authorSilvio Rhatto <rhatto@riseup.net>2013-01-18 12:03:04 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-01-18 12:03:04 -0200
commit533b8fbd9dfca345151f146f348496fc2a5fa530 (patch)
treef3486c01a440f628d546beda5b4e4448edaaf1b1
parentb0c0b29cf37451cfe7090e2f53197798c5dbba4b (diff)
parented222aced2762800363f4428a26a58e960e22983 (diff)
downloadpuppet-loginrecords-533b8fbd9dfca345151f146f348496fc2a5fa530.tar.gz
puppet-loginrecords-533b8fbd9dfca345151f146f348496fc2a5fa530.tar.bz2
Merge branch 'master' of ssh://labs.riseup.net/shared-loginrecords
-rw-r--r--README6
-rw-r--r--manifests/base.pp4
-rw-r--r--manifests/btmp/disable.pp3
-rw-r--r--manifests/btmp/enable.pp9
-rw-r--r--manifests/debian.pp6
-rw-r--r--manifests/faillog/disable.pp9
-rw-r--r--manifests/faillog/enable.pp14
-rw-r--r--manifests/init.pp37
-rw-r--r--manifests/lastlog/disable.pp3
-rw-r--r--manifests/lastlog/enable.pp11
-rw-r--r--manifests/ramrun/disable.pp7
-rw-r--r--manifests/ramrun/enable.pp9
-rw-r--r--manifests/utmp/protect.pp3
-rw-r--r--manifests/utmp/unprotect.pp9
-rw-r--r--manifests/wtmp/disable.pp3
-rw-r--r--manifests/wtmp/enable.pp9
16 files changed, 81 insertions, 61 deletions
diff --git a/README b/README
index 68cf39b..d5acff3 100644
--- a/README
+++ b/README
@@ -11,7 +11,8 @@ Defaults to disable all supported login records.
Dependencies
============
-- the common module: git://labs.riseup.net/shared-common
+- the lsb module: git://labs.riseup.net/shared-lsb
+- the stdlib module from puppetlabs: http://forge.puppetlabs.com/puppetlabs/stdlib
Configuration
=============
@@ -54,6 +55,9 @@ Default: have the initscripts mount a ramdisk on /var/run.
When set to a false, non-empty value, the mounting of a ramdisk on
/var/run is disabled.
+This has no effect on Debian Wheezy or later: a ramdisk is always
+mounted on /run, regardless of this setting.
+
Please note that the changes only take effect on reboot. When enabling
this feature, you probably want to get rid of any file previously
stored on the files (such as utmp) stored in the non-ramdisk
diff --git a/manifests/base.pp b/manifests/base.pp
index 66d3477..07f4541 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,3 +1,7 @@
+# main class to manage things
+# empty so we don't harm
+# any non supported linux
+# systems
class loginrecords::base {
}
diff --git a/manifests/btmp/disable.pp b/manifests/btmp/disable.pp
index f32d36a..77c5d1e 100644
--- a/manifests/btmp/disable.pp
+++ b/manifests/btmp/disable.pp
@@ -1,5 +1,6 @@
+# ensure that btmp is not on the system
class loginrecords::btmp::disable inherits loginrecords::btmp::enable {
- File[$btmp_file]{
+ File[$loginrecords::btmp::enable::btmp_file]{
ensure => 'absent',
backup => false,
}
diff --git a/manifests/btmp/enable.pp b/manifests/btmp/enable.pp
index c173362..95c663d 100644
--- a/manifests/btmp/enable.pp
+++ b/manifests/btmp/enable.pp
@@ -1,8 +1,11 @@
+# manage the btmp file
class loginrecords::btmp::enable(
$btmp_file = '/var/log/btmp'
){
- file{$btmp_file:
- ensure => 'present',
- owner => 'root', group => 'utmp', mode => 660;
+ file{$loginrecords::btmp::enable::btmp_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'utmp',
+ mode => '0660';
}
}
diff --git a/manifests/debian.pp b/manifests/debian.pp
index e68185b..d85b287 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,3 +1,4 @@
+# how loginrecords are managed on debian
class loginrecords::debian inherits loginrecords::base {
if $loginrecords::disable_btmp {
@@ -33,7 +34,10 @@ class loginrecords::debian inherits loginrecords::base {
if $loginrecords::ramdisk_on_var_run {
class{'loginrecords::ramrun::enable': }
} else {
- class{'loginrecords::ramrun::disable': }
+ case $lsbdistrelease {
+ 'lenny','squeeze': { class{'loginrecords::ramrun::disable': } }
+ default: { fail("Disabling RAMRUN is not supported since Wheezy") }
+ }
}
}
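Review bot: The new `case $lsbdistrelease` in the else branch compares against codenames ('lenny', 'squeeze'), but that fact normally carries the release number, so the first branch is unlikely to ever match and every node with `ramdisk_on_var_run => false` would end in `fail()`, lenny and squeeze included. Use the codename fact, fully qualified like the facts in init.pp: `case $::lsbdistcodename {`. This class is also included for Ubuntu, whose codenames always fall into `default`. The README text added in this commit says the setting "has no effect" on Wheezy or later while this code aborts the catalog, so one of the two should change. The class body starts outside this hunk.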
diff --git a/manifests/faillog/disable.pp b/manifests/faillog/disable.pp
index c05e6bc..c55e39e 100644
--- a/manifests/faillog/disable.pp
+++ b/manifests/faillog/disable.pp
@@ -1,9 +1,6 @@
+# do not log any faillog
class loginrecords::faillog::disable inherits loginrecords::faillog::enable{
- Replace['loginrecords-faillog']{
- pattern => '^FAILLOG_ENAB[[:space:]]+yes$',
- replacement => 'FAILLOG_ENAB no',
- }
- Line['loginrecords-faillog']{
- line => 'FAILLOG_ENAB no',
+ File_line['loginrecords-faillog']{
+ line => "FAILLOG_ENAB\tno",
}
}
diff --git a/manifests/faillog/enable.pp b/manifests/faillog/enable.pp
index c714b74..6120193 100644
--- a/manifests/faillog/enable.pp
+++ b/manifests/faillog/enable.pp
@@ -1,14 +1,10 @@
+# manage faillog logging
class loginrecords::faillog::enable(
$login_defs_file = '/etc/login.defs'
) {
- replace{'loginrecords-faillog':
- file => $login_defs_file,
- pattern => '^FAILLOG_ENAB[[:space]]+no$',
- replacement => 'FAILLOG_ENAB yes',
- }
- line{'loginrecords-faillog':
- file => $login_defs_file,
- line => 'FAILLOG_ENAB yes',
- require => Replace['loginrecords-faillog'],
+ file_line{'loginrecords-faillog':
+ path => $loginrecords::faillog::enable::login_defs_file,
+ match => '^FAILLOG_ENAB',
+ line => "FAILLOG_ENAB\tyes",
}
}
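Review bot: `match => '^FAILLOG_ENAB'` has no delimiter after the key, so it matches any line that merely starts with that prefix, and `file_line` errors out when more than one line matches; `match => '^FAILLOG_ENAB\s',` bounds it to this one key. The README hunk lists stdlib without a minimum version, while this resource needs a stdlib release whose `file_line` supports `match`, so naming that version in the README would save a confusing compile error.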
diff --git a/manifests/init.pp b/manifests/init.pp
index 0bc7a22..fd2f86b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,22 +1,23 @@
+# manage how login records are
+# stored on the system
class loginrecords(
- $disable_btmp = true,
- $disable_faillog = true,
- $disable_lastlog = true,
- $protect_utmp = true,
- $disable_wtmp = true,
- $ramdisk_on_var_run = true
+ $disable_btmp = true,
+ $disable_faillog = true,
+ $disable_lastlog = true,
+ $protect_utmp = true,
+ $disable_wtmp = true,
+ $ramdisk_on_var_run = true
){
- # Include main class
- case $kernel {
- "Linux": {
- case $operatingsystem {
- "debian", "ubuntu": { include loginrecords::debian }
- default: { include loginrecords::base }
- }
- }
- default: {
- err("Kernel $kernel is not supported.")
- }
+ # Include main class
+ case $::kernel {
+ Linux: {
+ case $::operatingsystem {
+ debian, ubuntu: { include loginrecords::debian }
+ default: { include loginrecords::base }
+ }
}
-
+ default: {
+ fail("Kernel ${::kernel} is not supported.")
+ }
+ }
}
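Review bot: The header comment added above `class loginrecords(` does not say that every parameter defaults to `true`, so a bare `include loginrecords` removes btmp and wtmp and switches off faillog and lastlog on the node. Those files are the local record of failed and past logins that an investigation would rely on, so the default deserves to be stated where the class is declared and not only in the README. Suggested addition to the comment: `# NOTE: all parameters default to true, i.e. login records are removed or disabled unless a parameter is set to false`.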
diff --git a/manifests/lastlog/disable.pp b/manifests/lastlog/disable.pp
index 69e13d5..f97c49c 100644
--- a/manifests/lastlog/disable.pp
+++ b/manifests/lastlog/disable.pp
@@ -1,6 +1,7 @@
+# disable lastlog loggin of pam
class loginrecords::lastlog::disable inherits loginrecords::lastlog::enable {
Replace['loginrecords-lastlog']{
- pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
+ pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
replacement => '#session optional pam_lastlog.so',
}
File['/var/log/lastlog']{
diff --git a/manifests/lastlog/enable.pp b/manifests/lastlog/enable.pp
index bd9378b..b8dec35 100644
--- a/manifests/lastlog/enable.pp
+++ b/manifests/lastlog/enable.pp
@@ -1,13 +1,16 @@
+# manage the lastlog logging of pam
class loginrecords::lastlog::enable(
$pam_login_file = '/etc/pam.d/login'
){
replace{'loginrecords-lastlog':
- file => $pam_login_file,
- pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
+ file => $pam_login_file,
+ pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
replacement => 'session optional pam_lastlog.so',
}
file{'/var/log/lastlog':
- ensure => present,
- owner => root, group => utmp, mode => 0664;
+ ensure => present,
+ owner => 'root',
+ group => 'utmp',
+ mode => '0664';
}
}
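Review bot: `replace{'loginrecords-lastlog':` is kept here (and overridden in lastlog/disable.pp) although the README hunk of this commit drops the common module from the dependencies. If `replace` is the define from that module, as its removal from faillog/enable.pp suggests, lastlog management will no longer compile on a node that follows the new README. Either keep the common module listed or convert this resource to `file_line` with a `match`, as was done for faillog. Independently, the unescaped dot in the pattern matches any character; `pam_lastlog\.so$` is stricter.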
diff --git a/manifests/ramrun/disable.pp b/manifests/ramrun/disable.pp
index 3d282a3..d745bf0 100644
--- a/manifests/ramrun/disable.pp
+++ b/manifests/ramrun/disable.pp
@@ -1,7 +1,6 @@
+# do not put /var/run on a ramdisk
class loginrecords::ramrun::disable inherits loginrecords::ramrun::enable {
-
- Augeas["ramdisk-on-var-run"]{
- changes => "set RAMRUN yes",
+ Augeas['ramdisk-on-var-run']{
+ changes => 'set RAMRUN yes',
}
-
}
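Review bot: `changes => 'set RAMRUN yes',` in the disable class is identical to the value in loginrecords::ramrun::enable, so the override changes nothing and /var/run stays on a ramdisk; the commit only requotes the line. It should read `changes => 'set RAMRUN no',`. The header comment added here ("do not put /var/run on a ramdisk") describes the intended behaviour, not what the resource does.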
diff --git a/manifests/ramrun/enable.pp b/manifests/ramrun/enable.pp
index 564ef06..27bf409 100644
--- a/manifests/ramrun/enable.pp
+++ b/manifests/ramrun/enable.pp
@@ -1,8 +1,7 @@
+# put /var/run on a ramdisk?
class loginrecords::ramrun::enable {
-
- augeas { "ramdisk-on-var-run":
- context => "/files/etc/default/rcS",
- changes => "set RAMRUN yes",
+ augeas{'ramdisk-on-var-run':
+ context => '/files/etc/default/rcS',
+ changes => 'set RAMRUN yes',
}
-
}
diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp
index 166df5e..603064e 100644
--- a/manifests/utmp/protect.pp
+++ b/manifests/utmp/protect.pp
@@ -1,5 +1,6 @@
+# make the unprotect file protected from global read
class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect {
- File[$utmp_file]{
+ File[$loginrecords::utmp::protect::utmp_file]{
mode => 660,
}
}
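Review bot: `$loginrecords::utmp::protect::utmp_file` is not defined anywhere visible: the `utmp_file` parameter belongs to the parent class loginrecords::utmp::unprotect, and the btmp and wtmp disable classes in this commit reference the parent's variable (`...::enable::btmp_file`). As written the override title likely resolves to an empty value, so the override either fails to compile or is never applied, and utmp keeps the world-readable 0664 set by the parent. Use `File[$loginrecords::utmp::unprotect::utmp_file]{` and quote the mode as the rest of the commit does: `mode => '0660',`.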
diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp
index 9da7517..54d821b 100644
--- a/manifests/utmp/unprotect.pp
+++ b/manifests/utmp/unprotect.pp
@@ -1,8 +1,11 @@
+# manage the utmp file
class loginrecords::utmp::unprotect(
$utmp_file = '/var/run/utmp'
){
- file{$utmp_file:
- ensure => 'present',
- owner => 'root', group => 'utmp', mode => 664;
+ file{$loginrecords::utmp::unprotect::utmp_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'utmp',
+ mode => '0664';
}
}
diff --git a/manifests/wtmp/disable.pp b/manifests/wtmp/disable.pp
index 0d53e57..f98e201 100644
--- a/manifests/wtmp/disable.pp
+++ b/manifests/wtmp/disable.pp
@@ -1,5 +1,6 @@
+# ensure that wtmp is not on the system
class loginrecords::wtmp::disable inherits loginrecords::wtmp::enable {
- File[$wtmp_file]{
+ File[$loginrecords::wtmp::enable::wtmp_file]{
ensure => 'absent',
backup => false,
}
diff --git a/manifests/wtmp/enable.pp b/manifests/wtmp/enable.pp
index f3b5ee9..4ba57ee 100644
--- a/manifests/wtmp/enable.pp
+++ b/manifests/wtmp/enable.pp
@@ -1,8 +1,11 @@
+# manage wtmp
class loginrecords::wtmp::enable(
$wtmp_file = '/var/log/wtmp'
){
- file{$wtmp_file:
- ensure => 'present',
- owner => 'root', group => 'utmp', mode => 664;
+ file{$loginrecords::wtmp::enable::wtmp_file:
+ ensure => 'present',
+ owner => 'root',
+ group => 'utmp',
+ mode => '0664';
}
}