Eu criei um servidor central auditd onde estou enviando todos os logs de auditoria de servidores locais.
Gostaria de acessar relatórios de um nó específico.
Então eu criei um relatório simples sript onde uma linha é algo como:
ausearch -n XXXXX | aureport -i
Ele é enviado como este: 0 * / 4 * * * root /home/XXXX/report.sh
A permissão é:
-rwxr-xr-x 1 root 743 10 de fevereiro 11:27 report.sh
Quando eu executo o script do shell, everithing parece OK, eu recebi mensagens com saída de log:
Summary Report
======================
Range of time in logs: **02/22/2017 23:24:09.603 - 02/24/2017 10:16:26.313**
Selected time for report: **02/22/2017 23:24:09 - 02/24/2017 10:16:26.313**
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 22
Number of failed logins: 2
Number of authentications: 54
Number of failed authentications: 0
Number of users: 5
Number of terminals: 4
Number of host names: 4
Number of executables: 14
Number of commands: 21
Number of files: 101
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 20
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 256
Number of integrity events: 0
Number of virt events: 0
Number of keys: 1
Number of process IDs: 25087
Number of events: 96620
Mas o problema é que quando eu shedule através de crontab.
Então eu recebo data e hora ruins sem eventos ...
Algo parecido com isto:
Summary Report
======================
Range of time in logs: **01/01/1970 01:00:00.000 - 01/01/1970 01:00:00.000**
Selected time for report: **01/01/1970 01:00:00 - 01/01/1970 01:00:00.000**
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: **0**
Number of logins: **0**
Number of failed logins: **0**
Number of authentications: **0**
Number of failed authentications: **0**
Number of users: **0**
Number of terminals: **0**
Number of host names: **0**
Number of executables: **0**
Number of commands: **0**
Number of files: **0**
Number of AVC's: **0**
Number of MAC events: **0**
Number of failed syscalls: **0**
Number of anomaly events: **0**
Number of responses to anomaly events: **0**
Number of crypto events: **0**
Number of integrity events: **0**
Minha versão do Linux:
Versão Linux 3.10.0-514.2.2.el7.x86_64 ([email protected]) (gcc versão 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)) # 1 SMP ter 6 de dezembro 23:06:41 UTC de 2016
Alguma idéia de por que isso aconteceu?