How to read cron log?

Hi everyone,

I have set up a cron job and it ran as I expected; however, I am unable to determine whether it was executed by a regular user (rml5723 in this case) or by root. My intention was for it to run as root (notice the 's' bit set on the script); the script itself is owned by the regular user. As you can see from the cut/paste from /var/adm/cron/log below, its command was executed, but I am not able to determine who actually ran the script. I have been looking for documentation that might explain how to read this cron log but have been unable to find anything. Your help is greatly appreciated.

>  CMD: /home/rml5723/testcron > /home/rml5723/logs
>  rml5723 6768 c Mon Sep 28 11:30:00 PDT 2015
<  rml5723 6768 c Mon Sep 28 11:30:01 PDT 2015


$ whoami
rml5723

$ pwd
/home/rml5723
$ ll
total 16
-rwsr-xr-x   1 rml5723    users           38 Sep 28 10:01 testcron
-rw-rw-rw-   1 rml5723    users            0 Dec 15  2014 testing


root@some_server[/var/adm/cron]
# cat cron.allow
root
rml5723


$  cat testcron
ll /home/rml5723 
echo "HELLO"

$ crontab -l
5,10,15,20,25,30 0 * * * /home/rml5723/testcron > /home/rml5723/logs

$ cat logs
total 32
-rw-r--r--   1 rml5723    users            0 Sep 28 11:30 logs
-rwsr-xr-x   1 rml5723    users           31 Sep 28 11:20 testcron
-rw-rw-rw-   1 rml5723    users            0 Dec 15  2014 testing
-rw-r-----   1 rml5723    users           31 Sep 28 11:20
HELLO

Thanks!
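
A reader for the log excerpt quoted in the post above, added here as an example and not part of any poster's message. It assumes the usual System V cron log layout, in which a ">" record marks a job start, a "<" record its end, and the field after the marker is the user the job ran as (the crontab owner); cron_log_summary, sample_log and the second sample record are constructed for the illustration.

```shell
#!/bin/sh
# Summarise a System V style cron log (HP-UX: /var/adm/cron/log).
# Assumed record layout (not stated in the thread):
#   ">  CMD: <command>"                        command about to start
#   ">  <user> <pid> <type> <date...>"         job started as <user>
#   "<  <user> <pid> <type> <date...> [rc=N]"  job finished
# <type> is c for a crontab job. Output, one line per finished job:
#   user|pid|type|rc|command      (rc is "-" when no rc= field is logged)
cron_log_summary() {
  awk '
    $1 == ">" && $2 == "CMD:" {
      # remember the command until its start record arrives
      cmd = $0
      sub(/^>[ \t]+CMD:[ \t]+/, "", cmd)
      next
    }
    $1 == ">" && NF >= 4 {
      started[$2 SUBSEP $3] = cmd
      cmd = ""
      next
    }
    $1 == "<" && NF >= 4 {
      key = $2 SUBSEP $3
      rc = "-"
      for (i = 5; i <= NF; i++)
        if ($i ~ /^rc=/) rc = substr($i, 4)
      c = (key in started) ? started[key] : "(start record not in log)"
      printf "%s|%s|%s|%s|%s\n", $2, $3, $4, rc, c
      delete started[key]
    }
  '
}

# Constructed sample: the first job is the one quoted in the post, the
# second is made up to show a root job that logged an exit status.
sample_log() {
  cat <<'EOF'
>  CMD: /home/rml5723/testcron > /home/rml5723/logs
>  rml5723 6768 c Mon Sep 28 11:30:00 PDT 2015
<  rml5723 6768 c Mon Sep 28 11:30:01 PDT 2015
>  CMD: /usr/local/bin/example_job
>  root 7001 c Mon Sep 28 12:00:00 PDT 2015
<  root 7001 c Mon Sep 28 12:00:02 PDT 2015 rc=1
EOF
}

sample_log | cron_log_summary
```

On the real system the function would be fed the log directly: cron_log_summary < /var/adm/cron/log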

Sticky-bits don't work on scripts.

Even if they did, it wouldn't run a user-owned script as root, but as the user that owns it. Otherwise anyone could create a script that would run as root.

If you want something in crontab to be run as root, I suggest telling cron so by putting it in root's crontab. This has the advantage that you're not opening the door for anyone to run that script as root, you're only permitting cron to do it.

Another way to manage this would be using sudo.

Hello Corona688,

Thanks for your quick response. Our internal system admin policy is that we don't put application cron jobs in root's crontab; we separate them. Maybe I did not mention it earlier, but I put this cron job in the regular user's (rml5723 in this case) crontab.

So if I provide this user sudo privs, I'd remove the 's' bit and then keep the job in its user's crontab, but how would I integrate the below sudoers with cron? It will need to run weekly.

The syntax in the sudoers file would be like

# Host alias specification
Host_Alias SERVERS=abc124

# User alias specification
# (alias names must be upper case, and the host alias must match SERVERS above)
User_Alias   DEVELOPER=rml5723

DEVELOPER  SERVERS = (root) NOPASSWD: /home/rml5723/testcron

Again thanks!

Rachael

Instead of doing /path/to/script.sh, you'd do sudo /path/to/script.sh. Otherwise you can use the line you had.

Hi Corona688,

Do you mean put the below line in the user's crontab?

sudo /path/to/script.sh

Thanks,

Rachael

suid-root is not the correct method (and neither is the suid-root sudo)!
What OS do you have?

uname -sr

No. I meant the line you had before, with 'sudo script' instead of 'script'.

It is HP-UX 11.31

Thanks,

Rachael

While sudo might suit best here, I present another method of delegation.

Add these root crontab entries

47 * * * * /usr/bin/run-parts -l /var/log/run-parts.log /etc/cron.d/hourly
40 4 * * * /usr/bin/run-parts -l /var/log/run-parts.log /etc/cron.d/daily
30 4 * * 0 /usr/bin/run-parts -l /var/log/run-parts.log /etc/cron.d/weekly
20 4 1 * * /usr/bin/run-parts -l /var/log/run-parts.log /etc/cron.d/monthly

Prepare directories by

mkdir -p /etc/cron.d/hourly /etc/cron.d/daily /etc/cron.d/weekly /etc/cron.d/monthly
mkdir -p /var/log

Install the executable /usr/bin/run-parts script

#!/bin/sh
# run-parts:  Runs all the scripts found in a directory.

# keep going when something fails
set +e
# ensure wild card matching
set +f

if [ x"$1" = x"-l" ]; then
  logfile=$2
  shift 2
fi

if [ $# -lt 1 ]; then
  echo "Usage: run-parts [-l logfile] <directory>"
  exit 1
fi

if [ ! -d "$1" ]; then
  echo "Not a directory: $1"
  exit 1
fi

umask 22

if [ -n "$logfile" ]; then
# rotate if >10MB
  [ -f "$logfile" ] && find "$logfile" -size +20000 -exec mv "$logfile" "$logfile.old" \;
  exec >> "$logfile" 2>&1 || exit
fi

# an individual pause:
sleep `cksum /etc/hosts | awk '{print $1'\%'60}'`

# Main loop:
for SCRIPT in "$1"/* ; do
# There are several types of files that we would like to
# ignore automatically, as they are likely to be backups
# of other scripts:
  case $SCRIPT in
  *.bak|*.new|*.old|*.orig|*.swp)
    continue # the loop
    ;;
  *[a-zA-Z0-9])
# The last character is legal :-)
    ;;
  *)
    continue # the loop
    ;;
  esac
# If we've made it this far, then run the script if it's executable:
  if [ -f "$SCRIPT" -a -x "$SCRIPT" ]; then
    echo "`date` run $SCRIPT":
    "$SCRIPT"
    echo
  fi
done

exit 0

Now add your executable script to /etc/cron.d/weekly, for weekly execution.
Its output is logged to /var/log/run-parts.log.
You can put more than one script in any of the hourly, daily, weekly and monthly directories.
It works like the /etc/cron.*ly/ in Linux.
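
Both the sudoers rule discussed earlier in the thread and the run-parts directories above make root execute a file by path, so the file and the directory holding it should be owned by root and writable by nobody else. A check for that, added here as an example and not code from any poster; check_root_target and its expected_uid parameter are hypothetical names, and directories further up the path deserve the same check.

```shell
#!/bin/sh
# Check a file that root is going to execute (a sudoers NOPASSWD target,
# or a script dropped into a root-run directory) and the directory that
# holds it. Whoever can rewrite the file, or replace it by writing to
# the directory, decides what root runs.
# Usage: check_root_target <absolute-path> [expected_uid]
#   expected_uid defaults to 0 (root); the parameter exists so the check
#   can be exercised without root. Hypothetical helper, not a system tool.
# Prints one finding per line; returns 0 when there are none.
check_root_target() {
  target=$1
  want_uid=${2:-0}
  findings=0
  case $target in
    /*) ;;
    *) echo "not an absolute path: $target"; return 2 ;;
  esac
  [ -f "$target" ] || { echo "not a regular file: $target"; return 2; }
  for p in "$target" "$(dirname "$target")"; do
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner
    info=$(ls -ldn "$p" | awk '{print $1, $3}')
    mode=${info% *}
    uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
      echo "owner is uid $uid, expected $want_uid: $p"; findings=1
    fi
    # 6th character of the mode string is group write, 9th is world write
    case $mode in ?????w*) echo "group-writable: $p"; findings=1 ;; esac
    case $mode in ????????w*) echo "world-writable: $p"; findings=1 ;; esac
  done
  return $findings
}

# Example call with the path from the thread (prints findings, if any):
# check_root_target /home/rml5723/testcron
```

For the layout shown in the first post, where testcron and its directory belong to rml5723, the check reports an owner finding for both paths.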

Hi MadeInGermany,

I can see that this is a Linux concept, but do you think it will work in HP-UX?

Thanks,

Rachael

Well, it has been running on Solaris until now. But I have no doubt it runs on HP-UX as well.

Thanks, MadeInGermany, for your help, but right now my priority has changed. I will let you know the results once I get back to this.