Ever wondered what the files /var/spool/cron/crontabs/\*.au are
By martin on Aug 06, 2007
You might have noticed some strange files in
/var/spool/cron/crontabs ending with
These are not µlaw audit files, but auxiliary audit files for
which are created when auditing have been enabled and you edit your
# cd /var/spool/cron/crontabs # ls -l total 19 -rw------- 1 root sys 1010 Feb 25 18:04 adm -r-------- 1 root root 1371 Feb 25 18:06 lp -rw------- 1 root martin 38 Jun 21 00:20 martin -r-------- 1 root martin 45 Jun 21 00:20 martin.au -rw------- 1 root sys 1401 Mar 13 04:28 root -rw------- 1 root sys 1128 Feb 25 18:09 sys
Looking closer at what is in my
.au file we find the following:
# cat martin.au 300 0 0 7ff81600 4 1dad35c9 0 0 0 2441309132
This is quite cryptic, especially as it isn't documented anywhere but in the source! Using it you can discern what the above settings are.
The first number (300) is the audit id, i.e. my user id.
The second and third rows are the pre-selection mask split up in two parts,
first the audit on success and then audit on failure.
The next three rows are the terminal id, starting with the port, address type and last the address.
The port number (5f81600) is made up of two parts (major and minor) which are joined together.
After that follows the address type (4) which represents IPv4, as defined in
Note that the address is made up of 4 numbers to fit IPv6 addresses,
but since I logged from a system using IPv4 it is only the first part which is filled.
There is a gotcha here, the number is written depends on the architecture,
the example is from my X2200 M2,
1dad35c9 needs to be changed to network byte order to map correctly to an IP address.
The last row is the session id (2441309132).
This file is created (and updated) when you edit crontab, which can cause a lot of confusion.
The pre-selection mask used by
cron is calculated by logically ORing the entry
.au file with the user entry from
audit_user and the global
So if you reduce the auditing for a particular user in
you expect that the audit trail from the user's
cron jobs would change too,
but if the
.au file have already been created the pre-selection masks are frozen.
To fix this you need to update the
.au file too when you change the audit flags or
crontab so that the
.au file gets rewritten.