Dry run mode, using the --noop switch, is a simple way to audit any changes to a machine under Puppet's control. However, Puppet also has a dedicated audit feature, which can report changes to resources or specific attributes.
Here's an example showing Puppet's auditing capabilities:
- Modify your site.pp file as follows:

    node 'cookbook' {
      file { '/etc/passwd':
        audit => [ owner, mode ],
      }
    }

- Run Puppet:

    [root@cookbook ~]# puppet agent -t
    ...
    Warning: /File[/etc/passwd]/audit: The `audit` metaparameter is deprecated and will be ignored in a future release. (at /etc/puppetlabs/code/environments/production/manifests/site.pp:53)
    Notice: /Stage[main]/Main/Node[cookbook]/Tidy[/var/log]: Tidying 0 files
    Info: Applying configuration version '1521221789'
    Notice: /Stage[main]/Main/Node[cookbook]/File[/etc/passwd]/owner: audit change: newly-recorded value 0
    Notice: /Stage[main]/Main/Node[cookbook]/File[/etc/passwd]/mode: audit change: newly-recorded value 0644
    ...
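
The run above only shows the first audit pass, where the owner and mode are recorded as a baseline, and it warns that the audit metaparameter is deprecated. The following added example (not from the original recipe and not Puppet's own code) reproduces the same baseline-then-compare check outside Puppet. The function names, the JSON state file, and the wording of the "changed" message are assumptions of this example.

```python
import json
import os
import stat
import tempfile

def read_attrs(path, attrs):
    """Return the audited attributes of path as strings (numeric owner, octal mode)."""
    st = os.stat(path)
    values = {"owner": str(st.st_uid), "mode": format(stat.S_IMODE(st.st_mode), "04o")}
    return {a: values[a] for a in attrs}

def audit(path, attrs, state_file):
    """Compare path's attributes with the stored baseline and return report lines.

    An attribute seen for the first time is recorded; on later runs any
    difference is reported and the new value becomes the baseline.
    """
    try:
        with open(state_file) as fh:
            state = json.load(fh)
    except FileNotFoundError:
        state = {}
    recorded = state.setdefault(path, {})
    report = []
    for attr, current in read_attrs(path, attrs).items():
        previous = recorded.get(attr)
        if previous is None:
            report.append(f"{path}/{attr}: newly-recorded value {current}")
        elif previous != current:
            # Message wording is this example's own, not Puppet's.
            report.append(f"{path}/{attr}: changed from {previous} to {current}")
        recorded[attr] = current
    with open(state_file, "w") as fh:
        json.dump(state, fh)
    return report

def demo():
    """Three audits of a constructed temp file: baseline, after a change, no change."""
    with tempfile.TemporaryDirectory() as d:
        target, state = os.path.join(d, "passwd"), os.path.join(d, "state.json")
        open(target, "w").close()
        os.chmod(target, 0o644)
        first = audit(target, ["owner", "mode"], state)
        os.chmod(target, 0o666)  # constructed permission drift to be detected
        second = audit(target, ["owner", "mode"], state)
        third = audit(target, ["owner", "mode"], state)
        return first, second, third

if __name__ == "__main__":
    for run in demo():
        print(run)
```

The state file holds the baseline, so it should be writable only by the account that runs the check.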