How can I track the details of a task created in CRON?

I

ipoluda2021-04-23 01:46:47

linux

ipoluda, 2021-04-23 01:46:47

There are several Ubuntu 20.04 and Debian 7 Linux machines. Also on these machines is a log collector that transfers the logs of these machines to the log collection server.
I need to track the creation of a CRON task, making sure that the command that this task should execute is visible.
I’ve been googling for two days, all that is there is the START EDITING, END EDITING event (but there is no executable file / script for this task) and the actual launch of the task itself (where the executable file is already visible, but by this time it may be too late.
The question is more from the field of information security , that is, you need to see that a task was created with such and such parameters even BEFORE it is launched..
That is, you need to get the cron line itself, for example:
*/1 * * * * /home/user/start.sh
Is this even possible to implement?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

S

SOTVM, 2021-04-23
@sotvm

I don't think so, or almost nothing.
because Theoretically, a task can be created/changed "every second", which means you need to monitor changes in /var/spool/cron*
at least "1 time per second" * Well, you saw the changes and the task itself, and ... then what???? I think you're approaching the problem in the wrong way.

P

pfg21, 2021-04-23
@pfg21

track changes in cron configs via incron or systemd.path and send diff with a script and generate a change report.

D

Denis Yuriev, 2021-04-23
@dyuriev

Keep track of files

/etc/crontab
/etc/cron.d/*
/var/spool/cron/*

and already log the changes in them