Hey;
Interesting idea for a script - so I wrote it :)!
#!/usr/bin/perl
=cut
###############################################################
bad_crons: Attempts to ID cron jobs that are sending mail to root
Created based on an idea from itrc.
Author: Doug O'Leary
Created: 09/12/06
###############################################################
=cut
use strict;
my $last = '';
my $first = '';
my $subj = '';
my $mail_file = "/var/mail/root";
open (In, "< $mail_file") || die "Can't read $mail_file - ($!)";
while (
)
{ next if (/^\s*$/);
chomp;
switch:
{ if (/^From root/)
{ printf("%-30s %s\n", $first, $last)
if (length($first) > 0 && length($subj) > 0);
($first) = $_ =~ m{from root[^\s]* (.*)}i;
$subj = '';
last switch;
}
if (/^Subject:\s+cron$/)
{ $subj = 'cron'; last switch; }
$last = $_;
}
}
close In;
sample output using one of my problem systems:
Mon Sep 11 08:02:01 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 09:02:01 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 10:02:00 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 11:02:00 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 12:02:00 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 13:02:00 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 14:02:01 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 14:02:01 EDT 2006 /usr/contrib/bin/secfile.sh
Mon Sep 11 14:02:01 EDT 2006 /usr/contrib/bin/secfile.sh
Mon Sep 11 16:02:00 EDT 2006 /usr/contrib/bin/check_root
Mon Sep 11 18:02:01 EDT 2006 /usr/contrib/bin/check_root
Tue Sep 12 01:02:00 EDT 2006 /usr/contrib/bin/check_root
Tue Sep 12 02:20:10 EDT 2006 /usr/local/bin/scanlog
Tue Sep 12 03:35:02 EDT 2006 /usr/local/bin/cleanall -r
Tue Sep 12 04:02:01 EDT 2006 /usr/contrib/bin/check_root
Tue Sep 12 05:02:01 EDT 2006 /usr/contrib/bin/check_root
Tue Sep 12 07:02:00 EDT 2006 /usr/contrib/bin/check_root
HTH;
Doug
------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
