Atuin as an auditing tool

I just read about Atuin in Linux Magazine and installed it on one of my systems.

After seeing it in action, I immediately thought about using the SYNC function as a sort of auditing tool. What I’m thinking is that rather than have all of my commands synced from server to server, I’d like a separate remote repository for each server where all of the commands issued by a privileged user on that server would be backed up. This way, if anything ever goes wrong, the command stream could be reviewed to see if a specific command caused the issue.

This in combination with etckeeper would pretty much set up the ability to keep track of any and all changes.

Of course, timestamps would be nice as well.

Please let me know what you think.

-Dave

Hey! Welcome to the forum.

I can definitely see how the functionality you’ve described would be useful, but I have some concerns about including it with Atuin.

Atuin has been designed very explicitly so that the server cannot read any data synchronised with it. I’d like to avoid adding such functionality, even if it’s gated by configuration - accidental misconfiguration or a bug would be a risk, as would someone running a malicious server.

Otherwise, you could achieve a similar setup by having two clients logged in to the same account. One would be the server you wish to audit, and the other would be a client you use for viewing history run on the server.

I would also like to highlight that it would be fairly trivial for a malicious actor to disable Atuin’s logging/syncing, so this would only really work if that’s not a part of your risk model.