puppet, system-administration

Is there a way to block any change in a debian server using Puppet?


I am searching for a way to block changes on a Debian server using Puppet.

What I want is that every time a user tries to make a change, for instance installing a package or changing a permission, Puppet blocks it and sends a notification elsewhere.

It is not about one single module, but all the server. I want to block any modification, even from packages that are not described in the manifests.

Is that possible?


Solution

  • Puppet does not actively monitor software installs, configuration changes, etc. Rather, at the frequency you specify, it compares the state of all resources it is managing on the system to a model you specify of what resources should (and should not) be present, and how they should be configured. When it finds discrepancies, it fixes them.

    If you tell Puppet all of the system packages that you expect to be installed on a given machine, then Puppet is able to remove packages that are not among those you told it about. Puppet comes with tools that can help you create such a list based on a machine's current configuration. It cannot, however, prevent such packages from being installed in the first place by users who have sufficient privilege to do so -- it can only remove them again after the fact.

    The correct solution is to avoid granting capabilities to users whom you don't trust. And generally speaking, you shouldn't trust anybody. You can restrict user capabilities in various ways, but generally speaking, if a user can obtain sufficient privilege to manage system packages then they own the box.
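As an added illustration of the convergence model the answer describes (example code, not from the original post; the package names and the logger tag are assumptions), a manifest that removes packages that should not be present and fires a notification only when Puppet actually had to revert something:

```puppet
# Added example, not from the original answer. Package names and the
# logger tag are illustrative assumptions.

# Packages this host is expected to carry. A starting list can be
# generated from a known-good machine with `puppet resource package`.
$expected  = ['openssh-server', 'sudo']

# Packages that must never be present. Puppet cannot stop a root user
# from installing them; it removes them again on the next agent run.
$forbidden = ['telnetd', 'rsh-server']

package { $expected:
  ensure => installed,
}

package { $forbidden:
  ensure => absent,
  notify => Exec['report-drift'],   # only signals when a removal happened
}

# refreshonly => true: the command runs only when a notifying resource
# actually changed, i.e. when Puppet reverted an unmanaged change.
exec { 'report-drift':
  command     => '/usr/bin/logger -t puppet-drift "reverted unmanaged package change"',
  refreshonly => true,
}
```

To see drift without reverting it, run the agent with --noop and read the run report, which lists every resource that would have changed; report processors configured via the reports and reporturl settings in puppet.conf can forward those reports to another system.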