Published on 15 September 2010 by

One of the (many!) new features introduced in Puppet 2.6.0 was an audit capability. So what does this mean? Well, a normal Puppet resource controls the state you'd like a configuration item to be in, for example:

file { '/etc/hosts':
  owner => 'root',
  group => 'root',
  mode => 0660,
}

This file resource specifies that the /etc/hosts file should be owned by the root user and group and have permissions set to 0660. Every time Puppet runs it will check that this file's settings are correct and make changes if they are not. But what if you don't want to make changes but rather just want to audit the values on your hosts? Enter the audit metaparameter.

Using this new metaparameter we can specify our resource like:

file { '/etc/hosts':
  audit => [ owner, group, mode ],
}

Now, instead of changing each value (though you can still manage it as well if you wish), Puppet will generate audit log messages, which are available in your standard Puppet reports:

audit change: previously recorded value owner root has been changed to owner james

This allows you to track any changes that occur on resources under management on your hosts. You can specify this audit metaparameter for any resource and any of its attributes, and track users, groups, files, services and the myriad other resources Puppet can manage.
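As an added example (not code from the original post or from Puppet itself), here is a small parser that pulls the "audit change" messages quoted above out of a Puppet agent log and groups them by resource, so drift on audited attributes can be reported or alerted on. The "notice: <resource>/<attribute>: " prefix ahead of the message and the sample log lines are constructed assumptions; the message body follows the format shown in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message body as quoted in the post; the attribute name precedes both the
# previously recorded value and the new value.
AUDIT_RE = re.compile(
    r"audit change: previously recorded value (?P<attr>\w+) (?P<old>\S+) "
    r"has been changed to (?P=attr) (?P<new>\S+)"
)

@dataclass(frozen=True)
class AuditChange:
    resource: Optional[str]  # e.g. /Stage[main]//File[/etc/hosts]; None when no prefix
    attribute: str
    old: str
    new: str

def parse_audit_line(line: str) -> Optional[AuditChange]:
    """Parse one log line; return None for lines that are not audit changes."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # Assumed prefix "notice: <resource>/<attribute>: " ahead of the message.
    prefix = line[: m.start()].strip()
    resource = None
    if prefix:
        prefix = re.sub(r"^\w+: ", "", prefix).rstrip(": ")
        resource = prefix.rsplit("/", 1)[0] or None
    return AuditChange(resource, m.group("attr"), m.group("old"), m.group("new"))

def drift_by_resource(lines: List[str]) -> Dict[Optional[str], List[AuditChange]]:
    """Group every audited change by resource so a report shows what drifted."""
    drift: Dict[Optional[str], List[AuditChange]] = defaultdict(list)
    for line in lines:
        change = parse_audit_line(line)
        if change:
            drift[change.resource].append(change)
    return dict(drift)

# Constructed sample log lines, not real output captured from a Puppet run.
SAMPLE_LOG = [
    "notice: /Stage[main]//File[/etc/hosts]/owner: audit change: previously recorded value owner root has been changed to owner james",
    "notice: /Stage[main]//File[/etc/hosts]/mode: audit change: previously recorded value mode 660 has been changed to mode 666",
    "notice: /Stage[main]//User[james]/groups: audit change: previously recorded value groups wheel has been changed to groups root",
    "notice: Finished catalog run in 1.23 seconds",
]

if __name__ == "__main__":
    for resource, changes in drift_by_resource(SAMPLE_LOG).items():
        for c in changes:
            print(f"{resource}: {c.attribute} {c.old} -> {c.new}")
```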

You can also specify the special value of all to have Puppet audit every attribute of a resource rather than needing to list all possible attributes, like so:

file { '/etc/hosts':
  audit => all,
}

You can also combine audited resources with managed resources, allowing you to manage some configuration items and simply track others. It is important to remember, though, that unlike many file integrity systems the audit state is not protected by a checksum or the like: it is stored on the client in the state.yaml file. In future releases we will look at protecting and centralising this state data.

We're envisaging a wide variety of use cases for this functionality: auditing and compliance, security scanning, file integrity control, and asset/configuration management. We already have one customer considering replacing their file integrity scanner and auditing tool with a pure Puppet solution.
