Add (untested) lastlog disabling support.

4 files changed, 21 insertions, 0 deletions

diff --git a/README b/README
index 3a0ef24..48100c5 100644
--- a/README
+++ b/README
@@ -22,6 +22,12 @@ $disable_faillog
 Default: faillog is disabled.
 When set to false, faillog is enabled.
 
+$disable_lastlog
+----------------
+
+Default: lastlog is disabled.
+When set to a false, non-empty value, lastlog is not changed.
+
 Copyright
 =========
 
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 8bc296d..8cf95f1 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,5 +1,6 @@
 class loginrecords::debian inherits loginrecords::base {
 
+    $pam_login_file  = '/etc/pam.d/login'
     $login_defs_file = '/etc/login.defs'
 
     if $disable_faillog {
@@ -9,4 +10,8 @@ class loginrecords::debian inherits loginrecords::base {
         include loginrecords::faillog::enable
     }
 
+    if $disable_lastlog {
+        include loginrecords::lastlog::disable
+    }
+
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 0dbe627..6826c32 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,6 +6,9 @@ class loginrecords {
     if $disable_faillog == '' {
         $disable_faillog = true
     }
+    if $disable_lastlog == '' {
+        $disable_lastlog = true
+    }
 
     # Include main class
     case $kernel {
diff --git a/manifests/lastlog.pp b/manifests/lastlog.pp
new file mode 100644
index 0000000..da6c735
--- /dev/null
+++ b/manifests/lastlog.pp
@@ -0,0 +1,7 @@
+class loginrecords::lastlog::disable {
+    replace { 'loginrecords-lastlog-disable':
+        file        => $pam_login_file,
+        pattern     => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
+        replacement => '#session    optional   pam_lastlog.so',
+    }
+}