Forge Home

audit_history_command

Module to configure and install immutable commands history log

6,711 downloads

5,593 latest version

4.5 quality score

Version information

  • 0.3.2 (latest)
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Jul 4th 2017
This version is compatible with:
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'soufas-audit_history_command', '0.3.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add soufas-audit_history_command
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install soufas-audit_history_command --version 0.3.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

soufas/audit_history_command — version 0.3.2 Jul 4th 2017

audit_history_command

Table of Contents

  1. Overview
  2. Module Description
  3. Usage
  4. Limitations

Overview

This is a module to install and configure an immutable log file that contains the bash commands history for all users with other audit informations The module will allow administrators to monitor and find the history of all commands ran by users on productions systems to help in identifying a cause of an issue after a manual intervention.

Module Description

When installing this module , every node will have a log file /var/audit/audit_YYYYMMDD.log file that contains any command ran by any user on bash along with othe useful information described below . Every line in the audit_YYYYMMDD.log file will contain the following:

  • Command execute
  • user
  • filesystem
  • Source IP address
  • date
  • time in seconds
  • Current directory

Example of lines generated in the audit log file:

less /etc/bashrc == root /dev/pts/0 (122.30.68.5) 20170526 19:07:17 /home/seif/
su root == seif /dev/pts/0 (122.30.68.7) 20170526 19:11:39 /etc/
cd /etc/puppetlabs/code/environments/production/modules/ == root /dev/pts/1 (192.168.1.4) 20170527 02:52 /root -> /etc/puppetlabs/code/environments/production/modules
ls == root /dev/pts/1 (192.168.1.4) 20170527 02:52 /etc/puppetlabs/code/environments/production/modules

Example of immutability of the audit log file even with root user:

[root@client ~ ] rm -f /var/audit/audit_20170527.log
rm: cannot remove /var/audit/audit_20170527.log: Operation not permitted
[root@client ~ ] chmod 777 /var/audit/audit_20170527.log
chmod: changing permissions of /var/audit/audit_20170527.log: Operation not permitted

Usage

Minimal usage:

include audit_history_command

Limitations

This module is tested only on RHEL servers