Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


Monday August 06, 2007
Ever wondered what the files /var/spool/cron/crontabs/*.au are
2007-08-06 16:48

You might have noticed some strange files in /var/spool/cron/crontabs ending with .au. These are not µ-law audio files, but auxiliary audit files for crontab, which are created when auditing has been enabled and you edit your crontab entry.

# cd /var/spool/cron/crontabs
# ls -l
total 19
-rw-------   1 root     sys         1010 Feb 25 18:04 adm
-r--------   1 root     root        1371 Feb 25 18:06 lp
-rw-------   1 root     martin        38 Jun 21 00:20 martin
-r--------   1 root     martin        45 Jun 21 00:20 martin.au
-rw-------   1 root     sys         1401 Mar 13 04:28 root
-rw-------   1 root     sys         1128 Feb 25 18:09 sys

Looking closer at what is in my .au file we find the following:

# cat martin.au
300
0
0
7ff81600
4
1dad35c9 0 0 0
2441309132

This is quite cryptic, especially as it isn't documented anywhere but in the source! Using the source you can work out what the above values mean.

The first number (300) is the audit id, i.e. my user id. The second and third rows are the pre-selection mask split up in two parts, first the audit on success and then the audit on failure. The next three rows are the terminal id, starting with the port, then the address type and last the address. The port number (7ff81600) is made up of two parts (major and minor) which are joined together. After that follows the address type (4), which represents IPv4, as defined in audit.h. Note that the address is made up of 4 numbers to fit IPv6 addresses, but since I logged in from a system using IPv4 it is only the first part which is filled. There is a gotcha here: how the number is written depends on the architecture. The example is from my X2200 M2, so the 1dad35c9 needs to be converted to network byte order to map correctly to an IP address. The last row is the session id (2441309132).

This file is created (and updated) when you edit your crontab, which can cause a lot of confusion. If you increase the auditing for a particular user, you expect that the audit trail from the user's cron jobs would increase too, but if the .au file has already been created the pre-selection masks are frozen.

To fix this you need to update the .au file too when you change the audit flags.
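
Added example (not from the original post or the Solaris source): a Python parser for the seven-row layout described above, which converts the address word to an IP address and reports whether the frozen masks differ from the flags you now expect. It assumes the masks are written in hexadecimal, the audit and session ids in decimal, and that the file came from a little-endian host such as the X2200 M2; all function and field names are hypothetical.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed sample: the martin.au contents shown in the post.
SAMPLE = "300\n0\n0\n7ff81600\n4\n1dad35c9 0 0 0\n2441309132\n"
AU_IPV4 = 4  # address type for IPv4, as the post notes from audit.h


@dataclass
class CronAuditInfo:
    audit_id: int
    success_mask: int
    failure_mask: int
    port: int
    addr_type: int
    address: str
    session_id: int


def decode_address(words, addr_type, byteorder="little"):
    """Rebuild the in-memory (network order) bytes from the host-order words."""
    raw = struct.pack(("<" if byteorder == "little" else ">") + "4I", *words)
    if addr_type == AU_IPV4:
        return str(ipaddress.IPv4Address(raw[:4]))
    return raw.hex()  # other address types are left undecoded


def parse_au(text, byteorder="little"):
    rows = [r.strip() for r in text.splitlines() if r.strip()]
    if len(rows) != 7:
        raise ValueError(f"expected 7 rows, got {len(rows)}")
    words = [int(w, 16) for w in rows[5].split()]
    if len(words) != 4:
        raise ValueError("address row must hold 4 words")
    addr_type = int(rows[4])  # "4" reads the same in decimal and hex
    return CronAuditInfo(
        audit_id=int(rows[0]),          # assumed decimal
        success_mask=int(rows[1], 16),  # assumed hexadecimal
        failure_mask=int(rows[2], 16),  # assumed hexadecimal
        port=int(rows[3], 16),          # major/minor joined, left unsplit
        addr_type=addr_type,
        address=decode_address(words, addr_type, byteorder),
        session_id=int(rows[6]),        # assumed decimal
    )


def masks_are_stale(info, want_success, want_failure):
    """True when the frozen masks differ from the flags now expected."""
    return (info.success_mask, info.failure_mask) != (want_success, want_failure)
```

Pass `byteorder="big"` for a file written on a big-endian host, where the address word is already in network byte order.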
