Module to configure and install immutable commands history log




4,825 latest version

4.5 quality score

Version information

  • 0.3.2 (latest)
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Jul 4th 2017
This version is compatible with:
  • RedHat

Start using this module


soufas/audit_history_command — version 0.3.2 Jul 4th 2017


Table of Contents

  1. Overview
  2. Module Description
  3. Usage
  4. Limitations


This is a module to install and configure an immutable log file that contains the bash commands history for all users with other audit informations The module will allow administrators to monitor and find the history of all commands ran by users on productions systems to help in identifying a cause of an issue after a manual intervention.

Module Description

When installing this module , every node will have a log file /var/audit/audit_YYYYMMDD.log file that contains any command ran by any user on bash along with othe useful information described below . Every line in the audit_YYYYMMDD.log file will contain the following:

  • Command execute
  • user
  • filesystem
  • Source IP address
  • date
  • time in seconds
  • Current directory

Example of lines generated in the audit log file:

less /etc/bashrc == root /dev/pts/0 ( 20170526 19:07:17 /home/seif/
su root == seif /dev/pts/0 ( 20170526 19:11:39 /etc/
cd /etc/puppetlabs/code/environments/production/modules/ == root /dev/pts/1 ( 20170527 02:52 /root -> /etc/puppetlabs/code/environments/production/modules
ls == root /dev/pts/1 ( 20170527 02:52 /etc/puppetlabs/code/environments/production/modules

Example of immutability of the audit log file even with root user:

[root@client ~ ] rm -f /var/audit/audit_20170527.log
rm: cannot remove /var/audit/audit_20170527.log: Operation not permitted
[root@client ~ ] chmod 777 /var/audit/audit_20170527.log
chmod: changing permissions of /var/audit/audit_20170527.log: Operation not permitted


Minimal usage:

include audit_history_command


This module is tested only on RHEL servers