auth log 似乎正在运行神秘的 cronjob

auth log 似乎正在运行神秘的 cronjob

我查看了我的身份验证日志,以查看机器人是否试图获得访问权限,我看到一个 cronjob 似乎正在运行,但我不明白为什么。身份验证日志如下所示...

Dec  7 13:55:01 myuser CRON[7362]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  7 13:55:01 myuser CRON[7362]: pam_unix(cron:session): session closed for user root
Dec  7 14:05:01 myuser CRON[7385]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  7 14:05:01 myuser CRON[7385]: pam_unix(cron:session): session closed for user root
Dec  7 14:15:01 myuser CRON[7408]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  7 14:15:01 myuser CRON[7408]: pam_unix(cron:session): session closed for user root

所以它每十分钟准时运行一次。当我查看我的 root crontab 时,我看到了这一点。

#0      0       *       *       *       job.sh
0       0       *       *       *       job2.sh
#0      23      *       *       *       job3.sh
0       0       */10    *       *       job4.sh
0       0       */5     *       *       job5.sh

有些作业被故意注释掉了。我只看到一个有 */10 间隔的东西,但它在天列而不是分钟列中......知道我下一步该看哪里吗?

sudo -u root crontab -l:

#0  0   *   *   *   job.sh
0   0   *   *   *   job2.sh
#0  23  *   *   *   job3.sh
0   0   */10    *   *   job4.sh
0   0   */5 *   *   job5.sh

在 /etc/crontab 中:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

我做了cat *cron.d目录并编辑了所有注释并得到了以下结果:

57 0 * * 0 root if [ -x /usr/share/mdadm/checkarray ] && [ $(date +\%d) -le 7 ]; then /usr/share/mdadm/checkarray --cron --all --idle --quiet; fi
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
31 21 * * *   root    test -x /etc/cron.daily/popularity-contest && /etc/cron.daily/popularity-contest --crond
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

答案1

如图所示,这些来自:

5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

并且命令debian-sa1( /usr/lib/sysstat/debian-sa1) 基本上是一个包装脚本,来自sysstat包。 中的文件名/etc/cron.d/应该是sysstat

更多确认:

% dpkg -S /usr/lib/sysstat/debian-sa1
sysstat: /usr/lib/sysstat/debian-sa1

% dpkg -S /etc/cron.d/sysstat 
sysstat: /etc/cron.d/sysstat

上面的注释是:

# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

debian-sa1正在呼叫/usr/lib/sysstat/sa1,而这最终又会呼叫sadc

相关内容