Puppet users - Jan 2012 - Anyone know a good tool for 'watching' configurations?

Now that we have configuration management for our OS and we are
actively managing our operating systems nearly hands off we want to
now start doing some configuration mgmt of our applications.

We don''t frankly see having all our application teams use puppet or
anything else to actively manage their applications.  What we would
like to do is watch the applications and know when things change.
Basically, watch the directories that the developers put their
applications into and keep a history of what changes and when.

Does anyone have any idea on if there are any tools that can provide
the ability to watch directories for changes like that.

I know there is auditd that can do this, as well as maybe an intrusion
detection tool like AIDE, but those solutions would involve lots of
raw data and not much human readable stuff.   I suppose we could write
something to take all that data, digest it and report on it.

But I was wondering if anyone knows of a tool that would do this type
of function and provide some human friendly data and reports etc..

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, Jan 24, 2012 at 08:02, NixFU <nixfu.nixfu@gmail.com> wrote:
> Now that we have configuration management for our OS and we are
> actively managing our operating systems nearly hands off we want to
> now start doing some configuration mgmt of our applications.
>
> We don''t frankly see having all our application teams use puppet
or
> anything else to actively manage their applications.  What we would
> like to do is watch the applications and know when things change.
> Basically, watch the directories that the developers put their
> applications into and keep a history of what changes and when.
>
> Does anyone have any idea on if there are any tools that can provide
> the ability to watch directories for changes like that.
The Puppet Enterprise suite includes some compliance tools that use
the Puppet model to watch the system and note changes - at the level
of resources, rather than just "files", so you can monitor, eg, user
and service resources.

Beyond that, I don''t know of anything that works at a higher level
that "this file changed" - but I have never really invested much
effort in looking.

-- 
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

You could use a source code repository system. Have the client running
on the host that periodically checks in the configuration files. It
would be most useful with text configuration files but there are
repository systems like perforce that can store binaries really well.
Perforce also supports triggers which is useful for a scenario like
this (you could fire off notifications for example). It''s pricey but
you can demo it for free.

On Tue, Jan 24, 2012 at 8:02 AM, NixFU <nixfu.nixfu@gmail.com>
wrote:
> Now that we have configuration management for our OS and we are
> actively managing our operating systems nearly hands off we want to
> now start doing some configuration mgmt of our applications.
>
> We don''t frankly see having all our application teams use puppet
or
> anything else to actively manage their applications.  What we would
> like to do is watch the applications and know when things change.
> Basically, watch the directories that the developers put their
> applications into and keep a history of what changes and when.
>
> Does anyone have any idea on if there are any tools that can provide
> the ability to watch directories for changes like that.
>
> I know there is auditd that can do this, as well as maybe an intrusion
> detection tool like AIDE, but those solutions would involve lots of
> raw data and not much human readable stuff.   I suppose we could write
> something to take all that data, digest it and report on it.
>
> But I was wondering if anyone knows of a tool that would do this type
> of function and provide some human friendly data and reports etc..
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

NixFU wrote (ao):
> We don''t frankly see having all our application teams use puppet
or
> anything else to actively manage their applications.  What we would
> like to do is watch the applications and know when things change.
> Basically, watch the directories that the developers put their
> applications into and keep a history of what changes and when.
[..]
> But I was wondering if anyone knows of a tool that would do this type
> of function and provide some human friendly data and reports etc..
What about ''audit''?

http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.0

==Audit Metaparameter

Puppet now supports an audit metaparameter in the style of Tripwire.

Using this new metaparameter we can specify our resource like:

file { ''/etc/hosts'':
   audit => [ owner, group, mode ],
}

Now instead of changing each value (though you can change it too if you
wish) Puppet will instead generate auditing log messages, which are
available in your standard Puppet reports:

audit change: previously recorded value owner root has been changed to
owner james

This allows you to track any changes that occur on resources under
management on your hosts. You can specify this audit metaparameter for
any resource and all their attributes and track users, groups, files,
services and the myriad of other resources Puppet can manage.

You can also specify the special value of all to have Puppet audit every
attribute of a resource rather than needing to list all possible
attributes, like so:

file { ''/etc/hosts'':
   audit => all,
}

You can also combine the audited resources with managed resources
allowing you to manage some configuration items and simply track others.
It is important to remember though, unlike many file integrity systems,
that your audit state is not protected by a checksum or the like and is
stored on the client in the state.yaml file. In future releases we will
look at protecting and centralising this state data.
==
	Sander

-- 
Humilis IT Services and Solutions
http://www.humilis.net

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

>
> Does anyone have any idea on if there are any tools that can provide 
> the ability to watch directories for changes like that. 
>
You might want to take a look at  http://joey.kitenet.net/code/etckeeper/ for 
ideas.

Cheers,
Paul

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/NCukkAW5NMEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi, 
I know it''s been a while since this original posting but if you are
still
looking for a solution to ''track changes'' please check out the
tool we
built, www.metaforsoftware.com.  We just opened it up to free beta.  I 
think it can help you.

On Tuesday, January 24, 2012 8:02:03 AM UTC-8, NixFU
wrote:
>
> Now that we have configuration management for our OS and we are 
> actively managing our operating systems nearly hands off we want to 
> now start doing some configuration mgmt of our applications. 
>
> We don''t frankly see having all our application teams use puppet
or
> anything else to actively manage their applications.  What we would 
> like to do is watch the applications and know when things change. 
> Basically, watch the directories that the developers put their 
> applications into and keep a history of what changes and when. 
>
> Does anyone have any idea on if there are any tools that can provide 
> the ability to watch directories for changes like that. 
>
> I know there is auditd that can do this, as well as maybe an intrusion 
> detection tool like AIDE, but those solutions would involve lots of 
> raw data and not much human readable stuff.   I suppose we could write 
> something to take all that data, digest it and report on it. 
>
> But I was wondering if anyone knows of a tool that would do this type 
> of function and provide some human friendly data and reports etc.. 
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.