Top Version Control Tools for Tracking Linux Server Changes: Git, Etckeeper & Auditd Solutions



When managing multiple client Linux servers across email, web, and firewall roles, traditional CM tools like Puppet/Chef often become overkill. Here's why basic version control shines:

  • Lightweight footprint on client systems
  • Granular change history without infrastructure dependencies
  • Integration with existing admin workflows

Etckeeper remains a solid choice for tracking /etc changes:


# Install on Debian/Ubuntu
sudo apt install etckeeper git

# Configure daily auto-commits
sudo vim /etc/etckeeper/etckeeper.conf
# Set:
VCS="git"
AVOID_DAILY_AUTOCOMMITS=0

# Manual commit example (the message is a positional argument)
sudo etckeeper commit "Updated postfix main.cf"

Pro Tip: Combine with gitolite for centralized repository hosting across client servers.

For broader coverage beyond /etc:


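# Initialize in root (caution with large directories)
cd /
sudo git init
# The object store will hold copies of root-only files (e.g. /etc/shadow); keep it root-only
sudo chmod 700 /.git
sudo git config --global user.email "admin@example.com"
sudo git config --global user.name "Server Admin"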

# Create .gitignore
sudo vim /.gitignore
# Add exclusions:
/proc/*
/sys/*
/dev/*
/tmp/*
/var/log/*
/var/cache/*

# First commit
sudo git add .
sudo git commit -m "Initial server state"

When you need forensic-level tracking:


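# Monitor /etc changes (w = write, a = attribute change)
sudo auditctl -w /etc -p wa -k etc_changes

# Watch package manager activities (x = execute)
sudo auditctl -w /usr/bin/apt -p x -k package_mgmt
sudo auditctl -w /usr/bin/dpkg -p x -k package_mgmt

# Rules set with auditctl are lost on reboot; add them to /etc/audit/rules.d/ to persist

# Generate reports (aureport reads raw records, so pass --raw)
sudo ausearch -k etc_changes --raw | aureport -f -i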

My production setup for client servers:

  1. Etckeeper for /etc versioning
  2. Auditd rules for critical binaries
  3. Custom git repos for application configs (e.g., /opt/app/configs)
  4. Cron job for weekly git fsck checks

When implementing these on client systems:

  • Always encrypt git repos containing sensitive data
  • Use separate SSH keys per client
  • Implement git gc --aggressive in cron to control repo size
  • Consider git-annex for large binary files

Tool       Best For                  Overhead
AIDE       File integrity checking   Medium
Rsnapshot  Point-in-time recovery    High
Osquery    Live querying             Low

The optimal solution depends on your specific compliance requirements and change frequency. For most multi-client scenarios, etckeeper + targeted auditd rules provides the best balance.


When managing multiple Linux servers across different roles (email, web, firewalls, etc.), especially in a remote support scenario, tracking configuration changes becomes critical. Traditional CM tools like Puppet might be overkill when you don't own the infrastructure.

Etckeeper is indeed a solid starting point. It hooks into package managers and uses version control (typically Git) to track /etc changes. Basic setup:


# Install on Debian/Ubuntu
sudo apt install etckeeper git

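# Configure (edit /etc/etckeeper/etckeeper.conf)
VCS="git"
# Disable the daily auto-commit so every commit is made deliberately
AVOID_DAILY_AUTOCOMMITS=1
# Cancel a package install if /etc has uncommitted changes instead of auto-committing them
AVOID_COMMIT_BEFORE_INSTALL=1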

# Initialize
sudo etckeeper init
sudo etckeeper commit "Initial commit"

1. AIDE (Advanced Intrusion Detection Environment)

For security-focused change tracking:


sudo apt install aide
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

2. Rdiff-backup + Custom Scripts

Combines backup with change tracking:


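#!/bin/bash
# Daily diff script
mkdir -p /var/log/config-diffs
# Compare first: once the backup has run, /etc and the mirror are identical
rdiff-backup --compare /etc /backup/etc > "/var/log/config-diffs/$(date +%F).log"
rdiff-backup --print-statistics /etc /backup/etc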

The Linux audit framework provides low-level tracking:


# Monitor /etc changes
sudo auditctl -w /etc -p wa -k etc_changes

# View logs (aureport reads raw records, so pass --raw)
sudo ausearch -k etc_changes --raw | aureport -f -i
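
An added example, not part of the original page: correlating raw audit records for the `etc_changes` and `package_mgmt` keys used in the auditctl rules above into who-changed-what rows, including denied attempts. The log lines are constructed and abbreviated, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abbreviated records in `ausearch --raw` style (not real logs).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:301): syscall=257 success=yes exit=3 auid=1000 uid=0 exe="/usr/bin/vim" key="etc_changes"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/postfix/" nametype=PARENT
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/postfix/main.cf" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.200:302): syscall=59 success=yes exit=0 auid=1000 uid=0 exe="/usr/bin/apt" key="package_mgmt"
type=PATH msg=audit(1700000050.200:302): item=0 name="/usr/bin/apt" nametype=NORMAL
type=SYSCALL msg=audit(1700000090.007:303): syscall=257 success=no exit=-13 auid=1001 uid=1001 exe="/usr/bin/dash" key="etc_changes"
type=PATH msg=audit(1700000090.007:303): item=0 name="/etc/shadow" nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records sharing one (timestamp, serial) id into a single event."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # skip separators and anything that is not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        event = events[(float(m.group(1)), int(m.group(2)))]
        if fields.get("type") == "SYSCALL":
            event["syscall"] = fields
        elif fields.get("type") == "PATH" and fields.get("nametype") != "PARENT":
            event["paths"].append(fields["name"])  # the object, not its directory
    return events

def changes_for_key(text, key):
    """Return (auid, exe, path, succeeded) rows for events tagged with `key`."""
    rows = []
    for _, event in sorted(parse_events(text).items()):
        sc = event["syscall"]
        if sc.get("key") != key:
            continue
        for path in event["paths"]:
            # auid is the login uid, so it survives sudo/su to root
            rows.append((sc["auid"], sc["exe"], path, sc["success"] == "yes"))
    return rows

if __name__ == "__main__":
    for key in ("etc_changes", "package_mgmt"):
        for row in changes_for_key(SAMPLE, key):
            print(key, *row)
```

On a live host the input would come from `sudo ausearch --raw -k etc_changes`; real records carry many more fields, and file names containing special characters are hex-encoded, which this example does not decode.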

For more control than etckeeper:


# Initialize repo
sudo mkdir /var/lib/config-tracker
sudo git init /var/lib/config-tracker

# Cron job, every 15 minutes (system crontab format with a user field).
# A cron entry must be a single line, and % must be escaped as \%.
*/15 * * * * root cd / && find /etc -type f -exec stat --printf="\%n \%Y\n" {} + > /var/lib/config-tracker/timestamps && cd /var/lib/config-tracker && git add . && git commit -m "Config snapshot $(date)" >/dev/null 2>&1

  • Osquery (Facebook): SQL-powered OS instrumentation
  • Tripwire Enterprise: File integrity monitoring
  • Wazuh: Open-source security monitoring