See matching posts in thread - Cron
See matching posts in thread - Cron email alerts...I've got anoth...
See matching posts in thread - Bulk mail from Cron Deamon
See matching posts in thread - After 10.8 Upgrade, Getting Cron...
See matching posts in thread - After upgraded to 10.8.0 Cron D...
This is an excellent way to make sure that an attacker is not able to stop your log analysis tools, syslog daemon, cron, or other important services
Standard arguments to execution apply. Process 201 is cron . cron is started in the S75cron file in /etc/rc2.d. The sole purpose of this file is the graceful starting and stopping of cron. It checks for the file /etc/cron.d/FIFO and the process cron in the process table, and if cron is already running, will not execute an additional process. If cron is not running, it executes rm to remove /etc/cron.d/FIFO from the file system in case it exists, and executes a new cron process
However, the fact remains that from the time that a cracker gets root on a system, until he shuts down cron or otherwise defeats Tripwire, there is a race in time. This means that a small, specialized system monitoring tool dedicated purely to Tripwire protection which is non-cron-dependent, runs frequently, and is camouflaged to the greatest extent possible, is probably the best bet for winning that race-in-time with a cracker