Lightweight change control system for Linux and Unix servers

Most organizations try to perform some kind of change control for their Unix servers, be it for compliance reasons or simply because several admins look after the same set of servers and need to know what the others did.

I've seen very complex configuration management databases, issue tracking systems and even Excel sheets used for this purpose. None of them work well in my opinion. A change log needs to

  • be reliably up to date, i.e. nobody can forget to write down a change.
  • be easy enough to use that changes get logged even at 3 am during a call-out.
  • show the latest changes, which may well have caused the current problem.

A colleague at TNG developed the following set of scripts to tackle this problem in an effective and easy way:

Put the following code snippet into ~root/.bash_logout

# update changelog if I am root
if [[ $EUID -eq 0 ]]; then
    logfile=/var/log/changelog
    # logname gives the name used to log in, i.e. the real person
    # even after su/sudo; it needs a controlling terminal
    login=$(logname)
    # GECOS "real name" field of that account, up to the first comma
    realname=$(grep "^$login:" /etc/passwd | awk -F ':|,' '{ print $5 }')
    echo "$realname, $(date):" >>"$logfile"
    echo >>"$logfile"
    # open the changelog with the cursor on the last line
    vi + "$logfile"
fi

and in ~root/.bash_login

# show the latest changes on root login
if [[ $EUID -eq 0 && -f /var/log/changelog ]]; then
    echo "------------ last entries in changelog --------"
    tail -n 20 /var/log/changelog
fi

Voilà: on each root login you are presented with the latest changes, including the time and the user who made them. At logout, the changelog is opened automatically so you can add a few words about what you just did. Two things to keep in mind: bash reads ~/.bash_login only if ~/.bash_profile does not exist, so put the snippet wherever root's login shell actually reads its profile, and ~/.bash_logout only runs when an interactive login shell exits, so the hooks fire for `su -` and `sudo -i`, but not for a plain `su`.

Of course this is not tamper-proof in any way: root can edit the file at will, so treat it as a working log for the team rather than an audit trail, and if you need the latter, forward the entries to a remote syslog host as well. But given that your admins are not actually trying to harm the company, this mechanism works great and is very easy to use. Give it a try!
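The original snippets break down in two common situations: `logname` fails when the root shell has no controlling terminal (sudo from a script, some remote sessions), and grepping /etc/passwd misses LDAP/SSSD accounts. The following is an added example, not the TNG script from the post, that handles both. All function names (changelog_who, changelog_realname, changelog_append, changelog_show) are this example's own, and the fallback to SUDO_USER/USER and the use of getent are my choices. Every function takes the changelog path as its first argument so it can be tried against a temporary file before touching /var/log/changelog.

```shell
#!/usr/bin/env bash
# Added example (not the original TNG snippet): a sudo-aware variant of the
# changelog hooks. Function and variable names are this example's own.

# Who is the human behind this root shell? `logname` reports the name used
# to log in (before any su/sudo) but needs a controlling terminal and fails
# when the shell was started by sudo from a script or a non-tty session;
# fall back to SUDO_USER (set by sudo) and finally to USER.
changelog_who() {
    local login
    login=$(logname 2>/dev/null) || login=${SUDO_USER:-${USER:-unknown}}
    printf '%s\n' "$login"
}

# Resolve the GECOS "real name" field (up to the first comma). getent also
# finds LDAP/SSSD accounts that are not in /etc/passwd; fall back to the
# login name when there is no GECOS entry at all.
changelog_realname() {
    local login=$1 gecos
    gecos=$(getent passwd "$login" 2>/dev/null | cut -d: -f5 | cut -d, -f1)
    printf '%s\n' "${gecos:-$login}"
}

# Append one entry: a header line with real name, login name and timestamp,
# the optional message indented below it, and a blank separator line.
# The file is created root-only (mode 0600) if it does not exist yet.
changelog_append() {
    local logfile=$1 message=${2:-} login realname
    login=$(changelog_who)
    realname=$(changelog_realname "$login")
    if [ ! -e "$logfile" ]; then
        ( umask 077; : >"$logfile" )
    fi
    {
        printf '%s (%s), %s:\n' "$realname" "$login" "$(date '+%Y-%m-%d %H:%M:%S %Z')"
        if [ -n "$message" ]; then
            printf '  %s\n' "$message"
        fi
        printf '\n'
    } >>"$logfile"
}

# Show the last N entries (blank-line separated paragraphs, not lines) for
# the login hook, so a long entry is never cut in half the way `tail -n` can.
changelog_show() {
    local logfile=$1 n=${2:-5}
    [ -r "$logfile" ] || return 0
    awk -v n="$n" -v RS= -v ORS='\n\n' \
        '{ e[NR] = $0 } END { for (i = (NR > n ? NR - n + 1 : 1); i <= NR; i++) print e[i] }' \
        "$logfile"
}
```

To wire it in, source the file from root's profile and .bash_logout, call `changelog_show /var/log/changelog 5` at login, and at logout run `[ -t 0 ] && changelog_append /var/log/changelog && vi + /var/log/changelog` so that a non-interactive root shell (a cron job, a script run via sudo) neither blocks on vi nor leaves an empty entry behind.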

Useful for everybody

Thanks for open-sourcing this script. Maybe this'll be useful even if I'm the only admin? --Johann