From fdb60047acf69dac300a156958a7e115f185f322 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 9 Nov 2011 19:35:05 +0100 Subject: Take into account that disabling RAMRUN is not supported since Wheezy. --- README | 4 ++++ manifests/debian.pp | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README b/README index 68cf39b..8395501 100644 --- a/README +++ b/README @@ -12,6 +12,7 @@ Dependencies ============ - the common module: git://labs.riseup.net/shared-common +- the lsb module: git://labs.riseup.net/shared-lsb Configuration ============= @@ -54,6 +55,9 @@ Default: have the initscripts mount a ramdisk on /var/run. When set to a false, non-empty value, the mounting of a ramdisk on /var/run is disabled. +This has no effect on Debian Wheezy or later: a ramdisk is always +mounted on /run, regardless of this setting. + Please note that the changes only take effect on reboot. When enabling this feature, you probably want to get rid of any file previously stored on the files (such as utmp) stored in the non-ramdisk diff --git a/manifests/debian.pp b/manifests/debian.pp index e68185b..c20be6c 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -33,7 +33,10 @@ class loginrecords::debian inherits loginrecords::base { if $loginrecords::ramdisk_on_var_run { class{'loginrecords::ramrun::enable': } } else { - class{'loginrecords::ramrun::disable': } + case $lsbdistrelease { + 'lenny','squeeze': { class{'loginrecords::ramrun::disable': } } + default: { err("Disabling RAMRUN is not supported since Wheezy") } + } } } -- cgit v1.2.3 From 868c2bee3b8c77a01bdd2b003c0560c3006a0f8f Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 5 Jun 2012 20:06:17 -0300 Subject: new style for 2.7 --- manifests/init.pp | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0bc7a22..5c9f800 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
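Review bot: In the manifests/debian.pp hunk, the new `case $lsbdistrelease` is matched against the codenames 'lenny' and 'squeeze', but the `lsbdistrelease` fact holds the release number and the codename is in `lsbdistcodename`, so the `default:` branch would be taken on every release. The selector should read `case $::lsbdistcodename {`. The later commit "Hard-fail on deprecated manifests." changes that default branch from `err()` to `fail()` in this same block; with the wrong fact, a lenny or squeeze node that sets `ramdisk_on_var_run` to false would presumably fail catalog compilation instead of getting `loginrecords::ramrun::disable`. The class body starts outside the hunk.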
@@ -1,22 +1,21 @@ class loginrecords( - $disable_btmp = true, - $disable_faillog = true, - $disable_lastlog = true, - $protect_utmp = true, - $disable_wtmp = true, - $ramdisk_on_var_run = true + $disable_btmp = true, + $disable_faillog = true, + $disable_lastlog = true, + $protect_utmp = true, + $disable_wtmp = true, + $ramdisk_on_var_run = true ){ - # Include main class - case $kernel { - "Linux": { - case $operatingsystem { - "debian", "ubuntu": { include loginrecords::debian } - default: { include loginrecords::base } - } - } - default: { - err("Kernel $kernel is not supported.") - } + # Include main class + case $::kernel { + "Linux": { + case $::operatingsystem { + "debian", "ubuntu": { include loginrecords::debian } + default: { include loginrecords::base } + } } - + default: { + err("Kernel ${::kernel} is not supported.") + } + } } -- cgit v1.2.3 From 43cba80d2ede774ecf91cb26531ecbca0f097551 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jan 2013 11:43:18 +0100 Subject: linting according to puppet-lint --- manifests/base.pp | 4 ++++ manifests/btmp/disable.pp | 3 ++- manifests/btmp/enable.pp | 9 ++++++--- manifests/debian.pp | 1 + manifests/faillog/disable.pp | 7 ++++--- manifests/faillog/enable.pp | 11 ++++++----- manifests/init.pp | 20 +++++++++++--------- manifests/lastlog/disable.pp | 3 ++- manifests/lastlog/enable.pp | 11 +++++++---- manifests/ramrun/disable.pp | 7 +++---- manifests/ramrun/enable.pp | 9 ++++----- manifests/utmp/protect.pp | 3 ++- manifests/utmp/unprotect.pp | 9 ++++++--- manifests/wtmp/disable.pp | 3 ++- manifests/wtmp/enable.pp | 9 ++++++--- 15 files changed, 66 insertions(+), 43 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 66d3477..07f4541 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,3 +1,7 @@ +# main class to manage things +# empty so we don't harm +# any non supported linux +# systems class loginrecords::base { } 
diff --git a/manifests/btmp/disable.pp b/manifests/btmp/disable.pp index f32d36a..77c5d1e 100644 --- a/manifests/btmp/disable.pp +++ b/manifests/btmp/disable.pp @@ -1,5 +1,6 @@ +# ensure that btmp is not on the system class loginrecords::btmp::disable inherits loginrecords::btmp::enable { - File[$btmp_file]{ + File[$loginrecords::btmp::enable::btmp_file]{ ensure => 'absent', backup => false, } diff --git a/manifests/btmp/enable.pp b/manifests/btmp/enable.pp index c173362..95c663d 100644 --- a/manifests/btmp/enable.pp +++ b/manifests/btmp/enable.pp @@ -1,8 +1,11 @@ +# manage the btmp file class loginrecords::btmp::enable( $btmp_file = '/var/log/btmp' ){ - file{$btmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 660; + file{$loginrecords::btmp::enable::btmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0660'; } } diff --git a/manifests/debian.pp b/manifests/debian.pp index e68185b..0813d2f 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,3 +1,4 @@ +# how loginrecords are managed on debian class loginrecords::debian inherits loginrecords::base { if $loginrecords::disable_btmp { diff --git a/manifests/faillog/disable.pp b/manifests/faillog/disable.pp index c05e6bc..4e1df4e 100644 --- a/manifests/faillog/disable.pp +++ b/manifests/faillog/disable.pp @@ -1,9 +1,10 @@ +# do not log any faillog class loginrecords::faillog::disable inherits loginrecords::faillog::enable{ Replace['loginrecords-faillog']{ - pattern => '^FAILLOG_ENAB[[:space:]]+yes$', - replacement => 'FAILLOG_ENAB no', + pattern => '^FAILLOG_ENAB[[:space:]]+yes$', + replacement => "FAILLOG_ENAB\tno", } Line['loginrecords-faillog']{ - line => 'FAILLOG_ENAB no', + line => "FAILLOG_ENAB\tno", } } diff --git a/manifests/faillog/enable.pp b/manifests/faillog/enable.pp index c714b74..d600f6f 100644 --- a/manifests/faillog/enable.pp +++ b/manifests/faillog/enable.pp 
@@ -1,14 +1,15 @@ +# manage faillog logging class loginrecords::faillog::enable( $login_defs_file = '/etc/login.defs' ) { replace{'loginrecords-faillog': - file => $login_defs_file, - pattern => '^FAILLOG_ENAB[[:space]]+no$', - replacement => 'FAILLOG_ENAB yes', + file => $loginrecords::faillog::enable::login_defs_file, + pattern => '^FAILLOG_ENAB[[:space]]+no$', + replacement => "FAILLOG_ENAB\tyes", } line{'loginrecords-faillog': - file => $login_defs_file, - line => 'FAILLOG_ENAB yes', + file => $loginrecords::faillog::enable::login_defs_file, + line => "FAILLOG_ENAB\tyes", require => Replace['loginrecords-faillog'], } } diff --git a/manifests/init.pp b/manifests/init.pp index 5c9f800..dd0e48e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,17 +1,19 @@ +# manage how login records are +# stored on the system class loginrecords( - $disable_btmp = true, - $disable_faillog = true, - $disable_lastlog = true, - $protect_utmp = true, - $disable_wtmp = true, + $disable_btmp = true, + $disable_faillog = true, + $disable_lastlog = true, + $protect_utmp = true, + $disable_wtmp = true, $ramdisk_on_var_run = true ){ # Include main class case $::kernel { - "Linux": { - case $::operatingsystem { - "debian", "ubuntu": { include loginrecords::debian } - default: { include loginrecords::base } + Linux: { + case $::operatingsystem { + debian, ubuntu: { include loginrecords::debian } + default: { include loginrecords::base } } } default: { diff --git a/manifests/lastlog/disable.pp b/manifests/lastlog/disable.pp index 69e13d5..f97c49c 100644 --- a/manifests/lastlog/disable.pp +++ b/manifests/lastlog/disable.pp 
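Review bot: The `pattern` of `replace{'loginrecords-faillog':}` in manifests/faillog/enable.pp, `'^FAILLOG_ENAB[[:space]]+no$'`, has a malformed POSIX class: `[[:space]]` lacks the closing colon, so it is read as a bracket expression over literal characters and a `FAILLOG_ENAB no` line is not rewritten. The disable class in this same commit spells it correctly, so use `pattern => '^FAILLOG_ENAB[[:space:]]+no$',` here too. When the replace does not match, the `line` resource presumably appends a second `FAILLOG_ENAB` entry, leaving login.defs with two conflicting settings.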
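Review bot: The header comment added to `class loginrecords` in manifests/init.pp does not mention that every parameter defaults to `true`, so on Debian and Ubuntu a bare `include loginrecords` removes btmp and wtmp and switches off faillog and lastlog. Those files are the host's own record of logins and failed logins, which incident response normally relies on, so the header should say so, for example `# NOTE: with the defaults, btmp, wtmp, lastlog and faillog are all disabled`. A one-line comment per `$disable_*` parameter, naming the file or setting it controls, would also help.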
@@ -1,6 +1,7 @@ +# disable lastlog loggin of pam class loginrecords::lastlog::disable inherits loginrecords::lastlog::enable { Replace['loginrecords-lastlog']{ - pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', + pattern => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', replacement => '#session optional pam_lastlog.so', } File['/var/log/lastlog']{ diff --git a/manifests/lastlog/enable.pp b/manifests/lastlog/enable.pp index bd9378b..b8dec35 100644 --- a/manifests/lastlog/enable.pp +++ b/manifests/lastlog/enable.pp @@ -1,13 +1,16 @@ +# manage the lastlog logging of pam class loginrecords::lastlog::enable( $pam_login_file = '/etc/pam.d/login' ){ replace{'loginrecords-lastlog': - file => $pam_login_file, - pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', + file => $pam_login_file, + pattern => '^#session[[:space:]]+optional[[:space:]]+pam_lastlog.so$', replacement => 'session optional pam_lastlog.so', } file{'/var/log/lastlog': - ensure => present, - owner => root, group => utmp, mode => 0664; + ensure => present, + owner => 'root', + group => 'utmp', + mode => '0664'; } } diff --git a/manifests/ramrun/disable.pp b/manifests/ramrun/disable.pp index 3d282a3..d745bf0 100644 --- a/manifests/ramrun/disable.pp +++ b/manifests/ramrun/disable.pp @@ -1,7 +1,6 @@ +# do not put /var/run on a ramdisk class loginrecords::ramrun::disable inherits loginrecords::ramrun::enable { - - Augeas["ramdisk-on-var-run"]{ - changes => "set RAMRUN yes", + Augeas['ramdisk-on-var-run']{ + changes => 'set RAMRUN yes', } - } diff --git a/manifests/ramrun/enable.pp b/manifests/ramrun/enable.pp index 564ef06..27bf409 100644 --- a/manifests/ramrun/enable.pp +++ b/manifests/ramrun/enable.pp 
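Review bot: In manifests/ramrun/disable.pp, `loginrecords::ramrun::disable` still overrides `Augeas['ramdisk-on-var-run']` with `changes => 'set RAMRUN yes'`, the same value its parent `loginrecords::ramrun::enable` sets. The override therefore changes nothing, and the new header comment ("do not put /var/run on a ramdisk") does not describe what the class does. The quoting cleanup carried the value over unchanged; it looks like it should be `changes => 'set RAMRUN no',`.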
@@ -1,8 +1,7 @@ +# put /var/run on a ramdisk? class loginrecords::ramrun::enable { - - augeas { "ramdisk-on-var-run": - context => "/files/etc/default/rcS", - changes => "set RAMRUN yes", + augeas{'ramdisk-on-var-run': + context => '/files/etc/default/rcS', + changes => 'set RAMRUN yes', } - } diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp index 166df5e..603064e 100644 --- a/manifests/utmp/protect.pp +++ b/manifests/utmp/protect.pp @@ -1,5 +1,6 @@ +# make the unprotect file protected from global read class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect { - File[$utmp_file]{ + File[$loginrecords::utmp::protect::utmp_file]{ mode => 660, } } diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp index 9da7517..54d821b 100644 --- a/manifests/utmp/unprotect.pp +++ b/manifests/utmp/unprotect.pp @@ -1,8 +1,11 @@ +# manage the utmp file class loginrecords::utmp::unprotect( $utmp_file = '/var/run/utmp' ){ - file{$utmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 664; + file{$loginrecords::utmp::unprotect::utmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0664'; } } diff --git a/manifests/wtmp/disable.pp b/manifests/wtmp/disable.pp index 0d53e57..f98e201 100644 --- a/manifests/wtmp/disable.pp +++ b/manifests/wtmp/disable.pp @@ -1,5 +1,6 @@ +# ensure that wtmp is not on the system class loginrecords::wtmp::disable inherits loginrecords::wtmp::enable { - File[$wtmp_file]{ + File[$loginrecords::wtmp::enable::wtmp_file]{ ensure => 'absent', backup => false, } diff --git a/manifests/wtmp/enable.pp b/manifests/wtmp/enable.pp index f3b5ee9..4ba57ee 100644 --- a/manifests/wtmp/enable.pp +++ b/manifests/wtmp/enable.pp 
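Review bot: In manifests/utmp/protect.pp the override is now addressed as `File[$loginrecords::utmp::protect::utmp_file]`, but `utmp_file` is a parameter of the parent `loginrecords::utmp::unprotect`, and the btmp and wtmp disable classes in this commit qualify the variable with the parent class name. If the child-scoped name resolves to undef, the override will not find the file resource, so `File[$loginrecords::utmp::unprotect::utmp_file]{` is safer and consistent with the siblings. The same hunk leaves `mode => 660` unquoted while every other mode in the commit became a quoted four-digit string; `mode => '0660',` keeps the one permission this class exists to tighten unambiguous.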
@@ -1,8 +1,11 @@ +# manage wtmp class loginrecords::wtmp::enable( $wtmp_file = '/var/log/wtmp' ){ - file{$wtmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 664; + file{$loginrecords::wtmp::enable::wtmp_file: + ensure => 'present', + owner => 'root', + group => 'utmp', + mode => '0664'; } } -- cgit v1.2.3 From 4fe16c0993d0adfe0e652d76177d0f1736e45cf3 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jan 2013 11:45:03 +0100 Subject: replace old resources with stdlib functions stdlib has the new file_line, which can also do the same as we used replace for in one run. --- README | 2 +- manifests/faillog/disable.pp | 6 +----- manifests/faillog/enable.pp | 13 ++++--------- 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/README b/README index 68cf39b..06f29ea 100644 --- a/README +++ b/README @@ -11,7 +11,7 @@ Defaults to disable all supported login records. Dependencies ============ -- the common module: git://labs.riseup.net/shared-common +- the stdlib module from puppetlabs: http://forge.puppetlabs.com/puppetlabs/stdlib Configuration ============= diff --git a/manifests/faillog/disable.pp b/manifests/faillog/disable.pp index 4e1df4e..c55e39e 100644 --- a/manifests/faillog/disable.pp +++ b/manifests/faillog/disable.pp @@ -1,10 +1,6 @@ # do not log any faillog class loginrecords::faillog::disable inherits loginrecords::faillog::enable{ - Replace['loginrecords-faillog']{ - pattern => '^FAILLOG_ENAB[[:space:]]+yes$', - replacement => "FAILLOG_ENAB\tno", - } - Line['loginrecords-faillog']{ + File_line['loginrecords-faillog']{ line => "FAILLOG_ENAB\tno", } } diff --git a/manifests/faillog/enable.pp b/manifests/faillog/enable.pp index d600f6f..6120193 100644 --- a/manifests/faillog/enable.pp +++ b/manifests/faillog/enable.pp 
@@ -2,14 +2,9 @@ class loginrecords::faillog::enable( $login_defs_file = '/etc/login.defs' ) { - replace{'loginrecords-faillog': - file => $loginrecords::faillog::enable::login_defs_file, - pattern => '^FAILLOG_ENAB[[:space]]+no$', - replacement => "FAILLOG_ENAB\tyes", - } - line{'loginrecords-faillog': - file => $loginrecords::faillog::enable::login_defs_file, - line => "FAILLOG_ENAB\tyes", - require => Replace['loginrecords-faillog'], + file_line{'loginrecords-faillog': + path => $loginrecords::faillog::enable::login_defs_file, + match => '^FAILLOG_ENAB', + line => "FAILLOG_ENAB\tyes", } } -- cgit v1.2.3 From b94947ba7f99a69837c65c9217e692d74052b651 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jan 2013 11:46:38 +0100 Subject: hard fail instead of just logging an error message --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index dd0e48e..fd2f86b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,7 +17,7 @@ class loginrecords( } } default: { - err("Kernel ${::kernel} is not supported.") + fail("Kernel ${::kernel} is not supported.") } } } -- cgit v1.2.3 From ed222aced2762800363f4428a26a58e960e22983 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 2 Jan 2013 13:12:59 +0100 Subject: Hard-fail on deprecated manifests. --- manifests/debian.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index 9208145..d85b287 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -36,7 +36,7 @@ class loginrecords::debian inherits loginrecords::base { } else { case $lsbdistrelease { 'lenny','squeeze': { class{'loginrecords::ramrun::disable': } } - default: { err("Disabling RAMRUN is not supported since Wheezy") } + default: { fail("Disabling RAMRUN is not supported since Wheezy") } } } -- cgit v1.2.3