I'm looking for a way to log crontab file writes. A friend of mine pranked me, and did something that occasionally adds */5 * * * * say "deranged" "The current time is `date`"
I haven't been able to identify a pattern yet: Nothing for 2 weeks, then twice in 5 minutes. I'm trying to find the process that writes to the crontab. Is there any way to log crontab writes to a file so I can catch this thing?
Best Answer
Open terminal and run this:
I'd run it using tmux or screen so that you can detach and check later. Depending on how many cron jobs you have, this could generate a lot of messages and you'll want to not run it where a runaway process could cause harm. (backup, check filesystems for space, etc...)
You can also use
mdfindto see if you can locate the file/script/package that is calling crontab (perhaps) and correlate that with the times when the actual filesystem changes are happening.