history audit

files/conf.sh

@@ -0,0 +1,4 @@
+{%- from "history/map.jinja" import history with context -%}
+export HISTTIMEFORMAT=" %F %T "
+echo "#$(date +%s)" >> .bash_history
+echo '{{ history.login_split }}' >> ~/.bash_history

files/logrotate

@@ -0,0 +1,17 @@
+{%- from "history/map.jinja" import history with context -%}
+
+{{ history.log_directory }}/{{ history.log_file }}
+{
+	{{ history.rotate_frequency }}
+	prerotate
+    /usr/bin/chattr -a {{ history.log_directory }}/{{ history.log_file }}
+    endscript
+    postrotate
+    /usr/bin/chattr +a {{ history.log_directory }}/{{ history.log_file }}
+    endscript
+	rotate	{{ history.rotate_keep }}
+	dateext
+	missingok
+	nocompress
+	create 222 root root
+}

files/scripts_file

@@ -0,0 +1,3 @@
+{%- from "history/map.jinja" import history with context -%}
+HISTORY_FILE={{ history.log_directory }}/{{ history.log_file }}
+date "+%Y-%m-%d %T #### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY pwd=$PWD #### $(history 1 | { read x y z cmd; echo "$cmd"; })" >>$HISTORY_FILE

init.sls

@@ -0,0 +1,48 @@
+{%- from "history/map.jinja" import history with context -%}
+
+history_conf_directory:
+  file.directory:
+    - name: {{ history.conf_directory }}
+
+history_conf_file:
+  file.managed:
+    - name: {{ history.conf_directory }}/{{ history.conf_file }}
+    - source: salt://history/files/conf.sh
+    - template: jinja
+    - require:
+      - file: history_conf_directory
+
+{%- for script in history.scripts_list %}
+history_scripts_file_{{ script }}:
+  file.managed:
+    - name: {{ script }}
+    - source: salt://history/files/scripts_file
+    - mode: 755
+    - template: jinja
+    - require:
+      - file: history_conf_file
+{%- endfor %}
+
+history_log_directory:
+  file.directory:
+    - name: {{ history.log_directory }}
+    - mode: 755
+    - require:
+      - file: history_conf_file
+
+history_log_file:
+  file.managed:
+    - name: {{ history.log_directory }}/{{ history.log_file }}
+    - user: root
+    - group: root
+    - mode: 222
+    - attrs: a
+    - require: 
+      - file: history_log_directory
+
+{% if history.logrotate %}
+
+include:
+  - history.logrotate
+
+{%- endif -%}

logrotate.sls

@@ -0,0 +1,21 @@
+{%- from "history/map.jinja" import history with context -%}
+
+history_logrotate_package:
+  pkg.installed:
+    - name: {{ history.logrotate_package }}
+
+history_log_logrotate_conf_directory:
+  file.directory:
+    - name: {{ history.logrotate_conf_directory }}
+    - require:
+      - pkg: history_logrotate_package
+
+history_log_logrotate_conf_file:
+  file.managed:
+    - name: {{ history.logrotate_conf_directory }}/{{ history.logrotate_conf_file }}
+    - source: salt://history/files/logrotate
+    - template: jinja
+    - require:
+      - pkg: history_logrotate_package
+      - file: history_log_logrotate_conf_directory
+

map.jinja

@@ -0,0 +1,22 @@
+# vim: sts=2 ts=2 sw=2 et ai
+
+{% set history = salt['grains.filter_by']({
+  'RedHat': {
+    'conf_directory': '/etc/profile.d',
+    'logrotate_conf_directory': '/etc/logrotate.d',
+    'logrotate_package': 'logrotate',
+    'conf_file': 'history.sh',
+    'scripts_list': [
+      '/etc/sysconfig/bash-prompt-xterm',
+      '/etc/sysconfig/bash-prompt-screen',
+      '/etc/sysconfig/bash-prompt-default',
+      ],
+    'login_split': '<login>',
+    'log_directory': '/var/log/history',
+    'log_file': 'history.log',
+    'logrotate': True,
+    'logrotate_conf_file': 'history',
+    'rotate_frequency': 'yearly',
+    'rotate_keep': 5,
+  },
+}, merge = salt['pillar.get']('history',{})) %}