Learning Puppet Security

The audit meta-parameter

The audit meta-parameter is the primary change tracking method currently in Puppet. It was introduced in Puppet 2.6, and it provides a way to monitor a resource without enforcing a state on it.

With the introduction of Puppet Enterprise 1.2, Puppet Enterprise gained a compliance dashboard that allowed you to configure and track file changes. This dashboard has since been removed, but it relied heavily on the audit meta-parameter and allowed you to quickly set up auditing.

The audit meta-parameter is a bit of a divergence in the Puppet world. The declarative nature of Puppet is to model the desired state of a resource and let Puppet bring it there. The audit meta-parameter instead lets you say that you do not care what state an item is in, but you want to know if it changes.

How it works

The audit system works by keeping track of the state of the attributes you monitor. At the end of every run, it persists the state of those objects.

If at the start of a run Puppet notices that the current state of an object differs from the state it persisted, it raises an alert. Additionally, information on these changes is reported back to the master as part of the run's report. This report data can be used to generate logs of changes to attributes.

Internally, Puppet implements auditing by persisting the state of the audited objects to a YAML file. This data is stored on each of the agent nodes, not on the master server. On each Puppet run, the YAML file is read and the state recorded in it is compared to the current state of the resource.

Tip

What is YAML?

YAML is a markup language. Originally, it was called "Yet another markup language". It is now known as "YAML Ain't Markup Language". YAML is a way to store data in a file similar to formats such as JSON. Puppet stores much of its internal data in the YAML format, and as we approach reporting and other processing of Puppet data, we will need to parse and create YAML files.

What can be audited

Being a meta-parameter, audit can be applied to any resource. The code to handle the audit meta-parameter is present in the Puppet core. In theory, any attribute on any resource should be permitted to be audited, but there are likely cases that are untested and do not work well.

Files, users, and packages are the most common use cases for auditing since they tend to be the resources that are critical security-wise.
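As an added example (not taken from the book), the following manifest applies the audit meta-parameter to the resource types named above; the resource titles are illustrative choices, and the behaviour described in the comments is the persist-then-compare mechanism from the "How it works" section:

```puppet
# Added example, not from the book. Resource titles are illustrative.

# Audit-only: record owner, group, mode and content at the end of each run
# and report a change event if any of them differs on the next run.
# Nothing is enforced, so a modified file is reported, not reverted.
file { '/etc/sudoers':
  audit => ['owner', 'group', 'mode', 'content'],
}

# Audit every attribute of the root account (shell, home, uid, password hash
# where the provider exposes it, ...). 'all' is the shorthand accepted by
# the audit meta-parameter.
user { 'root':
  audit => all,
}

# Audit-only on a package: 'ensure' resolves to the installed version, so a
# version change or removal outside of Puppet shows up in the report.
package { 'openssh-server':
  audit => 'ensure',
}

# Mixed: keep the service running (enforced) while only auditing its
# boot-time 'enable' setting, which is otherwise left unmanaged.
service { 'sshd':
  ensure => running,
  audit  => 'enable',
}
```

The first run after applying this manifest only records the baseline; audit events appear in reports from the second run onward, when a persisted value exists to compare against.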