I want to receive an alert whenever root’s crontab on a machine is updated.
In RHEL (Red Hat Enterprise Linux) 6 the crontab is stored in /var/spool/cron/root and it is readable and writable only by root itself.
After installing the required yum packages (examples: nagios-plugins-all, nagios-plugins-nrpe, nrpe) you can begin this implementation by checking if the file is older than 15 minutes (900 seconds):
# /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root
And, then, negate its output to check if the file is newer than the previous period:
# /usr/lib64/nagios/plugins/negate -o CRITICAL -c OK -u UNKNOWN -s /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root
-o, --ok=STATUS
-w, --warning=STATUS
-c, --critical=STATUS
-u, --unknown=STATUS
-s, --substitute
Let’s check this:
# ls -l /var/spool/cron/root ; echo '# test' >> /var/spool/cron/root ; ls -l /var/spool/cron/root
NOTE: be sure to append (>>) the random text to the crontab file rather than overwriting (>) it.
FILE_AGE CRITICAL: /var/spool/cron/root is 1 seconds old and 212 bytes
OK. That’s the desired output. We can go on but… remember, by default NRPE commands will be executed by the nrpe user:
# grep '^nrpe_user=' /etc/nagios/nrpe.cfg
nrpe_user=nrpe
and that user doesn’t have permission to read root’s crontab file.
# su - nrpe
$ /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root
FILE_AGE CRITICAL: File not found - /var/spool/cron/root
NOTE: I was able to log in as the nrpe user because I updated the /etc/passwd file and changed nrpe’s shell from /sbin/nologin to /bin/bash.
- Give permissions to nrpe to read root’s crontab, or
- Grant sudo permissions to run the check as root
Both of them involve security issues, but having to choose, I prefer the second one, so I edit the sudoers permissions file using the visudo command to add the following lines:
Cmnd_Alias NRPE = /usr/lib64/nagios/plugins/check_root_cron_file_age
nrpe ALL=(ALL) NOPASSWD: NRPE
As you can see, I wrote a simple script for this check (/usr/lib64/nagios/plugins/check_root_cron_file_age), since it is easier to maintain this way.
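The author's check_root_cron_file_age script is not shown on the page. The following is an added example, not the author's code, that implements the same "modified within the last 900 seconds" test directly in shell; unlike the negate pipeline, where check_file_age's CRITICAL for "File not found" is mapped to OK, it reports a missing or unreadable file as UNKNOWN. The function name check_recent_change, the CRON_AGE output prefix and the NRPE entry in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script): stand-alone version of the
# "negated check_file_age" logic. Requires GNU stat (present on RHEL 6).

STATE_OK=0
STATE_CRITICAL=2
STATE_UNKNOWN=3

# check_recent_change FILE WINDOW_SECONDS [NOW_EPOCH]
# CRITICAL if FILE was modified less than WINDOW_SECONDS ago, OK otherwise.
# NOW_EPOCH is optional and exists so the logic can be tested deterministically.
check_recent_change() {
    file=$1
    window=$2
    now=${3:-$(date +%s)}

    # With "negate -c OK", check_file_age's "File not found" CRITICAL becomes OK.
    # Here a missing or unreadable file is surfaced instead of being hidden.
    if [ ! -r "$file" ]; then
        echo "CRON_AGE UNKNOWN: cannot read $file"
        return "$STATE_UNKNOWN"
    fi

    mtime=$(stat -c %Y "$file") || {
        echo "CRON_AGE UNKNOWN: stat failed on $file"
        return "$STATE_UNKNOWN"
    }

    # A modification time in the future gives a negative age, which also alerts.
    age=$((now - mtime))
    if [ "$age" -lt "$window" ]; then
        echo "CRON_AGE CRITICAL: $file modified $age seconds ago (window ${window}s)"
        return "$STATE_CRITICAL"
    fi

    echo "CRON_AGE OK: $file unchanged for $age seconds"
    return "$STATE_OK"
}

# Run the check only when installed under the plugin name, so the function
# can be sourced or tested from another file. Path and window are hardcoded.
# Assumed NRPE entry (the page's own definition is not shown):
#   command[check_root_cron_file_age]=/usr/bin/sudo /usr/lib64/nagios/plugins/check_root_cron_file_age
case "${0##*/}" in
    check_root_cron_file_age)
        check_recent_change /var/spool/cron/root 900
        exit $?
        ;;
esac
```

The script ignores its command-line arguments on purpose: a sudoers Cmnd_Alias entry with no argument list permits the command to be run with any arguments, so the path and window are fixed inside the script rather than passed in.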
In order to let the NRPE daemon know how to answer this check, you have to define it as a command (/etc/nagios/nrpe.cfg):
restart the daemon:
# /etc/init.d/nrpe restart
and check it via NRPE:
# /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_root_cron_file_age
at this point you will probably get some errors like the following ones:
sudo: sorry, you must have a tty to run sudo
sudo: no tty present and no askpass program specified
To avoid the tty and password related problems you have to update the sudo configuration file again:
Defaults !requiretty
Defaults !visiblepw
Setting this check in Nagios is out of the scope of this post but the rest of the procedure is straightforward.