Monitoring changes and alerting with Puppet
Our change alert report processor is pretty useful and will inform us when something we've managed has been changed. That's excellent, but there are times when we want to monitor resources that are not necessarily something we also want to manage. A good example is the passwd file in the /etc directory. We will never manage this file directly with Puppet; we have the user and group resource types to do that, but we may still want to know when something has changed it. Luckily, we can do this using the somewhat overlooked audit option within a resource.
Auditing was introduced in Puppet 2.6.0 and allows you to specify a nonmanaged resource within a Puppet manifest. The audit metaparameter tells Puppet that although you do not want to manage the resource, you'd still like it to make note of its values and log when it changes. Take a look at the following example Puppet code:
file { '/etc/passwd':
  audit => [ owner, group, mode ],
}
From now on, whenever...
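The following Ruby script is an added example, not code from the original text: it scans agent log lines for audit notices on resources such as the one declared above and flags a mode change that leaves the file group- or world-writable. The log lines are constructed, and the notice wording ("audit change: previously recorded value ... has been changed to ...") and all function names are assumptions.

```ruby
# Added example, not from the original text.
# Assumption: an audited change is logged as
#   <resource path>/<property>: audit change: previously recorded value A has been changed to B
AUDIT_CHANGE = %r{
  (?<type>[A-Z][\w:]*)\[(?<title>[^\]]+)\]/(?<property>\w+)[:)]\s+
  audit\ change:\ previously\ recorded\ value\ (?<old>.+?)
  \ has\ been\ changed\ to\ (?<new>.+)$
}x

# Constructed sample log lines (console-style and syslog-style prefixes).
SAMPLE_LOG = <<~LOG.lines
  notice: /Stage[main]//File[/etc/passwd]/mode: audit change: previously recorded value 644 has been changed to 666
  notice: /Stage[main]//File[/etc/passwd]/owner: audit change: previously recorded value root has been changed to daemon
  notice: Finished catalog run in 0.42 seconds
  puppet-agent[2114]: (/Stage[main]//File[/etc/passwd]/group) audit change: previously recorded value root has been changed to wheel
LOG

# Return one hash per audit notice found; unrelated lines are skipped.
def audit_changes(lines)
  lines.each_with_object([]) do |line, found|
    m = AUDIT_CHANGE.match(line.chomp)
    next unless m
    found << { resource: "#{m[:type]}[#{m[:title]}]", property: m[:property],
               old: m[:old], new: m[:new] }
  end
end

# True when an octal mode string grants write access to group or others.
def writable_by_others?(mode)
  (Integer(mode, 8) & 0o022) != 0
rescue ArgumentError
  false # not an octal mode string, so nothing to judge
end

# Turn audit notices into alert lines, raising severity for loosened modes.
def alerts(lines)
  audit_changes(lines).map do |c|
    risky = c[:property] == 'mode' && writable_by_others?(c[:new])
    format('%s %s %s: %s -> %s', risky ? 'HIGH' : 'INFO',
           c[:resource], c[:property], c[:old], c[:new])
  end
end

puts alerts(SAMPLE_LOG)
```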