author | intrigeri <intrigeri@boum.org> | 2013-01-02 12:47:34 +0100 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2013-01-02 12:47:34 +0100 |
commit | 4cfb1fc6bbe356e335d8635bbadfd6ea72f8bc20 (patch) | |
tree | 9ee65026036cde571b27aaa7e57b9a421701907e | |
parent | fdb60047acf69dac300a156958a7e115f185f322 (diff) | |
parent | b94947ba7f99a69837c65c9217e692d74052b651 (diff) | |
Merge branch 'shared'
Conflicts:
README
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | manifests/base.pp | 4 | ||||
-rw-r--r-- | manifests/btmp/disable.pp | 3 | ||||
-rw-r--r-- | manifests/btmp/enable.pp | 9 | ||||
-rw-r--r-- | manifests/debian.pp | 1 | ||||
-rw-r--r-- | manifests/faillog/disable.pp | 9 | ||||
-rw-r--r-- | manifests/faillog/enable.pp | 14 | ||||
-rw-r--r-- | manifests/init.pp | 37 | ||||
-rw-r--r-- | manifests/lastlog/disable.pp | 3 | ||||
-rw-r--r-- | manifests/lastlog/enable.pp | 11 | ||||
-rw-r--r-- | manifests/ramrun/disable.pp | 7 | ||||
-rw-r--r-- | manifests/ramrun/enable.pp | 9 | ||||
-rw-r--r-- | manifests/utmp/protect.pp | 3 | ||||
-rw-r--r-- | manifests/utmp/unprotect.pp | 9 | ||||
-rw-r--r-- | manifests/wtmp/disable.pp | 3 | ||||
-rw-r--r-- | manifests/wtmp/enable.pp | 9 |
16 files changed, 73 insertions, 60 deletions
@@ -11,8 +11,8 @@ Defaults to disable all supported login records. Dependencies ============ -- the common module: git://labs.riseup.net/shared-common - the lsb module: git://labs.riseup.net/shared-lsb +- the stdlib module from puppetlabs: http://forge.puppetlabs.com/puppetlabs/stdlib Configuration ============= diff --git a/manifests/base.pp b/manifests/base.pp index 66d3477..07f4541 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,3 +1,7 @@ +# main class to manage things +# empty so we don't harm +# any non supported linux +# systems class loginrecords::base { } diff --git a/manifests/btmp/disable.pp b/manifests/btmp/disable.pp index f32d36a..77c5d1e 100644 --- a/manifests/btmp/disable.pp +++ b/manifests/btmp/disable.pp @@ -1,5 +1,6 @@ +# ensure that btmp is not on the system class loginrecords::btmp::disable inherits loginrecords::btmp::enable { - File[$btmp_file]{ + File[$loginrecords::btmp::enable::btmp_file]{ ensure => 'absent', backup => false, } diff --git a/manifests/btmp/enable.pp b/manifests/btmp/enable.pp index c173362..95c663d 100644 --- a/manifests/btmp/enable.pp +++ b/manifests/btmp/enable.pp @@ -1,8 +1,11 @@ +# manage the btmp file class loginrecords::btmp::enable( $btmp_file = '/var/log/btmp' ){ - file{$btmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 660; + file{$loginrecords::btmp::enable::btmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0660'; } } diff --git a/manifests/debian.pp b/manifests/debian.pp index c20be6c..9208145 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,3 +1,4 @@ +# how loginrecords are managed on debian class loginrecords::debian inherits loginrecords::base { if $loginrecords::disable_btmp { diff --git a/manifests/faillog/disable.pp b/manifests/faillog/disable.pp index c05e6bc..c55e39e 100644 --- a/manifests/faillog/disable.pp +++ b/manifests/faillog/disable.pp 
@@ -1,9 +1,6 @@ +# do not log any faillog class loginrecords::faillog::disable inherits loginrecords::faillog::enable{ - Replace['loginrecords-faillog']{ - pattern => '^FAILLOG_ENAB[[:space:]]+yes$', - replacement => 'FAILLOG_ENAB no', - } - Line['loginrecords-faillog']{ - line => 'FAILLOG_ENAB no', + File_line['loginrecords-faillog']{ + line => "FAILLOG_ENAB\tno", } } diff --git a/manifests/faillog/enable.pp b/manifests/faillog/enable.pp index c714b74..6120193 100644 --- a/manifests/faillog/enable.pp +++ b/manifests/faillog/enable.pp @@ -1,14 +1,10 @@ +# manage faillog logging class loginrecords::faillog::enable( $login_defs_file = '/etc/login.defs' ) { - replace{'loginrecords-faillog': - file => $login_defs_file, - pattern => '^FAILLOG_ENAB[[:space]]+no$', - replacement => 'FAILLOG_ENAB yes', - } - line{'loginrecords-faillog': - file => $login_defs_file, - line => 'FAILLOG_ENAB yes', - require => Replace['loginrecords-faillog'], + file_line{'loginrecords-faillog': + path => $loginrecords::faillog::enable::login_defs_file, + match => '^FAILLOG_ENAB', + line => "FAILLOG_ENAB\tyes", } } diff --git a/manifests/init.pp b/manifests/init.pp index 0bc7a22..fd2f86b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,22 +1,23 @@ +# manage how login records are +# stored on the system class loginrecords( - $disable_btmp = true, - $disable_faillog = true, - $disable_lastlog = true, - $protect_utmp = true, - $disable_wtmp = true, - $ramdisk_on_var_run = true + $disable_btmp = true, + $disable_faillog = true, + $disable_lastlog = true, + $protect_utmp = true, + $disable_wtmp = true, + $ramdisk_on_var_run = true ){ - # Include main class - case $kernel { - "Linux": { - case $operatingsystem { - "debian", "ubuntu": { include loginrecords::debian } - default: { include loginrecords::base } - } - } - default: { - err("Kernel $kernel is not supported.") - } + # Include main class + case $::kernel { + Linux: { + case $::operatingsystem { + debian, ubuntu: { include loginrecords::debian } + default: { include loginrecords::base } + } } - + default: { + fail("Kernel ${::kernel} is not supported.") + } + } } diff --git a/manifests/lastlog/disable.pp b/manifests/lastlog/disable.pp index 69e13d5..f97c49c 100644 --- a/manifests/lastlog/disable.pp +++ b/manifests/lastlog/disable.pp @@ -1,6 +1,7 @@ +# disable lastlog loggin of pam class loginrecords::lastlog::disable inherits loginrecords::lastlog::enable { Replace['loginrecords-lastlog']{ - pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', + pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', replacement => '#session optional pam_lastlog.so', } File['/var/log/lastlog']{ diff --git a/manifests/lastlog/enable.pp b/manifests/lastlog/enable.pp index bd9378b..b8dec35 100644 --- a/manifests/lastlog/enable.pp +++ b/manifests/lastlog/enable.pp 
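Review bot: The header comment added to `loginrecords` in manifests/init.pp does not mention that all six parameters default to `true`, so declaring the class with no arguments puts every supported record type into its disabled or protected state. Judging by the disable classes elsewhere in this commit, that includes removing /var/log/btmp and /var/log/wtmp, which are the records that login auditing and incident response on the host rely on. I would extend the comment with a line such as `# All parameters default to true, i.e. every supported login record is disabled or protected unless the caller passes false.`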
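Review bot: `Replace['loginrecords-lastlog']` in manifests/lastlog/disable.pp, and the `replace{'loginrecords-lastlog': …}` resource it overrides in manifests/lastlog/enable.pp, are kept while the README hunk drops the common module from the dependency list. If `replace` is a define that module provided (the faillog classes are moved off it to stdlib's `file_line` in this same commit), the lastlog classes would fail to compile on a node set up according to the new README. Either keep the common module listed as a dependency or convert lastlog the same way as faillog. The pattern also leaves the dot in `pam_lastlog.so` unescaped; `pam_lastlog\.so$` is what is meant.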
@@ -1,13 +1,16 @@ +# manage the lastlog logging of pam class loginrecords::lastlog::enable( $pam_login_file = '/etc/pam.d/login' ){ replace{'loginrecords-lastlog': - file => $pam_login_file, - pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', + file => $pam_login_file, + pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', replacement => 'session optional pam_lastlog.so', } file{'/var/log/lastlog': - ensure => present, - owner => root, group => utmp, mode => 0664; + ensure => present, + owner => 'root', + group => 'utmp', + mode => '0664'; } } diff --git a/manifests/ramrun/disable.pp b/manifests/ramrun/disable.pp index 3d282a3..d745bf0 100644 --- a/manifests/ramrun/disable.pp +++ b/manifests/ramrun/disable.pp @@ -1,7 +1,6 @@ +# do not put /var/run on a ramdisk class loginrecords::ramrun::disable inherits loginrecords::ramrun::enable { - - Augeas["ramdisk-on-var-run"]{ - changes => "set RAMRUN yes", + Augeas['ramdisk-on-var-run']{ + changes => 'set RAMRUN yes', } - } diff --git a/manifests/ramrun/enable.pp b/manifests/ramrun/enable.pp index 564ef06..27bf409 100644 --- a/manifests/ramrun/enable.pp +++ b/manifests/ramrun/enable.pp @@ -1,8 +1,7 @@ +# put /var/run on a ramdisk? class loginrecords::ramrun::enable { - - augeas { "ramdisk-on-var-run": - context => "/files/etc/default/rcS", - changes => "set RAMRUN yes", + augeas{'ramdisk-on-var-run': + context => '/files/etc/default/rcS', + changes => 'set RAMRUN yes', } - } diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp index 166df5e..603064e 100644 --- a/manifests/utmp/protect.pp +++ b/manifests/utmp/protect.pp @@ -1,5 +1,6 @@ +# make the unprotect file protected from global read class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect { - File[$utmp_file]{ + File[$loginrecords::utmp::protect::utmp_file]{ mode => 660, } } diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp index 9da7517..54d821b 100644 
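Review bot: The override in `loginrecords::ramrun::disable` still sets `changes => 'set RAMRUN yes'`, the same value as the parent `loginrecords::ramrun::enable`, so including the disable class changes nothing in /etc/default/rcS. That contradicts the comment added directly above it, `# do not put /var/run on a ramdisk`; the old side of the hunk carried the same value, so this commit only changed the quoting. The line presumably should read `changes => 'set RAMRUN no',`.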
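Review bot: `File[$loginrecords::utmp::protect::utmp_file]` in manifests/utmp/protect.pp qualifies the variable with the child class, but `$utmp_file` is declared as a parameter of `loginrecords::utmp::unprotect`; the btmp and wtmp disable classes in this commit qualify with the parent class that declares the parameter. Whether the child-qualified name resolves through inheritance depends on the Puppet version, and if it does not, the override does not reach the utmp file resource and the file keeps the parent's `'0664'` mode. I would write `File[$loginrecords::utmp::unprotect::utmp_file]{` and, to match the other manifests, `mode => '0660',` instead of the bare `660`. The new header comment would also read better as `# restrict the utmp file so it is not world-readable`.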
--- a/manifests/utmp/unprotect.pp +++ b/manifests/utmp/unprotect.pp @@ -1,8 +1,11 @@ +# manage the utmp file class loginrecords::utmp::unprotect( $utmp_file = '/var/run/utmp' ){ - file{$utmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 664; + file{$loginrecords::utmp::unprotect::utmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0664'; } } diff --git a/manifests/wtmp/disable.pp b/manifests/wtmp/disable.pp index 0d53e57..f98e201 100644 --- a/manifests/wtmp/disable.pp +++ b/manifests/wtmp/disable.pp @@ -1,5 +1,6 @@ +# ensure that wtmp is not on the system class loginrecords::wtmp::disable inherits loginrecords::wtmp::enable { - File[$wtmp_file]{ + File[$loginrecords::wtmp::enable::wtmp_file]{ ensure => 'absent', backup => false, } diff --git a/manifests/wtmp/enable.pp b/manifests/wtmp/enable.pp index f3b5ee9..4ba57ee 100644 --- a/manifests/wtmp/enable.pp +++ b/manifests/wtmp/enable.pp @@ -1,8 +1,11 @@ +# manage wtmp class loginrecords::wtmp::enable( $wtmp_file = '/var/log/wtmp' ){ - file{$wtmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 664; + file{$loginrecords::wtmp::enable::wtmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0664'; } } |