I am working on getting our Linux (and eventually Windows if possible) systems set up so that we can monitor administrative changes and have a history of them to refer to. Currently, I have a pretty good setup going with etckeeper, logwatch, and mercurial.
I would like to make this just a bit more robust by nagging any admin when they log off with a message that asks them if they would like to create a changelog for what they just did on the server. A "no" answer would continue the logoff process and a "yes" answer would take them to whatever editor they use, where they could enter whatever they wanted about what they just changed on the system. The changelog helper would then add some standard formatting to what they put there (add a date/time, username, indent, rewrap to 70 chars per line, etc.) and prepend that to a file somewhere on the system. I would then include that changelog in the monitoring setup I already have, which would result in it being version controlled and sent to a centralized location.
I am envisioning something that would look and work very much the way the commit/comment feature works with mercurial/git/svn, except the comment gets formatted differently and saved to a file locally. Bonus points for having some pre/post commit hooks or otherwise being able to customize it.
Thanks.
Two simple ideas come to mind:
Utilize the "logger" command to let admins send one-liners to syslog. Since the user name is included, it makes for easy scripted reporting. If you're logging to a central host, you get these changes logged centrally as well.
Simply append all changes to /etc/motd, not only documenting the changes, but also displaying them to everyone when they log on.
Both methods lend themselves well to being done manually by faithful admins or by scripting.
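The logoff-time helper the question describes, combined with the "logger" one-liner suggested in this answer, as an added example that is not part of the question or of any answer here. It assumes a changelog path of /var/log/admin-changelog and a syslog tag of admin-changelog; both are made up for the example. Two details a practitioner will care about: the author is taken from SUDO_USER when it is set, so a change made through sudo is attributed to the admin and not to root, and the prepend is done by writing a temp file in the same directory and renaming it into place, so an interrupted write cannot truncate the existing history.

```shell
#!/bin/sh
# Added example (not from the question or any answer): a small changelog
# helper for admins. It formats a free-text note with a UTC timestamp,
# the admin's user name and the host, re-wraps it, prepends it to a local
# changelog file and sends a one-line summary to syslog via logger.
# CHANGELOG is an assumed location; pick whatever etckeeper already tracks.
CHANGELOG="${CHANGELOG:-/var/log/admin-changelog}"
WIDTH=70      # total line width of a stored message line, indent included

# Who actually made the change. Under sudo the real admin is in SUDO_USER;
# recording only id -un would attribute every change to root.
change_author() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s (via sudo as %s)\n' "$SUDO_USER" "$(id -un)"
    else
        id -un
    fi
}

# Re-wrap stdin to at most $1 columns, word by word, keeping blank lines as
# paragraph breaks. Plain awk, so it does not depend on GNU fmt.
rewrap() {
    awk -v width="$1" '
        function flush() { if (line != "") { print line; line = "" } }
        /^[[:space:]]*$/ { flush(); print ""; next }
        {
            for (i = 1; i <= NF; i++) {
                if (line == "")
                    line = $i
                else if (length(line) + 1 + length($i) <= width)
                    line = line " " $i
                else {
                    print line
                    line = $i
                }
            }
        }
        END { flush() }'
}

# Turn the message on stdin into one entry:
#   <stamp>  <author> [<host>]
#   <message, indented two spaces and wrapped to WIDTH columns>
#   <blank line>
format_entry() {
    stamp=$1; author=$2; host=$3
    printf '%s  %s [%s]\n' "$stamp" "$author" "$host"
    rewrap $((WIDTH - 2)) | sed -e 's/^/  /' -e 's/^  $//'
    printf '\n'
}

# Atomically prepend stdin to the file $1: new entry first, then the old
# contents, written to a temp file in the same directory and renamed over
# the original so an interrupted write never leaves a truncated changelog.
prepend_entry() {
    target=$1
    tmp=$(mktemp "$(dirname "$target")/.changelog.XXXXXX") || return 1
    cat > "$tmp"
    [ -f "$target" ] && cat "$target" >> "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$target"
}

# Non-interactive entry point: message on stdin -> changelog file + syslog.
add_entry() {
    msg=$(cat)
    printf '%s\n' "$msg" \
        | format_entry "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(change_author)" "$(uname -n)" \
        | prepend_entry "$CHANGELOG"
    # First line of the note to syslog as well (the logger idea above), so a
    # central log host sees the change before the file itself is shipped.
    # A missing logger or syslog socket must never block the logoff.
    if command -v logger >/dev/null 2>&1; then
        logger -t admin-changelog "$(printf '%s\n' "$msg" | head -n 1)" 2>/dev/null || :
    fi
}

# Interactive prompt for logoff time: "no" just returns, "yes" opens $EDITOR
# on a scratch file and records whatever was written.
record_change() {
    printf 'Create a changelog entry for what you changed? [y/N] '
    read -r answer
    case $answer in
        y|Y) ;;
        *)   return 0 ;;
    esac
    scratch=$(mktemp) || return 1
    "${EDITOR:-vi}" "$scratch"
    [ -s "$scratch" ] && add_entry < "$scratch"
    rm -f "$scratch"
}

# Run the prompt only when asked, so the file can also be sourced.
if [ "${1:-}" = "prompt" ]; then
    record_change
fi
```

Saved as, say, /usr/local/sbin/changelog-helper (an assumed path), it is run by hand as "changelog-helper prompt", or from ~/.bash_logout, which bash runs when a login shell exits, to get the nag at logoff. The changelog file only reaches etckeeper and mercurial if it lives somewhere the existing setup already tracks, so either keep CHANGELOG under /etc or add its path to that setup.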
Never heard of such a tool.
But I guess the following can be done:
The admin will write down the names of the files modified in some text file, along with the appropriate description.
Those files are then rsynced to some remote server, or maybe to some folder on the same system, with a timestamp attached. This backup will also contain the file the admin uses to write about modifications.
The text file in which the admin writes changes will have some standard format for writing down file names and their respective descriptions, which will be read by some bash / python / perl script before executing rsync.
Other backup tools like rdiff or rsnapshot can be used instead of rsync.
If "whatever editor they use" happens to be Emacs, then you could make use of its change log editing commands. At the simplest, this could be something as simple as running the following command
which will prompt for the change log file location, and automatically create a new entry with name, email address, and date, ready for editing.
Use of something like iwatch or tripwire should be able to show you differences in files; then save these reports with comments somewhere.
I'm no Linux expert but it seems to me you would need to hook the system to capture any way the admin might log off the system. E.g. if someone typed "exit" at the console to log off, it would be necessary to have the shell perform a completely different action to its normal response to "exit", otherwise the user will simply be logged off. Is that possible? Perhaps, but it would mean customising the shell(s). Of course I might be wrong and there is already a convenient way to hook the built-in commands, but if there is I don't know about it.
Of course none of the above would help at all if the user in question accessed the system remotely, such as via SSH.
I specifically don't document anything on servers. We use puppet, which is the canonical configuration resource for servers. The configuration for puppet is in version control. If a server needs to be rebuilt, we use puppet to do that. Any configuration that wasn't in puppet is lost. Therefore most configuration is in puppet and the changelog is in puppet commits.